06 February, 2018
Tags: MS17-010, Exploit, SMB
A new exploit has recently been created which bypasses the MS17-010 patch in the form of Metasploit modules. Below, we have outlined the exploits, explaining what they do, and what steps can be taken to protect yourself from this vulnerability.
“Eternal” exploits and Microsoft’s Server Message Block
Microsoft’s Server Message Block is an application-layer network protocol used to enable file sharing between multiple computers in Windows. As such, it is a prime target for attackers looking to gain access to shared files. The “Eternal” brand of exploits (Synergy, Romance, Champion, Blue) target vulnerabilities within Microsoft’s Server Message Block 1.0 (SMBv1) server. Collectively, they bypass security over SMB connections, exploit race conditions in SMB transactions (in which a secondary request can modify the transaction while it is still executing) to trigger access violations, and modify memory contents on a system to obtain data.

The most severe of these vulnerabilities is CVE-2017-0143, or, “Windows SMB Remote Code Execution Vulnerability”, which allows remote attackers to execute arbitrary code via crafted packets. A successful exploit could lead to attackers obtaining sensitive information from process memory. These exploits work even up to recent versions of Windows 10; however, a Windows update was released in March 2017 to resolve these vulnerabilities, and applies to operating systems Windows Vista and later, and Windows Server 2008 and later. The update, MS17-010, resolves these vulnerabilities by correcting how SMBv1 handles specially crafted requests.

What are the MS17-010 EternalSynergy / EternalRomance / EternalChampion auxiliary exploit modules?
These Metasploit modules build and improve upon the previous Eternal exploits and create a new method to exploit SMBv1. Instead of going for shellcode execution, they overwrite the SMB connection session to gain Admin/SYSTEM sessions, which allows attackers to gain access to Active Directory. Penetration testers have already claimed to have used these modules to successfully gain unauthorized access to Windows 8.1 Enterprise Evaluation (x86) and Windows 10 Enterprise Evaluation (x64) machines, making them more dangerous than previous versions of the exploit.
So how can you protect yourself?
A workaround to this exploit until a new patch is released is to disable the SMBv1 protocol. This can be done as follows:
Windows 8.1 and Windows 10 PowerShell method:
For Windows Server 2012 R2 & 2016 PowerShell method:
For Windows Vista/7/Server 2008/Server 2008 R2, PowerShell 2.0 or later is required:
SMB v1

Disable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

Enable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force

Alternatively, for Windows 8.1 and later – Open Control Panel, go to Programs, then into “Turn Windows features on or off”. In the Windows Features window, uncheck the SMB1.0/CIFS File Sharing Support box, click OK and restart the system.

Alternatively, for Server 2012 R2 and later – Open Server Manager, click Manage in the top right bar, and select “Remove Roles and Features”. Click Next until you can select the Features tab in the left pane. In the Features window, uncheck the SMB1.0/CIFS File Sharing Support box, click OK, and restart the system.

Once a patch is released and the vulnerability is mitigated, retrace the steps to locate the SMB1.0/CIFS Sharing Support check box and check the box to restore the SMB1.0/CIFS File Sharing Support feature to an active state.
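The steps above, collected into one script as an added example (not code from the original post): it audits where SMBv1 can be switched on, then disables it using the method that matches the Windows generation listed above. The function names are my own; the feature names SMB1Protocol and FS-SMB1 are the ones Windows uses for the "SMB1.0/CIFS File Sharing Support" feature. Run it from an elevated PowerShell prompt; a restart is still needed for the change to take effect.

```powershell
# Added example, not part of the original post. Requires an elevated prompt.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Report the three places SMBv1 can be enabled; $null means "not applicable here".
    $reg = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $srv = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $srv = (Get-SmbServerConfiguration).EnableSMB1Protocol   # Windows 8 / 2012 and later
    }
    $feat = $null
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feat = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
                 -ErrorAction SilentlyContinue).State            # 'Enabled' / 'Disabled'
    }
    [pscustomobject]@{
        RegistryValue   = $reg    # missing or 1 = enabled, 0 = disabled
        ServerConfig    = $srv
        OptionalFeature = $feat
    }
}

function Disable-Smb1 {
    # Get-WmiObject is used instead of Get-CimInstance so this also runs on PowerShell 2.0.
    $osInfo   = Get-WmiObject Win32_OperatingSystem
    $os       = [version]$osInfo.Version
    $isServer = $osInfo.ProductType -ne 1       # 1 = workstation, 2 = DC, 3 = server
    if ($os -ge [version]'6.3' -and -not $isServer) {
        # Windows 8.1 / 10: same switch as "Turn Windows features on or off"
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    } elseif ($os -ge [version]'6.3') {
        # Server 2012 R2 / 2016: same switch as "Remove Roles and Features"
        Remove-WindowsFeature FS-SMB1
    } else {
        # Vista / 7 / Server 2008 (R2): the registry value shown in the post
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWORD -Value 0 -Force
    }
}

"Before:"; Get-Smb1State
Disable-Smb1
"After (restart required):"; Get-Smb1State
```

Re-running Get-Smb1State after the restart confirms the setting persisted; once the patch is applied and SMBv1 is wanted again, reverse the same call (Enable-WindowsOptionalFeature, Add-WindowsFeature, or -Value 1 in the registry).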
Jeremy Godfrey
Cyber Security Analyst
Jeremy Godfrey is a Cyber Security Analyst at Secrutiny. Prior to this, he studied Computer Science at the University of Reading and a Master’s degree in Information Security at the University of Surrey. Currently, he is focused on developing his knowledge of the cyber security industry.