[DISCLAIMER: So far, the exploit hasn't worked for me. But I am outside of the office, and do not have access to my usual tools. Please let us know if you have any additional details.]
Shadowbroker, as part of the set of exploits it collected and had offered for auction, today released a number of Windows-related exploits. One that looks particularly interesting, as it promises an exploit via SMB for Windows hosts up to Windows 8 and Windows Server 2012, was published under the name ETERNALBLUE.
Right now, I haven't been able to make it fully work yet, but I was able to collect some packets to a Windows 7 system. By default, the exploit makes 3 attempts to attack a system. An XML file accompanying the exploit allows the attacker to configure various parameters.
In general, an SMB exploit *should* not be all that exciting these days, as blocking port 445 is standard best practice. I am attaching a link to a packet capture below to allow you to analyze it further. In the packet capture, the vulnerable host's IP address is 10.128.0.243.
After repeated attempts, the Windows 7 host crashed.
pcap: https://isc.sans.edu/diaryimages/eternalblue.pcap
—
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.