
Added double pulsar vuln detection nse. #854

Closed
wants to merge 4 commits

Conversation

@xorrbit

commented Apr 18, 2017

This is a detection script for the double pulsar backdoor that was leaked by the shadow brokers at https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation

It is based on the python detection script at https://github.com/countercept/doublepulsar-detection-script

This has been tested on two machines implanted with double pulsar, along with a few unaffected machines, with all results being as expected.

@cldrn

Member

commented Apr 18, 2017

Very nice!

@dmiller-nmap

left a comment

Rename to smb-double-pulsar-backdoor for consistency as this is not a "vuln" in the classic sense. I can make cleanup changes like this myself but at least I want answers to a couple of the questions.


author = "Andrew Orr"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}


dmiller-nmap Apr 18, 2017

Add "malware" category


xorrbit Apr 18, 2017

Author

Added.

0x00, -- Max setup count.
0x00, -- Reserved.
0x0000, -- Flags (0x0000 = 2-way transaction, don't disconnect TIDs).
10803622, -- Timeout


dmiller-nmap Apr 18, 2017

Is this specific value required? What's the significance?


xorrbit Apr 18, 2017

Author

I think this value is required. It didn't work with other timeout values I've tried (0, and whatever the default in the smb.lua function is), but I didn't investigate this too much as this value works consistently. I believe it may be the combination of timeout value + multiplex id + 12 null parameters that triggers double pulsar to reply.

-- the multiplex ID needs to be 65
smbstate["mid"] = 65;
-- 12 (not 11, not 13) nulls
local param = stdnse.fromhex("000000000000000000000000")


dmiller-nmap Apr 18, 2017

You can make this a little more explicit with string.rep like so: local param = ("\0"):rep(12)


xorrbit Apr 18, 2017

Author

Changed to using string.rep. Lua is weird.

stdnse.debug1("Error: " + result)
else
local status, header, parameters, data = smb.smb_read(smbstate)
local _, _, _, _, _, _, _, _, _, _, signature, _, _, _, _, multiplex_id = bin.unpack("<CCCCCICSSlSSSSS", header)
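Review bot: the debug call on the first line of this region, stdnse.debug1("Error: " + result), uses + where Lua needs .. for string concatenation; + is arithmetic, so the moment the error path is taken this line raises "attempt to perform arithmetic on a string value" and the error is never logged. Use stdnse.debug1("Error: %s", result), which formats the message for you. In the same region, the status returned by smb.smb_read should be checked before header is handed to bin.unpack, since on failure header is not a 32-byte SMB header and the unpack will produce garbage or fail.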


dmiller-nmap Apr 18, 2017

New string.unpack from Lua 5.3 has a cool function, string.packsize, which can be used to skip over bytes based on a fixed-length pack format. You can rewrite this line as:

local multiplex_id = string.unpack("<I2", header, string.packsize("BBBBB I4 B I2 I2 i8 I2 I2 I2 I2")+1)

In this case, the length turns out to be 30, then the offset is 31 because of Lua's 1-based indexing. So you could also just put in a literal 31. I guess there's no reason to change this, but I like to be pedantic.


xorrbit Apr 18, 2017

Author

Changed to using string.packsize(). Pedantry is welcome.
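The header parsing discussed in this thread (the bin.unpack field list and the string.packsize offset of 30 bytes before the multiplex ID) together with the MID-65 probe mentioned earlier, as an added Python example that is not part of this PR or of Nmap. It unpacks a constructed 32-byte SMB1 response header, confirms that exactly 30 bytes precede the multiplex ID, and classifies the reply by its MID. The 0x51 reply value is taken from the countercept detection script the PR says it is based on, not from this thread; the sample headers are constructed test data, not captured traffic; build_sample_header, classify_response and the other names are this example's own.

```python
import struct

# SMB1 (CIFS) header, little-endian, 32 bytes. Field order follows the
# bin.unpack("<CCCCCICSSlSSSSS") call quoted in the review: the four leading
# C's are the "\xffSMB" magic, 'l' is the 8-byte signature and the final 'S'
# is the multiplex ID (MID).
SMB_HEADER_FMT = "<4sBIBHHqHHHHH"
SMB_HEADER_LEN = struct.calcsize(SMB_HEADER_FMT)      # 32

# Bytes preceding the MID: the Python counterpart of
# string.packsize("BBBBB I4 B I2 I2 i8 I2 I2 I2 I2") from the review (30).
# Lua adds 1 because its string indices are 1-based; Python does not.
MID_OFFSET = struct.calcsize("<4sBIBHHqHHHH")           # 30

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32   # command byte of the Trans2 request/response

# MID the probe sends (PR: "the multiplex ID needs to be 65").
MID_SENT = 65                 # 0x41
# MID an implanted host answers with. Taken from the countercept script the
# PR is based on, not from this thread (assumption for this example).
MID_DOUBLEPULSAR = 0x51       # 81


def parse_smb_header(header: bytes) -> dict:
    """Unpack all twelve SMB1 header fields into a dict."""
    if len(header) < SMB_HEADER_LEN:
        raise ValueError(f"short SMB header: {len(header)} bytes")
    (magic, command, status, flags, flags2, pid_high, signature,
     reserved, tid, pid, uid, mid) = struct.unpack(SMB_HEADER_FMT,
                                                   header[:SMB_HEADER_LEN])
    if magic != SMB_MAGIC:
        raise ValueError("not an SMB1 header")
    return {
        "command": command, "status": status, "flags": flags, "flags2": flags2,
        "pid_high": pid_high, "signature": signature, "reserved": reserved,
        "tid": tid, "pid": pid, "uid": uid, "mid": mid,
    }


def read_mid(header: bytes) -> int:
    """Skip the fixed-length prefix and read only the MID, the way the
    string.unpack("<I2", header, packsize + 1) one-liner does in Lua."""
    if len(header) < SMB_HEADER_LEN:
        raise ValueError(f"short SMB header: {len(header)} bytes")
    return struct.unpack_from("<H", header, MID_OFFSET)[0]


def classify_response(header: bytes) -> str:
    """Interpret the MID of the reply to the MID-65 Trans2 probe."""
    mid = read_mid(header)
    if mid == MID_DOUBLEPULSAR:
        return "doublepulsar"
    if mid == MID_SENT:
        return "clean"            # a normal server just echoes the MID we sent
    return f"unexpected mid {mid:#x}"


def build_sample_header(mid: int, status: int = 0) -> bytes:
    """Construct a sample 32-byte SMB1 response header (constructed test
    data). Flags, PID and signature are filler values."""
    return struct.pack(SMB_HEADER_FMT, SMB_MAGIC, SMB_COM_TRANSACTION2, status,
                       0x98, 0xC807, 0, 0, 0, 0, 0xFEFF, 0, mid)


if __name__ == "__main__":
    print(f"header {SMB_HEADER_LEN} bytes, MID at offset {MID_OFFSET}")
    for mid in (MID_SENT, MID_DOUBLEPULSAR):
        print(f"reply mid={mid:#x} -> {classify_response(build_sample_header(mid))}")
```

read_mid is the direct equivalent of the one-liner from the review; parse_smb_header is the equivalent of the full bin.unpack and is what you want when the script also needs the status word to tell a refused session apart from a silent host.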


description = [[
Checks if the target machine is running the Double Pulsar SMB backdoor.


dmiller-nmap Apr 18, 2017

Does this require credentials? Host account creds or special backdoor auth creds? This could affect the CVSS score you calculated.


xorrbit Apr 18, 2017

Author

No specific credentials are required; all you need is a null smb session, but this will likely work with any valid credentials as well. It looks like by default nmap will try null/null and guest/null creds, and on my test host guest is disabled but null creds work fine:

NSE: Starting smb-double-pulsar-backdoor against IP.
NSE: [smb-double-pulsar-backdoor IP] SMB: Added account '' to account list
NSE: [smb-double-pulsar-backdoor IP] SMB: Added account 'guest' to account list
NSE: [smb-double-pulsar-backdoor IP] LM Password:
NSE: [smb-double-pulsar-backdoor IP] SMB: Extended login to IP as HOSTNAME\guest failed (NT_STATUS_ACCOUNT_DISABLED)
NSE: [smb-double-pulsar-backdoor IP] LM Password:
NSE: Finished smb-double-pulsar-backdoor against IP.
xorrbit added 2 commits Apr 18, 2017
Added malware category, added additional error checking, switched to using string.rep and string.packsize for cleaner code.
@Varunram


commented Apr 18, 2017

I don't know whether it's really important (or maybe Dan skipped it for a reason), but it'd be amazing if you could replace the bin.pack call with a string.pack call (again, Lua 5.3).

@xorrbit

Author

commented Apr 18, 2017

These commits should take care of the issues mentioned so far, and responses to the questions are inline.

@dmiller-nmap


commented Apr 18, 2017

@Varunram For a time-sensitive thing like this, I wasn't going to push too hard to change the string packing.
@xorrbit I'll check out the changes and try to merge this right away.

@nmap-bot nmap-bot closed this in 214d527 Apr 18, 2017
