added MS17-010 auxiliary detection module #8167
MS17-010 fixes RCE in SMBv1, but seems to also have inadvertently added a remote, uncredentialed patch check information disclosure.
This module can determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a PeekNamedPipe transaction on FID 0.
If the status returned is "STATUS_INSUFF_SERVER_RESOURCES", the machine does not have the MS17-010 patch. After the patch, Win10 returns "STATUS_ACCESS_DENIED" and other Windows versions "STATUS_INVALID_HANDLE". In case none of these are detected, the module says it was not able to detect the patch level (I haven't seen this in practice).
This module does not require valid SMB credentials in default server configurations. It can log on as the user "" and connect to IPC$.
Note: This can probably be changed someday to the check() method in an exploit module (assuming the RCE MS17-010 fixed is even feasibly exploitable). But for now as an auxiliary module it has helped get us some screenshots on pentests.
Same host after patch
What Windows version? Did you mess with any LSA settings between patching? It looks like it didn't even connect to IPC$ at all, even though anonymous login worked for it the first time.
The error can be rescued, but since there's no TID, I don't think the FID code is run. That STATUS_ACCESS_DENIED isn't the one from the patch; it's happening earlier.
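As an added example (not the module's own code and not the PR author's), the following Python applies the decision rule the description gives and the guard the review comment asks for: parse the SMBv1 header of the IPC$ tree connect response first, and only if it succeeded interpret the NTSTATUS of the PeekNamedPipe transaction response; otherwise a STATUS_ACCESS_DENIED came from the tree connect, not from the patch, and the host is reported as unknown rather than patched. Nothing is sent on the wire; every response is a constructed byte string built in the script. The NTSTATUS constants are Microsoft's documented values; the flags, TID and UID values in the samples are constructed.

```python
"""
Added example (not the smb_ms17_010 module's code): classify MS17-010 patch
state from the NTSTATUS of a PeekNamedPipe transaction on FID 0, guarded by
the outcome of the IPC$ tree connect. All responses are constructed bytes.
"""
import struct
from typing import Optional

# NTSTATUS values named in the PR description (documented Windows codes).
STATUS_SUCCESS = 0x00000000
STATUS_INVALID_HANDLE = 0xC0000008
STATUS_ACCESS_DENIED = 0xC0000022
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205

SMB_MAGIC = b"\xffSMB"
SMB_HEADER_LEN = 32
SMB_COM_TRANSACTION = 0x25          # PeekNamedPipe is carried in SMB_COM_TRANSACTION
SMB_COM_TREE_CONNECT_ANDX = 0x75
# 4s magic, B command, I status, B flags, H flags2, H pid_high, 8s signature,
# H reserved, H tid, H pid, H uid, H mid  -> 32 bytes, little-endian
SMB_HEADER_FMT = "<4sBIBHH8sHHHHH"


def parse_smb1_header(data: bytes) -> dict:
    """Parse the fixed 32-byte SMBv1 header into its fields."""
    if len(data) < SMB_HEADER_LEN or data[:4] != SMB_MAGIC:
        raise ValueError("not an SMBv1 message")
    (_, command, status, flags, flags2, pid_high, _sig, _res,
     tid, pid, uid, mid) = struct.unpack(SMB_HEADER_FMT, data[:SMB_HEADER_LEN])
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "tid": tid, "pid": (pid_high << 16) | pid, "uid": uid, "mid": mid}


def classify_peek_status(status: int) -> str:
    """Map the PeekNamedPipe NTSTATUS to a patch state, per the PR description."""
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"      # unpatched server tried to service FID 0
    if status in (STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE):
        return "PATCHED"         # Win10 returns the former, other versions the latter
    return "UNKNOWN"             # neither signal seen; do not guess


def assess_host(tree_connect_resp: bytes, peek_resp: Optional[bytes]) -> dict:
    """
    Judge one host from its two responses. Without a successful tree connect
    (and therefore a TID), the FID 0 check never ran, so any later status is
    about the tree, not the patch.
    """
    tc = parse_smb1_header(tree_connect_resp)
    if tc["status"] != STATUS_SUCCESS:
        return {"state": "UNKNOWN",
                "reason": "IPC$ tree connect failed, status=0x%08X" % tc["status"]}
    if peek_resp is None:
        return {"state": "UNKNOWN", "reason": "no PeekNamedPipe response"}
    pk = parse_smb1_header(peek_resp)
    if pk["command"] != SMB_COM_TRANSACTION or pk["tid"] != tc["tid"]:
        return {"state": "UNKNOWN",
                "reason": "response is not the transaction on tid 0x%04X" % tc["tid"]}
    return {"state": classify_peek_status(pk["status"]),
            "reason": "PeekNamedPipe status=0x%08X" % pk["status"]}


def build_smb1_header(command: int, status: int, tid: int,
                      uid: int = 0x0800, mid: int = 1) -> bytes:
    """Construct a minimal SMBv1 reply header for the sample responses (constructed values)."""
    flags = 0x98       # SMB_FLAGS_REPLY | CANONICALIZED_PATHS | CASE_INSENSITIVE
    flags2 = 0xC001    # UNICODE | NT_STATUS | LONG_NAMES
    return struct.pack(SMB_HEADER_FMT, SMB_MAGIC, command, status, flags, flags2,
                       0, b"\x00" * 8, 0, tid, 0xFEFF, uid, mid)


# Constructed sample responses (header only; the classification needs nothing else).
TREE_OK = build_smb1_header(SMB_COM_TREE_CONNECT_ANDX, STATUS_SUCCESS, tid=0x0801)
TREE_DENIED = build_smb1_header(SMB_COM_TREE_CONNECT_ANDX, STATUS_ACCESS_DENIED, tid=0xFFFF)
PEEK_UNPATCHED = build_smb1_header(SMB_COM_TRANSACTION, STATUS_INSUFF_SERVER_RESOURCES, tid=0x0801)
PEEK_WIN10_PATCHED = build_smb1_header(SMB_COM_TRANSACTION, STATUS_ACCESS_DENIED, tid=0x0801)
PEEK_OLDER_PATCHED = build_smb1_header(SMB_COM_TRANSACTION, STATUS_INVALID_HANDLE, tid=0x0801)

if __name__ == "__main__":
    for label, tree, peek in [("unpatched", TREE_OK, PEEK_UNPATCHED),
                              ("win10 patched", TREE_OK, PEEK_WIN10_PATCHED),
                              ("older patched", TREE_OK, PEEK_OLDER_PATCHED),
                              ("tree connect denied", TREE_DENIED, PEEK_WIN10_PATCHED)]:
        print(label, assess_host(tree, peek))
```

The last sample is the situation from the comment above: the tree connect itself returned STATUS_ACCESS_DENIED, so the same status code that would mean "patched" after a successful connect is reported as unknown instead.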
Apr 14, 2017
The auxiliary/scanner/smb/smb_ms17_010 module has been added to the framework. It scans for Windows hosts that are vulnerable to MS17-010 and connects to the IPC$ tree to attempt a PeekNamedPipe transaction on FID 0. Read this blog for more information: https://community.rapid7.com/community/infosec/blog/2017/04/18/the-shadow-brokers-leaked-exploits-faq.
This form of the pipe Transaction protocol is used to implement the Win32 PeekNamedPipe() API remotely. The PeekNamedPipe function copies data from a named or anonymous pipe into a buffer without removing it from the pipe. It also returns information about data in the pipe.