ShadowBrokers NSA Tool Dump

On Friday, April 14, 2017 – The mysterious hacking group ShadowBrokers released over 300MB of NSA hacking tools and exploits. The dump is hosted as a Yandex disk with password “Reeeeeeeeeeeeeee”. The current dump contains 3 folders oddjob, windows, swift as described below, and a detailed list of the contents can be found here.

oddjob An implant builder
windows Exploits, supporting resources and exploit framework similar to Metasploit
swift SQL scripts for querying SWIFT data from databases

Most of the windows exploits are organized in a 3 file system .exe, .fb and .xml file. The .fb file lists the options supported by the exploit, and the XML file is used as a configuration file for the exploit.

.fb file listing options supported by exploit

The .fb file listing options supported by ETERNALROMANCE are:

XML file shows config details
XML file shows config details

Below are some of the exploits that are in the spotlight and/or have been successfully tested. This list will be updated as we investigate further .

Exploit Description Path
ETERNALROMANCE (MS17-010) SMBv1 Exploit Targeting Windows XP, 2003 SP1 SP2, 2008* SP1 SP2, 2008 R2* SP1, Vista SP1 SP2 , 7 SP1 shadowbrokers-exploits/windows/exploits/
ETERNALCHAMPION (MS17-010)  SMBv1/v2 exploit  Windows XP SP1 SP2, 7 SP1, 2003 SP1 SP2, 2008* SP1 SP2, 2008 R2* SP1, Vista SP1 SP2, 8 shadowbrokers-exploits/windows/specials/
ETERNALBLUE (MS17-010) SMBv2 exploit Targeting Windows XP SP1 SP2 SP3, 7 SP1, 2003 SP1 SP2, 2008* SP1 SP2, 2008 R2* SP1, Vista SP1 SP2 shadowbrokers-exploits/windows/specials/
EXPLODINGCAN Exploit targeting CVE-2017-7269 on Windows 2003 SP1 SP2 shadowbrokers-exploits/windows/exploits/
EWOKFRENZY Lotus Domino 6.5.4, 7.0.2 shadowbrokers-exploits/windows/exploits/
ZIPPYBEER Microsoft Domain Controller exploit shadowbrokers-exploits/windows/exploits/
ESTEEMAUDIT DLL Injection exploit via RDP Targeting Windows XP SP1,SP2,SP3; Windows 2003 SP1,SP2 shadowbrokers-exploits/windows/exploits/
EASYBEE MDaemon WebAdmin Exploit shadowbrokers-exploits/windows/exploits/
ENGLISHMANSDENTIST Probable Outlook WebAccess Exploit shadowbrokers-exploits/windows/exploits/
ERRATICGOPHER SMBv1 Exploit targeting Windows 2000 SP4,XP SP2 SP3,2003 SP1 SP2 shadowbrokers-exploits/windows/exploits/
ESKIMOROLL (MS14-068) Kerberos Service exploit targeting Windows 2000,2003,2003 R2,2008,2008 R2 shadowbrokers-exploits/windows/exploits/
ETERNALSYNERGY (MS17-010) SMBv1 Exploit targeting Windows 8,2012 shadowbrokers-exploits/windows/exploits/
EMPHASISMINE Exploit targeting Lotus Domino 6.5.4-6.5.5FP1, 7.0-8.5.2 shadowbrokers-exploits/windows/exploits/
EMRALDTHREAD (MS10-061) Exploit targeting SMBv1 on Windows XP SP1 SP2 SP3, 2003 SP1 SP2 shadowbrokers-exploits/windows/exploits/
EDUCATEDSCHOLAR (MS09-050) Exploit targeting SMBv1 on Windows Vista SP1 SP2, 2008 SP1 SP2 shadowbrokers-exploits/windows/exploits/
ECLIPSEDWING Exploit targeting Server service on Windows 2000 all versions, XP SP1-SP3, 2003 SP1 SP2 shadowbrokers-exploits/windows/exploits/
EASYPI Exploit targeting Lotus ccMail on Windows NT, 200, XP, 2003 shadowbrokers-exploits/windows/exploits/

* We are in the process of verifying if the exploit works for this platform

FUZZBUNCH:
Fuzzbunch is an exploitation framework similar to Metasploit that is used to run exploits against target machines. The framework is executed via fb.py. The framework requires python 2.6 to function, later versions of python seem to fail due a dependency on python26.dll in one of the .pyd files. Fuzzbunch is compatible on 32- and 64-bit architectures. It provides a console-based interface for collecting exploit configuration.

