I had chosen ReactOS because it let me run Fuzzbunch under Wine instead of Windows. Leveraging this functionality, I exported the implant's kernel-mode install shellcode to disk. But first I needed to figure out how to install it.įortunately, I remembered there was an OutputInstall feature in Fuzzbunch, which we had touched on while working with the SMB implant. With no idea what I was looking for (other than MCS over X.224 over TPKT!), I decided I needed to install the implant to inspect the ping response. TPKT encapsulates the various RDP protocols, and the whole thing runs over TCP, optionally wrapped with SSL (TLS) first. I suspected that the packet might be TPKT due to the 03 header, which indicates the TPKT version. It wasn't the most elegant solution, but I do love one-liners. To satisfy my immediate curiosity, I replicated the ping packet blob from Countercept's RDP DOPU checker with a little Python and Netcat magic, inspecting the resulting packet in Wireshark. If there is research we missed, please let us know! However, 2019 seemed to be the year of RDP vulnerabilities, so we resolved to analyze the RDP implant in good faith. With ETERNALBLUE and other high-profile SMB vulnerabilities having captured the public's attention, it was no surprise that the SMB implant faced the most scrutiny. We decided to pursue the RDP variant of DOUBLEPULSAR because it seemed public research on the subject was lacking, other than the initial work Countercept (now F-Secure) performed to check for the RDP implant. If you're unfamiliar with the more common SMB variant, you can read our blog post detailing how we achieved RCE with it. In this sequel, wvu recounts the R&D (in all its imperfect glory) behind creating a Metasploit module for the DOUBLEPULSAR implant's lesser-known RDP variant.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |