NSA-Linked Hacking Tools Ported to Metasploit

Three hacking tools supposedly stolen from the National Security Agency-linked Equation Group and made public last year were recently ported to Rapid7’s Metasploit Framework.

The three exploits – EternalSynergy, EternalRomance, and EternalChampion – were released publicly in April 2017 alongside the more popular EternalBlue, one month after Microsoft patched them. 

The tools could previously be used only on several, older Windows releases, although EternalSynergy was modified to target recent Windows versions as well. Last year, EternalRomance was used in the global Bad Rabbit ransomware attack.

All three exploits can now be used to target all Windows versions since Windows 2000, Sean Dillon, a security researcher with RiskSense who goes by the online handle of @zerosum0x0, reveals. The researcher modified the exploits and merged them into the open-source Metasploit Framework. 

The three tools target two vulnerabilities in Microsoft’s platform, namely CVE-2017-0146, a race condition with Transaction requests exploited by EternalChampion and EternalSynergy, and CVE-2017-0143, a type confusion between WriteAndX and Transaction requests exploited by EternalRomance and EternalSynergy. 

The researcher explains that the module does not use kernel shellcode to stage Meterpreter, meaning that those interested in leveraging it would need to use evasion for their payloads. However, the tool can be used to run any command as System or to stage Meterpreter.

“This module is highly reliable and preferred over EternalBlue where a Named Pipe is accessible for anonymous logins (generally, everything pre-Vista, and relatively common for domain computers in the wild),” the researcher says. 

The module does not attempt shellcode execution, but overwrites the SMB connection session structures instead, thus achieving Admin/SYSTEM session. 

“The MSF module is leaner (stripped down packet count/padding), checks extra named pipes, sprinkles randomness where possible, and has Metasploit’s psexec DCERPC implementation bolted onto it. For the last reason, Rex is used and not RubySMB,” the researcher explains. 

The exploits can be used on both 32-bit and 64-bit architectures and target all platform iterations from Windows 2000 to Windows 10 and Windows Server 2016. 

The module is available on GitHub. As Dillon points out, it has been created for academic research and the development of defenses, not to be used in attacks, except where explicitly authorized. 

Related: ‘Bad Rabbit’ Ransomware Uses NSA Exploit to Spread

Related: EternalSynergy-Based Exploit Targets Recent Windows Versions