CVE-2017-0146
published 2017-03-17CVE-2017-0146: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT…
PriorityP198high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
KEVITWEXPLOITRansomware
CISA Known Exploited Vulnerabilitydue 2022-04-15
Exploited in the wild
EPSS
89.86%
99.8th percentile
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0148.
Affected
31 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | server_message_block | — | — |
| microsoft_corporation | windows_smb | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
| philips | intellispace_portal | — | — |
| philips | intellispace_portal | — | — |
| siemens | acuson_p300_firmware | — | — |
| siemens | acuson_p300_firmware | — | — |
| siemens | acuson_p300_firmware | — | — |
| siemens | acuson_p300_firmware | — | — |
| siemens | acuson_p500_firmware | — | — |
| siemens | acuson_p500_firmware | — | — |
| siemens | acuson_sc2000_firmware | — | — |
| siemens | acuson_sc2000_firmware | >= 4.0 < 4.0e | 4.0e |
Detection & IOCsextracted from sources · hover to see the quote
sigma↗
DDI Rule 2722: CVE-2017-0146 - Remote Code Execution - SMB (Request)
- →CVE-2017-0146 (EternalChampion) exploits a race condition in SMBv1 Transaction requests. Detection should focus on anomalous SMB Transaction request patterns on ports 445/139. ↗
- →The exploit requires a named pipe to function; monitor for unexpected named pipe connections over SMB as a detection signal. ↗
- →Trend Micro DDI rule 2722 specifically detects CVE-2017-0146 SMB RCE request traffic; use as a reference signature pattern for network-based detection. ↗
- →Qualys QID 91357 detects EternalChampion (CVE-2017-0146 & CVE-2017-0147) via authenticated scan or Cloud Agent; use as a vulnerability detection reference. ↗
- →The exploit overwrites connection session information to gain Administrator session; monitor for unexpected privilege escalation following SMB connections. ↗
- →The Metasploit module defaults to connecting to the ADMIN$ share; alert on psexec-style service binary uploads to ADMIN$ following SMB exploitation. ↗
- ·CVE-2017-0146 (EternalChampion) is addressed by MS17-010; unpatched and end-of-life systems (Windows XP, Server 2003) remain vulnerable as no patch is available for those platforms. ↗
- ·The Metasploit exploit module targets both x86 and x64 Windows architectures; ensure detection coverage spans both. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck8.8HIGH
cisa8.8HIGH
vendor_msrc8.1HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA
Microsoft Windows SMB Remote Code Execution Vulnerability
cisa·2022-03-25·CVSS 8.8
CVE-2017-0146 [HIGH] CWE-20 Microsoft Windows SMB Remote Code Execution Vulnerability
Vulnerability: Microsoft Windows SMB Remote Code Execution Vulnerability
Affected: Microsoft Windows
The SMBv1 server in Microsoft Windows allows remote attackers to perform remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-0146
Remediation Due Date: 2022-04-15
Microsoft
Windows SMB Remote Code Execution Vulnerability
vendor_msrc·2017-03-14·CVSS 8.1
CVE-2017-0146 [HIGH] Windows SMB Remote Code Execution Vulnerability
Windows SMB Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.
To exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.
The security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.
Windows SMB Server: Windows SMB Server
Microsoft: Microsoft
Customer Action Required: Yes
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation More Likel
GHSA
GHSA-fqgw-29m3-pwh5: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
ghsa_unreviewed·2022-05-14·CVSS 8.8
CVE-2017-0143 [HIGH] CWE-20 GHSA-fqgw-29m3-pwh5: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
GHSA
GHSA-3c3r-82gp-wc94: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
ghsa_unreviewed·2022-05-14·CVSS 8.8
CVE-2017-0146 [HIGH] CWE-20 GHSA-3c3r-82gp-wc94: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0148.
