MS17-010 / EternalBlue
Overview
This repository contains an educational implementation written to study the technical concepts behind the SMBv1 vulnerability (CVE-2017-0144, fixed by the MS17-010 update) exploited by EternalBlue.
The purpose of this project is security education, reverse engineering practice, and defensive analysis, not operational use. It serves as a reference for understanding how a memory corruption flaw and protocol-level behaviour can be combined into an exploitation chain.
This implementation models the exploitation mechanics of EternalBlue by controlling how the target processes NT Transaction requests and OS/2-style Extended Attribute (FEA) list data.
The script uses the Impacket SMB library to construct low-level SMB1 packets, specifically an SMB_COM_NT_TRANSACT request followed by SMB_COM_TRANSACTION2_SECONDARY messages. These carry a crafted FEA list (the NtFeaList) whose size and layout are chosen to exercise the server's vulnerable OS/2-to-NT FEA list conversion.
The FEA list sizes are chosen deliberately (e.g., 0x10000 and 0x11000) because they correspond to allocation sizes in the Windows non-paged pool. The server first computes how large the converted NT list will be and allocates that much, then copies entries according to the list's own size field; the crafted layout makes the two passes disagree about where the list ends, so more data is copied than was allocated, yielding a controlled memory corruption.
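The following pure-Python model shows the size mismatch described above. It is an added example, not the repository's script. It builds an OS/2 FEA list in the MS-CIFS SMB_FEA_LIST format and then runs a simplified version of the server's two passes: the size computation and the conversion copy into NT FILE_FULL_EA_INFORMATION records. The detail that makes the passes disagree, a recomputed list length stored back as a 16-bit value, follows the public analyses of CVE-2017-0144; the function names, the allocation model (entries only, no pool header) and the sample list layout are this example's own assumptions.

```python
"""Model of the OS/2 -> NT FEA list conversion at the core of MS17-010.

Added example, not the repository's script.  Wire formats follow MS-CIFS
SMB_FEA_LIST / SMB_FEA and the NT FILE_FULL_EA_INFORMATION record.  The
server logic is a simplified model of the public analyses: the size pass
recomputes how much of the list is valid and stores it back as a 16-bit
value (the bug); the copy pass then converts entries until that size is
reached.  Function names and the sample layout are this example's own.
"""
import struct

OS2_LIST_HDR = 4    # SizeOfListInBytes (ULONG)
OS2_FEA_HDR = 4     # ExtendedAttributeFlag, AttributeNameLengthInBytes, ValueLengthInBytes
NT_FEA_HDR = 8      # NextEntryOffset, Flags, EaNameLength, EaValueLength


def align4(n):
    return (n + 3) & ~3


def build_os2_fea_list(entries, declared_size=None):
    """Serialise (flag, name, value) tuples as an SMB_FEA_LIST.

    declared_size overrides SizeOfListInBytes so that, as in the exploit,
    the header can claim a size that differs from the bytes that follow.
    """
    body = bytearray()
    for flag, name, value in entries:
        body += struct.pack("<BBH", flag, len(name), len(value))
        body += name + b"\x00" + value
    size = OS2_LIST_HDR + len(body) if declared_size is None else declared_size
    return struct.pack("<I", size) + bytes(body)


def iter_os2_entries(buf, cb_list):
    """Yield (pos, flag, name_len, value_len, entry_len) while pos < cb_list
    and the request still holds an entry header.  (The data-exhaustion check
    is this model's; the real server would keep reading past the request.)"""
    pos = OS2_LIST_HDR
    while pos < cb_list and pos + OS2_FEA_HDR <= len(buf):
        flag, name_len, value_len = struct.unpack_from("<BBH", buf, pos)
        entry_len = OS2_FEA_HDR + name_len + 1 + value_len   # +1: NUL after name
        yield pos, flag, name_len, value_len, entry_len
        pos += entry_len


def os2_list_size_to_nt(buf, buggy=True):
    """Size pass.  Returns (nt_size_to_allocate, cb_list_after_pass)."""
    cb_list = struct.unpack_from("<I", buf, 0)[0]
    nt_size = 0
    for pos, _flag, name_len, value_len, entry_len in iter_os2_entries(buf, cb_list):
        if pos + entry_len > cb_list:
            # Entry runs past the declared list: truncate the list at this
            # entry.  The vulnerable code writes the new length as a WORD, so
            # the high 16 bits of the original SizeOfListInBytes survive.
            if buggy:
                cb_list = (cb_list & 0xFFFF0000) | (pos & 0xFFFF)
            else:
                cb_list = pos
            break
        nt_size += align4(NT_FEA_HDR + name_len + 1 + value_len)
    return nt_size, cb_list


def os2_list_to_nt(buf, cb_list):
    """Copy pass: convert entries to FILE_FULL_EA_INFORMATION records until
    pos reaches cb_list.  Returns the bytes the server would write."""
    records = []
    for pos, flag, name_len, value_len, entry_len in iter_os2_entries(buf, cb_list):
        name = buf[pos + OS2_FEA_HDR:pos + OS2_FEA_HDR + name_len]
        value = buf[pos + OS2_FEA_HDR + name_len + 1:pos + entry_len]
        records.append((flag, name, value))
    out = bytearray()
    for i, (flag, name, value) in enumerate(records):
        rec_len = align4(NT_FEA_HDR + len(name) + 1 + len(value))
        next_off = rec_len if i + 1 < len(records) else 0
        rec = struct.pack("<IBBH", next_off, flag, len(name), len(value)) + name + b"\x00" + value
        out += rec.ljust(rec_len, b"\x00")
    return bytes(out)


def simulate(buf, buggy=True):
    """Run both passes and report how far the copy exceeds the allocation."""
    alloc, cb_list = os2_list_size_to_nt(buf, buggy)
    copied = len(os2_list_to_nt(buf, cb_list))
    return {"alloc": alloc, "cb_list": cb_list, "copied": copied,
            "overflow": max(0, copied - alloc)}


def crafted_list():
    """Constructed input in the exploit's shape: SizeOfListInBytes claims
    exactly 0x10000, a filler entry ends at offset 0xff5d, and a final entry
    starting there runs past 0x10000 but is present in full."""
    filler = (0, b"", b"A" * 0xff54)   # 4 + 1 + 0xff54 = 0xff59 bytes, ends at 0xff5d
    last = (0, b"", b"B" * 0x200)      # 0x205 bytes, would end at 0x10162
    return build_os2_fea_list([filler, last], declared_size=0x10000)


if __name__ == "__main__":
    data = crafted_list()
    for flag in (True, False):
        r = simulate(data, buggy=flag)
        print("buggy" if flag else "fixed", {k: hex(v) for k, v in r.items()})
```

With the 16-bit store, the declared size 0x10000 becomes 0x1ff5d instead of 0xff5d after the size pass, so the copy pass also converts the trailing entry and writes 0x20c bytes more than the 0xff60 that were allocated; with a full 32-bit store the two passes agree and nothing overflows.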
To influence the kernel heap layout, the code grooms the non-paged pool by opening multiple SMB connections. The allocations these connections cause raise the probability that an attacker-controlled buffer ends up adjacent to SRVNET structures.
The script then prepares a fake SRVNET buffer header and an MDL-like structure whose field layouts follow the reverse-engineered originals. Specific fields are populated to model how overwritten metadata can redirect a memory write or alter control flow in the receive-completion path.
Large payloads are sent as a fragmented transaction: an initial NT Transact request declares the total data size and carries the first fragment, and Transaction2 Secondary messages deliver the rest. This mirrors how the server reassembles transaction data internally before processing it.
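The fragmentation and reassembly just described, as an added example (not the repository's script). The field widths it enforces come from MS-CIFS: SMB_COM_NT_TRANSACT declares a 32-bit TotalDataCount, while SMB_COM_TRANSACTION2_SECONDARY carries its DataCount and DataDisplacement as 16-bit values, which is why the bulk of an oversize payload has to travel in the primary. The server-side Transaction class is a simplified model, not srv.sys code, and the bounds check in add_fragment is the one a correct reassembler performs; all names are this example's own.

```python
"""Model of fragmented transaction delivery and server-side reassembly.

Added example, not the repository's script.  Field widths follow MS-CIFS:
SMB_COM_NT_TRANSACT declares a 32-bit TotalDataCount, while
SMB_COM_TRANSACTION2_SECONDARY carries its DataCount and DataDisplacement
as 16-bit values.  The reassembler is a simplified model: the server
matches every fragment to the open transaction and places its data at the
fragment's displacement, regardless of which command started the
transaction.  Names are this example's own.
"""

NT_TRANSACT = 0xA0              # SMB_COM_NT_TRANSACT command code
TRANSACTION2_SECONDARY = 0x33   # SMB_COM_TRANSACTION2_SECONDARY command code
MAX_U16 = 0xFFFF


def fragment(payload, primary_max, secondary_max):
    """Split payload into an NT Transact primary plus Transaction2 Secondary
    fragments.  Returns a list of (command, total_data_count, displacement, data).

    The primary's data count is 32-bit, so it can carry a large first fragment
    (limited in practice by the negotiated buffer size).  Each secondary must
    start at a displacement that fits in 16 bits.
    """
    total = len(payload)
    frags = [(NT_TRANSACT, total, 0, payload[:primary_max])]
    pos = len(frags[0][3])
    while pos < total:
        if pos > MAX_U16:
            raise ValueError("next DataDisplacement does not fit in 16 bits; "
                             "put more data in the NT Transact primary")
        end = min(pos + secondary_max, total)
        # If the following fragment would start above 0xFFFF, this one has to
        # carry the remainder (bounded by its own 16-bit DataCount).
        if end < total and end > MAX_U16:
            end = min(total, pos + MAX_U16)
        frags.append((TRANSACTION2_SECONDARY, total, pos, payload[pos:end]))
        pos = end
    return frags


def can_fragment(payload_len, primary_max, secondary_max):
    """True if a payload of this length fits the fragmentation rules above."""
    try:
        fragment(bytes(payload_len), primary_max, secondary_max)
        return True
    except ValueError:
        return False


class Transaction:
    """Server-side state for one transaction: a buffer sized from the
    primary's TotalDataCount and a map of which bytes have arrived."""

    def __init__(self, total_data_count):
        self.buf = bytearray(total_data_count)
        self.filled = bytearray(total_data_count)

    def add_fragment(self, displacement, data):
        end = displacement + len(data)
        if end > len(self.buf):
            # The check a correct server performs before copying: a fragment
            # may not write past the buffer declared by the primary.
            raise ValueError("fragment exceeds TotalDataCount")
        self.buf[displacement:end] = data
        self.filled[displacement:end] = b"\x01" * len(data)
        return self.complete()

    def complete(self):
        return all(self.filled)


def reassemble(frags):
    """Replay fragments against a Transaction; returns the assembled data once
    every byte has arrived, else None."""
    cmd, total, disp, data = frags[0]
    if cmd != NT_TRANSACT or disp != 0:
        raise ValueError("first fragment must be the NT Transact primary")
    txn = Transaction(total)
    txn.add_fragment(disp, data)
    for _cmd, _total, disp, data in frags[1:]:
        # Only the transaction identity matters here; the secondary's command
        # (Transaction2) differs from the primary's (NT Transact).
        txn.add_fragment(disp, data)
    return bytes(txn.buf) if txn.complete() else None


if __name__ == "__main__":
    sample = bytes(range(256)) * 0x101          # constructed 0x10100-byte payload
    parts = fragment(sample, 0x8000, 0x4000)
    for cmd, total, disp, data in parts:
        print(hex(cmd), hex(total), hex(disp), hex(len(data)))
    print("reassembled ok:", reassemble(parts) == sample)
```

For a 0x10100-byte payload with an 0x8000-byte primary, the splitter emits two secondaries, the second of which grows to 0x4100 bytes because a third would need a displacement above 0xFFFF; a payload that cannot be covered this way is rejected rather than silently truncated.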
Because the outcome depends on kernel memory state, allocation timing, and pool layout, reliability is inherently variable, and a failed attempt can leave a vulnerable target unstable or crash it outright.