Secure Dose

Wednesday 3 May 2017

Hands-on with EternalBlue, DoublePulsar and the Patch

I know, I am writing after quite a long time, but I had to!
EternalBlue and DoublePulsar are NSA tools (EternalBlue is an SMBv1 exploit; DoublePulsar is the kernel-mode backdoor it installs) that were leaked by the Shadow Brokers in April 2017. The leak has been described as the biggest cyber upheaval since Stuxnet.
I thought I would dive into it.

Setting up the environment:
The Metasploit module used here was written by two researchers, Pablo González and Sheila Berta of ElevenPaths. It is not a reimplementation of the exploit: it is a wrapper that drives the original leaked binaries (more on that below).
You can clone it from here:
https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit/
I assume you are familiar with the basics of msf.
Download the module file and place it in Metasploit's SMB exploit directory:
/usr/share/metasploit-framework/modules/exploits/windows/smb/
Search for eternalblue in msfconsole (run reload_all first if msfconsole was already open) and use it.
In the options, set the paths to the leaked EternalBlue and DoublePulsar binaries (the module's ETERNALBLUEPATH and DOUBLEPULSARPATH options) and fill in the rest (RHOST, payload, and so on). Make sure TARGETARCHITECTURE matches the bitness of the target OS, and that PROCESSINJECT names a process that really runs on the target with that architecture (for example lsass.exe on an x64 target): the payload DLL is injected into that process, so a wrong value means no session, or a crashed target.

The first run may fail with a Wine error if Wine has never been initialised for this user. Simply run wine foo.exe (any executable will do) so that Wine creates its prefix in your home directory (~/.wine, which is /root/.wine when running as root). Note that the leaked binaries are 32-bit Windows executables, so a 32-bit Wine (wine32 on Debian/Kali) must be installed.
Run the exploit again and it should go through.


You do not normally need to set LHOST by hand: Metasploit fills it with the address of your default interface. Set it explicitly only when the target has to connect back to a different address or interface (NAT, multiple NICs, VPNs).
I got access to the Win7 machine.

What does it do?
It actually runs the original binaries from the leak under Wine rather than reimplementing the exploit.
You can see this at lines 105 and 114 of the module source.


Without going deep: the original binary exploits the SMBv1 protocol with a Windows kernel exploit (a memory-corruption bug in the SMBv1 server driver, srv.sys) and uses the kernel-mode execution it gains to plant the DoublePulsar backdoor, which then performs:
  • DLL injection (the payload DLL handed over by the module)
  • Process injection (into the user-mode process named by PROCESSINJECT)
DoublePulsar lives only in kernel memory and does not survive a reboot, so if you want to come back you need to set up persistence on the host. After that, each startup only needs a multi/handler listening, with no re-exploitation (and no fresh risk of crashing the target) every time you want access.

Exploitation Scope: 
  • Windows XP (all service packs) (x86) (x64)
  • Windows Server 2003 SP0/1/2 (x86)
  • Windows Vista (x86) (x64)
  • Windows Server 2008 (x86)
  • Windows Server 2008 R2 (x86) (x64)
  • Windows 7 (all service packs) (x86) (x64)

Reliable?
These exploits are not reliable against Windows 7 or Windows Server 2008 R2: the exploit does not always land, but a failed attempt still affects the target one way or another, because EternalBlue corrupts kernel memory in srv.sys and a miss tends to take the kernel down with it. The following behaviours are typical:
  • Unexpected shutdown
  • BSOD
  • Reboot
  • Hangs
  • Errors popping up
So if your Windows hosts have been showing these issues for the last 3-4 days, you may well be getting hit with these now-public exploits. Note that they are not 0-days: MS17-010 had been available since 14 March 2017, a month before the leak.

What did I see?
The system was facing lots of errors and critical issues.
Let me share:


There were lots of Criticals, Errors and Warnings.
OK, by analysing these errors you may get a good idea of how these exploits work! :)

If you are interested in diving into a few of them, the following links discuss the Wininit event 11 warning ("custom dynamic link libraries are being loaded for every application") in more depth:
https://answers.microsoft.com/en-us/windows/forum/windows8_1-security/custom-dynamic-link-libraries-are-being-loaded-for/912df301-9adc-4a07-8fff-5edd50e9d64b
https://community.spiceworks.com/windows_event/show/1844-microsoft-windows-wininit-11#windows_event_comment_1857
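The symptoms above (unexpected shutdowns, BSODs, reboots, plus the Wininit warning the two links discuss) all leave traces in the System event log, so they can be triaged in bulk rather than by scrolling through Event Viewer. The script below is an added example, not part of the original post or of the ElevenPaths module; it assumes Windows PowerShell 3.0 or later (for Get-WinEvent -FilterHashtable), rights to read the System log, and the four-day window the post mentions. The event IDs and providers it matches on are the standard ones (Kernel-Power 41, BugCheck 1001, EventLog 6008, Wininit 11); the symptom labels are this script's own.

```powershell
# Added example (not from the original post): triage the System event log for the
# crash/instability symptoms discussed above. Assumes Windows PowerShell 3.0+ and
# rights to read the System log. Event IDs used (all in the System log):
#   41    Microsoft-Windows-Kernel-Power  rebooted without a clean shutdown (reset / power loss)
#   1001  BugCheck                        rebooted from a bugcheck (BSOD)
#   6008  EventLog                        previous shutdown was unexpected
#   11    Microsoft-Windows-Wininit       custom DLLs are being loaded for every application
function Get-CrashSymptom {
    param(
        [int]$Days = 4,                          # the post talks about "the last 3-4 days"
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $since  = (Get-Date).AddDays(-$Days)
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'System'
        Id        = 41, 1001, 6008, 11
        StartTime = $since
    } -ErrorAction SilentlyContinue

    # An event ID alone is ambiguous (the DHCP client also logs 1001 in System),
    # so the provider is checked too; events from other providers are dropped.
    foreach ($e in $events) {
        $symptom = $null
        switch ($e.Id) {
            41   { if ($e.ProviderName -eq 'Microsoft-Windows-Kernel-Power')            { $symptom = 'Unexpected reset / power loss' } }
            1001 { if ($e.ProviderName -match 'BugCheck|WER-SystemErrorReporting')       { $symptom = 'BSOD (bugcheck)' } }
            6008 { if ($e.ProviderName -eq 'EventLog')                                  { $symptom = 'Unexpected shutdown' } }
            11   { if ($e.ProviderName -eq 'Microsoft-Windows-Wininit')                 { $symptom = 'Custom DLLs loaded into every process' } }
        }
        if ($symptom) {
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Id       = $e.Id
                Provider = $e.ProviderName
                Symptom  = $symptom
                Message  = ($e.Message -split "`r?`n")[0]   # first line of the message only
            }
        }
    }
}

function Show-CrashSummary {
    param([int]$Days = 4)
    $found = @(Get-CrashSymptom -Days $Days | Sort-Object Time)
    if ($found.Count -eq 0) {
        Write-Host "No crash or instability events in the System log for the last $Days days."
        return
    }
    Write-Host "Events in the last $Days days by symptom:"
    $found | Group-Object Symptom | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
    $found | Format-Table Time, Symptom, Message -AutoSize -Wrap

    # Wininit 11 is raised because AppInit_DLLs is populated. Dump the value (native key
    # and the 32-bit-on-64-bit key) so the listed libraries can be reviewed.
    if ($found.Symptom -contains 'Custom DLLs loaded into every process') {
        foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                         'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
            $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($v) { "{0}`n  AppInit_DLLs = '{1}'  LoadAppInit_DLLs = {2}" -f $key, $v.AppInit_DLLs, $v.LoadAppInit_DLLs }
        }
    }
}

Show-CrashSummary -Days 4
```

None of these events is specific to EternalBlue (faulty drivers and power problems produce the same 41/1001/6008 pattern, and some endpoint products legitimately populate AppInit_DLLs), so treat the summary as a lead, not a verdict. A host that shows this pattern and still listens on 445 should be checked for the implant itself, for example with Metasploit's auxiliary/scanner/smb/smb_ms17_010 module, which reports both the missing patch and a DoublePulsar infection.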

Patch Available?
MS17-010 for EternalBlue and, I think, MS16-123 for DoublePulsar.


If you do not want (or cannot yet) apply MS17-010, the mitigation for EternalBlue is to turn off SMBv1, the only dialect the exploit speaks. Two caveats about the commands below, which come from Microsoft KB2696547. First, they are sc.exe (service control) commands, not PowerShell cmdlets; they work the same in cmd.exe and in a PowerShell prompt. Second, they disable the SMB client drivers (lanmanworkstation with mrxsmb10/mrxsmb20), which stops the box from talking SMBv1 as a client but does not touch the SMBv1 server (srv.sys on port 445) that EternalBlue attacks. To protect a host from being exploited, the SMBv1 server has to be disabled as well: on Windows 7 / Server 2008 R2 and earlier, set the DWORD value SMB1 to 0 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and reboot. Disabling SMBv2/3 gives no extra protection against EternalBlue and breaks normal file sharing, so the second pair is listed for completeness, not as a recommendation.
To disable the SMBv1 client:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
To disable the SMBv2/v3 client (not needed against EternalBlue):
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc.exe config mrxsmb20 start= disabled
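Since the sc.exe commands above only deal with the client side, here is the server-side check and mitigation as an added example (my own script, not from the original post or from Microsoft): it reports whether one of the MS17-010 packages is installed and what version of srv.sys is on disk, shows whether the SMBv1 server is enabled, and can disable it. It assumes an elevated Windows PowerShell session on the host being checked. The KB list is the commonly cited set of MS17-010 packages and is an assumption to verify against the bulletin for your OS; later monthly rollups and cumulative updates supersede these packages, so "no KB found" does not on its own mean unpatched, which is why the srv.sys version is printed for comparison with the bulletin's file table.

```powershell
# Added example (not from the original post): MS17-010 / SMBv1-server status for the
# local host, plus a function that disables the SMBv1 server (what EternalBlue attacks).
# Assumes an elevated Windows PowerShell session. The KB list below is an assumption:
# it is the commonly cited set of MS17-010 packages, later rollups supersede them.
$Ms17010Kbs = @(
    'KB4012598',                          # XP / Server 2003 / Vista / Server 2008 (out-of-band)
    'KB4012212', 'KB4012215',             # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',             # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',             # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010 {
    $found = @(Get-HotFix -Id $Ms17010Kbs -ErrorAction SilentlyContinue)
    $srv   = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    $ver   = 'srv.sys absent (SMBv1 server not installed)'
    $date  = $null
    if ($srv) { $ver = $srv.VersionInfo.FileVersion; $date = $srv.LastWriteTime }
    [pscustomobject]@{
        Ms17010HotfixPresent = ($found.Count -gt 0)
        HotfixIds            = ($found | Select-Object -ExpandProperty HotFixID) -join ', '
        SrvSysVersion        = $ver      # compare with the file table in the MS17-010 bulletin
        SrvSysDate           = $date
    }
}

function Get-Smb1ServerState {
    # Windows 8 / Server 2012 and later have a cmdlet; older versions only expose the
    # registry value from Microsoft KB2696547. A missing value means the default: enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        if ((Get-SmbServerConfiguration).EnableSMB1Protocol) { return 'Enabled' } else { return 'Disabled' }
    }
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    if ($null -eq $p.SMB1) { return 'Enabled (default, SMB1 value not set)' }
    if ($p.SMB1 -eq 0)     { return 'Disabled' }
    return 'Enabled'
}

function Disable-Smb1Server {
    # Only SMBv1 is touched: SMBv2/3 are not affected by EternalBlue and normal file sharing needs them.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWORD -Value 0 -Force
        Write-Warning 'Registry value set; the SMBv1 server stays active until the host is rebooted.'
    }
}

Test-Ms17010 | Format-List
"SMBv1 server: $(Get-Smb1ServerState)"
# Disable-Smb1Server    # uncomment to apply the mitigation
```

Run it as-is to get the report; uncomment the last line to actually switch the SMBv1 server off. Disabling SMBv1 is a mitigation, not a substitute for the patch: MS17-010 fixes several srv.sys bugs, and legacy clients (Windows XP, old NAS firmware, some printers) that can only speak SMBv1 will lose access to the host's shares once it is off.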
Share if you liked it. :)

 
biz.