Eternalblue, DoublePulsar NSA Exploit

This is going to be a series of articles about building the NSA/ShadowBrokers exploit kit. We will cover the following exploits (EternalBlue, EternalRomance, DoublePulsar) against Windows Server 2003, 2008, 2012 and, of course, why not 2016 too 🙂

I'm not going to cover the background history lessons here; for more information, please read here

OK, so EternalBlue and EternalRomance are two fantastic buffer overflow exploits that target SMBv1 in the memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt with a simple arithmetic mistake where a DWORD is subtracted into a WORD. The kernel pool is groomed so that the overflow overwrites an SMBv1 buffer. The actual return address (RIP) hijack is later completed in srvnet!SrvNetWskReceiveComplete.

We will not use the NSA backdoor DLL; instead we generate our own DLL with msfvenom and execute it against our target machine.

Attacker IP 192.168.1.14 (Kali Linux)

Target IP 192.168.1.28 (lab domain-joined Windows Server 2008 R2 with unpatched SMBv1)

OK, so I decided to port the NSA exploit kit onto my Kali system.

Figure 1: NSA exploit kit, Windows based, ported to Linux

Figure 2: Exploit kit, python fb.py, nice graphical NSA interface 🙂

Figure 3: Set target IP address 192.168.1.26 and callback IP address 192.168.1.14

Figure 4: We use the DoublePulsar exploit to check if the system is already infected 🙂

Figure 5: We choose the function "backdoor" and set the path /tmp/win2008.bin, shellcode to binary on the target system

Figure 6: Final validation, and we execute the exploit against 192.168.1.26

Figure 7: Successful execution, and the shellcode is written to the output file

Figure 8: We use the EternalBlue SMBv1 exploit code and an msfvenom reverse shell DLL to execute code on the target system

Figure 9: We select 1, traditional exploit deployment using the FUZZBUNCH NSA framework

Figure 10: We execute EternalBlue with our custom DLL

Figure 11: Reverse shell from 192.168.1.26 to our Kali machine 192.168.1.26

So let's summarize:

  • SMBv1 is bad and easy to exploit
  • The EternalBlue exploit runs with SYSTEM privileges
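As an added example (not part of the original post), here is a PowerShell script that audits and disables SMBv1 on the kind of host targeted above, a Windows Server 2008 R2 box. The registry value, the service-dependency change and the MS17-010 KB numbers it uses are my assumptions based on what Microsoft documents for that platform, not anything stated in the post.

```powershell
# Added example, not from the original post: audit and disable SMBv1 on the
# server side (Windows Server 2008 R2). Run from an elevated PowerShell prompt;
# the registry change takes effect after a reboot.
# Assumptions: the LanmanServer\Parameters\SMB1 value and the mrxsmb10 /
# LanmanWorkstation dependency change are those documented in KB2696547, and
# the MS17-010 updates for 2008 R2 are KB4012212 (security-only) / KB4012215 (rollup).

$smb1Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerEnabled {
    # $true when the SMBv1 server is enabled. On 2008 R2 the SMB1 value is
    # absent by default, and absent means enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol   # 2012 and later
    }
    $p = Get-ItemProperty -Path $smb1Key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $true }
    return ($p.SMB1 -ne 0)
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force   # 2012 and later
    } else {
        # Server 2008 R2 has no SMB cmdlets; use the documented registry value.
        Set-ItemProperty -Path $smb1Key -Name SMB1 -Value 0 -Type DWord -Force
    }
    # Also stop the box from speaking SMBv1 as a client (mrxsmb10 driver).
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Test-Ms17010Installed {
    # Checks only the original March 2017 updates; a later cumulative rollup
    # supersedes them, so $false is a prompt to verify, not proof of exposure.
    $kbs = 'KB4012212', 'KB4012215'
    return [bool](Get-HotFix | Where-Object { $kbs -contains $_.HotFixID })
}

if (Get-Smb1ServerEnabled) {
    Write-Warning 'SMBv1 server is enabled; disabling it (reboot required).'
    Disable-Smb1Server
}
if (-not (Test-Ms17010Installed)) {
    Write-Warning 'No MS17-010 KB found; confirm the patch level in Windows Update history.'
}
```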