GHSA
GHSA-8w56-gqrj-2wfg: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
ghsa_unreviewed·2022-05-14·CVSS 8.8
CVE-2017-0144 [HIGH] CWE-20 GHSA-8w56-gqrj-2wfg: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
GHSA
GHSA-jxmr-j43h-4x9p: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
ghsa_unreviewed·2022-05-14·CVSS 8.8
CVE-2017-0145 [HIGH] CWE-20 GHSA-jxmr-j43h-4x9p: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148.
GHSA
GHSA-mfj7-24mx-p6qj: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
ghsa_unreviewed·2022-05-14·CVSS 8.8
CVE-2017-0148 [HIGH] CWE-20 GHSA-mfj7-24mx-p6qj: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0146.
VulnCheck
Microsoft Windows SMB Remote Code Execution Vulnerability
vulncheck·2017·CVSS 8.8
CVE-2017-0146 [HIGH] CWE-20 Microsoft Windows SMB Remote Code Execution Vulnerability
Microsoft Windows SMB Remote Code Execution Vulnerability
The SMBv1 server in Microsoft Windows allows remote attackers to perform remote code execution.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://support.kaspersky.com/shadowbrokers; https://digital.nhs.uk/cyber-alerts/2017/cc-1353; https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_WannaCry_Ransomware_S508C.pdf; https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a9c54f79-d780-437b-a7f5-a74960e299d5&CommunityKey=8af7f28f-02f1-4107-8639-93a60b65
No detection rules found.
Exploit-DB
DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit)
exploitdb·2019-10-02
CVE-2017-0148 DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit)
DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'DOUBLEPULSAR Payload Execution and Neutralization',
'Description' => %q{
This module executes a Metasploit payload against the Equation Group's
DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.
While this module primarily performs code execution against the implant,
the "Neutralize implant" target allows you to disable the implant.
},
'Author' => [
'Equation Group', # DOUBLEPULSAR implant
'Shadow Brokers', # Equation Group dump
'zerosum0x0', # DOPU analysis and detection
'Luke Jennings', # DOPU analysis and detection
'wvu', # Metasploit modul
Exploit-DB
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)
exploitdb·2018-02-05
CVE-2017-0147 Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Windows XP systems that are not part of a domain default to treating all
# network logons as if they were Guest. This prevents SMB relay attacks from
# gaining administrative access to these systems. This setting can be found
# under:
#
# Local Security Settings >
# Local Policies >
# Security Options >
# Network Access: Sharing and security model for local accounts
class MetasploitModule 'MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution',
'Description' => %q{
This module will exploit
Exploit-DB
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)
exploitdb·2017-05-10
CVE-2017-0148 Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)
---
# Exploit Author: Juan Sacco at KPN Red Team - http://www.kpn.com
# Date and time of release: May, 9 2017 - 13:00PM
# Found this and more exploits on my open source security project: http://www.exploitpack.com
#
# MS17-010 - https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
# Tested on: Microsoft Windows Server 2008 x64 SP1 R2 Standard
#
# Description: SMBv1 SrvOs2FeaToNt OOB is prone to a remote code execution
# vulnerability because the application fails to perform adequate
# boundary-checks on user-supplied input. Srv.sys process SrvOs2FeaListSizeToNt
# and when the logic is not correct it leads to a cross-border copy. The vulnerability trigger point is as follows:
#
# Vu
Exploit-DB
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)
exploitdb·2017-04-17
CVE-2017-0147 Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# auxiliary/scanner/smb/smb_ms_17_010
require 'msf/core'
class MetasploitModule 'MS17-010 SMB RCE Detection',
'Description' => %q{
Uses information disclosure to determine if MS17-010 has been patched or not.
Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0.
If the status returned is "STATUS_INSUFF_SERVER_RESOURCES", the machine does
not have the MS17-010 patch.
This module does not require valid SMB credentials in default server
configurations. It can log on as the user "\" and connect to IPC$.
