Wednesday 24 May 2017

Exploiting Windows 7 Machine Using EternalBlue and DoublePulsar

Introduction

This is a demo I created to understand how MS17-010 is exploited on a Windows 7 machine. It is based on the paper by Sheila A. Berta; I built my lab environment with a slightly different flavor of operating systems.

The tools I am going to use:

- Empire: Post-exploitation PowerShell agent [Kali Linux]
- EternalBlue: Exploit for SMBv1 [Windows XP]
- DoublePulsar: A plugin to inject a malicious DLL to get a reverse shell [Windows XP]
- FuzzBunch: Framework similar to Metasploit, written in Python 2.6 [Windows XP]
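
EternalBlue depends on the target still accepting SMBv1, so a useful defensive check in a lab like this one is to see which SMB version is actually on the wire. The following is an added example, not part of the original post or of any tool named in it: it classifies a TCP/445 payload by SMB version and, for an SMB1 negotiate request, lists the offered dialects. The function names and sample frames are constructed for illustration.

```python
import struct

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB1_HDR_LEN = 32            # fixed-size SMB1 header
SMB1_COM_NEGOTIATE = 0x72
SMB1_FLAG_REPLY = 0x80       # set on server-to-client messages

def classify_smb(payload):
    """Classify one TCP/445 payload. Returns (verdict, offered_dialects)."""
    if len(payload) < 8 or payload[0] != 0x00:   # 0x00 = session message
        return "not-smb", []
    length = int.from_bytes(payload[1:4], "big")
    smb = payload[4:4 + length]
    if smb[:4] == SMB2_MAGIC:
        return "smb2-or-later", []
    if smb[:4] != SMB1_MAGIC or len(smb) < SMB1_HDR_LEN + 3:
        return "not-smb", []
    command, flags = smb[4], smb[9]
    if flags & SMB1_FLAG_REPLY:
        return "smb1-server-reply", []           # server answered in SMB1: alert
    if command != SMB1_COM_NEGOTIATE:
        return "smb1-session-traffic", []        # SMB1 actually in use: alert
    # Negotiate request body: WordCount, parameter words, ByteCount, dialects.
    off = SMB1_HDR_LEN + 1 + 2 * smb[SMB1_HDR_LEN]
    if off + 2 > len(smb):
        return "not-smb", []
    (byte_count,) = struct.unpack_from("<H", smb, off)
    raw = smb[off + 2:off + 2 + byte_count]
    dialects = [d[1:].decode("ascii", "replace")
                for d in raw.split(b"\x00") if d[:1] == b"\x02"]
    if any(d.startswith("SMB 2") for d in dialects):
        return "multi-protocol-negotiate", dialects   # client also offers SMB2
    return "smb1-only-negotiate", dialects            # legacy-only client

# --- constructed sample frames (not captured traffic) ---
def smb1_msg(command, flags, body=b"\x00\x00\x00"):
    hdr = SMB1_MAGIC + bytes([command]) + b"\x00" * 4 + bytes([flags]) + b"\x00" * 22
    smb = hdr + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

def negotiate_req(dialects):
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return smb1_msg(SMB1_COM_NEGOTIATE, 0x18, b"\x00" + struct.pack("<H", len(data)) + data)

if __name__ == "__main__":
    for name, frame in [("legacy", negotiate_req(["NT LM 0.12"])),
                        ("modern", negotiate_req(["NT LM 0.12", "SMB 2.002"])),
                        ("setup", smb1_msg(0x73, 0x18)),
                        ("reply", smb1_msg(SMB1_COM_NEGOTIATE, 0x98))]:
        print(name, classify_smb(frame))
```

A `multi-protocol-negotiate` verdict alone is normal for modern clients; `smb1-server-reply` and `smb1-session-traffic` are the verdicts that show a host still completing SMBv1 exchanges.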

Lab Setup

Attacker 1: Kali Linux with Empire tools [192.168.213.149]
Attacker 2: Windows XP Service Pack 3 with Python 2.6 and PyWin32 v2.12 [192.168.213.147]
Target Machine: A Windows 7 box with Service Pack 1 [192.168.213.150]

Tools

Attacker machine 1: Kali Linux with Empire installed; Empire can be cloned from GitHub.
Attacker machine 2: Windows XP with FuzzBunch, which can also be cloned from GitHub. FuzzBunch requires a couple more tools to run: Python 2.6 and PyWin32 v2.12.

Note: You will have to change the environment variables to add Python 2.6 to the path.

Target machine: Nothing :)

Code

There are a couple of changes to make to fb.py. Comment out line 72: the folder it refers to is empty in the leak, and fb.py returned errors until the line was commented out.

The other change is in the "Fuzzbunch.xml" file. We have to amend the paths on lines 19 and 24 to match the paths on my XP machine:

C:\Documents and Settings\Administrator\Desktop\shadowbroker-master\shadowbroker-master\windowsResources

C:\Documents and Settings\Administrator\Desktop\shadowbroker-master\shadowbroker-master\windows\logs

Exploitation

EternalBlue


Once everything is set and ready to go, we fire up fb.py on the Windows XP machine using Python 2.6.

Fill in the required details: the target IP and the callback IP (the Kali machine). I used "0" to select my already created project, "eternal-test".

Now, we choose the exploit "EternalBlue".

We will leave most of the exploit's settings at their defaults, but select "1" for Target OS to choose the Windows 7 exploit and "1" for Mode of delivery to use "FB".

Once everything is set, we execute the exploit. Successful execution is confirmed by the message "Eternalblue Succeeded".

The Empire of Powershell


Once Eternalblue has run successfully, we switch back to the Kali box and use Empire to create a malicious DLL and set up a listening agent.

The first step is to set up a listener so that a reverse connection can be established once the malicious DLL is injected using Doublepulsar. We will use an HTTP listener named "Eternal" (how thoughtful) and put Kali's IP address under Host. Once all parameters are set, we start the listener.

Once the listener is started, we create a malicious DLL using Empire's "Stager" module. We set the architecture to x86, as our target is a 32-bit machine. When we execute the stager, a malicious DLL named "launcher.dll" is created.

Now, we start an HTTP server on Kali and download the file to our attacker 2 machine, i.e. Windows XP.

The Doublepulsar

Now it is time to inject our malicious DLL. Back in FuzzBunch, we will use Doublepulsar.

As with Eternalblue, we will use the default settings, but ensure the following are set accordingly:

- Protocol: "0" for SMB
- Architecture: "0" for x86 (remember, we are using a 32-bit OS)
- Function: "2" to execute a DLL
- DllPayload: Path where "launcher.dll" is saved on the attacker machine.

And some more default settings we do not change.

Final check on the module settings and hit execute.

We know that the module ran successfully because we can see "Doublepulsar Succeeded". At this point, we should have a connection back to my Kali box.

And... we have the reverse shell. To interact with the newly compromised machine, we just need to type "interact W74MEG9".

Migrating to Meterpreter


Now that we have pwned the box, we will migrate our session to Meterpreter. We will use the multi handler with the payload "windows/meterpreter/reverse_http".

In Empire, we will use the module "powershell/code_execution/invoke_shellcode" and set the agent to "W74MEG9".

Once executed, we will check whether we have got a reverse meterpreter shell. 

There we go! This vulnerability is as easy to exploit as the SMB NetAPI attack on Windows XP and 2003.

2 comments:

  1. Great article. Nicely written, clear screenshots. I smell an OSCP/OSCE guy out of you. wanna team up? It'll be fun pwning together.