Using ETERNALBLUE & DOUBLEPULSAR (Shadow Brokers’ Dump/NSA Tools)

In my previous article I showed how to set up the Fuzzbunch framework. Now I’ll show how to use it to exploit a vulnerable target.

What I’m using in this demo:

Kali Linux

Windows XP

Windows 7 (unpatched)

The first step is to build the DLL payload. Essentially, the attack uses ETERNALBLUE to plant the backdoor, then DOUBLEPULSAR to upload the DLL and trigger it. To create the DLL I use msfvenom, with LHOST set to the IP of my Kali Linux machine and LPORT set to any port Kali isn’t already using (I chose 4443).

[Screenshot: eb16.PNG]

Next is to transfer the DLL to the Windows XP machine. AV will catch and delete the DLL if you put it on the host desktop, so I transfer it by starting the Apache2 server in Kali.

[Screenshot: eb8]

Then I remove the index.html file from the html directory and copy my DLL in.

[Screenshot: eb9]

Next, on the Windows XP machine, I browse to Kali’s IP and download the DLL.

[Screenshot: eb10]

I save the DLL in the same directory as fb.py.

[Screenshot: eb11]

Next I load Fuzzbunch.

[Screenshot: fuzzbunch4]

On startup it asks for a default target IP address, which is your target. In my case this is an unpatched Windows 7 machine at 192.168.111.131.

[Screenshot: eb1]

Next it asks for a callback IP. This is mostly irrelevant here, since the custom DLL calls back on its own and doesn’t need Fuzzbunch to do it, so I just enter my Windows XP IP, 192.168.111.130.

[Screenshot: eb3]

It then asks whether to use redirection, which I don’t, so I type no and press Enter.

[Screenshot: eb4]

It then asks for a log directory, which I set to C:\ (it doesn’t really matter), then asks for the project type and a confirmation, which I answer yes. The final result looks like this:

[Screenshot: eb2]

Once the settings are in place, the “?” command shows what you can do, and typing “use” followed by Tab lists the available modules.

[Screenshot: eb5.PNG]

I then use ETERNALBLUE to create the backdoor by typing “use Eternalblue”. It asks whether I want to change the settings; I answer yes and press Enter through the prompts until I reach “VerifyBackdoor”, which I set to “false” since the backdoor is only being created now.

[Screenshot: eb13]

I keep pressing Enter until I reach the delivery method; we want Fuzzbunch here, so I change it to 1.

[Screenshot: eb14]

I then confirm the settings and fire away.

[Screenshot: eb15]

ETERNALBLUE succeeded and created the backdoor. Next I use DOUBLEPULSAR, so I type “use doublepulsar” to select the module.

[Screenshot: eb6]

It fills in the settings automatically and asks whether to change them. I answer yes, change the Architecture since my target is 64-bit, then press Enter until I reach “Function” and choose “Run DLL”.

[Screenshot: eb18.PNG]

I enter the full path to the DLL including its filename, press Enter through to the end and confirm my settings:

[Screenshot: eb24.PNG]

Before answering yes, one last thing: I start the listener on my Kali machine by launching Metasploit and using multi/handler to wait for the DLL to be triggered:

[Screenshot: eb20]

With the handler running, I launch the exploit:

[Screenshot: eb22]

Once it reports success, I look back at my Kali machine and I have a shell:

[Screenshot: eb21]

With admin privileges.

[Screenshot: eb23.PNG]

It’s a long process, but once it’s set up it’s cool to use NSA tools, and it lets you run whatever payload you want.
