Blitz | Automated Windows Remote Exploitation Framework | Lucideus Research
Blitz : Search and Destroy
Introduction
Blitz is a collection of Remote Exploits for various versions of Windows operating systems.
It is completely programmed in bash with a user interface similar to Metasploit-Framework for ease of use. All exploits are completely automated and require very less input from user, user needs to provide a target IP or an IP range and blitz will begin its work. Blitz leverages both Metasploit-Framework and custom exploit scripts to exploit its targets based on the stability of the exploit in other words the user gets best of both worlds.
Installation
Blitz comes with a install script so you don't have to manually set it up and in few minutes blitz is ready for attack. User just needs to run install.sh and wait for it to finish.
Start-Up
For ease of use user can just type blitz in any terminal to launch Blitz after it’s installed.
On its first start Blitz asks user to choose an interface, it shows all available active interfaces.
After choosing an interface Blitz immediately displays the internal IP of the user and the Main Menu.
Blitz currently supports :
- Windows XP
- Windows 7
- Windows 8/8.1
- Windows 10 Build 10240
- Windows Server 2003
- Windows Server 2008
- Windows Server 2012
- Windows Server 2016
Along with these options if the user wants some help, he/she can just type help and a help menu will be displayed.
If the user wish to change the interface, he/she can easily change it with interface option.
Now let's explore the Main Menu…
Option 1 : Windows XP
If the user chooses option 1 i.e. Windows XP, Blitz will immediately ask the user to input an IP address or a range.
After user input Blitz will start scanning the network for vulnerable WIndows XP Machines, it supports all variants of Windows XP.
Now as we can see Blitz found two vulnerable IPs and then it displayed an Attack Menu.
In case of Windows XP the user gets to choose from :
- MS12-020 Microsoft Remote Desktop Use-After-Free DoS
- MS08-067 Microsoft Server Service Relative Path Stack Corruption
Now let’s see what happens if the user chooses any option…
In case of option 1 we can see that Blitz automatically opens another terminal and launches MS12-020 Metasploit module against it and the target machine instantly crashes, this whole process is completely automated.
This is what happens when the user chooses option 2, Blitz found two vulnerable machines so it automatically launched two separate terminals with two instances of Metasploit MS08-067 module and we get two meterpreter sessions, similarly if we have more vulnerable machines we will get more sessions.
Option 2 : Windows 7
For Windows 7 Blitz displays two options :
- MS17-010 Eternal Blue
- MS12-020 Microsoft Remote Desktop Use-After-Free DoS
If the user chooses option 1…
Blitz automatically launches MS17-010 Metasploit Module and we get a shell, there are custom python scripts available for this exploit but I used Metasploit because its more stable.
If user chooses option 2
Now as you can see there is no Metasploit this time, this is a custom MS12-020 script as in case of windows 7 this was more stable in my testing, it immediately crashes the target, Now imagine if we get more number of vulnerable machines, all of them will see a Blue Screen Of Death aka BSOD immediately.
Option 3 : Windows 8/8.1
For Windows 8/8.1 Blitz displays two options :
- MS17-010 Eternal Blue
- MS17-010 Instant Crash BadShell
If user chooses option 1…
Now as you can see this time Blitz is using both Metasploit for a multi/handler and a custom script for payload generation and exploit, this whole process is again automated.
If the user chooses option 2
In this case MS12-020 module or script doesn’t support Windows 8/8.1 so i was able to crash it if i used a badly generated shellcode because when the shellcode is overwritten on the target machine its not what its expecting and it crashes immediately, in the traceback we can see the NETBIOS connection timed out, this means the machine is now crashed and offline.
Option 4 : Windows 10
This option only works if the target is a Windows 10 Build 10240 because after this version all Remote Code Vulnerabilities were patched by Microsoft, but lets see what happens if someone in our network is using this version…
Note : Eternal Romance only works if the target machine has a Guest Account Enabled.
Once again Blitz launches a multi/handler instance and then generates a payload and uses it to exploit Windows 10 and we get a meterpreter session.
Option 5 : Windows Server 2003
For Windows Server 2003 Blitz shows us three options :
- MS08-067 Net_Api
- MS12-020 Microsoft Remote Desktop Use-After-Free DoS
- EsteemAudit
If the user chooses option 1
Since MS08-067 Metasploit Module is extremely stable i am using it for the exploit.
If the user chooses option 2
In this case also MS12-020 Metasploit module is working with greater stability as compared to custom scripts.
If the user chooses option 3
After testing many custom scripts I found this custom Metasploit module for EsteemAudit,
As you can see its using wine in its exploit process, the install script which the user executes in the beginning takes care of this, it automatically installs and setup wine.
Option 6 : Windows Server 2008
For Windows Server 2008 Blitz uses MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference module in Metasploit-Framework with WAIT TIME set to zero seconds for a faster exploit, it can run with the default 180 seconds but when i tested with 0 seconds it was working fine.
Option 7 : Windows Server 2012
For Windows Server 2012, Eternal Romance was the most stable exploit and it almost never crashes the target and like Windows 10 it can be exploited in a similar manner in Blitz.
Option 8 : Windows Server 2016
Windows Server 2016 is also being exploited using Eternal Romance just like Windows 10 and Windows Server 2012 and in my last testing it was able to bypass Windows Defender because it uses Powershell Memory Injection payload.
Conclusion
Blitz is in its initial stages at this point of time and it will be updated with new Remote Exploits as they come and it will be optimised for the best user experience.
We will release the source code of Blitz soon on Github Stay tuned :)