
Commit a69aba0

author
zerosum0x0
authored
added XOR Key calculation
1 parent 8a77bf7 commit a69aba0


1 file changed

+13
-4
lines changed


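--- a/modules/auxiliary/scanner/smb/smb_ms17_010.rb
+++ b/modules/auxiliary/scanner/smb/smb_ms17_010.rb
@@ -42,13 +42,20 @@ def initialize(info = {})
 [ 'CVE', '2017-0147'],
 [ 'CVE', '2017-0148'],
 [ 'MSB', 'MS17-010'],
+[ 'URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],
 [ 'URL', 'https://github.com/countercept/doublepulsar-detection-script'],
 [ 'URL', 'https://technet.microsoft.com/en-us/library/security/ms17-010.aspx']
 ],
 'License' => MSF_LICENSE
 ))
 end
 
+# algorithm to calculate the XOR Key for DoublePulsar knocks
+def calculate_doublepulsar_xor_key(s)
+x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))
+x & 0xffffffff # this line was added just to truncate to 32 bits
+end
+
 def run_host(ip)
 begin
 ipc_share = "\\\\#{ip}\\IPC$"
@@ -69,14 +76,16 @@ def run_host(ip)
 )
 
 # vulnerable to MS17-010, check for DoublePulsar infection
-code = do_smb_doublepulsar_probe(tree_id)
+code, signature = do_smb_doublepulsar_probe(tree_id)
+
 if code == 0x51
-print_warning("Host is likely INFECTED with DoublePulsar!")
+xor_key = calculate_doublepulsar_xor_key(signature).to_s(16).upcase
+print_warning("Host is likely INFECTED with DoublePulsar! - XOR Key: #{xor_key}")
 report_vuln(
 host: ip,
 name: "MS17-010 DoublePulsar Infection",
 refs: self.references,
-info: 'MultiPlexID = 0x51 on Trans2 request'
+info: 'MultiPlexID += 0x10 on Trans2 request - XOR Key: #{xor_key}'
 )
 end
 elsif status == "STATUS_ACCESS_DENIED" or status == "STATUS_INVALID_HANDLE"
@@ -122,7 +131,7 @@ def do_smb_doublepulsar_probe(tree_id)
 pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct
 pkt.from_s(bytes[4..-1])
 
-return pkt['SMB'].v['MultiplexID']
+return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1']
 end
 
 def do_smb_ms17_010_probe(tree_id)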
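Review bot: The `info:` value added to `report_vuln` in the second hunk is single-quoted, so `#{xor_key}` is stored as literal text and the computed key never reaches the vuln record, even though the `print_warning` line just above interpolates it correctly; change it to `info: "MultiPlexID += 0x10 on Trans2 request - XOR Key: #{xor_key}"`. That hunk sits inside `run_host`, whose begin/rescue structure starts and ends outside the hunk. In the first hunk, `calculate_doublepulsar_xor_key` relies on Ruby precedence (`*` and `&` bind tighter than `^` and `|`) for the intended grouping, which is hard to verify by eye; a short comment naming the grouping, or explicit parentheses, would let a maintainer check it against the reference behaviour. `to_s(16).upcase` also does not zero-pad, so a key whose top nibble is zero prints with fewer than 8 hex digits; `rjust(8, '0')` would keep the output uniform. Whether `Signature1` can be nil for a non-0x51 response is not visible here, but the key is only computed inside the `code == 0x51` branch, so that path looks safe.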