},
'Author' => [ 'Sean Dillon ' ],
'Referenc
Metasploit
MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
metasploit
MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original may not trigger 100% of the time, and should be run continuously until triggered. It seems like the pool will get hot streaks and need a cool down period before the shells rain in again. The module will attempt to use Anonymous logi
Metasploit
MS17-010 SMB RCE Detection
metasploit
MS17-010 SMB RCE Detection
MS17-010 SMB RCE Detection
Uses information disclosure to determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is "STATUS_INSUFF_SERVER_RESOURCES", the machine does not have the MS17-010 patch. If the machine is missing the MS17-010 patch, the module will check for an existing DoublePulsar (ring 0 shellcode/malware) infection. This module does not require valid SMB credentials in default server configurations. It can log on as the user "\" and connect to IPC$.
Metasploit
MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
metasploit
MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information with as an Administrator session. From there, the normal psexec command execution is done. Exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.
Metasploit
MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
metasploit
MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information with as an Administrator session. From there, the normal psexec payload code execution is done. Exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.
Metasploit
SMB DOUBLEPULSAR Remote Code Execution
metasploit
SMB DOUBLEPULSAR Remote Code Execution
SMB DOUBLEPULSAR Remote Code Execution
This module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the "Neutralize implant" target allows you to disable the implant.
Tenable
Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
blogs_tenable·2026-05-27
CVE-2023-4966 Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
## Exposure Management
## Explore By Use Case
## Explore By Industry
## Tenable is the one clear leader in Exposure Management
## Exposure management
resource center
## Accelerate your exposure management strategy with practical resources and tools.
## Explore By Use Case
## Explore By Industry
## Tenable is the one clear leader in Exposure Management
## Exposure management
resource center
## Accelerate your exposure management strategy with practical resources and tools.
## Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploit
Trendmicro
BlackSquid Infects Servers and Drives, 8 Exploits Used
blogs_trendmicro·2019-06-03·CVSS 9.8
[CRITICAL] BlackSquid Infects Servers and Drives, 8 Exploits Used
Cyber Threats
# BlackSquid Infects Servers and Drives, 8 Exploits Used
We found a new wormable malware we've named BlackSquid targeting web servers, network and removable drives using evasion, anti-virtualization, anti-debugging, and anti-sandboxing techniques to drop a Monero miner.
By: Johnlery Triunfante, Mark Vicente, Jay Nebre, Earle Maui Earnshaw
2019/06/03
Read time: ( words)
Save to Folio
We updated this article on August 27, 2019 at 7:37 PM PST to include a co-author and amend the solution.
An unpatched security flaw that gets successfully exploited is one thing. But eight exploits that can stealthily and simultaneously get through your businesses’ assets and data and your customers’ information are quite another. We found a new malware family that targets web servers, netw
Trendmicro
BlackSquid Infects Servers and Drives, 8 Exploits Used
blogs_trendmicro·2019-06-03·CVSS 9.8
[CRITICAL] BlackSquid Infects Servers and Drives, 8 Exploits Used
Cyber Threats
# BlackSquid Infects Servers and Drives, 8 Exploits Used
We found a new wormable malware we've named BlackSquid targeting web servers, network and removable drives using evasion, anti-virtualization, anti-debugging, and anti-sandboxing techniques to drop a Monero miner.
By: Johnlery Triunfante, Mark Vicente, Jay Nebre, Earle Maui Earnshaw
Jun 03, 2019
Read time: ( words)
Save to Folio
We updated this article on August 27, 2019 at 7:37 PM PST to include a co-author and amend the solution.
