Eternalblue, DoublePulsar NSA Exploit

This is going to be a series of articles about building the NSA/ShadowBrokers exploit kit. We will cover the following exploits (Eternalblue, EternalRomance, DoublePulsar) against Windows Server 2003, 2008 and 2012, and of course, why not, 2016 as well 🙂


I’m not going to cover the background history lessons here; for more information, please read here

Ok so Eternalblue & EternalRomance are two fantastic buffer-overflow exploits that target SMBv1 through the memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt with a simple mathematical mistake where a DWORD is subtracted into a WORD. The kernel pool is groomed so that the overflow overwrites an SMBv1 buffer. The actual return address pointer (RIP) hijack is later completed in srvnet!SrvNetWskReceiveComplete.
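As an added illustration of the size-calculation defect described above (this is constructed example code, not code from the post or from Windows), the following C model stores a DWORD result through a WORD next to the corrected store, together with the bounds check a copy routine needs before its memmove; the struct, function names and sizes are assumptions, not the real srv.sys layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the OS/2 FEA list header (not the real SMB layout). */
typedef struct { uint32_t size_of_list_in_bytes; } fea_list_t;

/* The defect described above: the recomputed size is a DWORD but is stored
 * through a WORD, so only the low 16 bits change and the high 16 bits keep
 * whatever the client sent. Returns the size the header now claims. */
uint32_t fea_list_size_update_vulnerable(fea_list_t *list, uint32_t nt_size)
{
    list->size_of_list_in_bytes =
        (list->size_of_list_in_bytes & 0xFFFF0000u) | (nt_size & 0x0000FFFFu);
    return list->size_of_list_in_bytes;
}

/* Corrected form: the whole DWORD is written. */
uint32_t fea_list_size_update_fixed(fea_list_t *list, uint32_t nt_size)
{
    list->size_of_list_in_bytes = nt_size;
    return list->size_of_list_in_bytes;
}

/* The check the conversion must make before its memmove: the header may not
 * claim more bytes than the NT-format buffer that was allocated for it. */
bool fea_list_fits_allocation(uint32_t claimed, uint32_t allocated)
{
    return claimed <= allocated;
}

/* Constructed scenario: a header claiming 0x00010100 bytes whose recomputed
 * NT size (and therefore allocation) is 0xFF00. Returns the claimed size. */
uint32_t claimed_size_after_update(bool use_fixed)
{
    fea_list_t list = { 0x00010100u };
    return use_fixed ? fea_list_size_update_fixed(&list, 0xFF00u)
                     : fea_list_size_update_vulnerable(&list, 0xFF00u);
}

int main(void)
{
    uint32_t v = claimed_size_after_update(false), f = claimed_size_after_update(true);
    printf("vulnerable: header claims 0x%08X, fits 0xFF00 allocation: %d\n",
           v, fea_list_fits_allocation(v, 0xFF00u));
    printf("fixed:      header claims 0x%08X, fits 0xFF00 allocation: %d\n",
           f, fea_list_fits_allocation(f, 0xFF00u));
    return 0;
}
```

The vulnerable store leaves the header claiming 0x0001FF00 bytes while only 0xFF00 were allocated, which is exactly the disagreement the bounds check rejects.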

We will not use the NSA backdoor DLL; instead we generate our own DLL with msfvenom and execute it against our target machine.


Attacker IP (Kali Linux)

Target IP ( Lab domain joined Windows server 2008 r2 with Smbv1 unpatched)

Ok so I decided to port the NSA exploit kit onto my Kali system.


Figure 1 NSA exploit kit, Windows based, ported to Linux


Figure 2 Exploit kit in Python with a nice graphical NSA interface 🙂


Figure 3 Set the target IP address and callback IP address


Figure 4 We use the DoublePulsar exploit to check if the system is already infected 🙂


Figure 5 We choose the backdoor function and set the path /tmp/win2008.bin for the shellcode binary to deliver to the target system


Figure 6 Final validation, and we execute the exploit against the target


Figure 7 Successful execution; the shellcode is written to the output file


Figure 8 We use the Eternalblue SMBv1 exploit code and an msfvenom reverse shell DLL to execute code on the target system


Figure 9 We select 1, traditional exploit deployment, using the FUZZBUNCH NSA framework


Figure 10 We execute Eternalblue with our custom DLL


Figure 11 Reverse shell from the target to our Kali machine


So let’s summarize

  • SMBv1 is bad and easy to exploit
  • The Eternalblue exploit runs with SYSTEM privileges
