Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added double pulsar vuln detection nse. #854

Closed
wants to merge 4 commits into from
Closed

Conversation

@xorrbit
Copy link

@xorrbit xorrbit commented Apr 18, 2017

This is a detection script for the double pulsar backdoor that was leaked by the shadow brokers at https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation

It is based on the python detection script at https://github.com/countercept/doublepulsar-detection-script

This has been tested on two machines implanted with double pulsar, along with a few unaffected machines, with all results being as expected.

@cldrn
Copy link
Member

@cldrn cldrn commented Apr 18, 2017

Very nice!

Loading

Copy link

@dmiller-nmap dmiller-nmap left a comment

Rename to smb-double-pulsar-backdoor for consistency as this is not a "vuln" in the classic sense. I can make cleanup changes like this myself but at least I want answers to a couple of the questions.

Loading


author = "Andrew Orr"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add "malware" category

Loading

Copy link
Author

@xorrbit xorrbit Apr 18, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added.

Loading

0x00, -- Max setup count.
0x00, -- Reserved.
0x0000, -- Flags (0x0000 = 2-way transaction, don't disconnect TIDs).
10803622, -- Timeout

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this specific value required? What's the significance?

Loading

Copy link
Author

@xorrbit xorrbit Apr 18, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this value is required. It didn't work with other timeout values I've tried (0, and whatever the default in the smb.lua function is) but I didn't investigate this too much as this value works consistently. I believe it may be the combination of timeout value + multiplex id + 12 null parameters that triggers double pulsar to reply.

Loading

-- the multiplex ID needs to be 65
smbstate["mid"] = 65;
-- 12 (not 11, not 13) nulls
local param = stdnse.fromhex("000000000000000000000000")

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can make this a little more explicit with string.rep like so: local param = ("\0"):rep(12)

Loading

Copy link
Author

@xorrbit xorrbit Apr 18, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed to using string.rep. Lua is weird.

Loading

stdnse.debug1("Error: " + result)
else
local status, header, parameters, data = smb.smb_read(smbstate)
local _, _, _, _, _, _, _, _, _, _, signature, _, _, _, _, multiplex_id = bin.unpack("<CCCCCICSSlSSSSS", header)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

New string.unpack from Lua 5.3 has a cool function, string.packsize, which can be used to skip over bytes based on a fixed-length pack format. You can rewrite this line as:

local multiplex_id = string.unpack("<I2", header, string.packsize("BBBBB I4 B I2 I2 i8 I2 I2 I2 I2")+1)

In this case, the length turns out to be 30, then the offset is 31 because of Lua's 1-based indexing. So you could also just put in a literal 31. I guess there's no reason to change this, but I like to be pedantic.

Loading

Copy link
Author

@xorrbit xorrbit Apr 18, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed to using string.packsize(). Pedantry is welcome.

Loading


description = [[
Checks if the target machine is running the Double Pulsar SMB backdoor.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this require credentials? Host account creds or special backdoor auth creds? This could affect the CVSS score you calculated.

Loading

Copy link
Author

@xorrbit xorrbit Apr 18, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No specific credentials are required, all you need is a null smb session, but this will likely work with any valid credentials as well. It looks like by default nmap will try null/null and guest/null creds, and on my test host guest is disabled but null creds work fine:

NSE: Starting smb-double-pulsar-backdoor against IP.
NSE: [smb-double-pulsar-backdoor IP] SMB: Added account '' to account list
NSE: [smb-double-pulsar-backdoor IP] SMB: Added account 'guest' to account list
NSE: [smb-double-pulsar-backdoor IP] LM Password:
NSE: [smb-double-pulsar-backdoor IP] SMB: Extended login to IP as HOSTNAME\guest failed (NT_STATUS_ACCOUNT_DISABLED)
NSE: [smb-double-pulsar-backdoor IP] LM Password:
NSE: Finished smb-double-pulsar-backdoor against IP.

Loading

@Varunram
Copy link

@Varunram Varunram commented Apr 18, 2017

I don't know whether it's really important, (or maybe Dan skipped it for a reason) but it'd be amazing if you could replace the bin.pack call with a string.pack call (again, Lua 5.3)

Loading

@xorrbit
Copy link
Author

@xorrbit xorrbit commented Apr 18, 2017

These commits should take care of the issues mentioned so far, and responses to the questions are inline.

Loading

@dmiller-nmap
Copy link

@dmiller-nmap dmiller-nmap commented Apr 18, 2017

@Varunram For a time-sensitive thing like this, I wasn't going to push too hard to change the string packing.
@xorrbit I'll check out the changes and try to merge this right away.

Loading

@nmap-bot nmap-bot closed this in 214d527 Apr 18, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

4 participants