An unpatched security flaw that gets successfully exploited is one thing. But eight exploits that can stealthily and simultaneously get through your businesses’ assets and data and your customers’ information are quite another. We found a new malware family that targets web servers, ne
Checkpoint
BROKERS IN THE SHADOWS: Analyzing vulnerabilities and attacks spawned by the leaked NSA hacking tools
blogs_checkpoint·2017-05-25
CVE-2017-0144 BROKERS IN THE SHADOWS: Analyzing vulnerabilities and attacks spawned by the leaked NSA hacking tools
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
AI Research 2
Android Malware 23
Artificial Intelligence 4
ChatGPT 3
Check Point Research Publications 455
Cloud Security 1
CPRadio 44
Crypto 2
Data & Threat Intelligence 2
Data Analysis 0
Demos 22
Global Cyber Attack Reports 408
How To Guides 13
Ransomware 5
Russo-Ukrainian War 1
Security Report 1
Threat and data analysis 0
Threat Research 174
Web 3.0 Security 11
Wipers 0
## BROKERS IN THE SHADOWS: Analyzing vulnerabilities and attacks spawned by the leaked NSA hacking tools
Background
Rarely does the release of an exploit have such a large impact across the
Checkpoint
Global Outbreak of WannaCry
blogs_checkpoint·2017-05-12·CVSS 8.8
CVE-2017-0143 [HIGH] Global Outbreak of WannaCry
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
AI Research 2
Android Malware 23
Artificial Intelligence 4
ChatGPT 3
Check Point Research Publications 455
Cloud Security 1
CPRadio 44
Crypto 2
Data & Threat Intelligence 2
Data Analysis 0
Demos 22
Global Cyber Attack Reports 408
How To Guides 13
Ransomware 5
Russo-Ukrainian War 1
Security Report 1
Threat and data analysis 0
Threat Research 174
Web 3.0 Security 11
Wipers 0
## Global Outbreak of WannaCry
[Updated May 17, 2017]
On May 12, 2017 the Check Point Incident Response Team started tracking a wide spread outbreak of the WannaCryp ransomware . We have rep
Sentinelone
SentinelOne Detects Shadow Broker Binaries with Static AI
blogs_sentinelone·2017-04-21·CVSS 8.8
[HIGH] SentinelOne Detects Shadow Broker Binaries with Static AI
Waves of panic were sent through the cybersecurity community as suspected NSA spying tools were released by the Shadow Broker group. What appeared to be potentially one of the most damaging releases of nation-state tool, zero-day exploits was quickly neutralized. Microsoft came forward to announce that although the files contained about 20 different Windows-based exploits, previous patches to supported products rendered the attacks ineffective.
## Behind the Leak: The Shadow Broker Coming to Light
Shadow Brokers, the group behind the leak, garnered attention back in August for releasing hacking tools for routers and firewall products that were supposedly from a leading, possibly NSA-based cyberespionage team called Equation Group. Since then, security experts have suspected that the hack
Sentinelone
SentinelOne Detects Shadow Broker Binaries with Static AI
blogs_sentinelone·2017-04-21·CVSS 8.8
[HIGH] SentinelOne Detects Shadow Broker Binaries with Static AI
Waves of panic were sent through the cybersecurity community as suspected NSA spying tools were released by the Shadow Broker group. What appeared to be potentially one of the most damaging releases of nation-state tool, zero-day exploits was quickly neutralized. Microsoft came forward to announce that although the files contained about 20 different Windows-based exploits, previous patches to supported products rendered the attacks ineffective.
## Behind the Leak: The Shadow Broker Coming to Light
Shadow Brokers, the group behind the leak, garnered attention back in August for releasing hacking tools for routers and firewall products that were supposedly from a leading, possibly NSA-based cyberespionage team called Equation Group. Since then, security experts have suspected that the hack
Qualys
The Shadow Brokers Release Zero Day Exploit Tools | Qualys
blogs_qualys·2017-04-15·CVSS 8.8
[HIGH] The Shadow Brokers Release Zero Day Exploit Tools | Qualys
On Friday, a hacker group known as The Shadow Brokers publicly released a large number of functional exploit tools. Several of these tools make use of zero-day vulnerabilities, most of which are in Microsoft Windows. Exploiting these vulnerabilities in many cases leads to remote code execution and full system access.
Both end-of-support and current Windows versions are impacted, including Windows 2003, XP, Vista, 7, 2008, 8, and 2012. Microsoft has released patches for each vulnerability across all supported platforms, but will not be releasing patches for end-of-support versions of Windows. It is highly recommended that any end-of-support Windows systems be replaced or isolated, as these systems will often be impacted by new vulnerabilities, without the availability of a patch.
