NSA Cyber Weapon DoublePulsar to Exploit the Windows Embedded Devices


New research revealed that the NSA cyber weapon DoublePulsar can exploit Windows Embedded systems affected by the MS17-010 vulnerability.

The NSA tool called DOUBLEPULSAR, which is designed to provide covert backdoor access to a Windows system, was immediately utilized by attackers. It was leaked by the Shadow Brokers last year.

In this case, a researcher tested the DoublePulsar exploit on a Windows Embedded device and found that the authors of the DoublePulsar exploit did not add support for embedded devices; they wrote the exploit only for Windows OS.

So the exploit only works against vulnerable Windows OS versions and does not support the Windows Embedded operating system; it just throws the error “target OS is not supported”.

Vulnerability Checking on Target

So the researcher decided to check the target to confirm whether it was vulnerable. He used SMBTouch, and the result showed that the target is vulnerable to EternalBlue.

So the backdoor was successfully installed on the target, which confirmed that the authors of the MSF exploit modules just forgot to add support for the Windows Embedded version.

Gain a Shell Access using DoublePulsar 

Before injecting the DoublePulsar exploit into the target embedded system, the researcher created a DLL for the target host.

But it threw the error “[-] ERROR unrecognized OS string”, since Windows Embedded devices are not supported.

To find a solution, he decided to dig deeper into the error using the graphical view of the IDA tool.

According to the researcher, as seen from the graphical view, if the target machine is running Windows 7, it will take the left path, then proceed to detect whether its architecture is x86 or x64. If the target is not Windows 7, it will take the right path and do the other OS checks. Since there’s no check for Windows Embedded, the program ended up outputting the error message [-] ERROR unrecognized OS string.

In this case, he found that the error was due to the absence of a check for Windows Embedded devices when the exploit starts against the target.

So he made a few modifications to the exploit, patched it using @stalkr_’s script (https://stalkr.net/files/ida/idadif.py), and moved the modified Doublepulsar-1.3.1.exe back to its original location.

Finally, the modified version of the DoublePulsar exploit was successfully injected into the target host and gained a system shell.
