Added double pulsar vuln detection nse. #854

Closed

xorrbit commented Apr 18, 2017

This is a detection script for the double pulsar backdoor that was leaked by the shadow brokers at https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation

It is based on the python detection script at https://github.com/countercept/doublepulsar-detection-script

This has been tested on two machines implanted with double pulsar, along with a few unaffected machines, with all results being as expected.

cldrn commented Apr 18, 2017

Very nice!

@dmiller-nmap

Rename to smb-double-pulsar-backdoor for consistency as this is not a "vuln" in the classic sense. I can make cleanup changes like this myself but at least I want answers to a couple of the questions.

scripts/smb-vuln-double-pulsar.nse
+
+description = [[
+Checks if the target machine is running the Double Pulsar SMB backdoor.
+
dmiller-nmap
dmiller-nmap Apr 18, 2017

Does this require credentials? Host account creds or special backdoor auth creds? This could affect the CVSS score you calculated.

xorrbit
xorrbit Apr 18, 2017

No specific credentials are required, all you need is a null smb session, but this will likely work with any valid credentials as well. It looks like by default nmap will try null/null and guest/null creds, and on my test host guest is disabled but null creds work fine:

NSE: Starting smb-double-pulsar-backdoor against IP.
NSE: [smb-double-pulsar-backdoor IP] SMB: Added account '' to account list
NSE: [smb-double-pulsar-backdoor IP] SMB: Added account 'guest' to account list
NSE: [smb-double-pulsar-backdoor IP] LM Password:
NSE: [smb-double-pulsar-backdoor IP] SMB: Extended login to IP as HOSTNAME\guest failed (NT_STATUS_ACCOUNT_DISABLED)
NSE: [smb-double-pulsar-backdoor IP] LM Password:
NSE: Finished smb-double-pulsar-backdoor against IP.
scripts/smb-vuln-double-pulsar.nse
+
+author = "Andrew Orr"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"vuln", "safe"}
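Review bot: `categories = {"vuln", "safe"}` still files the script under "vuln" even though the rename requested above is motivated by this not being a vulnerability in the classic sense; NSE has a dedicated "malware" category for scripts that detect backdoors and implants, so add "malware" here (and decide whether "vuln" should remain) so that `--script malware` picks the script up.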
scripts/smb-vuln-double-pulsar.nse
+ 0x00, -- Max setup count.
+ 0x00, -- Reserved.
+ 0x0000, -- Flags (0x0000 = 2-way transaction, don't disconnect TIDs).
+ 10803622, -- Timeout
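Review bot: `10803622, -- Timeout` is a magic number whose only documentation is the word "Timeout"; since the reply apparently depends on this exact value, the comment should say where it comes from (the countercept detection script the PR description cites) and that other values, including the smb.lua default, did not elicit a response, so a later cleanup does not "normalise" it and silently break detection.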
dmiller-nmap
dmiller-nmap Apr 18, 2017

Is this specific value required? What's the significance?

xorrbit
xorrbit Apr 18, 2017

I think this value is required. It didn't work with other timeout values I've tried (0, and whatever the default in the smb.lua function is) but I didn't investigate this too much as this value works consistently. I believe it may be the combination of timeout value + multiplex id + 12 null parameters that triggers double pulsar to reply.

scripts/smb-vuln-double-pulsar.nse
+ -- the multiplex ID needs to be 65
+ smbstate["mid"] = 65;
+ -- 12 (not 11, not 13) nulls
+ local param = stdnse.fromhex("000000000000000000000000")
dmiller-nmap
dmiller-nmap Apr 18, 2017

You can make this a little more explicit with string.rep like so: local param = ("\0"):rep(12)

xorrbit
xorrbit Apr 18, 2017

Changed to using string.rep. Lua is weird.

scripts/smb-vuln-double-pulsar.nse
+ stdnse.debug1("Error: " + result)
+ else
+ local status, header, parameters, data = smb.smb_read(smbstate)
+ local _, _, _, _, _, _, _, _, _, _, signature, _, _, _, _, multiplex_id = bin.unpack("<CCCCCICSSlSSSSS", header)
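Review bot: `stdnse.debug1("Error: " + result)` uses `+`, which in Lua is arithmetic, not concatenation; when `result` is a non-numeric error string this raises "attempt to perform arithmetic on a string value" instead of logging, so it should be `stdnse.debug1("Error: " .. result)`. In the `else` branch the `status` returned by `smb.smb_read(smbstate)` is never checked before `header` is unpacked; on a failed read `header` holds an error message or nil and `bin.unpack` returns garbage or errors out, so guard with `if not status then stdnse.debug1(...) return end` before the unpack.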
dmiller-nmap
dmiller-nmap Apr 18, 2017

New string.unpack from Lua 5.3 has a cool function, string.packsize, which can be used to skip over bytes based on a fixed-length pack format. You can rewrite this line as:

local multiplex_id = string.unpack("<I2", header, string.packsize("BBBBB I4 B I2 I2 i8 I2 I2 I2 I2")+1)

In this case, the length turns out to be 30, then the offset is 31 because of Lua's 1-based indexing. So you could also just put in a literal 31. I guess there's no reason to change this, but I like to be pedantic.

xorrbit
xorrbit Apr 18, 2017

Changed to using string.packsize(). Pedantry is welcome.
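As an added example (not code from the PR or from Nmap) of the string.packsize approach described in the review thread above, the Lua 5.3 snippet below builds a constructed 32-byte SMB1 header with string.pack, derives the multiplex ID offset (30 bytes of prefix, so 31 with 1-based indexing) and checks that reading one I2 at that offset agrees with unpacking every field. The field layout follows the bin.unpack format on the page; the command, flags and flags2 values are assumed sample values, not taken from the page.

```lua
-- Added example, not from the PR or Nmap: SMB1 header parsing with Lua 5.3
-- string.pack/string.unpack/string.packsize, as suggested in the review.
-- Fixed-size little-endian header matching the bin.unpack format
-- "<CCCCCICSSlSSSSS" on the page: 4 magic bytes + command, 4-byte status,
-- 1-byte flags, 2-byte flags2, 2-byte PIDHigh, 8-byte signature, then
-- reserved, TID, PID, UID and MID as 2 bytes each. 32 bytes in total.
local HEADER_FMT = "<BBBBB I4 B I2 I2 i8 I2 I2 I2 I2 I2"

-- Everything in front of the multiplex ID. packsize() is 30, so the MID
-- starts at 1-based offset 31, the literal mentioned in the review.
local PREFIX_FMT = "BBBBB I4 B I2 I2 i8 I2 I2 I2 I2"
local MID_OFFSET = string.packsize(PREFIX_FMT) + 1

-- Build a header carrying the given multiplex ID. Constructed test input,
-- not a captured packet; command/flags values are assumed.
local function build_header(mid)
  return string.pack(HEADER_FMT,
    0xFF, 0x53, 0x4D, 0x42,  -- protocol magic "\xFFSMB"
    0x25,                    -- command (SMB_COM_TRANSACTION, assumed)
    0,                       -- NT status
    0x18,                    -- flags (assumed)
    0xC007,                  -- flags2 (assumed)
    0,                       -- PIDHigh
    0,                       -- 8-byte signature
    0, 0, 0, 0,              -- reserved, TID, PID, UID
    mid)
end

-- The review's one-liner: skip the fixed prefix and read a single I2.
local function multiplex_id(header)
  assert(#header >= MID_OFFSET + 1, "short SMB header")
  return (string.unpack("<I2", header, MID_OFFSET))
end

-- The original approach: unpack all 15 fields and take the last one
-- (string.unpack returns a 16th value, the next position, which is ignored).
local function multiplex_id_full(header)
  local fields = { string.unpack(HEADER_FMT, header) }
  return fields[15]
end

local hdr = build_header(65)            -- the MID the script sends
assert(#hdr == 32)
assert(MID_OFFSET == 31)
assert(multiplex_id(hdr) == 65)
assert(multiplex_id(hdr) == multiplex_id_full(hdr))
print(("MID at offset %d: %d"):format(MID_OFFSET, multiplex_id(hdr)))
```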

I don't know whether it's really important (or maybe Dan skipped it for a reason), but it'd be amazing if you could replace the bin.pack call with a string.pack call (again, Lua 5.3).

xorrbit commented Apr 18, 2017

These commits should take care of the issues mentioned so far, and responses to the questions are inline.

@Varunram For a time-sensitive thing like this, I wasn't going to push too hard to change the string packing.
@xorrbit I'll check out the changes and try to merge this right away.

@nmap-bot nmap-bot closed this in 214d527 Apr 18, 2017