Exploiting MS17-010 – Using EternalBlue and DoublePulsar to gain a remote Meterpreter shell

This walkthrough assumes you know a thing or two and won’t go into major detail. After all, it’s meant for fellow researchers and penetration testers.

Findings so far…

Findings from using these tools so far:

  • The default process that DoublePulsar injects into is ‘lsass’. Whilst testing against Windows 2008 R2 SP1 it was observed that this caused the ‘lsass’ process to become unstable over time, resulting in some cases in a BSOD.
  • No domain is needed for the tools to work.
  • An active user session is also not needed.

Fuzzbunch setup

Firstly, we need to set up our environment for the ShadowBroker tools to run in.

In my case I created a Windows 7 VM for the task.

Prerequisites for this exercise are:

Once your environment is set up and you have downloaded the ShadowBroker archive, unzip it to a path of your choice.

In this instance I chose the root of the C: drive.

We then need to edit a few of the files to work with our environment, as on first run you will otherwise receive various error messages.

Firstly, we need to edit the “fb.py” file located in the /windows folder and comment out the line below.

Save the file and open up “Fuzzbunch.xml”; you now need to change the “ResourcesDir” and “LogDir” paths to match those of your environment.

Note: If there is no log directory, create one and add its path.

We should now be ready to run the Fuzzbunch tool.

Launch a command prompt and navigate to the /windows folder inside the ShadowBrokers folder.

Type the below command and hit return.

FuzzBunch should now be running in your command prompt, like the screenshot below.

Listener and Payload

Now we need to set up our Linux attack box. For the purpose of this post I’ll be using a Kali rolling VM with Metasploit installed.

Let’s go ahead and launch Metasploit, then create a DLL payload and a listener.

The target I am attacking is an x64 Windows Server 2008 R2 system, so I set up the following payload and saved it as shown in the screenshot below.

Now for the handler: an x64 reverse TCP Meterpreter.

We’ll run the handler and move on to the next step.

OK, the payload you created now needs copying over to the virtual machine where FuzzBunch is sitting and waiting.

Back to Fuzzbunch

Let’s return to our Windows VM.

We can now start entering our details into the FuzzBunch tool.

For most settings we can accept the defaults; the ones that we do need to change are below.

Now that our initial variables are set, you should be at the fb prompt.


Launching the exploit plugin

Launch the EternalBlue module.

Again, we can accept all defaults except the one below.

Change the above from its default setting of “0” to “1”; you can then execute the exploit. (Some details from my test have been redacted for security.)


Injecting our DLL payload

Now that the tool has created the backdoor on the vulnerable system, we can move on to running DoublePulsar, which will inject our DLL payload.

Once again we can accept most of the defaults; just change the variables below.

The above setting defaults to x86 and will need changing to x64.

We need to select option “2” so that we can use our newly created DLL payload.

Next we need to enter the path to our DLL file.

All other variables can be left at their default value and you can proceed to execute the plugin.


Hack all the things!

If everything has been successful you should now have a Meterpreter shell waiting on your attack box.

If you don’t have a shell yet then something has obviously gone wrong; check your steps and leave a comment and I will try and help you through it.


Security Researcher and Penetration Tester
CHECK Team Member

20 thoughts on “Exploiting MS17-010 – Using EternalBlue and DoublePulsar to gain a remote Meterpreter shell”

    1. Hi JC, I am still investigating what causes the lsass process to crash. It could be due to other pieces of software/services running on this particular host.

  1. Thanks, do you use any kind of encoder to evade antivirus software? And can this exploit be used against other processes or only against lsass?
