I tested EternalPulsar in a lab environment with the following setup:

Windows 8.1 (Attacker — 192.168.1.252)

Windows 7 (Victim — 192.168.1.123)

KaliLinux (MSF Handler — 192.168.1.193)

Simple stages that we will go through are:

Payload Creation > EB Exploit > MSF Setup > DoPu Upload > Rooted!

Payload:

This one is super simple, we just use msfvenom to create a .DLL that will call back to our MetaSploit listener. Our target is x64 architecture so lets make sure to use the right one (I didn’t originally and slapped myself when DoublePulsar told me off). Set the IP address of the machine you want to call back to, in this case our Kali instance and the port you’re going to listen on.

Nothing decidedly complex here simple reverse_tcp that we’ve all used.

EB Exploit:

Just like the MetaSploit framework, FuzzBunch allows you to ‘use’ and configure exploits, and their payloads.

FuzzBunch configuration and execution of EternalBlue

For the example here I had already configured the target and parameters but they’re fairly self explanatory, you select:

- Target IP

- Target Port

- Callback IP

- Confirm target OS

- Number of exploit attempts

- Target exploitability

- Define Delivery type

- Remote IP/Port for forwarding (Pivoting)

We then get final verification of settings before being asked if we are ready to fire our exploit.

The rest of the process connects to the target device, confirms that its OS matches what is expected based on the configuration for the exploit and that the exploit is not already installed. SMBv1 is used to connect and create a buffer in memory that will in turn become free for our exploit code to reside (Use-After-Free).

Our exploit code is uploaded and the implant placed, which then sends a return code to FuzzBunch to let us know its been successful. This has been identified as setting the SMB Multiplex ID to a value of 82 (52 00h) this is not a standard value for this and has aided us in creating signatures for the identification of the exploit, which we will cover at the end of this article:

Multiplex ID = 82

MSF Setup:

The next step takes us back to MetaSploit to create a simple handler to receive the connection back that our reverse_tcp payload will execute. We have our expected payload, the IP of the listening machine (get it right or you’ll end up listening on 0.0.0.0 ;) and the port that we configured in the payload.

MetaSploit Reverse TCP Handler

DoPu Upload:

We’re finally ready to upload our DoublePulsar backdoor and payload to the victim. As with the launch of EternalBlue we get the configuration options which are largely the same, except we are asked for details of the payload that we want DoublePulsar to execute once its installed. In this case we are using our ‘meter.dll’ which is the configured meterpreter reverse_tcp that we setup in stage 1, as well as the name of the process that we want to inject into, always best to use a standard windows process so we’re certain its there.

We’re breaking security so lets just use lsass.exe which is conveniently the default, we’re again confirming the protocol that we’re attacking (nbt is also an option that needs to be explored further) and the architecture of the target machine.

We get returns confirming that the DoublePulsar backdoor has staged correctly, then that the .DLL shellcode has been built and injected.

And to be quite honest, that’s all she wrote!

Rooted!:

We can see in our MetaSploit handler that we don’t even have to do anything further, the payload included in our ‘meter.dll’ has been executed and called back to the Kali instance. On the target system we can see our injected process, our shell, and the connection to our staging system.

We use MetaSploit to access the shell we have and can see that as expected we have full system access as user ‘nt authority\SYSTEM’ which if you are not familiar with windows systems is the highest level of privilege, eg root.