Added double pulsar vuln detection nse. #854

Closed
wants to merge 4 commits into
from

xorrbit commented Apr 18, 2017

This is a detection script for the double pulsar backdoor that was leaked by the shadow brokers at https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation

It is based on the python detection script at https://github.com/countercept/doublepulsar-detection-script

This has been tested on two machines implanted with double pulsar, along with a few unaffected machines, with all results being as expected.

cldrn commented Apr 18, 2017

Very nice!

@dmiller-nmap

Rename to smb-double-pulsar-backdoor for consistency as this is not a "vuln" in the classic sense. I can make cleanup changes like this myself but at least I want answers to a couple of the questions.

scripts/smb-vuln-double-pulsar.nse
+
+description = [[
+Checks if the target machine is running the Double Pulsar SMB backdoor.
+

dmiller-nmap Apr 18, 2017

Does this require credentials? Host account creds or special backdoor auth creds? This could affect the CVSS score you calculated.


xorrbit Apr 18, 2017

No specific credentials are required; all you need is a null SMB session, but this will likely work with any valid credentials as well. It looks like by default Nmap will try null/null and guest/null creds, and on my test host guest is disabled but null creds work fine:

NSE: Starting smb-double-pulsar-backdoor against IP.
NSE: [smb-double-pulsar-backdoor IP] SMB: Added account '' to account list
NSE: [smb-double-pulsar-backdoor IP] SMB: Added account 'guest' to account list
NSE: [smb-double-pulsar-backdoor IP] LM Password:
NSE: [smb-double-pulsar-backdoor IP] SMB: Extended login to IP as HOSTNAME\guest failed (NT_STATUS_ACCOUNT_DISABLED)
NSE: [smb-double-pulsar-backdoor IP] LM Password:
NSE: Finished smb-double-pulsar-backdoor against IP.
scripts/smb-vuln-double-pulsar.nse
+
+author = "Andrew Orr"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"vuln", "safe"}
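Review bot: categories = {"vuln", "safe"} files a backdoor check under vulnerability scanning; Nmap's "malware" category exists for scripts that test whether a host is infected by malware or a backdoor, so {"malware", "safe"} fits this script (and the requested rename) better than "vuln".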
scripts/smb-vuln-double-pulsar.nse
+ 0x00, -- Max setup count.
+ 0x00, -- Reserved.
+ 0x0000, -- Flags (0x0000 = 2-way transaction, don't disconnect TIDs).
+ 10803622, -- Timeout
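Review bot: The timeout 10803622 is a magic value with no explanation in the code. Per the author's reply it appears to be one of the fields (with the multiplex ID of 65 and the 12 null parameters) that the implant checks before answering, so the comment should say that and point at the reference detection script; otherwise a later cleanup could "fix" it back to the smb.lua default and silently break detection.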

dmiller-nmap Apr 18, 2017

Is this specific value required? What's the significance?


xorrbit Apr 18, 2017

I think this value is required. It didn't work with other timeout values I've tried (0, and whatever the default in the smb.lua function is) but I didn't investigate this too much as this value works consistently. I believe it may be the combination of timeout value + multiplex id + 12 null parameters that triggers double pulsar to reply.

scripts/smb-vuln-double-pulsar.nse
+ -- the multiplex ID needs to be 65
+ smbstate["mid"] = 65;
+ -- 12 (not 11, not 13) nulls
+ local param = stdnse.fromhex("000000000000000000000000")
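Review bot: The trailing semicolon on smbstate["mid"] = 65; is not used elsewhere in Nmap's Lua scripts and should be dropped. Both comments state the constraint ("needs to be 65", "12 (not 11, not 13) nulls") without the reason; say that these values are part of the request the implant keys on, so nobody tidies them away later. Writing the parameter block as ("\0"):rep(12) also makes the count visible without counting hex digits.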

dmiller-nmap Apr 18, 2017

You can make this a little more explicit with string.rep like so: local param = ("\0"):rep(12)


xorrbit Apr 18, 2017

Changed to using string.rep. Lua is weird.

scripts/smb-vuln-double-pulsar.nse
+ stdnse.debug1("Error: " + result)
+ else
+ local status, header, parameters, data = smb.smb_read(smbstate)
+ local _, _, _, _, _, _, _, _, _, _, signature, _, _, _, _, multiplex_id = bin.unpack("<CCCCCICSSlSSSSS", header)
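Review bot: "Error: " + result uses the arithmetic + operator; Lua concatenates strings with .., so on the error path this line raises "attempt to perform arithmetic on a string value" instead of logging the error. The status returned by smb.smb_read should also be checked before header is unpacked, since a failed read does not return a 32-byte SMB header, and bin.unpack can be replaced by the string.unpack form suggested in the review.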

dmiller-nmap Apr 18, 2017

New string.unpack from Lua 5.3 has a cool function, string.packsize, which can be used to skip over bytes based on a fixed-length pack format. You can rewrite this line as:

local multiplex_id = string.unpack("<I2", header, string.packsize("BBBBB I4 B I2 I2 i8 I2 I2 I2 I2")+1)

In this case, the length turns out to be 30, then the offset is 31 because of Lua's 1-based indexing. So you could also just put in a literal 31. I guess there's no reason to change this, but I like to be pedantic.


xorrbit Apr 18, 2017

Changed to using string.packsize(). Pedantry is welcome.
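To check the offset arithmetic behind the string.packsize rewrite suggested above, here is an added Lua 5.3 example (not code from the PR or from Nmap): it packs a constructed SMB header with the same field layout the script unpacks, then reads the multiplex ID back from the computed offset.

```lua
-- Added example, not part of the PR. The format string covers the SMB header
-- fields up to (not including) the multiplex ID, exactly as in the review.
local before_mid = "<BBBBB I4 B I2 I2 i8 I2 I2 I2 I2"

-- Constructed header: values other than the protocol id and MID are arbitrary.
local header = string.pack(before_mid .. " I2",
  0xFF, 0x53, 0x4D, 0x42,  -- "\xFFSMB" protocol identifier
  0x25,                    -- command (SMB_COM_TRANSACTION)
  0,                       -- NT status
  0x18,                    -- flags
  0xC853, 0,               -- flags2, PID high
  0,                       -- 8-byte security signature
  0, 0, 0, 0,              -- reserved, TID, PID, UID
  65)                      -- multiplex ID the script sets

-- packsize gives 30 bytes before the MID; +1 because Lua strings are 1-indexed.
local offset = string.packsize(before_mid) + 1
local multiplex_id = string.unpack("<I2", header, offset)

assert(#header == 32, "SMB header should be 32 bytes")
assert(offset == 31, "MID offset should be 31")
assert(multiplex_id == 65, "MID should round-trip as 65")
print(("offset=%d mid=%d"):format(offset, multiplex_id))
```

Swapping the computed offset for the literal 31 gives the same result, which is why the review calls the packsize form a matter of taste.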

I don't know whether it's really important (or maybe Dan skipped it for a reason), but it'd be amazing if you could replace the bin.pack call with a string.pack call (again, Lua 5.3).

xorrbit commented Apr 18, 2017

These commits should take care of the issues mentioned so far, and responses to the questions are inline.

@Varunram For a time-sensitive thing like this, I wasn't going to push too hard to change the string packing.
@xorrbit I'll check out the changes and try to merge this right away.

nmap-bot closed this in 214d527 Apr 18, 2017
