CVE-2017-0146

HIGH KEV RANSOMWARE

Microsoft Windows SMBv1 - Remote Code Execution via Crafted Packets

Title source: llm

Exploitation Summary

CVE-2017-0146 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022, with confirmed use in ransomware campaigns. EIP tracks 6 public exploits from researchers including Metasploit, Sean Dillon, Juan Sacco, including a Metasploit module exploits/windows/smb/smb_doublepulsar_rce.

AI-analyzed exploit summary This Metasploit module exploits SMB vulnerabilities in MS17-010 (CVE-2017-0147) to achieve remote code execution on Windows systems. It leverages a write-what-where primitive to overwrite session information and execute payloads via psexec, PowerShell, or native upload methods.

Description

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0148.

Exploits (6)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/43970

View Code ZIP pw:eip

This Metasploit module exploits SMB vulnerabilities in MS17-010 (CVE-2017-0147) to achieve remote code execution on Windows systems. It leverages a write-what-where primitive to overwrite session information and execute payloads via psexec, PowerShell, or native upload methods.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Microsoft Windows SMB Server (MS17-010)

No auth needed

Prerequisites: Network access to SMB port (445) · Vulnerable Windows system (pre-MS17-010 patch)

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb SCANNER VERIFIED

by Sean Dillon · rubydoswindows

https://www.exploit-db.com/exploits/41891

View Code ZIP pw:eip

This Metasploit module scans for the MS17-010 vulnerability (CVE-2017-0147) by checking the SMB response status for FID 0. It does not exploit the vulnerability but detects its presence.

Classification

Scanner 100%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Microsoft Windows SMB Server (unpatched versions)

No auth needed

Prerequisites: Network access to the target's SMB port (445/TCP)

MITRE ATT&CK

T1069 - Permission Groups Discovery T1135 - Network Share Discovery

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Juan Sacco · pythonremotewindows_x86-64

https://www.exploit-db.com/exploits/41987

View Code ZIP pw:eip

This is a Python-based exploit for CVE-2017-0148 (MS17-010), targeting a buffer overflow in the SMBv1 protocol. It leverages a crafted SMB packet to achieve remote code execution on vulnerable Windows systems.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows SMBv1 (e.g., Windows Server 2008 R2 SP1)

No auth needed

Prerequisites: Network access to SMB port (445/TCP) · Target system with SMBv1 enabled and unpatched

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC GREAT

by Equation Group, Shadow Brokers, zerosum0x0, Luke Jennings, wvu, Jacob Robles · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/smb_doublepulsar_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits the DOUBLEPULSAR implant for SMB, allowing remote code execution on systems compromised by ETERNALBLUE. It includes functionality to detect, execute payloads, and neutralize the implant.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Windows SMB (DOUBLEPULSAR implant)

No auth needed

Prerequisites: Target must be infected with DOUBLEPULSAR implant · SMB access to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 24, 2026 Full analysis →

metasploit SCANNER

by Sean Dillon <[email protected]>, Luke Jennings · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb

View Code ZIP pw:eip

This Metasploit module detects the presence of the MS17-010 vulnerability (CVE-2017-0146) by probing SMB responses and checking for DoublePulsar infections. It does not exploit the vulnerability but scans for it by analyzing SMB transaction responses.

Classification

Scanner 100%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows SMB Server (unpatched versions affected by MS17-010)

No auth needed

Prerequisites: Network access to the target's SMB port (445/TCP) · SMB service exposed and accessible

MITRE ATT&CK

T1069.002 - Domain Groups T1087.002 - Domain Account

devstral-2 · analyzed Feb 20, 2026 Full analysis →

exploitdb WORKING POC

rubyremotewindows

https://www.exploit-db.com/exploits/47456

View Code ZIP pw:eip

This Metasploit module exploits the DOUBLEPULSAR implant (CVE-2017-0146) to execute payloads or neutralize the implant via SMB. It includes detection, payload execution, and implant neutralization capabilities.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows SMB (DOUBLEPULSAR implant)

Auth required

Prerequisites: SMB access to target · DOUBLEPULSAR implant presence

MITRE ATT&CK