Exploiting Windows with Eternalblue and Doublepulsar with Metasploit!

Most of us got hold of the NSA exploits recently released to the public, and there was a lot of hype and many public statements around them. A lot has been said, and most vendors came out to defend their products and to release patches to downplay or mitigate the impact of these exploits.

From the exploits, we came to learn about Fuzzbunch, NSA’s exploit framework (“NSA’s Metasploit”). I know a few people who have tried to use it and failed due to lack of knowledge of, or familiarity with, the dependencies that Fuzzbunch demands… fret no more. We can exploit the same vulnerabilities using our beloved Metasploit :-). Currently Metasploit has the MS17-010 SMB RCE Detection module, which “uses information disclosure to determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is “STATUS_INSUFF_SERVER_RESOURCES”, the machine does not have the MS17-010 patch. If the machine is missing the MS17-010 patch, the module will check for an existing DoublePulsar (ring 0 shellcode/malware) infection. This module does not require valid SMB credentials in default server configurations. It can log on as the user “\” and connect to IPC$.” It is a scanner module and only tells you which Windows boxes you need to patch, which makes it extremely useful for blue teamers.
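For blue teamers who want to apply the same status check to SMB1 responses already captured from an authorised scan, here is an added example (not code from this post or from the Metasploit module). The function names, the verdict strings, the sample frames and the two "patched" status values are assumptions that the post does not state.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION = 0x25      # command used for the transaction on the IPC$ tree
FLAGS_REPLY = 0x80              # Flags bit: message is a server response
FLAGS2_NT_STATUS = 0x4000       # Flags2 bit: Status holds a 32-bit NTSTATUS

STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205   # the status the post names
# Assumption, not from the post: statuses a patched server typically returns.
PATCHED_STATUSES = {0xC0000022: "STATUS_ACCESS_DENIED",
                    0xC0000008: "STATUS_INVALID_HANDLE"}


def parse_smb1_response(frame: bytes):
    """Return (command, ntstatus) from an SMB1 response; an optional 4-byte
    NetBIOS session header in front of the SMB header is skipped."""
    if frame[:1] == b"\x00" and frame[4:8] == SMB1_MAGIC:
        frame = frame[4:]
    if len(frame) < 32 or frame[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    # Header layout after the magic: Command(1) Status(4) Flags(1) Flags2(2)
    command, status, flags, flags2 = struct.unpack_from("<BIBH", frame, 4)
    if not flags & FLAGS_REPLY:
        raise ValueError("client request, not a server response")
    if not flags2 & FLAGS2_NT_STATUS:
        raise ValueError("DOS error codes in use, no NTSTATUS available")
    return command, status


def classify_ms17_010(frame: bytes) -> str:
    """Map the reply to the FID 0 transaction onto a patch verdict."""
    try:
        command, status = parse_smb1_response(frame)
    except ValueError:
        return "inconclusive"
    if command != SMB_COM_TRANSACTION:
        return "inconclusive"
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "missing MS17-010"
    return "patched" if status in PATCHED_STATUSES else "inconclusive"


def build_sample(status: int, command: int = SMB_COM_TRANSACTION) -> bytes:
    """Constructed test frame: NetBIOS header, 32-byte SMB1 header, empty body."""
    header = SMB1_MAGIC + struct.pack("<BIBH", command, status, 0x98, 0xC807)
    header += bytes(20) + b"\x00\x00\x00"   # rest of header, WordCount, ByteCount
    return b"\x00" + len(header).to_bytes(3, "big") + header
```

Anything other than a transaction reply carrying one of the known statuses is reported as inconclusive rather than guessed, so a host that has SMB1 disabled or that filters the request is not counted as patched.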

If you are interested in exploitation, read on…

Our friends at Eleven Paths created a Metasploit module that we can add to our MSF and get a nice meterpreter session.

Steps:

  1. Download the file from https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit
  2. Copy the eternalblue_doublepulsar.rb file to the Metasploit Windows SMB exploits path (/usr/share/metasploit-framework/modules/exploits/windows/smb)
  3. Load msf and select the eternalblue_doublepulsar module

[Screenshot: msf use eternalblue_]

At this point it is important to remind ourselves what the two exploits really do:

[Screenshot: module description]

and the parameters we need to input:

[Screenshot: basic options]

And with that, we are set. Fire up the exploit… and voila! A meterpreter session as SYSTEM, so we do not even need to elevate privileges :-O

[Screenshot: meterpreter session]

Though Microsoft has released patches for this issue, there are millions, if not billions, of servers and workstations still vulnerable for various reasons. Worse, it is now easier to exploit, as we have seen.

UPDATE!

I should have updated this ages ago! A Metasploit module was developed for the above exploit, and it makes exploiting this vulnerability a breeze. Surprisingly, this vulnerability is still not being patched. See the video below:
