EternalBlue does not store vuln for DoublePulsar infection

[egypt]

Steps to reproduce

How'd you do it?

1. Have a host vuln to eternalblue and infected with doublepulsar
2. use auxiliary/scanner/smb/smb_ms17_010
3. set rhosts ...
4. run
   • observe output like [!] 10.0.0.1:445 - Host is likely INFECTED with DoublePulsar! - Arch: x86 (32-bit), XOR Key: 0xAAAAAAAA

OR

2. use exploit/windowssmb/ms17_010_eternalblue
3. set rhosts ...
4. check
   • observe output like [!] 10.0.0.1:445 - Host is likely INFECTED with DoublePulsar! - Arch: x86 (32-bit), XOR Key: 0xAAAAAAAA

THEN

5. vulns
   • see there is no vuln for the infection

Expected behavior

Two vulns should be reported (one for 17-010 and one for DoublePulsar infection).

Current behavior

Only the 17-010 vuln is stored in the database.

System stuff

Metasploit version

msf5 exploit(windows/smb/ms17_010_eternalblue) > version
Framework: 5.0.34-dev
Console  : 5.0.34-dev

I installed Metasploit with:

• [x] Kali package via apt
• [ ] Omnibus installer (nightly)
• [ ] Commercial/Community installer (from http://www.rapid7.com/products/metasploit/download.jsp)
• [ ] Source install (please specify ruby version)

OS

Kali

[mkienow-r7]

@egypt What does db_status report?

[egypt]

@mkienow-r7

[*] Connected to msf. Connection type: postgresql.

[mkienow-r7]

This issue appear to be related to Msf::DBManager::Vuln#report_vuln finding an existing vulnerability with the same host and references. See lib/msf/core/db_manager/vuln.rb.

[egypt]

That was my feeling, thanks for validating. Should name be part of uniqueness checking?

[mkienow-r7]

That's probably the quickest solution. However, I'm thinking even this logic could have similar issues. What if we had a vuln with the same host, references and name, but unique info?

[egypt]

info often has timestamps and the like that might be unique but not useful. i think that's why it was originally omitted from the uniqueness check.

[mkienow-r7]

Thanks, that's a good point!