For zero
Qualys
The Shadow Brokers Release Zero Day Exploit Tools
blogs_qualys·2017-04-15·CVSS 8.8
[HIGH] The Shadow Brokers Release Zero Day Exploit Tools
On Friday, a hacker group known as The Shadow Brokers publicly released a large number of functional exploit tools. Several of these tools make use of zero-day vulnerabilities, most of which are in Microsoft Windows. Exploiting these vulnerabilities in many cases leads to remote code execution and full system access.
Both end-of-support and current Windows versions are impacted, including Windows 2003, XP, Vista, 7, 2008, 8, and 2012. Microsoft has released patches for each vulnerability across all supported platforms, but will not be releasing patches for end-of-support versions of Windows. It is highly recommended that any end-of-support Windows systems be replaced or isolated, as these systems will often be impacted by new vulnerabilities, without the availability of a patch.
For zero
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins
blogs_trendmicro·2017-03-15·CVSS 7.8
CVE-2017-0016 [HIGH] March 2017 Patch Tuesday: 18 Security Bulletins
Exploits & Vulnerabilities
# March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is hefty, with essentially two months’ worth of updates after Microsoft delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016.
By: Trend Micro
2017/03/15
Read time: ( words)
Save to Folio
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB). This vulnerability potentially allows cyber criminals to render affected system
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins
blogs_trendmicro·2017-03-15·CVSS 7.8
CVE-2017-0016 [HIGH] March 2017 Patch Tuesday: 18 Security Bulletins
Ausnutzung von Schwachstellen
## March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is hefty, with essentially two months’ worth of updates after Microsoft delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016.
By: Trend Micro Mar 15, 2017 Read time: ( words)
Save to Folio
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012 , which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB) . This vulnerability potentially allows cyber criminals to render affected
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins
blogs_trendmicro·2017-03-15·CVSS 7.8
CVE-2017-0016 [HIGH] March 2017 Patch Tuesday: 18 Security Bulletins
Sfruttamento vulnerabilità
## March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is hefty, with essentially two months’ worth of updates after Microsoft delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016.
By: Trend Micro Mar 15, 2017 Read time: ( words)
Save to Folio
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012 , which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB) . This vulnerability potentially allows cyber criminals to render affected sy
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins
blogs_trendmicro·2017-03-15·CVSS 7.8
CVE-2017-0016 [HIGH] March 2017 Patch Tuesday: 18 Security Bulletins
Exploits y vulnerabilidades
## March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is hefty, with essentially two months’ worth of updates after Microsoft delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016.
By: Trend Micro Mar 15, 2017 Read time: ( words)
Save to Folio
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012 , which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB) . This vulnerability potentially allows cyber criminals to render affected s
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins
blogs_trendmicro·2017-03-15·CVSS 7.8
CVE-2017-0016 [HIGH] March 2017 Patch Tuesday: 18 Security Bulletins
Exploits & Vulnerabilities
## March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is hefty, with essentially two months’ worth of updates after Microsoft delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016.
By: Trend Micro 2017/03/15 Read time: ( words)
Save to Folio
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012 , which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB) . This vulnerability potentially allows cyber criminals to render affected syst
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins
blogs_trendmicro·2017-03-15·CVSS 7.8
CVE-2017-0016 [HIGH] March 2017 Patch Tuesday: 18 Security Bulletins
Exploits & Vulnerabilities
## March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is hefty, with essentially two months’ worth of updates after Microsoft delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016.
By: Trend Micro Mar 15, 2017 Read time: ( words)
Save to Folio
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012 , which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB) . This vulnerability potentially allows cyber criminals to render affected sy
Recorded Future
What Is WannaCry? Analyzing the Global Ransomware Attack
blogs_recorded_future
What Is WannaCry? Analyzing the Global Ransomware Attack
# What Is WannaCry? Analyzing the Global Ransomware Attack
### Key Takeaways
- WannaCry ransomware is a new variant of WanaCypt0r, which uses the ETERNALBLUE SMBv1 exploit to infect connected systems.
