![]() DoublePulsarXORKe圜alculator.cpp – This program sends 4 SMB packets. However there currently is a bug with the TreeID & UserID not being correctly set in the packets, which will be fixed in a later release. More exploitation attempts may be necessary. It took around 5 seconds for the backdoor to fully be operational, as already reported with EternalBlue writeups around the internet. This exploit works and was tested on Windows 7 圆4 bit. A SMB disconnect and SMB logoff request is then sent and the connection closes. The sockets are then closed by the program which detonates EternalBlue & DoublePulsar on the victim computer. ![]() Afterwards DoublePulsar is sent on Socket 3 to Socket 21. Then 20 other sockets are created and data is being sent to those sockets ( Socket 3 to Socket 21 ). Most of EternalBlue’s base64 payload is being sent over socket 1 where the Negociation, SessionSetup & TreeConnect packets were sent on. ![]() More whitespace or empty SMB packets are sent to the victim over multiple sockets to the same port on the victim. ![]() These NT trans packets are malformed which grooms the exploit in memory on the victim computer. Negociation, SessionSetup, TreeConnect and multiple NT trans and Trans2 packets. EternalBlue.cpp – This program sends multiple SMB packets.
0 Comments
Leave a Reply. |