# EternalBlue

{% embed url="https://www.sentinelone.com/blog/eternalblue-nsa-developed-exploit-just-wont-die/" %}

EternalBlue is an exploit for a critical software vulnerability in the Microsoft Windows operating system; it targets Microsoft's implementation of the SMBv1 protocol.

EternalBlue takes advantage of three bugs:

1. A mathematical error occurs when SMBv1 tries to determine how much memory to allocate, which sets up the conditions for a buffer overflow.
2. Two SMBv1 subcommands, *SMB\_COM\_TRANSACTION2* and *SMB\_COM\_NT\_TRANSACT*, create a validation error if *NT\_TRANSACT* is used immediately before *TRANSACTION2*.\
   \
   This validation error causes SMBv1 to allocate memory based on *TRANSACTION2*, whose packet is half the size of *NT\_TRANSACT*. Thus, the *NT\_TRANSACT* packet will occupy more space than it is allocated.
3. An SMBv1 vulnerability allows heap spraying, which results in a chunk of memory being allocated at a given address.
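
A detection heuristic for bug 2, added here as an example and not taken from the original page or from any product: it parses SMBv1 headers from client-to-server messages and flags a *TRANSACTION2*-family request that reuses the transaction IDs of a preceding *NT\_TRANSACT*. The command codes and 32-byte header layout come from the public SMB1 specification (MS-CIFS); the function names, the inclusion of the *TRANSACTION2* secondary command, and the sample messages are assumptions constructed for illustration.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
SMB_COM_TRANSACTION2_SECONDARY = 0x33
SMB_COM_NT_TRANSACT = 0xA0
TRANS2_FAMILY = {SMB_COM_TRANSACTION2, SMB_COM_TRANSACTION2_SECONDARY}

def parse_smb1_header(msg: bytes):
    """Return (command, transaction_key) from a 32-byte SMB1 header, or None."""
    if len(msg) < 32 or msg[:4] != SMB1_MAGIC:
        return None
    command = msg[4]
    # TID, PIDLow, UID and MID are little-endian 16-bit fields starting at offset 24.
    tid, pid, uid, mid = struct.unpack_from("<HHHH", msg, 24)
    return command, (tid, pid, uid, mid)

def find_transaction_mixups(messages):
    """Flag a TRANSACTION2-family request that reuses the IDs of a preceding NT_TRANSACT."""
    last_command = {}  # transaction key -> last transaction command seen on it
    alerts = []
    for index, msg in enumerate(messages):
        parsed = parse_smb1_header(msg)
        if parsed is None:
            continue  # not SMB1 (SMB2 starts with \xfeSMB) or truncated
        command, key = parsed
        if command in TRANS2_FAMILY and last_command.get(key) == SMB_COM_NT_TRANSACT:
            alerts.append((index, key))
        if command in TRANS2_FAMILY or command == SMB_COM_NT_TRANSACT:
            last_command[key] = command
    return alerts

def build_header(command, tid=1, pid=2, uid=3, mid=4):
    """Constructed sample data: a bare SMB1 header with zeroed status, flags and signature."""
    return SMB1_MAGIC + bytes([command]) + bytes(19) + struct.pack("<HHHH", tid, pid, uid, mid)

# Constructed client-to-server messages (headers only, no payloads).
SAMPLE = [
    build_header(SMB_COM_TRANSACTION2, mid=10),            # ordinary TRANSACTION2
    build_header(SMB_COM_NT_TRANSACT, mid=64),             # NT_TRANSACT opens mid=64
    build_header(SMB_COM_TRANSACTION2_SECONDARY, mid=64),  # same IDs, other command family
    build_header(SMB_COM_NT_TRANSACT, mid=65),
    build_header(SMB_COM_TRANSACTION2, mid=66),            # different MID: not flagged
    b"\xfeSMB" + bytes(60),                                # SMB2 message, ignored
]

if __name__ == "__main__":
    for index, key in find_transaction_mixups(SAMPLE):
        print(f"message {index}: TRANSACTION2 after NT_TRANSACT on (tid,pid,uid,mid)={key}")
```

Clients legitimately reuse a MID once a transaction has completed, so a production sensor would also track responses and expire finished transactions before alerting.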

Because EternalBlue is so widespread, there is a module that allows you to easily exploit it using [Metasploit](https://stuff.weelee.zip/network/c2/metasploit).

{% code title="Linux" %}

```fish
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set rhosts [target host]
run
```

{% endcode %}