Initial prompt
Initial prompt

Upon selecting an exploit Fuzzbunch automatically collects information about the targets and parameters for the exploit.

DanderSpritz:
A command & control tool used for post exploitation monitoring and controlling. The tool provides utilities for generating payloads in form of dll’s and exe’s for injection into target machines processes among other things.

DanderSpritz
DanderSpritz

Below are the supported commands.

Supported Commands
Supported Commands

As mentioned earlier the tool is also used to generate payloads to use with Doublepulsar.

Payload generation
Payload generation

DanderSpritz ships with module PeddleCheap used to connect and listen  to target machine. It can also be used to trigger exploits on target machines.

PebbleCheap
PeddleCheap

MSRC Update:
The Microsoft Security Response Center (MSRC) has released a statement addressing the exploits released by ShadowBrokers. MSRC has assured us that most of the exploits are already patched. In addition to the ones listed below some of the exploits do not reproduce on supported platforms, therefore customers running Windows 7 and latest versions of Windows or Exchange Server 2010 (EnglismansDentist) are not vulnerable.

Exploit Patch
EternalBlue Addressed by MS17-010
EmeraldThread Addressed by MS10-061
EternalChampion Addressed by CVE-2017-0146 & CVE-2017-0147
ErraticGopher Addressed prior to the release of Windows Vista
EsikmoRoll Addressed by MS14-068
EternalRomance Addressed by MS17-010
EducatedScholar Addressed by MS09-050
EternalSynergy Addressed by MS17-010
EclipsedWing Addressed by MS08-067

Conclusion:
Based on our initial analysis many exploits appear to be zero-day vulnerabilities, i.e. issues where there are no patches from the vendor. In addition to that, many exploits affect end-of-life software for which vendors will not release patches.  A good mitigation step is to disable SMB service as many exploits are targeting various versions of SMB.  We request organizations to keep track of patches released by the respective vendors and upgrade their end-of-life software.

Update:
An update for the Metasploit framework adds  a new more reliable exploit for EternalRomance, EternalChampion, EternalSynergy. If successful an attacker can target machines listed below.

Operating System Versions/Service Pack/Build Versions Architecture
Windows 2000 SP0,Professional SP4,Advanced Server SP4 x86
Windows XP SP0,SP1,SP2,SP3 x86
Windows XP SP2 x64
Windows Vista Home Premium x86
Windows Vista x64
Windows 7 Ultimate SP1, Enterprise SP1 x86
Windows 7 SP0,SP1 x64
Windows 8 x86,x64
Windows 8.1 Enterprise Evaluation 9600,SP1 x86
Windows 8.1 SP1 x64
Windows 8.1 x64
Windows 10 Enterprise 10.10240,10.10586,10.0.14393 x86
Windows 10 Enterprise Evaluation 10.14393 10.0.14393,10.10586 x64
Windows Server 2003 SP0,SP1, Enterprise SP2,R2 SP1,R2 SP2 x86
Windows Server 2003 SP1,R2 SP1,R2 SP2 x64
Windows Server 2008 SP1 x86
Windows Server 2008 R2,R2 SP1 x64
Windows Server 2008 x64
Windows Server 2008 R2 x64
Windows Server 2008 R2 SP1 x64
Windows Server 2012 x64
Windows Server 2012 R2,R2 Standard 9600,R2 SP1 x64
Windows Server 2012 R2 x86
Windows Server 2016 10.10586,Data Center 10.14393 x64


References:

ShadowBrokers Dump
Lost in Translation
MSRC Statement

2 thoughts on “ShadowBrokers NSA Tool Dump”

Leave a Reply

Your email address will not be published. Required fields are marked *