infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

added XOR Key calculation

bug/bundler_fix
zerosum0x0 2017-04-22 23:54:30 -06:00 committed by GitHub
parent 8a77bf7b60
commit a69aba0eab
1 changed files with 13 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
modules/auxiliary/scanner/smb/smb_ms17_010.rb
View File

@ -42,6 +42,7 @@ class MetasploitModule < Msf::Auxiliary
[ 'CVE', '2017-0147'], [ 'CVE', '2017-0147'],
[ 'CVE', '2017-0148'], [ 'CVE', '2017-0148'],
[ 'MSB', 'MS17-010'], [ 'MSB', 'MS17-010'],
[ 'URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],
[ 'URL', 'https://github.com/countercept/doublepulsar-detection-script'], [ 'URL', 'https://github.com/countercept/doublepulsar-detection-script'],
[ 'URL', 'https://technet.microsoft.com/en-us/library/security/ms17-010.aspx'] [ 'URL', 'https://technet.microsoft.com/en-us/library/security/ms17-010.aspx']
], ],
@ -49,6 +50,12 @@ class MetasploitModule < Msf::Auxiliary
)) ))
end end
# algorithm to calculate the XOR Key for DoublePulsar knocks
def calculate_doublepulsar_xor_key(s)
x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))
x & 0xffffffff # this line was added just to truncate to 32 bits
end
def run_host(ip) def run_host(ip)
begin begin
ipc_share = "\\\\#{ip}\\IPC$" ipc_share = "\\\\#{ip}\\IPC$"
@ -69,14 +76,16 @@ class MetasploitModule < Msf::Auxiliary
) )
# vulnerable to MS17-010, check for DoublePulsar infection # vulnerable to MS17-010, check for DoublePulsar infection
code = do_smb_doublepulsar_probe(tree_id) code, signature = do_smb_doublepulsar_probe(tree_id)
if code == 0x51 if code == 0x51
print_warning("Host is likely INFECTED with DoublePulsar!") xor_key = calculate_doublepulsar_xor_key(signature).to_s(16).upcase
print_warning("Host is likely INFECTED with DoublePulsar! - XOR Key: #{xor_key}")
report_vuln( report_vuln(
host: ip, host: ip,
name: "MS17-010 DoublePulsar Infection", name: "MS17-010 DoublePulsar Infection",
refs: self.references, refs: self.references,
info: 'MultiPlexID = 0x51 on Trans2 request' info: 'MultiPlexID += 0x10 on Trans2 request - XOR Key: #{xor_key}'
) )
end end
elsif status == "STATUS_ACCESS_DENIED" or status == "STATUS_INVALID_HANDLE" elsif status == "STATUS_ACCESS_DENIED" or status == "STATUS_INVALID_HANDLE"
@ -122,7 +131,7 @@ class MetasploitModule < Msf::Auxiliary
pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct
pkt.from_s(bytes[4..-1]) pkt.from_s(bytes[4..-1])
return pkt['SMB'].v['MultiplexID'] return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1']
end end
def do_smb_ms17_010_probe(tree_id) def do_smb_ms17_010_probe(tree_id)