
Added DoublePulsar detection to MS17-010 scanner module #8271

Merged (6 commits), Apr 25, 2017

Conversation

@ghost ghost commented Apr 20, 2017

Adds DoublePulsar detection to my MS17-010 scanner module landed in #8167. This performs the DoublePulsar SMB trans2 knock with MultiplexID 0x41, and if it knocks back with MultiplexID 0x51 it's an indicator of pre-existing compromise. DoublePulsar lives as shellcode in ring0 and goes away on system restarts, but seems to change this multiplexID away from the SMB specification. Others have noticed if you knock with 0x42, you'll get 0x52, so it's adding 0x10 to the MID when it should be the same.

The client ensures that every request that is sent to the server has a unique MID. When the server replies to a given request, the response contains the same MID. In this way, multiple requests can be sent to the server, and the client can simply match the response MID with the MID it generated to know which request has just been replied to.

This knock is as non-intrusive and unauthed as the missing patch information disclosure, and is done during the same SMB connection if the patch is missing (it's simple to check for, I don't think it needs to be an additional toggle option or a separate module, but will go that route if it's wanted).

I also cleaned up some code and all print statements are now in the main run function. I inverted the print messages from good<->bad to better reflect the rest of the framework as a red team tool. DoublePulsar detection is a warning message.

Code is based on Luke Jennings' Python code (credited in module):

/~https://github.com/countercept/doublepulsar-detection-script

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use auxiliary/scanner/smb/smb_ms17_010
  • target host missing ms17-010
  • Verify module says host is vulnerable, no message about infection
  • hook host with DoublePulsar
  • Verify module says host is vulnerable AND infected
  • Verify the "XOR Key" in module output matches DoublePulsar ping

@wvu wvu self-assigned this Apr 21, 2017

wvu commented Apr 21, 2017

Thanks. This is better than a separate module.

@jork2345

Waiting for an exploit module so hard! ;)


ghost commented Apr 23, 2017

I figured out the DoublePulsar "xor key" algorithm and think it should be included in this module.

// s is the 32-bit SMB Signature field of the trans2 ping response; s and x are unsigned 32-bit
// (in a language with arbitrary-precision integers, mask the result with & 0xffffffff)
s = SMB.Signature
x = 2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8));
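The two indicators this thread relies on, the MID coming back as request MID + 0x10 and the XOR key derived from the Signature field, as an added Ruby example (not the Metasploit module's code and not the script credited above): it parses a 32-byte SMB1 header from a Trans2 response, flags the MID anomaly, and computes the key with the formula posted above, masked to 32 bits because Ruby integers are arbitrary precision. The function names, the constructed header bytes and the sample Signature value 0x11223344 are assumptions for illustration; nothing here touches the network.

```ruby
# Added example (not the Metasploit module's code): SMB1 header parsing plus the
# two DoublePulsar indicators discussed in the PR. All packet bytes are constructed.

SMB_MAGIC = "\xFFSMB".b
SMB_COM_TRANSACTION2 = 0x32
DP_MID_DELTA = 0x10 # the backdoor answers MID 0x41 with 0x51, 0x42 with 0x52

# Parse the fixed 32-byte SMB1 header into the fields the check needs.
def parse_smb1_header(bytes)
  raise ArgumentError, "short SMB header" if bytes.bytesize < 32
  raise ArgumentError, "not an SMB1 packet" unless bytes.byteslice(0, 4) == SMB_MAGIC
  {
    command:    bytes.getbyte(4),
    nt_status:  bytes.byteslice(5, 4).unpack1("V"),
    signature1: bytes.byteslice(14, 4).unpack1("V"), # first 4 bytes of SecurityFeatures
    signature2: bytes.byteslice(18, 4).unpack1("V"),
    tid:        bytes.byteslice(24, 2).unpack1("v"),
    pid_low:    bytes.byteslice(26, 2).unpack1("v"),
    uid:        bytes.byteslice(28, 2).unpack1("v"),
    mid:        bytes.byteslice(30, 2).unpack1("v")
  }
end

# XOR key formula posted in this PR, evaluated on a 32-bit unsigned value.
# The masks matter in Ruby: without them the shifts grow past 32 bits.
def calculate_doublepulsar_xor_key(s)
  s &= 0xffffffff
  x = 2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8))
  x & 0xffffffff
end

# Classify a Trans2 response to a request that was sent with request_mid.
# A spec-conforming server echoes the MID; DoublePulsar returns MID + 0x10.
def doublepulsar_check(request_mid, response_bytes)
  hdr = parse_smb1_header(response_bytes)
  return { infected: false, reason: "not a Trans2 response" } unless hdr[:command] == SMB_COM_TRANSACTION2

  if hdr[:mid] == request_mid
    { infected: false, reason: "MID echoed as the spec requires" }
  elsif hdr[:mid] == ((request_mid + DP_MID_DELTA) & 0xffff)
    { infected: true, xor_key: calculate_doublepulsar_xor_key(hdr[:signature1]) }
  else
    { infected: false, reason: format("unexpected MID 0x%04x", hdr[:mid]) }
  end
end

# Build a constructed SMB1 header (not a capture) so the check runs offline.
# Flags 0x98 / Flags2 0xc807 / PIDLow 0xfeff are typical response values, chosen for realism only.
def build_smb1_header(command:, mid:, signature1: 0, nt_status: 0)
  [SMB_MAGIC, command, nt_status, 0x98, 0xc807, 0,
   signature1, 0, 0, 0, 0xfeff, 0, mid].pack("a4CVCvvVVvvvvv")
end

if __FILE__ == $PROGRAM_NAME
  knock_mid = 0x41
  infected = build_smb1_header(command: SMB_COM_TRANSACTION2, mid: 0x51, signature1: 0x11223344)
  clean    = build_smb1_header(command: SMB_COM_TRANSACTION2, mid: 0x41, signature1: 0x11223344)
  r = doublepulsar_check(knock_mid, infected)
  puts "infected host: #{r[:infected]}, XOR key 0x#{r[:xor_key].to_s(16)}" # XOR key 0x66774499
  puts "clean host: #{doublepulsar_check(knock_mid, clean)[:reason]}"
end
```

The check is deliberately keyed to the MID the caller actually sent rather than hard-coding 0x41/0x51, since the thread notes the backdoor adds 0x10 to whatever MID it is knocked with. Only the first four Signature bytes feed the key; the second four are parsed but unused, which matches treating the formula as a 32-bit computation.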


ghost commented Apr 23, 2017

Added the XOR key, changed pull request verification steps to verify it.

This module: we are just kind of replaying a ping packet (which is fine), but I have reverse engineered why this packet works.

https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html#pulsar_step5

I believe I figured out everything needed to talk to the backdoor. Maybe it makes sense to also make a DoublePulsar SMB exploit module (I would still leave the infection code in this aux module though)? Could save time fiddling around until a proper exploit module for EternalBlue/etc. is figured out.

  1. Send ping opcode, calculate xor key
  2. Send exec opcode, with original inject dll shellcode and append a generated meterpreter DLL with payload of choosing
  3. Meterpreter session opened

If done properly, this aux module, DP exploit, and EB exploit modules could re-use a lot of the same code.


wvu commented Apr 23, 2017

Nice work, @zerosum0x0. I was looking at the XOR key algorithm just a couple days ago, too. I've been toying with the idea of a DOUBLEPULSAR exploit module, but I haven't gotten around to writing anything up yet. If you'd like to do it, please feel free to. You have a better understanding of the code than I do.


ghost commented Apr 23, 2017

I probably will hack up something rudimentary for DoublePulsar in the next few days. But I would definitely need some help from you and others in organizing it since you are more familiar with the framework. Where/how should I separate out all the SMB packets that will be re-used across the modules? There needs to be like a MS17-010 mixin.

At first we can just make a module with a lot of hardcoded stuff that interacts with DoublePulsar. One thing that needs to get separated out and cleaned up is a raw kernel payload to inject DLL. Perhaps two, one that takes an existing process name (such as lsass.exe [i.e. what DP does]) and one which spawns a hidden process with a system token. I don't know if Metasploit has such a thing already? These payloads should then be the ones used during MS17-010 exploitation, instead of putting a backdoor in the kernel.

Another question is, since DP ping tells us the architecture, is there a way to say "I just want meterpreter/reverse_tcp" and get it in x86 or x64 flavor automatically, or is that switch only available via the target option? I guess it could just see if the ping arch matches the current target arch if nothing else.

I've also pretty much reversed all of the pertinent parts of EternalBlue.exe. One thing I'd like to avoid is a lot of duplicated effort (such as what happened with EXTRABACON, which was my fault). I don't know if anyone else is planning on porting it to Metasploit.

@ghost ghost mentioned this pull request Apr 23, 2017

@timwr timwr left a comment

Looks good to me. Excellent stuff @zerosum0x0


if status == "STATUS_INSUFF_SERVER_RESOURCES"
print_warning("Host is likely VULNERABLE to MS17-010!")
print_good("Host is likely VULNERABLE to MS17-010!")
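Review bot: the two print lines carry an identical message, so swapping `print_warning("Host is likely VULNERABLE to MS17-010!")` for `print_good(...)` changes only the severity, not what the operator learns; since the branch is gated on `status == "STATUS_INSUFF_SERVER_RESOURCES"`, consider including that status in the message so it is visible why the host is only "likely" vulnerable rather than confirmed.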

Good change


👍


ghost commented Apr 24, 2017

I added printing simple.client.peer_native_os for vulnerable hosts, so you don't waste time trying to pop Windows 10 boxes with EternalBlue.

This can probably be pulled if it passes all discretions. I will refactor some code out if needed in a future pull request.


nixawk commented Apr 25, 2017

A Python script for SMB has been created: /~https://github.com/nixawk/labs/blob/master/MS17_010/smb_exploit.py


ghost commented Apr 25, 2017

@nixawk nice. I actually started this module doing something similar in Python, but went the lazy route with Metasploit since it had a decent (and now better) SMB library.

You should add DP detection and print the OS like my script (as well as support RHOSTS)


wvu commented Apr 25, 2017

@zerosum0x0: Sorry for the delayed response.

  1. Feel free to create a mixin for now. As I understand it, the Trans2 packet is being worked on by @dmaloney-r7, and we should be able to use that when it's ready.
  2. Don't think we have any kernel payloads, much less kernel-based DLL injection. I've been injecting into spoolsv.exe.
  3. I wanted to say regenerate_payload could do it, but if you choose a payload with a specific arch (which is usually the case for native payloads), you're tied to that arch.
  4. All yours! We've been doing our own analysis, but we've made no movement on a module. I know you'll do it justice. :)

Let me know when you'd like this PR merged. Thanks!


ghost commented Apr 25, 2017

Thanks @wvu-r7. You can land this for now, so that people who clone can get it as-is. Serving us real well on pentests with the OS detection.


ghost commented Apr 25, 2017

@wvu-r7 spoolsv.exe is much saner than the default lsass.exe! Good tip!

wvu added a commit to wvu/metasploit-framework that referenced this pull request Apr 25, 2017
@wvu wvu merged commit 55f01d3 into rapid7:master Apr 25, 2017

wvu commented Apr 25, 2017

Shipped, yo. Thanks for the badass research. It's definitely filled in the gaps in my understanding. Cheers!


nixawk commented Apr 26, 2017

Thanks @zerosum0x0. I've added DP detection / Native OS features. Please try it against your lab.

@ghost ghost deleted the doublepulsar branch April 27, 2017 20:15

wvu commented May 8, 2017

Release Notes

DOUBLEPULSAR detection has been added to the MS17-010 scanner module.

@tdoan-r7 tdoan-r7 added the rn-enhancement release notes enhancement label May 10, 2017
6 participants