added MS17-010 auxiliary detection module #8167

Merged
merged 11 commits into from Apr 14, 2017

@zerosum0x0
Contributor

zerosum0x0 commented Mar 29, 2017

MS17-010 fixes RCE in SMBv1, but seems to also have inadvertently added a remote, uncredentialed patch check information disclosure.

This module can determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a PeekNamedPipe transaction on FID 0.

If the status returned is "STATUS_INSUFF_SERVER_RESOURCES", the machine does not have the MS17-010 patch. After the patch, Win10 returns "STATUS_ACCESS_DENIED" and other Windows versions "STATUS_INVALID_HANDLE". In case none of these are detected, the module says it was not able to detect the patch level (I haven't seen this in practice).

This module does not require valid SMB credentials in default server configurations. It can log on as the user "" and connect to IPC$.

--

Note: This can probably be changed someday to the check() method in an exploit module (assuming the RCE MS17-010 fixed is even feasibly exploitable). But for now as an auxiliary module it has helped get us some screenshots on pentests.

Verification

  • start msfconsole
  • use auxiliary/scanner/smb/smb_ms17_010
  • set RHOSTS to unpatched target
  • run
  • ensure module says host is VULNERABLE
  • Patch your target
  • run
  • ensure module says host is NOT vulnerable

Vulnerable Host

msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(smb_ms17_010) > set RHOSTS 192.168.1.104
RHOSTS => 192.168.1.104
msf auxiliary(smb_ms17_010) > run

[*] 192.168.1.104:445    - Connected to \\192.168.1.104\IPC$ with TID = 2048
[*] 192.168.1.104:445    - Received STATUS_INSUFF_SERVER_RESOURCES with FID = 0
[!] 192.168.1.104:445    - Host is likely VULNERABLE to MS17-010!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Same host after patch

msf auxiliary(smb_ms17_010) > run

[*] 192.168.1.104:445    - Connected to \\192.168.1.104\IPC$ with TID = 2052
[*] 192.168.1.104:445    - Received STATUS_ACCESS_DENIED with FID = 0
[+] 192.168.1.104:445    - Host does NOT appear vulnerable.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
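The decision logic described in the PR text, as an added example that is not the PR's or the Metasploit module's own code: it parses a constructed SMB1 Transaction (PeekNamedPipe) response header and maps the NT status to the three outcomes the description lists. The NT_STATUS values and the SMB_COM_TRANSACTION command byte are the documented constants; the function names, the SmbHeader struct and all sample bytes are constructed for this example. It goes one step beyond the text by checking the command byte first, so a STATUS_ACCESS_DENIED from an earlier step (tree connect, no TID yet) is not mistaken for the patch's answer.

```ruby
# Added example, not code from the PR or the Metasploit module: parse the fixed
# 32-byte SMB1 header of a Transaction response and classify the NT status the
# way the scanner description does. All sample bytes below are constructed.

# NT status values (MS-ERREF) that the scanner distinguishes.
STATUS_INVALID_HANDLE          = 0xC0000008
STATUS_ACCESS_DENIED           = 0xC0000022
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205
# SMB1 command bytes: SMB_COM_TRANSACTION carries PeekNamedPipe.
SMB_COM_TRANSACTION       = 0x25
SMB_COM_TREE_CONNECT_ANDX = 0x75

SmbHeader = Struct.new(:command, :status, :flags, :flags2, :tid, :pid, :uid, :mid)

# Parse the SMB1 header (MS-CIFS 2.2.3.1): 4-byte magic, then little-endian fields.
def parse_smb1_header(bytes)
  raise ArgumentError, 'short header' if bytes.bytesize < 32
  raise ArgumentError, 'not an SMB1 header' unless bytes.byteslice(0, 4) == "\xFFSMB".b
  command, status, flags, flags2, _pid_high, _security, _reserved, tid, pid, uid, mid =
    bytes.byteslice(4, 28).unpack('CVCvva8vvvvv')
  SmbHeader.new(command, status, flags, flags2, tid, pid, uid, mid)
end

# Decision logic from the PR description. The command check guards against the
# mistake discussed later in the thread: an access-denied status on an earlier
# step (no TID yet) is not the patch's response to PeekNamedPipe on FID 0.
def classify_ms17_010(header)
  return :not_a_transaction_response unless header.command == SMB_COM_TRANSACTION
  case header.status
  when STATUS_INSUFF_SERVER_RESOURCES then :vulnerable        # unpatched
  when STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE then :patched
  else :unknown                                               # patch level not determined
  end
end

# Build a constructed response header for testing (hypothetical sample data).
def build_smb1_header(command, status, tid)
  fields = [command, status, 0x88, 0xC807, 0, "\x00" * 8, 0, tid, 0xFEFF, 0x0800, 1]
  "\xFFSMB".b + fields.pack('CVCvva8vvvvv')
end

# Constructed responses mirroring the cases the PR describes (TIDs from its output).
SAMPLE_RESPONSES = {
  'unpatched'     => build_smb1_header(SMB_COM_TRANSACTION, STATUS_INSUFF_SERVER_RESOURCES, 2048),
  'patched_win10' => build_smb1_header(SMB_COM_TRANSACTION, STATUS_ACCESS_DENIED, 2052),
  'patched_other' => build_smb1_header(SMB_COM_TRANSACTION, STATUS_INVALID_HANDLE, 2048),
  # Access denied at tree connect: must not be reported as "patched".
  'tree_connect'  => build_smb1_header(SMB_COM_TREE_CONNECT_ANDX, STATUS_ACCESS_DENIED, 0)
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_RESPONSES.each do |name, raw|
    h = parse_smb1_header(raw)
    printf("%-14s cmd=0x%02X status=0x%08X TID=%d -> %s\n",
           name, h.command, h.status, h.tid, classify_ms17_010(h))
  end
end
```

Run it directly to see each constructed case classified; in a real check the header would come from the server's reply to the PeekNamedPipe transaction, and only a Transaction response should reach the status classification.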

zerosum0x0 added some commits Mar 29, 2017

@dmohanty-r7 dmohanty-r7 added the module label Mar 31, 2017

@zerosum0x0
Contributor

zerosum0x0 commented Apr 2, 2017

Added docs and report_vuln(). Think I'm done playing with the code unless there's a code review or other issue.

@dmohanty-r7
Contributor

dmohanty-r7 commented Apr 7, 2017

Unpatched:

msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(smb_ms17_010) > set RHOSTS *.*.*.*
RHOSTS => *.*.*.*

msf auxiliary(smb_ms17_010) > run

[*] 10.6.0.183:445        - Connected to \\*.*.*.*\IPC$ with TID = 2048
[*] 10.6.0.183:445        - Received STATUS_INSUFF_SERVER_RESOURCES with FID = 0
[!] 10.6.0.183:445        - Host is likely VULNERABLE to MS17-010!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Patched:

msf auxiliary(smb_ms17_010) > run

[*] 10.6.0.129:445        - Connected to \\*.*.*.*\IPC$ with TID = 2048
[*] 10.6.0.129:445        - Received STATUS_INVALID_HANDLE with FID = 0
[+] 10.6.0.129:445        - Host does NOT appear vulnerable.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
@zerosum0x0
Contributor

zerosum0x0 commented Apr 7, 2017

What windows version? Did you mess with any LSA settings between patching? It looks like it didn't even connect to IPC$ at all, even though anonymous login worked for it the first time.

The error can be rescued but since there's no TID, I don't think the FID code is run. That STATUS_ACCESS_DENIED isn't the one from the patch, happening earlier.

@dmohanty-r7
Contributor

dmohanty-r7 commented Apr 14, 2017

My mistake, I was not using a proper target for the patched test. I patched the same vulnerable target and got the expected results (updated the output in my previous comment). This looks good to me!

@dmohanty-r7 dmohanty-r7 merged commit f7c8bd2 into rapid7:master Apr 14, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

dmohanty-r7 added a commit that referenced this pull request Apr 14, 2017

@dmohanty-r7
Contributor

dmohanty-r7 commented Apr 14, 2017

Release Notes

The auxiliary/scanner/smb/smb_ms17_010 module has been added to the framework. It scans for Windows hosts that are vulnerable to MS17-010 and connects to the IPC$ tree to attempt a PeekNamedPipe transaction on FID 0. Read this blog for more information: https://community.rapid7.com/community/infosec/blog/2017/04/18/the-shadow-brokers-leaked-exploits-faq.

@wvu-r7 wvu-r7 referenced this pull request Apr 17, 2017

Merged

Fix report_vuln/print_error in smb_ms17_010 #8255

2 of 2 tasks complete
@wvu-r7
Contributor

wvu-r7 commented Apr 17, 2017

@zerosum0x0, @dmohanty-r7: See fixes above.

@nixawk
Contributor

nixawk commented Apr 17, 2017

Test it against an XP lab.

(screenshot: 2017-04-17 at 05:13:23)

@nixawk
Contributor

nixawk commented Apr 19, 2017

PeekNamedPipe

This form of the pipe Transaction protocol is used to implement the Win32 PeekNamedPipe() API remotely. The PeekNamedPipe function copies data from a named or anonymous pipe into a buffer without removing it from the pipe. It also returns information about data in the pipe.

BOOL WINAPI PeekNamedPipe(
  _In_      HANDLE  hNamedPipe,
  _Out_opt_ LPVOID  lpBuffer,
  _In_      DWORD   nBufferSize,
  _Out_opt_ LPDWORD lpBytesRead,
  _Out_opt_ LPDWORD lpTotalBytesAvail,
  _Out_opt_ LPDWORD lpBytesLeftThisMessage
);

References

  1. Microsoft Networks SMB FILE SHARING PROTOCOL v6.0p (January 1, 1996).doc.pdf
  2. https://msdn.microsoft.com/en-us/library/windows/desktop/aa365779(v=vs.85).aspx

@zerosum0x0 zerosum0x0 referenced this pull request Apr 20, 2017

Merged

Added DoublePulsar detection to MS17-010 scanner module #8271

3 of 7 tasks complete

@zerosum0x0 zerosum0x0 deleted the RiskSense-Ops:ms17-010 branch Apr 27, 2017
