Using ETERNALBLUE & DOUBLEPULSAR (Shadowbroker’s Dump/NSA Tools)

In my previous article I showed how to set up the Fuzzbunch framework. Now I’ll show how to use it to exploit a vulnerable target.

What I’m using in this demo:

Kali Linux 

Windows XP 

Windows 7 (Unpatched)

The first step is to make a malicious .DLL. Essentially, this attack uses ETERNALBLUE to plant the backdoor, then DOUBLEPULSAR to upload the DLL and trigger it. To create the DLL, I use msfvenom with LHOST set to the IP of my Kali Linux machine and LPORT set to any port Kali isn't already using (I chose 4443).


Next is to transfer the DLL to the Windows XP machine. AV will catch the DLL and delete it if you drop it on the host desktop, so I transfer it by starting my Apache2 server in Kali.


Then I remove the index.html file in the html directory and copy in my malicious DLL.


Next, I go to my Windows XP machine and go to Kali’s IP to download the .DLL.


I then save the DLL to the directory is in.


Next is to load Fuzzbunch.


Upon start, it will ask for a default target IP address, which would be your target. In my case, I'm using an unpatched Windows 7 machine with the address of


Next it will ask for a callback IP. This is mostly irrelevant here, since I'll be using a custom .dll that calls back on its own and doesn't need Fuzzbunch to do it for me, so I just put in my Windows XP IP, which is


It will then ask if you want to use redirection, which I do not, so I type no, then enter.


It then asks for a log directory, which I just set to C:\ (it doesn't really matter), then it asks for the project type and a confirmation, to which I hit yes. The final result looks like this:


After the settings are set, you can use the "?" command to see what you can do, and typing "use" then hitting tab will show which modules are available.


I then use ETERNALBLUE to create the backdoor by typing "use Eternalblue". It asks if you want to change the settings, to which I hit yes, then I hit enter until I get to "VerifyBackdoor". For this I put in "false", since we're only just creating it.


Next, I hit enter until I get to the delivery method; since I want Fuzzbunch to deliver it, I change this to 1.


I then confirm the settings, then fire away.


Eternalblue succeeded and created the backdoor. Next I use DOUBLEPULSAR, so I type "use doublepulsar" to select the module.
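From the defender's side, the reason a backdoor like this can be verified at all is that the DOUBLEPULSAR implant hooks SMB1 and answers a Trans2 SESSION_SETUP request with Multiplex ID 0x51 instead of echoing the 0x41 the client sent; public detection tools (Nmap's smb-double-pulsar-backdoor script, for instance) look for exactly this signature. The following is an added example, not code from the original post or from the Fuzzbunch framework: a passive check that parses raw SMB1 frames taken from a capture and flags replies carrying the implant's Multiplex ID. The sample frames are constructed here (headers only, no Trans2 parameter block) and the function names are my own.

```python
import struct

# Layout of an SMB1 message as it appears on the wire: a 4-byte NetBIOS
# session header followed by the 32-byte SMB1 header (MS-CIFS 2.2.3.1).
NETBIOS_HDR_LEN = 4
SMB1_HDR_LEN = 32
SMB1_MAGIC = b"\xffSMB"
# magic, command, status, flags, flags2, pid_high, signature, reserved,
# tid, pid_low, uid, mid (all little-endian)
SMB1_HDR_FMT = "<4sBIBHH8sHHHHH"
SMB_COM_TRANSACTION2 = 0x32
SMB_COM_NEGOTIATE = 0x72
SMB_FLAGS_REPLY = 0x80  # set on every server-to-client message

# Multiplex IDs used by the DOUBLEPULSAR "ping": the client sends a Trans2
# SESSION_SETUP with MID 0x41; an unmodified server echoes 0x41 back, while
# the implant answers with 0x51.
PING_MID_REQUEST = 0x41
PING_MID_IMPLANT = 0x51


def parse_smb1_header(frame: bytes) -> dict:
    """Return the SMB1 header fields of a raw frame (NetBIOS header included)."""
    if len(frame) < NETBIOS_HDR_LEN + SMB1_HDR_LEN:
        raise ValueError("frame too short for an SMB1 header")
    hdr = frame[NETBIOS_HDR_LEN:NETBIOS_HDR_LEN + SMB1_HDR_LEN]
    fields = struct.unpack(SMB1_HDR_FMT, hdr)
    if fields[0] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    names = ("magic", "command", "status", "flags", "flags2", "pid_high",
             "signature", "reserved", "tid", "pid_low", "uid", "mid")
    return dict(zip(names, fields))


def is_doublepulsar_ping_reply(frame: bytes) -> bool:
    """True if the frame is a Trans2 *reply* carrying the implant's MID 0x51.

    All three conditions matter: a clean server echoes whatever MID the client
    chose, so MID 0x51 on a different command or on a request is not evidence.
    """
    try:
        h = parse_smb1_header(frame)
    except ValueError:
        return False
    return (h["command"] == SMB_COM_TRANSACTION2
            and (h["flags"] & SMB_FLAGS_REPLY) != 0
            and h["mid"] == PING_MID_IMPLANT)


def flag_suspicious_replies(frames) -> list:
    """Indexes of frames in a capture that look like implant ping replies."""
    return [i for i, f in enumerate(frames) if is_doublepulsar_ping_reply(f)]


def _build_smb1_frame(command: int, flags: int, mid: int, status: int = 0) -> bytes:
    """Constructed test frame: header only, no Trans2 parameter block."""
    hdr = struct.pack(SMB1_HDR_FMT, SMB1_MAGIC, command, status, flags,
                      0xC807, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, mid)
    # NetBIOS session header: message type 0x00 plus a 3-byte big-endian length
    return b"\x00" + len(hdr).to_bytes(3, "big") + hdr


# Constructed samples (not captured traffic); 0x18/0x98 are typical
# request/reply flag bytes, 0xC0000002 is STATUS_NOT_IMPLEMENTED.
SAMPLE_PING_REQUEST = _build_smb1_frame(SMB_COM_TRANSACTION2, 0x18, PING_MID_REQUEST)
SAMPLE_CLEAN_REPLY = _build_smb1_frame(SMB_COM_TRANSACTION2, 0x98,
                                       PING_MID_REQUEST, status=0xC0000002)
SAMPLE_IMPLANT_REPLY = _build_smb1_frame(SMB_COM_TRANSACTION2, 0x98,
                                         PING_MID_IMPLANT, status=0xC0000002)
# A Negotiate reply that happens to echo MID 0x51: must not be flagged.
SAMPLE_OTHER_REPLY = _build_smb1_frame(SMB_COM_NEGOTIATE, 0x98, PING_MID_IMPLANT)

if __name__ == "__main__":
    capture = [SAMPLE_PING_REQUEST, SAMPLE_CLEAN_REPLY,
               SAMPLE_IMPLANT_REPLY, SAMPLE_OTHER_REPLY]
    print("suspicious frame indexes:", flag_suspicious_replies(capture))  # [2]
```

In practice the frames would come from a packet capture on TCP/445 (for example, the payload bytes of each SMB segment pulled out with a pcap library); the check itself is passive, so it can run over historical captures from the WannaCry period to find hosts that were already implanted.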


It fills out the settings automatically and asks if you want to change them. I hit "yes" and change the Architecture, since my target is 64-bit, then hit enter again until I get to "Function", where I choose "Run DLL".


I enter the full path to the DLL, including the file name, then hit enter until I reach the end and confirm my settings:


Before I hit yes, I need to do one last thing: I start the listener on my Kali machine by launching Metasploit and using multi/handler to wait for the DLL to be triggered:


Once running, I then launch the exploit:


Once it says succeeded, I look at my Kali machine again and I have a shell:


With admin privileges.


It's a long process, but once you have it set up it's cool to use the NSA tools, and it lets you run whatever you want in terms of payloads.


How to set up Fuzzbunch (Shadowbroker’s Dump/NSA Tools)

WannaCry was the hot topic for several months, and it stemmed from the Shadowbrokers leaking some of the NSA's tools, among them the Fuzzbunch exploit framework, which has the DOUBLEPULSAR and ETERNALBLUE modules built in. Metasploit now also has an ETERNALBLUE module built in, but my success with it has varied, and the added bonus of being able to upload your own custom payload is a big factor when considering AV and IPS.

What you’ll need:

The Shadowbroker’s dump of NSA tools

A copy of Windows XP

Python 2.6.6:


Install Python first, then install Pywin32 after it. Nothing fancy with the settings, just install as normal. Next, download the Shadowbroker's dump file and extract it to the desktop.


Next, you'll need to create a "listeningposts" folder under the "windows" folder in the Shadowbroker's dump, as shown below, to avoid the listeningposts error.


Then navigate to the directory is in, as shown below, assuming you extracted the dump file to your desktop.


Finally, run to get the Fuzzbunch framework running.