EternalRomance is an SMB exploit from the list of leaked vulnerabilities used by the NSA / FuzzBunch. It targets Windows XP / Vista / 7 as well as Windows Server 2003/2008. Its main feature is that it attacks through SMB (port 445), resulting in control of the target machine. Sheila Berta's paper demonstrated how an unauthenticated attack can exploit a Windows 7/2008 target vulnerable to EternalBlue, DoublePulsar and Empire. This guide will show how to exploit a Windows Server 2003 SP1 x86 using FuzzBunch's EternalRomance exploit. Note that the exploitation process is quite similar to that of EternalBlue, except that DoublePulsar is used to generate the shellcode that EternalRomance then uses.

Some time ago an exploit was published that takes advantage of the ETERNALROMANCE / SYNERGY bug, with improvements in the exploitation method that make it more stable when attacking systems running Windows Server 2012 and 2016. But the truth is that, in the true style of its author (Sleepya), using this exploit takes some figuring out: you need to understand how it works and modify a few small things so that, when it hits a target, whatever we want happens.

Recent ransomware incidents have been attributed in part to NSA hacking tools, in particular the EternalBlue exploit. In most cases, these tools could only be used against “old” versions of the Windows operating system. However, a modified version of the EternalSynergy exploit has been used against newer versions of Windows.

The new version of EternalSynergy affects a long list of Windows versions, including Windows 8.1, Windows Server 2012 and 2016. Wang says that, for now, Windows 10 users are protected, but that “this could change.” As a result, around 75% of all Windows-operated computers worldwide are vulnerable to the new version of EternalSynergy.
