Hillstone Networks

RULE（RULE ID：1905802）

Rule General Information


Release Date:		2020-02-20

Rule Name:		SMB Doublepulsar Remote Code Execution (CVE-2017-0143)

Severity:

CVE ID:

Rule Protection Details


Description:		Attacker exploits a vulnerability on SMBv1/SMBv2 protocols through Eternalblue.After that, doublepulsar is used to inject remotely a malicious dll (it's will generate based on your payload selection).

Impact:		An attacker could exploit this vulnerability to execute arbitrary code.

Affected OS:		Windows

Reference:		SecurityFocusBID:96703 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143 ExploitDB:41987 http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html

Solutions

The vendors have released upgrade patches to fix vulnerabilities, please visit:
https://technet.microsoft.com/zh-cn/library/security/ms17-010