CVE-2017-0148

HIGH KEV RANSOMWARE

Microsoft Windows SMBv1 - Remote Code Execution via Crafted Packets

Title source: llm

Exploitation Summary

CVE-2017-0148 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 6, 2022, with confirmed use in ransomware campaigns. EIP tracks 6 public exploits from researchers including Metasploit, Sean Dillon, Juan Sacco, including a Metasploit module exploits/windows/smb/smb_doublepulsar_rce.

AI-analyzed exploit summary This Metasploit module exploits the DOUBLEPULSAR implant (CVE-2017-0148) to execute payloads or neutralize the implant on vulnerable SMB servers. It leverages the ETERNALBLUE exploit chain to achieve remote code execution on Windows systems.

Description

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0146.

Exploits (6)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/47456

View Code ZIP pw:eip

This Metasploit module exploits the DOUBLEPULSAR implant (CVE-2017-0148) to execute payloads or neutralize the implant on vulnerable SMB servers. It leverages the ETERNALBLUE exploit chain to achieve remote code execution on Windows systems.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows SMB Server (MS17-010)

No auth needed

Prerequisites: Vulnerable SMB service exposed · Network access to target

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb SCANNER VERIFIED

by Sean Dillon · rubydoswindows

https://www.exploit-db.com/exploits/41891

View Code ZIP pw:eip

This Metasploit module scans for the MS17-010 vulnerability (CVE-2017-0147) by checking the SMB response status for FID 0. It does not exploit the vulnerability but detects its presence.

Classification

Scanner 100%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Microsoft Windows SMB Server (unpatched versions)

No auth needed

Prerequisites: Network access to the target's SMB port (445/TCP)

MITRE ATT&CK

T1069 - Permission Groups Discovery T1135 - Network Share Discovery

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Juan Sacco · pythonremotewindows_x86-64

https://www.exploit-db.com/exploits/41987

View Code ZIP pw:eip

This is a Python-based exploit for CVE-2017-0148 (MS17-010), targeting a buffer overflow in the SMBv1 protocol. It leverages a crafted SMB packet to achieve remote code execution on vulnerable Windows systems.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows SMBv1 (e.g., Windows Server 2008 R2 SP1)

No auth needed

Prerequisites: Network access to SMB port (445/TCP) · Target system with SMBv1 enabled and unpatched

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec SCANNER

by HakaKali · infoleak

https://github.com/HakaKali/CVE-2017-0148

View Code ZIP pw:eip

The repository contains a Ruby script for the Metasploit Framework that scans for the MS17-010 (EternalBlue) vulnerability by checking the SMB response status. It does not include exploit code but detects vulnerability via STATUS_INSUFF_SERVER_RESOURCES.

Classification

Scanner 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows SMB (MS17-010)

No auth needed

Prerequisites: Network access to target SMB port (445/TCP) · SMB service exposed

MITRE ATT&CK

T1069.002 - Domain Groups T1087.002 - Domain Account

devstral-2 · analyzed Feb 18, 2026 Full analysis →

metasploit WORKING POC GREAT

by Equation Group, Shadow Brokers, zerosum0x0, Luke Jennings, wvu, Jacob Robles · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/smb_doublepulsar_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits the DOUBLEPULSAR implant for SMB, allowing remote code execution on systems already compromised by the implant. It includes functionality to detect the implant, execute payloads, and neutralize the implant.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Windows SMB with DOUBLEPULSAR implant

No auth needed

Prerequisites: Target system must be infected with DOUBLEPULSAR implant · SMB access to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 24, 2026 Full analysis →

metasploit SCANNER

by Sean Dillon <[email protected]>, Luke Jennings · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb

View Code ZIP pw:eip

This Metasploit module detects the presence of the MS17-010 vulnerability (CVE-2017-0148) by probing the SMB service for a specific response indicating the absence of the patch. It also checks for DoublePulsar infections on vulnerable hosts.

Classification

Scanner 100%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows SMB Server (unpatched versions)

No auth needed

Prerequisites: Network access to the target's SMB service (port 445)

MITRE ATT&CK