CVE-2017-0145

HIGH KEV RANSOMWARE

Microsoft Windows SMBv1 - Remote Code Execution via Crafted Packets

Title source: llm

Exploitation Summary

CVE-2017-0145 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 10, 2022, with confirmed use in ransomware campaigns. EIP tracks 6 public exploits from researchers including Sean Dillon, Juan Sacco, MelonSmasher, including a Metasploit module exploits/windows/smb/smb_doublepulsar_rce.

AI-analyzed exploit summary This Metasploit module scans for the MS17-010 vulnerability (CVE-2017-0147) by checking the SMB response status for FID 0. It does not exploit the vulnerability but detects its presence.

Description

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148.

Exploits (6)

exploitdb SCANNER VERIFIED

by Sean Dillon · rubydoswindows

https://www.exploit-db.com/exploits/41891

View Code ZIP pw:eip

This Metasploit module scans for the MS17-010 vulnerability (CVE-2017-0147) by checking the SMB response status for FID 0. It does not exploit the vulnerability but detects its presence.

Classification

Scanner 100%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Microsoft Windows SMB Server (unpatched versions)

No auth needed

Prerequisites: Network access to the target's SMB port (445/TCP)

MITRE ATT&CK

T1069 - Permission Groups Discovery T1135 - Network Share Discovery

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Juan Sacco · pythonremotewindows_x86-64

https://www.exploit-db.com/exploits/41987

View Code ZIP pw:eip

This is a Python-based exploit for CVE-2017-0148 (MS17-010), targeting a buffer overflow in the SMBv1 protocol. It leverages a crafted SMB packet to achieve remote code execution on vulnerable Windows systems.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows SMBv1 (e.g., Windows Server 2008 R2 SP1)

No auth needed

Prerequisites: Network access to SMB port (445/TCP) · Target system with SMBv1 enabled and unpatched

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by MelonSmasher · poc

https://github.com/MelonSmasher/chef_tissues

View Code ZIP pw:eip

This repository contains a Chef cookbook that automates the installation of Microsoft's patch for CVE-2017-0145 (EternalBlue/WannaCry vulnerability). It detects the Windows version and architecture, then downloads and installs the appropriate MSU patch from Microsoft's update servers.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: Windows 7/8/8.1, Windows Server 2008 R2/2012/2012 R2

Auth required

Prerequisites: Administrative access to the target Windows system · Chef installed on the target system

MITRE ATT&CK

T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

metasploit WORKING POC GREAT

by Equation Group, Shadow Brokers, zerosum0x0, Luke Jennings, wvu, Jacob Robles · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/smb_doublepulsar_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits the DOUBLEPULSAR implant for SMB, allowing remote code execution on systems compromised by ETERNALBLUE. It includes functionality to detect, execute payloads, and neutralize the implant.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Windows SMB (DOUBLEPULSAR implant)

No auth needed

Prerequisites: Target system must be infected with DOUBLEPULSAR implant · SMB access to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 24, 2026 Full analysis →

metasploit SCANNER

by Sean Dillon <[email protected]>, Luke Jennings · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb

View Code ZIP pw:eip

This Metasploit module detects the presence of the MS17-010 vulnerability (CVE-2017-0145) by probing the SMB service for a specific response indicating the patch is missing. It also checks for DoublePulsar infections and named pipes on vulnerable hosts.

Classification

Scanner 100%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows SMB Server (unpatched versions)

No auth needed

Prerequisites: Network access to the target's SMB service (port 445)

MITRE ATT&CK

T1069 - Permission Groups Discovery T1087 - Account Discovery

devstral-2 · analyzed Feb 20, 2026 Full analysis →

exploitdb WORKING POC

rubyremotewindows

https://www.exploit-db.com/exploits/47456

View Code ZIP pw:eip

This Metasploit module exploits the DOUBLEPULSAR implant, which leverages the ETERNALBLUE vulnerability (CVE-2017-0145) to execute payloads or neutralize the implant on vulnerable Windows systems. It communicates via SMB to send crafted packets to the implant, enabling remote code execution or implant removal.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Windows SMB (DOUBLEPULSAR implant)

No auth needed

Prerequisites: Vulnerable SMB service exposed · DOUBLEPULSAR implant present

MITRE ATT&CK