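def parseRequest(self):
    """Parse the raw RPC bind request held in ``self.data``.

    Returns:
        The ``MSRPCHeader`` decoded from ``self.data``. The embedded
        ``MSRPCBind`` body is decoded only for the debug log line.
    """
    request = MSRPCHeader(self.data)
    # logging.* uses printf-style arguments: extra positional values with no
    # matching %s placeholder make the logging module emit a formatting error
    # instead of the record, so the placeholders are spelled out here.
    logging.debug("RPC Bind Request Bytes: %s", binascii.b2a_hex(self.data))
    # NOTE(review): assumes dump() returns the rendered text rather than
    # printing it and returning None — confirm against the struct class.
    logging.debug("RPC Bind Request: %s %s",
                  request.dump(),
                  MSRPCBind(request['pduData']).dump())
    return request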
def parseRequest(self):
    """Decode the RPC bind request in ``self.data`` and log it at DEBUG level.

    Returns:
        The ``MSRPCHeader`` parsed from ``self.data``.
    """
    header = MSRPCHeader(self.data)
    # Progress hook for the interactive display; presumably nshell=3 selects
    # the message shown for this step.
    shell_message(nshell=3)
    raw_hex = justify(binascii.b2a_hex(self.data))
    logging.debug("RPC Bind Request Bytes: \n%s\n" % raw_hex)
    header_text = justify(header.dump(print_to_stdout=False))
    bind_text = justify(MSRPCBind(header['pduData']).dump(print_to_stdout=False))
    logging.debug("RPC Bind Request: \n%s\n%s\n" % (header_text, bind_text))
    return header
def parseRequest(self):
    """Decode the RPC bind request in ``self.data``.

    When ``self.config['debug']`` is set, the raw bytes and the decoded header
    and bind body are printed to stdout.

    Returns:
        The ``MSRPCHeader`` parsed from ``self.data``.
    """
    header = MSRPCHeader(self.data)
    if not self.config['debug']:
        return header
    print("RPC Bind Request Bytes:", binascii.b2a_hex(self.data))
    print("RPC Bind Request:", header.dump(), MSRPCBind(header['pduData']).dump())
    return header
def generateRequest(self):
    """Build the MS-RPC bind request PDU for the KMS interface.

    Two presentation contexts are offered for the same abstract syntax (the
    KMS service interface UUID): NDR32 version 2 and the ``uuidTime``
    transfer syntax version 1. The PDU carries the first/last fragment flags,
    i.e. it is sent as a single fragment. The assembled request is logged at
    DEBUG level and returned.
    """
    kms_interface = uuid.UUID('51c82175-844e-4750-b0d8-ec255555bc06').bytes_le

    def build_ctx_item(context_id, transfer_uuid, transfer_ver):
        # One presentation-context item; only the fields that differ between
        # the two offered contexts are parameters.
        item = CtxItem()
        item['ContextID'] = context_id
        item['TransItems'] = 1
        item['Pad'] = 0
        item['AbstractSyntaxUUID'] = kms_interface
        item['AbstractSyntaxVer'] = 1
        item['TransferSyntaxUUID'] = transfer_uuid
        item['TransferSyntaxVer'] = transfer_ver
        return item

    ctx_ndr32 = build_ctx_item(0, uuidNDR32.bytes_le, 2)
    ctx_time = build_ctx_item(1, uuidTime.bytes_le, 1)

    bind = MSRPCBind()
    bind['max_tfrag'] = 5840  # maximum transmit fragment size
    bind['max_rfrag'] = 5840  # maximum receive fragment size
    bind['assoc_group'] = 0
    bind['ctx_num'] = 2
    # str()-based serialisation kept from the 2to3 port (see byterize below).
    bind['ctx_items'] = str(bind.CtxItemArray(str(ctx_ndr32) + str(ctx_time)))

    request = MSRPCHeader()
    request['ver_major'] = 5
    request['ver_minor'] = 0
    request['type'] = self.packetType['bindReq']
    request['flags'] = (self.packetFlags['firstFrag']
                        | self.packetFlags['lastFrag']
                        | self.packetFlags['multiplex'])
    request['call_id'] = self.config['call_id']
    request['pduData'] = str(bind)

    shell_message(nshell=0)
    bind = byterize(bind)
    request = byterize(request)

    header_text = justify(request.dump(print_to_stdout=False))
    bind_text = justify(MSRPCBind(request['pduData']).dump(print_to_stdout=False))
    logging.debug("RPC Bind Request: \n%s\n%s\n" % (header_text, bind_text))
    raw_hex = binascii.b2a_hex(str(request).encode('latin-1')).decode('utf-8')
    logging.debug("RPC Bind Request Bytes: \n%s\n" % justify(raw_hex))
    return request
def generateRequest(self):
    """Build the MS-RPC bind request PDU for the KMS interface.

    Two presentation contexts are offered for the same abstract syntax (the
    KMS service interface UUID): NDR32 version 2 and the ``uuidTime``
    transfer syntax version 1. The PDU is flagged as a single fragment.
    When ``self.config['debug']`` is set the request is printed to stdout.

    Returns:
        The populated ``MSRPCHeader``.
    """
    kms_interface = uuid.UUID('51c82175-844e-4750-b0d8-ec255555bc06').bytes_le

    def build_ctx_item(context_id, transfer_uuid, transfer_ver):
        # One presentation-context item; only the fields that differ between
        # the two offered contexts are parameters.
        item = CtxItem()
        item['ContextID'] = context_id
        item['TransItems'] = 1
        item['Pad'] = 0
        item['AbstractSyntaxUUID'] = kms_interface
        item['AbstractSyntaxVer'] = 1
        item['TransferSyntaxUUID'] = transfer_uuid
        item['TransferSyntaxVer'] = transfer_ver
        return item

    ctx_ndr32 = build_ctx_item(0, uuidNDR32.bytes_le, 2)
    ctx_time = build_ctx_item(1, uuidTime.bytes_le, 1)

    bind = MSRPCBind()
    bind['max_tfrag'] = 5840  # maximum transmit fragment size
    bind['max_rfrag'] = 5840  # maximum receive fragment size
    bind['assoc_group'] = 0
    bind['ctx_num'] = 2
    bind['ctx_items'] = CtxItemArray(bytes(ctx_ndr32) + bytes(ctx_time))

    request = MSRPCHeader()
    request['ver_major'] = 5
    request['ver_minor'] = 0
    request['type'] = MSRPC_BIND
    request['flags'] = (self.packetFlags['firstFrag']
                        | self.packetFlags['lastFrag']
                        | self.packetFlags['multiplex'])
    request['call_id'] = self.config['call_id']
    request['pduData'] = bytes(bind)

    if self.config['debug']:
        print("RPC Bind Request:", request.dump(), MSRPCBind(request['pduData']).dump())
        print("RPC Bind Request Bytes:", binascii.b2a_hex(bytes(request)))
    return request
def generateRequest(self):
    """Build the MS-RPC bind request PDU for the KMS interface.

    Offers two presentation contexts for the KMS service interface UUID:
    NDR32 version 2 and the ``uuidTime`` transfer syntax version 1. The PDU
    carries the first/last fragment flags (single fragment). The request is
    logged at DEBUG level and returned.
    """
    kms_interface = uuid.UUID('51c82175-844e-4750-b0d8-ec255555bc06').bytes_le

    def build_ctx_item(context_id, transfer_uuid, transfer_ver):
        # One presentation-context item; the shared fields are fixed here.
        item = CtxItem()
        item['ContextID'] = context_id
        item['TransItems'] = 1
        item['Pad'] = 0
        item['AbstractSyntaxUUID'] = kms_interface
        item['AbstractSyntaxVer'] = 1
        item['TransferSyntaxUUID'] = transfer_uuid
        item['TransferSyntaxVer'] = transfer_ver
        return item

    contexts = [
        build_ctx_item(0, uuidNDR32.bytes_le, 2),
        build_ctx_item(1, uuidTime.bytes_le, 1),
    ]

    bind = MSRPCBind()
    bind['max_tfrag'] = 5840  # maximum transmit fragment size
    bind['max_rfrag'] = 5840  # maximum receive fragment size
    bind['assoc_group'] = 0
    bind['ctx_num'] = len(contexts)
    # str()-based serialisation kept from the 2to3 port (see byterize below).
    bind['ctx_items'] = str(bind.CtxItemArray("".join(str(c) for c in contexts)))

    request = MSRPCHeader()
    request['ver_major'] = 5
    request['ver_minor'] = 0
    request['type'] = self.packetType['bindReq']
    request['flags'] = (self.packetFlags['firstFrag']
                        | self.packetFlags['lastFrag']
                        | self.packetFlags['multiplex'])
    request['call_id'] = self.config['call_id']
    request['pduData'] = str(bind)

    shell_message(nshell=0)
    bind = byterize(bind)
    request = byterize(request)

    header_text = justify(request.dump(print_to_stdout=False))
    bind_text = justify(MSRPCBind(request['pduData']).dump(print_to_stdout=False))
    logging.debug("RPC Bind Request: \n%s\n%s\n" % (header_text, bind_text))
    raw_hex = binascii.b2a_hex(str(request).encode('latin-1')).decode('utf-8')
    logging.debug("RPC Bind Request Bytes: \n%s\n" % justify(raw_hex))
    return request
def generateRequest(self):
    """Build the MS-RPC bind request PDU for the KMS interface.

    Offers two presentation contexts for the KMS service interface UUID:
    NDR32 version 2 and the ``uuidTime`` transfer syntax version 1. The PDU
    is flagged as a single fragment. When ``self.config['debug']`` is set the
    request is printed to stdout.

    Returns:
        The populated ``MSRPCHeader``.
    """
    kms_interface = uuid.UUID('51c82175-844e-4750-b0d8-ec255555bc06').bytes_le

    def build_ctx_item(context_id, transfer_uuid, transfer_ver):
        # One presentation-context item; the shared fields are fixed here.
        item = CtxItem()
        item['ContextID'] = context_id
        item['TransItems'] = 1
        item['Pad'] = 0
        item['AbstractSyntaxUUID'] = kms_interface
        item['AbstractSyntaxVer'] = 1
        item['TransferSyntaxUUID'] = transfer_uuid
        item['TransferSyntaxVer'] = transfer_ver
        return item

    contexts = [
        build_ctx_item(0, uuidNDR32.bytes_le, 2),
        build_ctx_item(1, uuidTime.bytes_le, 1),
    ]

    bind = MSRPCBind()
    bind['max_tfrag'] = 5840  # maximum transmit fragment size
    bind['max_rfrag'] = 5840  # maximum receive fragment size
    bind['assoc_group'] = 0
    bind['ctx_num'] = len(contexts)
    bind['ctx_items'] = CtxItemArray(b"".join(bytes(c) for c in contexts))

    request = MSRPCHeader()
    request['ver_major'] = 5
    request['ver_minor'] = 0
    request['type'] = self.packetType['bindReq']
    request['flags'] = (self.packetFlags['firstFrag']
                        | self.packetFlags['lastFrag']
                        | self.packetFlags['multiplex'])
    request['call_id'] = self.config['call_id']
    request['pduData'] = bytes(bind)

    if self.config['debug']:
        print("RPC Bind Request:", request.dump(), MSRPCBind(request['pduData']).dump())
        print("RPC Bind Request Bytes:", binascii.b2a_hex(bytes(request)))
    return request
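def handle(self):
    """Serve one client connection: an RPC bind followed by one activation request.

    Each loop iteration reads a single PDU with ``recv(1024)``, dispatches on
    the MS-RPC packet type and writes the handler's response back. The loop
    ends once an activation request has been answered, when the peer closes
    or resets the connection, or when an unknown packet type arrives.
    """
    import errno  # function-scope import keeps the portable errno check self-contained

    while True:
        # self.connection is the TCP socket connected to the client
        try:
            self.data = self.connection.recv(1024)
        except socket.error as e:
            # e.errno is the portable attribute; indexing the exception (e[0])
            # fails on Python 3, and 104 is only the Linux value of ECONNRESET.
            if e.errno == errno.ECONNRESET:
                print("Error: Connection reset by peer.")
                break
            raise
        if not self.data:
            # Empty buffer from recv(): orderly shutdown by the peer.
            print("No data received!")
            break
        # NOTE(review): the whole PDU is assumed to arrive in one recv() of at
        # most 1024 bytes; nothing here reassembles a larger or fragmented PDU.
        packetType = MSRPCHeader(self.data)['type']
        if packetType == rpcBase.packetType['bindReq']:
            if config['verbose']:
                print("RPC bind request received.")
            handler = rpcBind.handler(self.data, config)
        elif packetType == rpcBase.packetType['request']:
            if config['verbose']:
                print("Received activation request.")
            handler = rpcRequest.handler(self.data, config)
        else:
            print("Error: Invalid RPC request type", packetType)
            break
        handler.populate()
        res = str(handler.getResponse())
        # sendall() keeps writing until the whole response is out; send() may
        # transmit only a prefix and merely report the count.
        self.connection.sendall(res)
        if packetType == rpcBase.packetType['bindReq']:
            if config['verbose']:
                print("RPC bind acknowledged.")
        elif packetType == rpcBase.packetType['request']:
            if config['verbose']:
                print("Responded to activation request.")
            # One activation per connection: stop after answering it.
            break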
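def handle(self):
    """Serve one client connection: an RPC bind followed by one activation request.

    Each loop iteration reads a single PDU with ``recv(1024)``, dispatches on
    the MS-RPC packet type, writes the handler's response back and drives the
    shell progress display. The loop ends once an activation request has been
    answered, when the peer closes or resets the connection, or when an
    unknown packet type arrives.
    """
    import errno  # function-scope import keeps the portable errno check self-contained

    while True:
        # self.connection is the TCP socket connected to the client
        try:
            self.data = self.connection.recv(1024)
        except socket.error as e:
            # e.errno is the portable attribute; indexing the exception (e[0])
            # raises TypeError on Python 3, and 104 is only the Linux value of
            # ECONNRESET.
            if e.errno == errno.ECONNRESET:
                logging.error("Connection reset by peer.")
                break
            raise
        if not self.data:
            # Empty buffer from recv(): orderly shutdown by the peer.
            logging.warning("No data received !")
            break
        # NOTE(review): the whole PDU is assumed to arrive in one recv() of at
        # most 1024 bytes; nothing here reassembles a larger or fragmented PDU.
        packetType = MSRPCHeader(self.data)['type']
        if packetType == rpcBase.packetType['bindReq']:
            logging.info("RPC bind request received.")
            shell_message(nshell=[-2, 2])
            handler = rpcBind.handler(self.data, config)
        elif packetType == rpcBase.packetType['request']:
            logging.info("Received activation request.")
            shell_message(nshell=[-2, 13])
            handler = rpcRequest.handler(self.data, config)
        else:
            # logging.* needs a %s placeholder for the extra argument; without
            # it the logging module reports a formatting error instead.
            logging.error("Invalid RPC request type %s", packetType)
            break
        handler.populate()
        # latin-1 round-trips every byte value 0-255 unchanged (2to3 port).
        res = str(handler.getResponse()).encode('latin-1')
        # sendall() keeps writing until the whole response is out; send() may
        # transmit only a prefix and merely report the count.
        self.connection.sendall(res)
        if packetType == rpcBase.packetType['bindReq']:
            logging.info("RPC bind acknowledged.")
            shell_message(nshell=[-3, 5, 6])
        elif packetType == rpcBase.packetType['request']:
            logging.info("Responded to activation request.")
            shell_message(nshell=[-3, 18, 19])
            # One activation per connection: stop after answering it.
            break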
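def handle(self):
    """Serve one client connection: an RPC bind followed by one activation request.

    Each loop iteration reads a single PDU with ``recv(1024)``, dispatches on
    the MS-RPC packet type, writes the handler's response back and drives the
    shell progress display. The loop ends once an activation request has been
    answered, when the peer closes or resets the connection, or when an
    unknown packet type arrives.
    """
    while True:
        # self.request is the TCP socket connected to the client
        try:
            data = self.request.recv(1024)
        except socket.error as e:  # "as" form: valid on both Python 2.6+ and 3
            if e.errno == errno.ECONNRESET:
                logging.error("Connection reset by peer.")
                break
            raise
        if not data:
            # Empty buffer from recv(): orderly shutdown by the peer.
            logging.warning("No data received !")
            break
        # NOTE(review): the whole PDU is assumed to arrive in one recv() of at
        # most 1024 bytes; nothing here reassembles a larger or fragmented PDU.
        packetType = MSRPCHeader(data)['type']
        if packetType == rpcBase.packetType['bindReq']:
            logging.info("RPC bind request received.")
            shell_message(nshell=[-2, 2])
            handler = rpcBind.handler(data, config)
        elif packetType == rpcBase.packetType['request']:
            logging.info("Received activation request.")
            shell_message(nshell=[-2, 13])
            handler = rpcRequest.handler(data, config)
        else:
            # logging.* needs a %s placeholder for the extra argument; without
            # it the logging module reports a formatting error instead.
            logging.error("Error: Invalid RPC request type %s", packetType)
            break
        res = str(handler.populate())
        # sendall() keeps writing until the whole response is out; send() may
        # transmit only a prefix and merely report the count.
        self.request.sendall(res)
        if packetType == rpcBase.packetType['bindReq']:
            logging.info("RPC bind acknowledged.")
            shell_message(nshell=[-3, 5, 6])
        elif packetType == rpcBase.packetType['request']:
            logging.info("Responded to activation request.")
            shell_message(nshell=[-3, 18, 19])
            # One activation per connection: stop after answering it.
            break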
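def handle(self):
    """Serve one client connection: an RPC bind followed by one activation request.

    Each loop iteration reads a single PDU with ``recv(1024)``, dispatches on
    the MS-RPC packet type and writes the handler's response back. Bind and
    alter-context PDUs both go to the bind handler. The loop ends once an
    activation request has been answered, when the peer closes or resets the
    connection, or when an unknown packet type arrives.
    """
    while True:
        # self.request is the TCP socket connected to the client
        try:
            data = self.request.recv(1024)
        except socket.error as e:
            if e.errno == errno.ECONNRESET:
                print("Error: Connection reset by peer.")
                break
            raise
        if not data:
            # Empty buffer from recv(): orderly shutdown by the peer.
            print("No data received!")
            break
        # NOTE(review): the whole PDU is assumed to arrive in one recv() of at
        # most 1024 bytes; nothing here reassembles a larger or fragmented PDU.
        packetType = MSRPCHeader(data)['type']
        if packetType in (MSRPC_BIND, MSRPC_ALTERCTX):
            if config['verbose']:
                print("RPC bind request received.")
            handler = rpcBind.handler(data, config)
        elif packetType == MSRPC_REQUEST:
            if config['verbose']:
                print("Received activation request.")
            handler = rpcRequest.handler(data, config)
        else:
            print("Error: Invalid RPC request type", packetType)
            break
        res = bytes(handler.populate())
        # sendall() keeps writing until the whole response is out; send() may
        # transmit only a prefix and merely report the count.
        self.request.sendall(res)
        # Mirror the dispatch above so an alter-context PDU is also reported
        # as acknowledged in verbose mode.
        if packetType in (MSRPC_BIND, MSRPC_ALTERCTX):
            if config['verbose']:
                print("RPC bind acknowledged.")
        elif packetType == MSRPC_REQUEST:
            if config['verbose']:
                print("Responded to activation request.")
            # One activation per connection: stop after answering it.
            break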
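def _build_parser():
    # Command-line interface of the KMS test client; option names, defaults
    # and destinations are unchanged so downstream config keys stay the same.
    parser = argparse.ArgumentParser()
    parser.add_argument("ip", action="store", type=str,
                        help="The IP address or hostname of the KMS host.")
    parser.add_argument("port", nargs="?", action="store", default=1688, type=int,
                        help="The port the KMS service is listening on. The default is \"1688\".")
    parser.add_argument("-m", "--mode", dest="mode", default="Windows7",
                        choices=["WindowsVista", "Windows7", "Windows8", "Windows81",
                                 "Windows10", "Office2010", "Office2013", "Office2016"],
                        help="The Microsoft product to emulate when testing the host. The default is \"Windows7\".")
    parser.add_argument("-c", "--cmid", dest="cmid", default=None, type=str,
                        help="Use this flag to manually specify a CMID to use. If no CMID is specified, a random CMID will be generated.")
    parser.add_argument("-n", "--name", dest="machineName", default=None, type=str,
                        help="Use this flag to manually specify an ASCII machineName to use. If no machineName is specified, a random machineName will be generated.")
    parser.add_argument("-v", "--verbose", dest="verbose", action="store_const", const=True, default=False,
                        help="Use this flag to enable verbose output.")
    parser.add_argument("-d", "--debug", dest="debug", action="store_const", const=True, default=False,
                        help="Use this flag to enable debug output. Implies \"-v\".")
    return parser


def _open_socket(host):
    # An IPv6 literal gets an AF_INET6 socket; anything else (IPv4 literal or
    # hostname) gets the default AF_INET socket.
    try:
        socket.inet_pton(socket.AF_INET6, host)
    except OSError:
        return socket.socket()
    return socket.socket(socket.AF_INET6)


def _print_kms_response(kmsData):
    # Print the fields of a decoded KMS response; the HWID is optional.
    kmsResp = kmsData['response']
    try:
        hwid = kmsData['hwid']
    except KeyError:
        pass  # response carries no HWID — not an error
    else:
        print("KMS Host HWID:", binascii.b2a_hex(hwid).upper())
    print("KMS Host ePID:", kmsResp['kmsEpid'])
    print("KMS Host Current Client Count:", kmsResp['currentClientCount'])
    print("KMS VL Activation Interval:", kmsResp['vLActivationInterval'])
    print("KMS VL Renewal Interval:", kmsResp['vLRenewalInterval'])


def main():
    """Run the KMS test client: bind to the host, send one activation request, print the reply.

    Exits via ``sys.exit()`` when the bind is refused, the peer resets or
    closes the connection before answering, or an unexpected PDU arrives.
    """
    config.update(vars(_build_parser().parse_args()))
    checkConfig()
    config['call_id'] = 1
    if config['debug']:
        config['verbose'] = True  # -d implies -v
    updateConfig()

    # The with-block closes the socket on every exit path, including sys.exit().
    with _open_socket(config['ip']) as s:
        print("Connecting to %s on port %d..." % (config['ip'], config['port']))
        s.connect((config['ip'], config['port']))
        if config['verbose']:
            print("Connection successful!")

        binder = rpcBind.handler(None, config)
        RPC_Bind = bytes(binder.generateRequest())
        if config['verbose']:
            print("Sending RPC bind request...")
        # sendall() writes the whole PDU; send() may stop after a prefix.
        s.sendall(RPC_Bind)
        try:
            bindResponse = s.recv(1024)
        except socket.error as e:
            if e.errno == errno.ECONNRESET:
                print("Error: Connection reset by peer. Exiting...")
                sys.exit()
            raise
        if not bindResponse:
            print("No data received! Exiting...")
            sys.exit()

        # NOTE(review): each reply is assumed to fit in one recv() of at most
        # 1024 bytes; larger or fragmented PDUs are not reassembled.
        packetType = MSRPCHeader(bindResponse)['type']
        if packetType == rpcBase.packetType['bindAck']:
            if config['verbose']:
                print("RPC bind acknowledged.")
            kmsRequest = createKmsRequest()
            requester = rpcRequest.handler(kmsRequest, config)
            s.sendall(bytes(requester.generateRequest()))
            response = s.recv(1024)
            if config['debug']:
                print("Response:", binascii.b2a_hex(response))
            parsed = MSRPCRespHeader(response)
            _print_kms_response(readKmsResponse(parsed['pduData'], kmsRequest, config))
        elif packetType == rpcBase.packetType['bindNak']:
            print(MSRPCBindNak(bindResponse).dump())
            sys.exit()
        else:
            print("Something went wrong.")
            sys.exit()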
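def main():
    """Run the KMS test client: bind to the server, send one activation request, log the reply.

    Output goes to the log file named by ``--logfile`` (overwritten on every
    run, ``filemode='w'``) and to the shell progress display. Exits via
    ``sys.exit()`` when the bind is refused, the peer resets or closes the
    connection before answering, or an unexpected PDU arrives.
    """
    import errno  # function-scope import keeps the portable errno check self-contained

    parser = argparse.ArgumentParser()
    parser.add_argument("ip", action="store", type=str,
                        help='The IP address or hostname of the KMS server.')
    parser.add_argument("port", nargs="?", action="store", default=1688, type=int,
                        help='The port the KMS service is listening on. The default is "1688".')
    parser.add_argument("-m", "--mode", dest="mode", default="Windows7", type=str,
                        choices=["WindowsVista", "Windows7", "Windows8", "Windows81",
                                 "Windows10", "Office2010", "Office2013", "Office2016"],
                        # help text now names the actual default (was "Windows81").
                        help='Use this flag to manually specify a Microsoft product for testing the server. The default is "Windows7".')
    parser.add_argument("-c", "--cmid", dest="cmid", default=None, type=str,
                        help='Use this flag to manually specify a CMID to use. If no CMID is specified, a random CMID will be generated.')
    parser.add_argument("-n", "--name", dest="machineName", default=None, type=str,
                        help='Use this flag to manually specify an ASCII machineName to use. If no machineName is specified, '
                             'a random machineName will be generated.')
    parser.add_argument("-v", "--loglevel", dest="loglevel", action="store", default="ERROR", type=str,
                        choices=["CRITICAL", "ERROR", "WARNING", "INFO", "DEBUG"],
                        help='Use this flag to set a Loglevel. The default is "ERROR".')
    default_logfile = os.path.join(os.path.dirname(os.path.abspath(__file__)), "py3kms_client.log")
    parser.add_argument("-f", "--logfile", dest="logfile", action="store", default=default_logfile, type=str,
                        # help text now names the actual default file.
                        help='Use this flag to set an output Logfile. The default is "py3kms_client.log".')
    config.update(vars(parser.parse_args()))

    logging.basicConfig(level=config['loglevel'],
                        format='%(asctime)s %(levelname)-8s %(message)s',
                        datefmt='%a, %d %b %Y %H:%M:%S',
                        filename=config['logfile'],
                        filemode='w')
    checkConfig()
    config['call_id'] = 1
    updateConfig()

    # The with-block closes the socket on every exit path, including sys.exit().
    with socket.socket() as s:
        logging.info("Connecting to %s on port %d..." % (config['ip'], config['port']))
        s.connect((config['ip'], config['port']))
        logging.info("Connection successful !")

        binder = rpcBind.handler(None, config)
        # latin-1 round-trips every byte value 0-255 unchanged (2to3 port).
        RPC_Bind = str(binder.generateRequest()).encode('latin-1')
        logging.info("Sending RPC bind request...")
        shell_message(nshell=[-1, 1])
        # sendall() writes the whole PDU; send() may stop after a prefix.
        s.sendall(RPC_Bind)
        try:
            shell_message(nshell=[-4, 7])
            bindResponse = s.recv(1024)
        except socket.error as e:
            # e.errno is the portable attribute; indexing the exception (e[0])
            # raises TypeError on Python 3, and 104 is only the Linux value of
            # ECONNRESET.
            if e.errno == errno.ECONNRESET:
                logging.error("Connection reset by peer. Exiting...")
                sys.exit()
            raise
        if not bindResponse:
            logging.error("No data received ! Exiting...")
            sys.exit()

        # NOTE(review): each reply is assumed to fit in one recv() of at most
        # 1024 bytes; larger or fragmented PDUs are not reassembled.
        packetType = MSRPCHeader(bindResponse)['type']
        if packetType == rpcBase.packetType['bindAck']:
            logging.info("RPC bind acknowledged.")
            shell_message(nshell=8)
            kmsRequest = createKmsRequest()
            requester = rpcRequest.handler(kmsRequest, config)
            s.sendall(str(requester.generateRequest()).encode('latin-1'))
            shell_message(nshell=[-1, 12])
            response = s.recv(1024)
            logging.debug("Response: \n%s\n" % justify(binascii.b2a_hex(response).decode('latin-1')))
            shell_message(nshell=[-4, 20])
            parsed = MSRPCRespHeader(response)
            kmsData = readKmsResponse(parsed['pduData'], kmsRequest, config)
            kmsResp = kmsData['response']
            # The HWID is optional; only a missing key means "absent" — any
            # other error must surface rather than be swallowed.
            try:
                hwid = kmsData['hwid']
            except KeyError:
                hwid = None
            # utf-8 -> utf-16le re-decode kept from the 2to3 port.
            logging.info("KMS Host ePID: %s" % kmsResp['kmsEpid'].encode('utf-8').decode('utf-16le'))
            if hwid is not None:
                logging.info("KMS Host HWID: %s" % binascii.b2a_hex(hwid.encode('latin-1')).upper().decode('utf-8'))
            logging.info("KMS Host Current Client Count: %s" % kmsResp['currentClientCount'])
            logging.info("KMS VL Activation Interval: %s" % kmsResp['vLActivationInterval'])
            logging.info("KMS VL Renewal Interval: %s" % kmsResp['vLRenewalInterval'])
            shell_message(nshell=21)
        elif packetType == rpcBase.packetType['bindNak']:
            logging.info(justify(MSRPCBindNak(bindResponse).dump(print_to_stdout=False)))
            sys.exit()
        else:
            logging.critical("Something went wrong.")
            sys.exit()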
RPC_Bind = str(binder.generateRequest()) if config['verbose']: print "Sending RPC bind request..." s.send(RPC_Bind) try: bindResponse = s.recv(1024) except socket.error, e: if e[0] == 104: print "Error: Connection reset by peer. Exiting..." sys.exit() else: raise if bindResponse == '' or not bindResponse: print "No data received! Exiting..." sys.exit() packetType = MSRPCHeader(bindResponse)['type'] if packetType == rpcBase.packetType['bindAck']: if config['verbose']: print "RPC bind acknowledged." #config['call_id'] += 1 ''' request = CreateRequest() requester = rpcRequest.request(request, config) s.send(request) response = s.recv(1024) if config['debug']: print "Response:", binascii.b2a_hex(response), len(response) parsed = ReadResponse(response) ''' elif packetType == rpcBase.packetType['bindNak']: print MSRPCBindNak(bindResponse).dump()