Eternalblue-Doublepulsar. x86 architecture and using Metasploit.

Xavier Invers Fornells
x4v1s3c
Apr 23, 2019 · 5 min read


Introduction

EternalBlue, an exploit developed by the NSA (although the agency has never confirmed this), takes advantage of several flaws in the Microsoft SMB service.

The SMB service is used to share files and information between remote hosts. EternalBlue abuses the way SMBv1 and SMBv2 handle the packets they transport; as a consequence, an attacker is able to achieve remote code execution.

From 2017 until today, the MS17-010 vulnerability has been exploited in many ways. The goal of this post is to present the different versions of this exploit, whether included in the Metasploit framework or not, to show you how to prepare the 32-bit environment, and to show you the right configuration of the Eternalblue_doublepulsar exploit. The following instructions are very simple but important at the same time: many of the students I have talked with about this vulnerability have missed something when it comes to MS17-010 on 32-bit systems.

We are going to keep it simple and efficient. The content of this article is:

· Table of Windows versions and exploits

· Current Metasploit integrated modules

· Preparing x86 environment

· Editing exploit source

· Preparing exploit in Metasploit

· Eternalblue in year 2019

NB: the following proofs of concept are made from a Kali Linux distro.

Windows versions and exploits

NB: “Imported” means the ElevenPaths EternalBlue module is used.

Current Metasploit integrated modules

Metasploit database updated as of July 2018

ms17_010_eternalblue

This module runs against Windows 7 and Server 2008 R2 on the x64 architecture. It was the first Metasploit integrated module related to the MS17-010 vulnerability.

ms17_010_psexec

This module exploits all Windows versions affected by CVE-2017-0143, CVE-2017-0146 and CVE-2017-0147. It is more reliable than the other two exploits but requires a named pipe.

ms17_010_eternalblue_win8

Exploit for Windows 8, Windows 10 and 2012.

Preparing environment

First, since we focus on the x86 architecture, we have to prepare our system so that everything runs smoothly.

The command you have to use: dpkg --add-architecture i386

After adding the i386 architecture, you have to update the system's package lists.

At this point, we have to install Wine, an open-source compatibility layer that allows Windows programs to run on Unix-like systems. There are a couple of commands you must consider to install this application:

· apt-get install wine winetricks wine32-preloader

· wine cmd.exe

The first command installs the main packages, while the second is the first execution of Wine, which triggers the configuration of the application.

We can check the installation by executing wine cmd.exe.

After this layer is installed, we have to add Winetricks. This application is a must if you want to run certain Microsoft programs in Wine: its function is to add the basic Microsoft DLLs those programs need. With this in mind, you can set up Winetricks following these simple steps:

  • Leave the Windows cmd prompt, type winetricks in your command line and follow the steps shown.
  • No more screen captures are needed, as the Python 2.6.2 Setup is very simple: we only have to click “Next, Next, Next…”.
  • Now you should cancel the Pywin32-214 installation, as the version we need is Pywin32-212 (which you can download from here).

Once the program is downloaded, the installation process is quite simple.

Lastly, the pywin32-212 installation is “Next, Next, Next…”.

Setting Eternalblue_doublepulsar exploit

At this point, we have set up the environment and the components needed. The next few steps focus on how to get the exploit from the ElevenPaths GitHub.

Once we have downloaded it with the git clone command, we have to move the Ruby exploit to our Metasploit SMB exploits directory, which is usually /usr/share/metasploit-framework/modules/exploits/windows/smb.

After this, we have to edit the Ruby exploit and modify the “Path directory” of both the Eternalblue and Doublepulsar strings. We must set the path where we want to place the “deps” folder; it does not matter where, but you have to remember to edit the exploit and change this directory, unless you want to change this value every time you use the exploit (not recommended).

It is also very important to change the default process into which the DLL is injected: instead of wlms.exe, you must set the value to spoolsv.exe.

Let’s rock!

We are ready to start Metasploit and check all this configuration. If you are already in msfconsole, simply use the reload_all command to reload the Metasploit module database.

One of the most important parts is to set the exploit according to the OS to be exploited (version and architecture). For this reason, the following information is very important.

In the next image we can check how injecting the DLL into the wlms.exe process does not work, but it does work using spoolsv.exe (the OS is Windows 7 SP1 Professional 32 bits).

Eternalblue in year 2019

A few days ago I decided to take a look at the SMB service exposed to the Internet. Shodan returns more than 1.6M hosts with an open SMB port. If we assume that a minimum of 5% of that number is vulnerable, the result is about 80,000 systems indexed in an Internet device search engine with the EternalBlue vulnerability.

The latest Rapid7 threat report (2018 Q4) reports a 410% increase in EternalBlue activity over the period from January to December. The truth is, this increase includes all malware activity that takes advantage of it in some way, for example the Petya and WannaCry ransomware. Again, both have had an enormous impact worldwide.

April 2019: a new malware campaign has affected Asian territory. Again, this malware takes advantage of the SMBv1 protocol in order to spread to the maximum number of machines. The actions carried out by this malware are not of interest to us now; the relevant point is that the EternalBlue exploit keeps rolling today.
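As an added defender-side example (not part of the original post nor of the ElevenPaths module), the following PowerShell script checks whether a Windows host still exposes the two conditions EternalBlue needs: SMBv1 enabled and the MS17-010 update missing. The cmdlets used are standard Windows ones; the KB list is an assumption limited to the Windows 7 SP1 / Server 2008 R2 updates from the MS17-010 bulletin (the OS version targeted in the post) and must be extended with the KB numbers for any other OS version you audit.

```powershell
# Added example (not from the original post): defender-side check that a
# Windows host is not exposed to MS17-010 / EternalBlue.
# Run in an elevated PowerShell session on the host being audited.
#
# Assumption: $Ms17010Kbs holds only the Windows 7 SP1 / Server 2008 R2
# updates from the MS17-010 bulletin (security-only KB4012212, monthly
# rollup KB4012215). Extend it for the OS versions you actually audit.
$Ms17010Kbs = @('KB4012212', 'KB4012215')

function Test-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the setting through the SMB module.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $cfg = Get-SmbServerConfiguration
        return [bool]$cfg.EnableSMB1Protocol
    }
    # Older systems (e.g. the Windows 7 SP1 host used in the post): the SMB1
    # registry value is absent (default) or non-zero when SMBv1 is on, 0 when off.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val) -or ($val -ne 0)
}

function Test-Ms17010Patched {
    param([string[]]$KbIds = $Ms17010Kbs)
    # True when at least one of the listed updates is installed.
    $installed = Get-HotFix | Where-Object { $KbIds -contains $_.HotFixID }
    return ($installed | Measure-Object).Count -gt 0
}

function Get-EternalBlueExposure {
    $smb1    = Test-Smb1Enabled
    $patched = Test-Ms17010Patched
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Smb1Enabled  = $smb1
        Ms17010Patch = $patched
        # Exposed only when the vulnerable dialect is on AND the fix is absent.
        Exposed      = ($smb1 -and -not $patched)
    }
}

Get-EternalBlueExposure | Format-List
```

Two caveats when reading the result: later cumulative rollups supersede the 2017 KBs, so on a well-maintained host Ms17010Patch may show False even though the fix is present (the srv.sys file version is then the authoritative signal), and the only result that removes the attack surface regardless of patch level is Smb1Enabled = False. On a host where the script reports Exposed = True, disabling SMBv1 and installing the current rollup closes the path the post describes.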