- Over 100 countries were affected by the ransomware.
- Three Bitcoin wallets are associated with the WannaCry 2.0 ransomware, which have received almost $26,000 in transfers since the beginning of the latest infection, a small sum considering the scope of damage.
- As of this posting, no money appears to have been moved from the Bitcoin wallets.
- Criminals behind WannaCry piggybacked on publicly dumped Equation Group exploits in an attempt to abuse free tools for easy money.
- We believe the criminals behind WannaCry didn’t intend for such a widespread attack, nor did they possess the exp
Recorded Future
What Is WannaCry? Analyzing the Global Ransomware Attack | Recorded Future
blogs_recorded_future
What Is WannaCry? Analyzing the Global Ransomware Attack | Recorded Future
## What Is WannaCry? Analyzing the Global Ransomware Attack
## Key Takeaways
WannaCry ransomware is a new variant of WanaCypt0r, which uses the ETERNALBLUE SMBv1 exploit to infect connected systems.
Over 100 countries were affected by the ransomware .
Three Bitcoin wallets are associated with the WannaCry 2.0 ransomware, which have received almost $26,000 in transfers since the beginning of the latest infection, a small sum considering the scope of damage.
As of this posting, no money appears to have been moved from the Bitcoin wallets.
Criminals behind WannaCry piggybacked on publicly dumped Equation Group exploits in an attempt to abuse free tools for easy money.
We believe the criminals behind WannaCry didn’t intend for such a widespread attack, nor did they possess the expertise
arXiv
Evaluating the Performance of Twitter-based Exploit Detectors
arxiv_fulltext·2020-11-05
Evaluating the Performance of Twitter-based Exploit Detectors
Graygray0.9
g>Grayr
G>Grayc
## Abstract
Patch prioritization is a crucial aspect of information systems security, and knowledge of which vulnerabilities were exploited in the wild is a powerful tool to help systems administrators accomplish this task. The analysis of social media for this specific application can enhance the results and bring more agility by collecting data from online discussions and applying machine learning techniques to detect real-world exploits. In this paper, we use a technique that combines Twitter data with public database information to classify vulnerabilities as exploited or not-exploited. We analyze the behavior of different classifying algorithms, investigate the influence of different antivirus data as ground truth, and experiment with various time window
CTF
17. Using the Metasploit-Framework / Using the Metasploit-Framework
ctf_writeups
17. Using the Metasploit-Framework / Using the Metasploit-Framework
# Using the Metasploit-Framework
Tags: #🧑🎓
Related to: [[metasploit framework]]
See also:
Previous: [[HTB Academy]]
![[logo_using_the_metasploit_framework.png]]
The Metasploit Framework is an open-source set of tools used for network enumeration, attacks, testing security vulnerabilities, evading detection, performing privilege escalation attacks, and performing post-exploitation.
### Cheatsheet
#### MSFconsole Commands
| **Command** | **Description** |
| :--------------- | :----------------------------------------------------------- |
| `show exploits` | Show all exploits within the Framework. |
| `show payloads` | Show all payloads within the Framework. |
| `show auxiliary` | Show all auxiliary modules within the Framework. |
| `search ` | Search for exploits or modules within the
http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.htmlhttp://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.htmlhttp://www.securityfocus.com/bid/96707http://www.securitytracker.com/id/1037991https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdfhttps://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdfhttps://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0146https://www.exploit-db.com/exploits/41891/https://www.exploit-db.com/exploits/41987/https://www.exploit-db.com/exploits/43970/http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.htmlhttp://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.htmlhttp://www.securityfocus.com/bid/96707http://www.securitytracker.com/id/1037991https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdfhttps://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdfhttps://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0146https://www.exploit-db.com/exploits/41891/https://www.exploit-db.com/exploits/41987/https://www.exploit-db.com/exploits/43970/https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0146
2017-03-17
Published
2022-03-25
Added to CISA KEV
Exploited in the wild