April 15, 2017
Equation Group Dump Analysis and Full RCE on Win7 on MS17-010 with Cobalt Strike
Written by
Justin Elze
UPDATE: When posting this blog, we had not applied the most recent Patch Tuesday patches (in March). This SMB flaw was apparently fixed on Tuesday with MS17-010. When we did our testing, we were out of the patch cycle for March. We have clarified the blog post with this update and the link to Microsoft below.
Link to advisory: Windows Advisory.
This blog post contains information that was obtained publicly and not through classified methods, but through the "Shadow Brokers" (suspected to be Russia) dump of the "Equation Group" (suspected to be NSA). The techniques here are zero-day in nature and can cause security issues; however, the information is now public and should be researched and disclosed. If the facts are indeed true, this is a dark day for our intelligence community, and we can’t comprehend the damage this has done. The only hope is that, while a lot of these exploits date back to research done in 2013, the capabilities have continued to grow and expand beyond what was disclosed today. Additionally, we don’t envy the task ahead for the fine and hard-working crew at Microsoft, working during the holiday weekend and away from family. The good news is that a lot of these have already been patched (some as early as last week).
Our goal with this post and at TrustedSec is not to cause harm or damages, but to present information that is already exposed in order to educate and help.
This blog post was written by Justin Elze – Principal Security Consultant at TrustedSec.
Today we awoke to this link from Martin Bos (@cantcomputer) (thanks for ruining our day off!). Shadow Brokers leaked additional tools reportedly from the Equation Group. This piqued our interest as a company, and after last week’s leak of various 0day exploits and implants for Linux/Solaris, we knew that it was probably legitimate. Leaks like this often contain 0day or known exploits with proofs of concept that have not been seen by the public. This leak was no different and far surpassed expectations.
It’s also a chance to learn new persistence and command and control methods used by government and adversaries. These techniques, tactics, and procedures (TTPs) give the security industry a much better understanding of capabilities, as well as of what we need to do in order to perform true adversarial simulation.
The data in the dump is a few years old (around 2013), but as you begin to dig into it there are multiple unpatched 0day exploits that affect various versions of Windows from XP -> Windows 8/Server 2012. The full extent is still TBD; based on the disclosure date, many of these exploits may be ported to Windows 10 and newer versions of Server 2012.
This leak contained 4 files:
odd.tar.xz.gpg – Implant/Backdoor
sha256sum.txt – Contained SHA256 hashes for the files
swift.tar.xz.gpg – Information on the SWIFT/EastNets breach
windows.tar.xz.gpg – Contains numerous Windows exploits and an exploitation framework called FuzzBunch.
Swift.tar contents:
Odd.tar contents:
Windows.tar contents:
A handful of people on Twitter were already tearing into the dump at this point. We began by attempting to analyze the primary framework. The framework is built on Python 2.6 and requires PyWin as well as a 32-bit Windows system, because most of the exploits are Win32 binaries.
Moving around this framework, called FuzzBunch, it is very similar to Metasploit as far as an exploitation framework goes. It can profile targets and suggest exploits that may be successful on the target, and it provides a comprehensive framework for exploit development and exploitation. It even has some pretty amazing ASCII art. The first thing you do in a new environment you are unfamiliar with is type "help":
Similar to Metasploit, the "use" command is available:
We began by reading various exploit manifests, looking at the versions of Windows they supported. EternalBlue seemed to have the widest support. We quickly spun up a victim Windows 7 system. Note that the patch for this flaw came out recently, in last Tuesday's Patch Tuesday release.
Next, we attempted to launch the exploit on a fully patched Windows 7 test system.
Once the system is compromised, DoublePulsar is the default implant installed by the exploit. Switching to the DoublePulsar module context allows you to interact with the compromised system. Various options include verifying the backdoor is installed, removing the backdoor, DLL injection, and raw shellcode injection.
We verified the exploit was successful by pinging the backdoor and then going through the removal process and verifying it was removed.
Once we were sure the exploit was functioning properly, we exploited the host again and attempted the DLL injection function. The first attempt failed because we weren’t using the correct DLL ordinal for the payload; however, with a quick change we were able to successfully move a compromised host out of the leaked framework and into Cobalt Strike. If you’re attempting this on something besides a test machine, we wouldn’t suggest injecting into LSASS.
This only scratches the surface of the various exploits and implants in the framework. There was another component in the windows directory, a Java application called DanderSpritz, which appears to be a listener and command and control framework for compromised hosts.
It’s been many years since there has been a zero user interaction RCE for Windows operating systems; MS08-067 and MS09-050 come to mind. While the example exploit and others in the framework are currently unpatched, customers should be aware that the services exploited in the above example should never be exposed to the public internet.
Below are videos using DoublePulsar to deliver a Cobalt Strike payload as our own RCE payload on a fully patched Windows 7 system:
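One way to check the exposure point above from the defender's side is to scan Windows Firewall logs for inbound SMB connections from outside the internal ranges. This is an added example, not code from the original post or from TrustedSec; the log lines, the INTERNAL_NETS list and the function names are constructed for illustration, and the field order follows the standard pfirewall.log "#Fields:" header.

```python
import ipaddress

# Field order from the "#Fields:" header of a Windows Firewall log (pfirewall.log).
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()
SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP
# Assumption: anything outside these ranges counts as "public"; adjust to your network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample log (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-04-15 09:01:12 ALLOW TCP 192.168.1.20 192.168.1.10 49210 445 0 - 0 0 0 - - - RECEIVE
2017-04-15 09:02:40 ALLOW TCP 203.0.113.7 192.168.1.10 51234 445 0 - 0 0 0 - - - RECEIVE
2017-04-15 09:03:05 DROP TCP 198.51.100.23 192.168.1.10 40022 445 0 - 0 0 0 - - - RECEIVE
2017-04-15 09:04:18 ALLOW TCP 203.0.113.7 192.168.1.10 51240 3389 0 - 0 0 0 - - - RECEIVE
2017-04-15 09:05:30 ALLOW TCP 192.168.1.10 203.0.113.9 49300 445 0 - 0 0 0 - - - SEND
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return any(ip in net for net in INTERNAL_NETS)

def external_smb_hits(log_text):
    """Return (timestamp, src, dst, port, action) for inbound SMB from external sources."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue  # header, blank or malformed line
        rec = dict(zip(FIELDS, parts))
        if rec["protocol"] != "TCP" or rec["path"] != "RECEIVE":
            continue  # only inbound TCP is relevant here
        try:
            port = int(rec["dst-port"])
            external = not is_internal(rec["src-ip"])
        except ValueError:
            continue
        if port in SMB_PORTS and external:
            hits.append((rec["date"] + " " + rec["time"], rec["src-ip"],
                         rec["dst-ip"], port, rec["action"]))
    return hits

def exposed(hits):
    """ALLOW hits mean the SMB service was actually reachable from outside."""
    return [h for h in hits if h[4] == "ALLOW"]

if __name__ == "__main__":
    for hit in external_smb_hits(SAMPLE_LOG):
        print(hit)
```

A DROP hit shows the firewall is doing its job; any ALLOW hit means the SMB service answered a non-internal source and the rule set needs fixing.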