Porting the leaked Equation Group (EQGRP) "Fuzzbunch" tool to Linux

([email protected] [email protected]) #1

Note: I did not do the original work for this. This is an adaptation from Sheila A. Berta’s Exploit DB guide and mdiazcl from github on how to do it.

With out further ado, let’s get right on into it shall we?!

So, everyone by now (unless you live under a rock) has heard about the NSA tools leaked by the Shadow Brokers, correct? Well, FuzzBunch is an exploit framework for Spooks. That’s right everyone…Metasploit for the government! No, it’s not a replica of Metasploit or anything but it is similar to it in the sense of what it’s used for.

Unfortunately, this toolset was meant to be used on an x32bit windows machine, however with some figuring we can get it to work on Linux with an application called Wine. If you’ve never used Wine before, it’s basically just a windows emulator that allows you to run individual programs meant for a windows system.

The first thing you’re going to want to do is install some programs. (I’ll be using Kali Linux for the duration of this tutorial.)

sudo apt-get install wine winbind winetricks

Here, we installed Wine (our base emulator), winbind (resolves user and group information from a Windows NT server), and winetricks (allows us to manage virtual Eindows environments using Wine).

Next, we’re going to install and setup a wine32 environment because FuzzBunch is setup to use Windows x32-bit binaries. This will also prevent you from screwing up any Wine environment you have going on.


dpkg --add-architecture i386 && apt-get update && apt-get install wine32

Setting up the environment:

WINEPREFIX="$HOME/.wine-fuzzbunch" WINEARCH=win32 wine wineboot

Changing WinePrefix for your current session:

export WINEPREFIX=$HOME/.wine-fuzzbunch

Next up, we have to add Python2.6 and FuzzBunch to the Windows PATH variable.


wine regedit

Select the folder: “HKEY_CURRENT_USER
Under that folder, select: “Environment

Right Click in the registry editor.
Select “New”, then “String Value

In the text box that just appeared, type “PATH
Right click the item you just created and click “Modify

Under the field labeled “Value Data” type (or copy /paste):


Then click “Registry” in the upper left hand corner, and click “Exit” to exit the registry editor.

Now, we’re going to CD into our newly created Wine folder, and grab the files we need from github.

cd $HOME/.wine-fuzzbunch/drive_c

You will need to apt-get install git if it isn’t already.

git clone https://github.com/mdiazcl/fuzzbunch-debian.git

Now, we’re going to install Python2.6 and pywin32 into our Wine environment. (Have no fear, for WINETRICKS IS HERE!)

Simply type:

winetricks python26

Winetricks will install both Python2.6 and pywin32 for you with that one command. All you need to do is select “For all users” and keep on hitting next.

Now, we’re going to inspect our final product! The FuzzBunch python application.

First, we need to CD into where the program is located.

cd $HOME/.wine-fuzzbunch/drive_c/fuzzbunch-debian/windows

Now, we type “wine cmd.exe” and then “python fb.py

There you have it folks!! You now have a functional NSA exploit framework at your fingertips. (Remember, neither I nor 0x00sec are responsible for what you do with this!)

In my next article, I’ll teach you how to use this wonderful piece of software and what exactly you can accomplish with it! (Hint, it will require Powershell Empire)

Stay paranoid, happy hacking, and use responsibly!


(Not a N00b, but still learning) #2

Will be useful on unpatched machines! :stuck_out_tongue:

1 Like

(Leader & Offsec Engineer & Forum Daddy) #3

“Stay Paranoid”, ha, loving it.

Wine is a actually a dope tool in the right hands. Nice article :wink:

1 Like


I wouldn’t exactly call this porting, but decent article nonetheless.

1 Like

([email protected] [email protected]) #5

It’s porting in the sense that you’re running it in an OS that the script was originally not intended for, and without the use of a full fledged emulated machine (like Virtualbox or VMWare).

Thank you! :smiley:



Nicely done!

Really looking forward for some Eternalblue and DoublePulsar action :wink:

1 Like

([email protected] [email protected]) #7

It’s coming! eventually lol Don’t you worry! :wink:

1 Like

(system) closed #8

This topic was automatically closed after 30 days. New replies are no longer allowed.