Using ETERNALBLUE & DOUBLEPULSAR (Shadowbroker’s Dump/NSA Tools)
In my previous article I showed how to set up the Fuzzbunch framework. Now I’ll show how to use it to exploit a vulnerable target.
What I’m using in this demo:
Windows 7 (Unpatched)
First is to make a malicious .DLL. Essentially, this exploit will create a backdoor with ETERNALBLUE and upload the DLL with DOUBLEPULSAR and triggering it. To create a malicious DLL, I use msfvenom with LHOST being the IP of my Kali Linux machine and LPORT being any port not being used by Kali (I chose 4443).
Next is to transfer the DLL to the Windows XP Machine. AV will capture the DLL and delete it if you put it on your host desktop, so I transfer it by starting my Apache2 server in Kali.
Then removing the index.html file in the html directory and copying in my malicious DLL.
Next, I go to my Windows XP machine and go to Kali’s IP to download the .DLL.
I then save the DLL to the directory fb.py is in.
Next is to load Fuzzbunch
Upon start, it will ask for a default target IP address, which would be your target. In my case, I’m using an unpatched Windows 7 machines with the address of 192.168.111.131.
Next it will ask for a callback IP. This is kind of irrelevent since I’ll be using a custom .dll that will call back itself and not need Fuzzbunch to do it for me, so I just put in my Windows XP IP, which is 192.168.111.130.
It will then ask if you want to use redirection, which I do not, so I type no, then enter.
It then asks for a log directory which I just specify at C:\ (Doesn’t really matter), then it’ll ask the project type and confirm, to which I hit yes. The final result looks like this:
After the settings are set, you can use the “?” command to see what you can do, and typing “use” then hitting tab will show what modules you can use.
I then use ETERNALBLUE to create the backdoor by typing “use Eternalblue”. It will ask if you want to change the settings, to which I hit yes, then hit enter until I got to “VerifyBackdoor”. For this I put in “false” since we’re just now creating it.
Next, I hit enter until I get to delivery method which we want to use Fuzzbunch, so change this to 1.
I then confirm the settings, then fire away.
Eternalblue succeded and created the backdoor. Next I use DOUBLEPULSAR, So I type “use doublepulsar” to select the module.
It fills out settings automatically and asks if you want to change them. I hit “yes” and change the Architecture since my target is 64 bit and then hit enter again until I get to “Function”, then choose “Run DLL”.
I input the full path to the DLL + the name, then enter until I get to the end and confirm my settings:
And before I hit yes, I need to do one last thing: I start up the listener on my Kali machine by launching Metasploit and using the multi/handler to listen for the DLL being triggered:
Once running, I then launch the exploit:
Once it says succeeded, I then look at my Kali machine again and I have a shell:
With admin privileges.
It’s a long process, but once you set it up it’s cool to use NSA tools and also lets you run whatever you want in terms of payloads.