Most of us got hold of the NSA exploits recently released to the public and there was so much hype and public statements around it. A lot has been said, and most vendors came out to defend their products and to release patches to downplay/mitigate the impact of these exploits.
In the exploits, we came to learn about Fuzzbunch, NSA’s exploit framework – “NSA’s metasploit”. I know a few people who have tried to use it and fail due to lack of knowledge/ familiarity with the dependencies that Fuzzbunch demands…fret no more. We can exploit the same vulnerabilities using our beloved Metasploit :-). Currently Metasploit has the MS17-010 SMB RCE Detection module which “uses information disclosure to determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is “STATUS_INSUFF_SERVER_RESOURCES”, the machine does not have the MS17-010 patch. If the machine is missing the MS17-010 patch, the module will check for an existing DoublePulsar (ring 0 shellcode/malware) infection. This module does not require valid SMB credentials in default server configurations. It can log on as the user “\” and connect to IPC$.” It is a scanner module and just informs you that you need to patch your windows boxes – extremely useful for blue teamers.
If you are interested to exploit, read on…
Our friends at Eleven Paths, created a Metasploit module that we can add to our MSF and get a nice meterpreter session.
- Download the file from https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit
- Copy the eternalblue_doublepulsar.rb file to the metasploit windows smb exploits path (/usr/share/metasploit-framework/modules/exploits/windows/smb)
- Load msf and select the eternalblue_doublepulsar module
At this point it is important to remind ourselves what the two exploits really do:
and the parameters we need to input:
And with that,we are set. Fire up the exploit…and voila! Meterpreter session as SYSTEM – we do not even need to elevate privileges :-O
Though Microsoft has released patches for this issue, there are millions if not billions of servers, workstations still vulnerable for various reasons. And worse, it is now easier to exploit, as we have seen.