NSA’s EternalBlue Exploit Fully Ported to Metasploit

The National Security Agency (NSA)-linked EternalBlue exploit that became well known after being used in a recent global ransomware campaign has been ported to the popular Metasploit penetration testing Framework.

Along with DoublePulsar, EternalBlue is one of the latest exploits publicly released by the hackers calling themselves “The Shadow Brokers” and is said to have been used by the NSA-linked Equation Group to launch cyber-attacks. When EternalBlue was made public, however, the flaw had been already addressed by Microsoft in their March security patches.

Abusing a vulnerability in Windows’ Server Message Block (SMB) implementation on port 445, EternalBlue allowed the WannaCry ransomware to spread like a worm and hit over 200,000 machines within only a few days. Before WannaCry, however, a crypto-currency mining botnet dubbed Adylkuzz had been using the same exploit to compromise devices.

Researchers currently estimate that roughly one million Internet-accessible systems remain vulnerable to EternalBlue, but chances are that many more existed only a couple of days ago. Not only did Microsoft issue an emergency patch for older systems over the weekend, but the Adylkuzz botnet also blocks access to SMB after infection, to prevent other malware from exploiting the vulnerability.
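The worm-like spread described above has a simple network signature: one host opening connections to many distinct peers on port 445 within a short window. The following detection is an added example, not code from the article, from WannaCry analyses, or from Metasploit; it runs over a constructed, simplified flow-log format (`<epoch> <src_ip> <dst_ip> <dst_port> <action>`), and the 60-second window and 20-host threshold are assumptions chosen for illustration.

```python
"""Flag SMB fan-out (worm-like propagation) in connection logs.

Added example, not from the SecurityWeek article. Log format, window and
threshold are assumptions; the sample log is constructed in-line.
"""
from collections import defaultdict, deque


def parse_line(line: str):
    """Parse one constructed flow record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return {"ts": int(parts[0]), "src": parts[1], "dst": parts[2],
                "dst_port": int(parts[3]), "action": parts[4]}
    except ValueError:
        return None


def detect_smb_fanout(lines, window_seconds=60, distinct_threshold=20, port=445):
    """Return {src_ip: peak_distinct_targets} for sources that contacted at
    least `distinct_threshold` distinct hosts on `port` inside any sliding
    window of `window_seconds`. Benign file-server use keeps talking to the
    same few hosts; a scanning worm fans out to many."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dst_port"] == port:
            events[rec["src"]].append((rec["ts"], rec["dst"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()                      # sliding window needs time order
        window = deque()                # (ts, dst) pairs inside the window
        seen = defaultdict(int)         # dst -> occurrences inside the window
        peak = 0
        for ts, dst in evs:
            window.append((ts, dst))
            seen[dst] += 1
            while window and ts - window[0][0] > window_seconds:
                old_ts, old_dst = window.popleft()
                seen[old_dst] -= 1
                if seen[old_dst] == 0:
                    del seen[old_dst]
            peak = max(peak, len(seen))
        if peak >= distinct_threshold:
            flagged[src] = peak
    return flagged


def build_sample_log():
    """Constructed sample: one fast scanner, one benign client, one slow scanner."""
    base = 1495000000
    lines = []
    # 10.0.0.5: 25 distinct targets on 445 within 25 seconds -> worm-like
    for i in range(25):
        lines.append(f"{base + i} 10.0.0.5 10.0.1.{10 + i} 445 allow")
    # 10.0.0.7: repeated connections to a single file server, plus one HTTPS flow
    for i in range(30):
        lines.append(f"{base + i} 10.0.0.7 10.0.2.20 445 allow")
    lines.append(f"{base + 5} 10.0.0.7 10.0.2.21 443 allow")
    # 10.0.0.9: 25 distinct targets spread three minutes apart -> stays under the
    # per-window threshold; a longer window or a daily distinct-host count would
    # be needed to catch such slow scans
    for i in range(25):
        lines.append(f"{base + i * 180} 10.0.0.9 10.0.3.{10 + i} 445 allow")
    lines.append("not a flow record")   # malformed line, skipped by the parser
    return lines


if __name__ == "__main__":
    print(detect_smb_fanout(build_sample_log()))   # {'10.0.0.5': 25}
```

The slow-scanner host in the sample is deliberately left unflagged: a short sliding window is tuned for the burst behaviour of WannaCry-style propagation, and a second, longer-horizon count of distinct 445 peers per source is the usual complement.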

Because malicious actors are already using EternalBlue in live attacks, researchers decided to add the exploit to the open source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. The Framework is a sub-project of the Metasploit penetration testing project, a collaboration between the open source community and Rapid7.

The vulnerability exploited by EternalBlue is in SMBv1, but the exploit uses SMBv2 to deliver the shellcode, explains one of the researchers behind the port, who goes by the online handle zerosum0x0. The penetration tester also notes that the code is still a little rough, but that more work will be done on it.
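Because the flaw lives in SMBv1, a defender's first question is which hosts still speak it. The SMB dialects are distinguishable from the first bytes on the wire: over TCP 445 each message carries a 4-byte NetBIOS session header, then a header beginning `\xFFSMB` for SMBv1 or `\xFESMB` for SMBv2. The classifier below is an added example, not code from the article or from the Metasploit module; its sample payloads are constructed in-line and the flow list it inspects is a hypothetical `(src_ip, first_payload)` feed from a capture tool.

```python
"""Classify SMB dialect from the first bytes of a TCP 445 payload and list
hosts that still negotiate SMBv1.

Added example, not from the SecurityWeek article or Metasploit. Sample
messages are constructed in-line.
"""

# Direct-hosted SMB over TCP 445 wraps each message in a 4-byte NetBIOS
# session header: type byte 0x00 followed by a 24-bit big-endian length.
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_NEGOTIATE = 0x72      # SMB_COM_NEGOTIATE: command byte right after the magic
SMB2_NEGOTIATE = 0x0000    # SMB2 NEGOTIATE: 16-bit LE command at header offset 12


def strip_netbios(payload: bytes) -> bytes:
    """Remove the NetBIOS session header when present and its length matches."""
    if len(payload) >= 4 and payload[0] == 0x00:
        length = int.from_bytes(payload[1:4], "big")
        if length == len(payload) - 4:
            return payload[4:]
    return payload


def classify_smb(payload: bytes) -> dict:
    """Return {"dialect": "smb1" | "smb2" | "unknown", "negotiate": bool}."""
    msg = strip_netbios(payload)
    if msg.startswith(SMB1_MAGIC) and len(msg) >= 32:       # SMB1 header is 32 bytes
        return {"dialect": "smb1", "negotiate": msg[4] == SMB1_NEGOTIATE}
    if msg.startswith(SMB2_MAGIC) and len(msg) >= 64:       # SMB2 header is 64 bytes
        command = int.from_bytes(msg[12:14], "little")
        return {"dialect": "smb2", "negotiate": command == SMB2_NEGOTIATE}
    return {"dialect": "unknown", "negotiate": False}


def smb1_negotiators(flows):
    """Given (src_ip, payload) pairs, return the sorted list of sources that
    open sessions with an SMBv1 Negotiate: the hosts to patch or to disable
    SMBv1 on."""
    return sorted({src for src, payload in flows
                   if classify_smb(payload) == {"dialect": "smb1", "negotiate": True}})


def _netbios(msg: bytes) -> bytes:
    """Prefix a message with a constructed NetBIOS session header."""
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


# Constructed sample messages: a 32-byte SMB1 header carrying the Negotiate
# command, and a 64-byte SMB2 header with command 0 (NEGOTIATE).
SMB1_NEGOTIATE_MSG = _netbios(SMB1_MAGIC + bytes([SMB1_NEGOTIATE]) + b"\x00" * 27)
SMB2_NEGOTIATE_MSG = _netbios(
    SMB2_MAGIC + (64).to_bytes(2, "little")      # ProtocolId, StructureSize
    + b"\x00" * 6                                # CreditCharge, Status
    + SMB2_NEGOTIATE.to_bytes(2, "little")       # Command
    + b"\x00" * 50)                              # rest of the 64-byte header
HTTP_MSG = b"GET / HTTP/1.1\r\n\r\n"            # something that is not SMB at all

SAMPLE_FLOWS = [                                 # constructed (src_ip, payload) feed
    ("10.0.0.5", SMB1_NEGOTIATE_MSG),
    ("10.0.0.7", SMB2_NEGOTIATE_MSG),
    ("10.0.0.9", HTTP_MSG),
]

if __name__ == "__main__":
    for src, payload in SAMPLE_FLOWS:
        print(src, classify_smb(payload))
    print("SMBv1 clients:", smb1_negotiators(SAMPLE_FLOWS))   # ['10.0.0.5']
```

Only the Negotiate is checked because it is the one message every session starts with, so a single hit per source is enough to inventory SMBv1 clients; the length checks keep truncated captures from being misclassified.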

“The genie is already out of the bottle with EternalBlue. Let’s keep in mind it’s probably easier to rebundle the EternalBlue.exe than it is to pull in Ruby and Metasploit. Also, the original exploit still targets more versions. Just patch your systems, people, it really isn’t that hard. White hats need this exploit (instead of sketchy NSA malware) to show its impact to clients,” the researcher says.

The researcher also notes that FuzzBunch (the NSA’s exploitation framework, similar to Metasploit) makes the attack point-and-click, and that cybercriminals already have worms abusing it. The addition of EternalBlue to Metasploit should prove of great help to the infosec community, zerosum0x0 explains.

“I look at it this way, attackers and defenders are in an asymmetric war. If study is not done to the tools that are available to attackers, it is impossible to defend against them,” the researcher says.

Catalin Cosoi, Chief Security Strategist at Bitdefender, has already expressed fears that EternalBlue-powered ransomware is bound to become the norm. Because many organizations failed to patch their systems in a timely manner, “it was only a matter of time until a cybercriminal group would weaponize the leaked vulnerability and strike at unpatched Windows systems,” he said.

“Computers in public institutions, hospitals and other care facilities are usually rarely updated. If they are not hit by ransomware now, these computers are vulnerable to state-sponsored attacks for as long as they remain unpatched. Ransomware is the best case scenario now, because it’s visible. But complex threats can be built on it, to stay persistent and infiltrate organizations for a very long time,” Cosoi added.

One major difference between the Metasploit port of EternalBlue and the recent WannaCry and Adylkuzz attacks is the use of DoublePulsar. Instead of the NSA backdoor, the open source project stages Meterpreter userland payloads directly from the kernel through a queued APC. The shellcode uses a technique similar to DoublePulsar’s DLL injection, but is much smaller (up to 1,000 bytes, depending on the options enabled, compared to the 5,000 bytes of the NSA code).

“This exploit also demonstrates what is important in the exploit for IDS/IPS/firewall rule makers. By finding out everything that can be nulled out, it evades many rules which were not fully considered; however, those vendors can now add proper rules before a ‘0-day’ worm version of it comes out,” zerosum0x0 points out.

Related: Industry Reactions to WannaCry Ransomware Attacks

Related: Vulnerable Services Emulator Released for Metasploit

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
