{"id":1204,"date":"2024-08-31T09:28:46","date_gmt":"2024-08-31T09:28:46","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=1204"},"modified":"2025-07-28T13:53:51","modified_gmt":"2025-07-28T13:53:51","slug":"nsa-exploit-eternalsynergy-modified-to-target-newer-windows-versions","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/nsa-exploit-eternalsynergy-modified-to-target-newer-windows-versions\/","title":{"rendered":"NSA Exploit EternalSynergy Modified to Target Newer Windows Versions"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"573\" height=\"350\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/nsa-exploit-etersyn-windows-featimg_header.jpg\" alt=\"\" class=\"wp-image-1209\"\/><\/figure>\n<\/div>\n\n\n<p>In April this year, the clandestine hacking group Shadow Brokers released a series of exploits developed by the NSA. One of these exploits \u2013 dubbed EternalSynergy \u2013 has recently been modified by Thai analyst Worawit Wang (aka sleepya) in order to prove it can work against newer versions of the Windows Operating System \u2013 a full list of these is further below.<\/p>\n\n\n\n<p>The original version of the exploit was known to be unstable and would often \u2018crash a target\u2019; the modified version stabilises the exploit and, according to Wang, now has a \u201cnearly 0%\u201d chance of doing so.&nbsp;<\/p>\n\n\n\n<p>Microsoft has registered the vulnerability as <strong>CVE-2017-0143.<\/strong><\/p>\n\n\n\n<p><strong>Vulnerability Description<\/strong><\/p>\n\n\n\n<p>The vulnerability involves part of the SMB header information transaction where certain parameters like UID, PID, TID and otherInfo are part of the transaction. 
The parameter values store the Transaction ID in the MID field and some additional fields store the same ID in the FID field.&nbsp;<\/p>\n\n\n\n<p>What this means is that any foreign SMB transaction parameters with a FID value that matches the original MID are considered a legitimate transaction. This authentication flaw in the SMB transaction is the root of the EternalSynergy vulnerability.<\/p>\n\n\n\n<p><strong>Exploiting the vulnerability&nbsp;<\/strong><\/p>\n\n\n\n<p>In a practical scenario, the vulnerability can be leveraged by packet confusion of the address pointer for the SMB_COM_WRITE_ANDX and SMB_COM_TRANSACTION_SECONDARY transactions. This means the rogue SMB_COM_TRANSACTION_SECONDARY transaction &#8211; if its FID value matches the SMB_COM_WRITE_ANDX MID \u2013 can overflow the original transaction.&nbsp;<\/p>\n\n\n\n<p>At this point, the start of the buffer will point to the rogue transaction\u2019s memory location. The potential risk in this is that any sequence of malicious code can now be executed from that location.&nbsp;<\/p>\n\n\n\n<p>It is this hijacking of the execution flow from the legitimate SMB transaction to the rogue transaction that enables the exploit to target more recent Windows versions.&nbsp;<\/p>\n\n\n\n<p>To further understand the real-time exploitation, we performed a code analysis on the vulnerability as listed on Exploit-DB:<\/p>\n\n\n\n<p><a href=\"https:\/\/www.exploit-db.com\/exploits\/42315\" target=\"_blank\" rel=\"noopener\">https:\/\/www.exploit-db.com\/exploits\/42315<\/a><\/p>\n\n\n\n<p>The first thing we noticed was that an authentication attack is the means by which system access is gained:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"227\" height=\"192\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/nsa-exploit-etersyn-windows-image1.png\" alt=\"\" class=\"wp-image-1205\"\/><\/figure>\n\n\n\n<p>The username and password fields can be used when launching 
the attack from the Meterpreter shell. The above graphic also shows the newer versions of Windows which the modified exploit can successfully target.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"991\" height=\"276\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/nsa-exploit-etersyn-windows-image2.png\" alt=\"\" class=\"wp-image-1206\"\/><\/figure>\n\n\n\n<p>The original transaction and the leaked (rogue) transaction are defined by the \u2018Groom Buffer\u2019 and \u2018Bride Buffer\u2019 headers. After the pool size calculation, the Bride Buffer is treated as a leaked transaction and the location will point to the leaked transaction\u2019s memory address.<\/p>\n\n\n\n<p>Looking at the exploit definition, we see the \u2018bug\u2019 leveraged to access the named pipes that are available, along with the target system\u2019s IP address.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"303\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/nsa-exploit-etersyn-windows-image3-1024x303.png\" alt=\"\" class=\"wp-image-1207\"\/><\/figure>\n\n\n\n<p>The if\/else function targets the Windows version based on the operating system and exits if no suitable version is identified.<\/p>\n\n\n\n<p>Successful exploitation of the target system is identified from the \u201cpwned\u201d file in the C:\\ directory of the target system:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"435\" height=\"94\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/nsa-exploit-etersyn-windows-image4.png\" alt=\"\" class=\"wp-image-1208\"\/><\/figure>\n\n\n\n<p>In this case, a text file \u201cpwned.txt\u201d is created.<\/p>\n\n\n\n<p>The above steps are from the maturity standpoint of the exploit, and a successful launch of the same from the MSF console with the proper pipe name, IP address and subsequent 
.dll file will serve the purpose for any attacker.<\/p>\n\n\n\n<p><strong>Conclusion<\/strong><\/p>\n\n\n\n<p>This updated version of the EternalSynergy exploit proves that it can be easily modified to target newer Windows versions \u2013 not just those that are out of support. As always, we recommend applying all updates and patches as soon as possible in order to close the vulnerabilities that enable this exploit to work.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In April this year, the clandestine hacking group, Shadow Brokers, released a series of exploits developed by the NSA. One of these exploits \u2013 dubbed EternalSynergy \u2013 has recently been modified by Thai analyst Worawit Wang (aka sleepya) in order to prove it can work against newer versions of the Windows Operating System \u2013 a full list of these is further below. Microsoft has registered the vulnerability as CVE-2017-0143.<\/p>\n","protected":false},"author":1,"featured_media":1209,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-1204","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1204","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=1204"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1204\/revisions"}],"predecessor-version":[{"id":4442,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1204\/revisions\/4442"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmn
trix.com\/blog\/wp-json\/wp\/v2\/media\/1209"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=1204"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=1204"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=1204"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}