CVE-2017-0147

HIGH KEV RANSOMWARE

Microsoft Windows - SMBv1 Information Disclosure via Crafted Packets

Title source: llm

Exploitation Summary

CVE-2017-0147 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 24, 2022, with confirmed use in ransomware campaigns. EIP tracks 8 public exploits from researchers including Metasploit, Sean Dillon, Juan Sacco, including a Metasploit module auxiliary/scanner/smb/smb_ms17_010.

AI-analyzed exploit summary This Metasploit module exploits SMB vulnerabilities in MS17-010 (CVE-2017-0147) to achieve remote code execution on Windows systems. It leverages a write-what-where primitive to overwrite session information and execute payloads via psexec, PowerShell, or native upload methods.

Description

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via a crafted packets, aka "Windows SMB Information Disclosure Vulnerability."

Exploits (8)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/43970

View Code ZIP pw:eip

This Metasploit module exploits SMB vulnerabilities in MS17-010 (CVE-2017-0147) to achieve remote code execution on Windows systems. It leverages a write-what-where primitive to overwrite session information and execute payloads via psexec, PowerShell, or native upload methods.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Microsoft Windows SMB Server (MS17-010)

No auth needed

Prerequisites: Network access to SMB port (445) · Vulnerable Windows system (pre-MS17-010 patch)

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb SCANNER VERIFIED

by Sean Dillon · rubydoswindows

https://www.exploit-db.com/exploits/41891

View Code ZIP pw:eip

This Metasploit module scans for the MS17-010 vulnerability (CVE-2017-0147) by checking the SMB response status for FID 0. It does not exploit the vulnerability but detects its presence.

Classification

Scanner 100%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Microsoft Windows SMB Server (unpatched versions)

No auth needed

Prerequisites: Network access to the target's SMB port (445/TCP)

MITRE ATT&CK

T1069 - Permission Groups Discovery T1135 - Network Share Discovery

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Juan Sacco · pythonremotewindows_x86-64

https://www.exploit-db.com/exploits/41987

View Code ZIP pw:eip

This is a Python-based exploit for CVE-2017-0148 (MS17-010), targeting a buffer overflow in the SMBv1 protocol. It leverages a crafted SMB packet to achieve remote code execution on vulnerable Windows systems.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows SMBv1 (e.g., Windows Server 2008 R2 SP1)

No auth needed

Prerequisites: Network access to SMB port (445/TCP) · Target system with SMBv1 enabled and unpatched

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec SUSPICIOUS

by RobertoLeonFR-ES · poc

https://github.com/RobertoLeonFR-ES/Exploit-Win32.CVE-2017-0147.A

View Code ZIP pw:eip

The repository contains no exploit code or technical details, only a vague reference to a Microsoft Defender detection name. This appears to be a social engineering lure rather than a legitimate PoC.

Classification

Suspicious 90%

Attack Type

Other

Complexity

Theoretical

Reliability

Theoretical

Target: unknown

No auth needed

devstral-2 · analyzed Feb 18, 2026 Full analysis →

exploitdb WORKING POC

rubyremotewindows

https://www.exploit-db.com/exploits/47456

View Code ZIP pw:eip

This Metasploit module exploits the DOUBLEPULSAR implant (CVE-2017-0147) to execute payloads or neutralize the implant via SMB. It includes detection, payload execution, and implant neutralization capabilities.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows SMB (DOUBLEPULSAR implant)

No auth needed

Prerequisites: Target must be infected with DOUBLEPULSAR implant · SMB access to the target

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 19, 2026 Full analysis →

metasploit SCANNER

by Sean Dillon <[email protected]>, Luke Jennings · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb

View Code ZIP pw:eip

This Metasploit module scans for the MS17-010 vulnerability by checking for the STATUS_INSUFF_SERVER_RESOURCES response and also detects DoublePulsar infections. It does not exploit the vulnerability but confirms its presence.

Classification

Scanner 100%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows SMB Server (unpatched versions vulnerable to MS17-010)

No auth needed

Prerequisites: Network access to the target's SMB port (445/TCP) · SMB service exposed and accessible

MITRE ATT&CK

T1069 - Permission Groups Discovery T1087 - Account Discovery T1135 - Network Share Discovery

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC GREAT

by Equation Group, Shadow Brokers, zerosum0x0, Luke Jennings, wvu, Jacob Robles · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/smb_doublepulsar_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits the DOUBLEPULSAR implant for SMB, allowing remote code execution on vulnerable Windows systems. It includes functionality to detect the implant, execute payloads, and neutralize the implant.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Windows SMB (DOUBLEPULSAR implant)

No auth needed

Prerequisites: Vulnerable SMB service with DOUBLEPULSAR implant · Network access to the target

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 19, 2026 Full analysis →

metasploit WORKING POC NORMAL

by Equation Group, Shadow Brokers, sleepya, Sean Dillon <[email protected]>, Dylan Davis <[email protected]>, thelightcosine, wvu, s first external module, , # External python module · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms17_010_eternalblue.rb

View Code ZIP pw:eip

This is a functional Metasploit module for CVE-2017-0147 (ETERNALBLUE), exploiting a buffer overflow in SMBv1 via a kernel pool corruption vulnerability. It includes detailed exploit logic, payload handling, and target-specific configurations for various Windows versions.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Racy

Target: Microsoft Windows SMBv1 (Windows 7, Server 2008 R2, Windows 8, etc.)

No auth needed

Prerequisites: SMBv1 enabled on target · Network access to port 445

MITRE ATT&CK