EternalBlue (CVE-2017-0144)
What is EternalBlue (CVE-2017-0144)?
EternalBlue (CVE-2017-0144): an NSA-developed exploit for a 2017 Microsoft SMBv1 remote code execution vulnerability, leaked by the Shadow Brokers and used by WannaCry and NotPetya.
EternalBlue (CVE-2017-0144) is a remote code execution vulnerability in Microsoft's SMBv1 implementation that let an unauthenticated attacker on the network run kernel-level code on most then-supported Windows systems. The exploit was an NSA/Equation Group capability dumped publicly by the Shadow Brokers on 14 April 2017, alongside the FuzzBunch framework and the DoublePulsar kernel backdoor that operators typically installed as the post-exploitation payload.
Technically, EternalBlue chains two defects in srv.sys, the kernel-mode SMBv1 server. First, when the server converts an OS/2 extended-attribute (FEA) list into the NT format, SrvOs2FeaListSizeToNt computes the NT buffer size and then writes the validated list length back into the 32-bit cbList field using only a 16-bit store, so the high word of the attacker-supplied length survives; the conversion routine trusts that stale length and copies more entries than the allocated non-paged pool buffer can hold. Second, the server confuses transaction types, so an NT_TRANSACT request followed by TRANS2_SECONDARY fragments lets the attacker deliver far more than 64 KB of transaction data, which is what the oversized FEA list needs. The attacker grooms the non-paged pool over several SMB connections so the overflow lands on an adjacent SRVNET buffer, corrupts its header, and ultimately redirects execution into attacker-controlled shellcode in kernel mode. Microsoft shipped MS17-010 on 14 March 2017, a month before the leak, and later took the rare step of patching out-of-support Windows XP once WannaCry began spreading.
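The length-truncation bug described above, modelled in C as an added example (this is not srv.sys code and not part of the original page; the function and struct names, the 16-byte entry layout and the 0x10000/0x20000 sizes are constructed for illustration). The sizing pass walks the list, stops where the next entry would run past cbList, and writes the validated length back; the unpatched branch performs that write-back as a 16-bit store, the patched branch as a full 32-bit store, which is what MS17-010 is understood to have changed. The conversion pass then reads cbList back and reports how many NT bytes it would need, so the model computes the over-read instead of actually overflowing memory:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* OS/2 FEALIST as carried in the SMBv1 transaction data: a 32-bit cbList
 * (total length, including itself) followed by FEA entries, each laid out as
 * fEA(1) cbName(1) cbValue(2) name[cbName+1] value[cbValue]. */
enum { FEA_HDR = 4, NT_EA_HDR = 8 };   /* NT_EA_HDR: fixed part of FILE_FULL_EA_INFORMATION */
#define QUAD_ALIGN(x) (((x) + 3u) & ~3u)
#define DATA_LEN 0x20000u               /* constructed: bytes the attacker actually sent */

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t entry_len(const uint8_t *fea)    { return FEA_HDR + fea[1] + 1u + rd16(fea + 2); }
static uint32_t nt_entry_len(const uint8_t *fea) { return QUAD_ALIGN(NT_EA_HDR + fea[1] + 1u + rd16(fea + 2)); }

/* Model of the sizing pass (SrvOs2FeaListSizeToNt). Returns the NT buffer size
 * it would allocate and, when the list does not end exactly at cbList, writes
 * the validated length back into cbList. patched=0: 16-bit store (the bug);
 * patched=1: 32-bit store (the fix). The data_len guard is model-only. */
static uint32_t fea_list_size_to_nt(uint8_t *list, size_t data_len, int patched)
{
    const uint8_t *end = list + rd32(list);
    const uint8_t *p = list + FEA_HDR;
    uint32_t nt_size = 0;
    while (p < end && (size_t)(p - list) + FEA_HDR <= data_len) {
        const uint8_t *next = p + entry_len(p);
        if (next > end) break;             /* entry would cross cbList: stop here */
        nt_size += nt_entry_len(p);
        p = next;
    }
    if (p != end) {
        uint32_t validated = (uint32_t)(p - list);
        if (patched) {
            memcpy(list, &validated, 4);   /* full 32-bit write-back */
        } else {
            uint16_t lo = (uint16_t)validated;
            memcpy(list, &lo, 2);          /* bug: high word of cbList survives */
        }
    }
    return nt_size;
}

/* Model of the conversion pass (SrvOs2FeaListToNt): trusts cbList as left by
 * the sizing pass and counts the NT bytes needed for every entry up to it. */
static uint32_t nt_bytes_needed(const uint8_t *list, size_t data_len)
{
    const uint8_t *end = list + rd32(list);
    const uint8_t *p = list + FEA_HDR;
    uint32_t need = 0;
    while (p < end && (size_t)(p - list) + FEA_HDR <= data_len) {
        const uint8_t *next = p + entry_len(p);
        if (next > end) break;
        need += nt_entry_len(p);
        p = next;
    }
    return need;
}

/* Constructed attacker data: cbList claims 0x10000 bytes, but the transaction
 * carries DATA_LEN bytes of 16-byte entries (cbName=0, cbValue=11). */
static void build_fea_list(uint8_t *buf, uint32_t cbList)
{
    memset(buf, 0, DATA_LEN);
    memcpy(buf, &cbList, 4);
    for (size_t off = FEA_HDR; off + 16 <= DATA_LEN; off += 16) {
        uint16_t cbValue = 11;
        buf[off + 1] = 0;                  /* cbName */
        memcpy(buf + off + 2, &cbValue, 2);
    }
}

/* Bytes the conversion pass would write past the buffer the sizing pass
 * asked for; 0 means both passes agree on the list length. */
uint32_t overflow_bytes(int patched)
{
    uint8_t *data = malloc(DATA_LEN);
    if (!data) return 0;
    build_fea_list(data, 0x10000u);
    uint32_t allocated = fea_list_size_to_nt(data, DATA_LEN, patched);
    uint32_t needed = nt_bytes_needed(data, DATA_LEN);
    free(data);
    return needed > allocated ? needed - allocated : 0;
}

int main(void)
{
    printf("unpatched: conversion needs 0x%x bytes beyond the allocation\n", overflow_bytes(0));
    printf("patched:   conversion needs 0x%x bytes beyond the allocation\n", overflow_bytes(1));
    return 0;
}
```

With these constructed sizes the sizing pass stops at offset 0xFFF4, the 16-bit store turns cbList 0x10000 into 0x1FFF4, and the conversion pass walks twice as many entries as were sized, which is the mismatch the real exploit tunes to a few bytes so the overflow only clips the adjacent SRVNET buffer header.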
The flaw became the propagation engine of WannaCry (12 May 2017) and NotPetya (27 June 2017); NotPetya, a wiper masquerading as ransomware, caused over USD 10 billion in damage, crippling Maersk, Merck and Mondelez. Years later, unpatched SMBv1 hosts are still being compromised. Defences: apply MS17-010, disable SMBv1 entirely, block TCP/445 at the perimeter, and segment flat networks.
flowchart TD
A[Shadow Brokers leak<br/>April 2017] --> B[EternalBlue exploit<br/>CVE-2017-0144]
B --> C[Crafted oversized SMBv1 transaction]
C --> D[Type confusion + non-paged pool overflow in srv.sys]
D --> E[Kernel code execution]
E --> F[DoublePulsar backdoor]
F --> G{Payload}
G --> H[WannaCry ransomware]
G --> I[NotPetya wiper]
H --> J[Worms to next host via TCP/445]
I --> J
J --> C
● Examples
- 01 WannaCry ransomware worming through corporate Windows networks via EternalBlue.
- 02 NotPetya wiping data after using EternalBlue to spread inside organisations.
● Frequently asked questions
What is EternalBlue (CVE-2017-0144)?
An NSA-developed exploit for a 2017 Microsoft SMBv1 remote code execution vulnerability, leaked by the Shadow Brokers and used by WannaCry and NotPetya. It belongs to the Vulnerabilities category of cybersecurity.
What does EternalBlue (CVE-2017-0144) mean?
An NSA-developed exploit for a 2017 Microsoft SMBv1 remote code execution vulnerability, leaked by the Shadow Brokers and used by WannaCry and NotPetya.
How do you defend against EternalBlue (CVE-2017-0144)?
Apply the MS17-010 update on every Windows host (including out-of-support versions, for which Microsoft issued a special patch), disable SMBv1 entirely rather than relying on the patch alone, block TCP/445 at the perimeter and between network segments so a single infected host cannot worm across a flat network, and check exposed hosts for the DoublePulsar backdoor that the exploit typically installs.
What are other names for EternalBlue (CVE-2017-0144)?
Common alternative names include: MS17-010, CVE-2017-0144.