def checker():
print ''
print(
logger.RED(
' █ █░ ▒█████ ██▀███ ▄▄▄ █ █░ ██▓▄▄▄█████▓') +
logger.YELLOW(' ...zzz_checker'))
print(
logger.RED(
'▓█░ █ ░█░▒██▒ ██▒▓██ ▒ ██▒▒████▄ ▓█░ █ ░█░▓██▒▓ ██▒ ▓▒'))
print(
logger.RED(
'▒█░ █ ░█ ▒██░ ██▒▓██ ░▄█ ▒▒██ ▀█▄ ▒█░ █ ░█ ▒██▒▒ ▓██░ ▒░'))
print(
logger.RED(
'░█░ █ ░█ ▒██ ██░▒██▀▀█▄ ░██▄▄▄▄██ ░█░ █ ░█ ░██░░ ▓██▓ ░ '))
print(
logger.RED(
'░░██▒██▓ ░ ████▓▒░░██▓ ▒██▒ ▓█ ▓██▒░░██▒██▓ ░██░ ▒██▒ ░ '))
print(
logger.RED(
'░ ▓░▒ ▒ ░ ▒░▒░▒░ ░ ▒▓ ░▒▓░ ▒▒ ▓▒█░░ ▓░▒ ▒ ░▓ ▒ ░░ '))
print(
logger.RED(
' ▒ ░ ░ ░ ▒ ▒░ ░▒ ░ ▒░ ▒ ▒▒ ░ ▒ ░ ░ ▒ ░ ░ '))
print(
logger.RED(
' ░ ░ ░ ░ ░ ▒ ░░ ░ ░ ▒ ░ ░ ▒ ░ ░ '))
print(
logger.RED(
' ░ ░ ░ ░ ░ ░ ░ ░ '))
print(
logger.RED(
' '))
print ''
def checker(host):
try:
conn = MYSMB(host)
try:
conn.login(USERNAME, PASSWORD)
except smb.SessionError as e:
logger.error('LOGIN FAILED: ' +
nt_errors.ERROR_MESSAGES[e.error_code][0])
sys.exit()
finally:
logger.info('CONNECTED TO {}'.format(logger.BLUE(host)))
logger.info('TARGET OS: ' + conn.get_server_os())
tid = conn.tree_connect_andx('\\\\' + target + '\\' + 'IPC$')
conn.set_default_tid(tid)
# test if target is vulnerable
TRANS_PEEK_NMPIPE = 0x23
recvPkt = conn.send_trans(pack('<H', TRANS_PEEK_NMPIPE),
maxParameterCount=0xffff,
maxDataCount=0x800)
status = recvPkt.getNTStatus()
if status == 0xC0000205: # STATUS_INSUFF_SERVER_RESOURCES
logger.success('{} IS NOT PATCHED!'.format(logger.GREEN(target)))
else:
logger.error('{} IS PATCHED!'.format(target))
sys.exit()
logger.action('CHECKING NAMED PIPES...')
for pipe_name, pipe_uuid in pipes.items():
try:
dce = conn.get_dce_rpc(pipe_name)
dce.connect()
try:
dce.bind(pipe_uuid, transfer_syntax=NDR64Syntax)
logger.success('{}: OK (64 bit)'.format(pipe_name))
except DCERPCException as e:
if 'transfer_syntaxes_not_supported' in str(e):
logger.success('{}: OK (32 bit)'.format(pipe_name))
else:
logger.success('{}: OK ({})'.format(pipe_name, str(e)))
dce.disconnect()
except smb.SessionError as e:
logger.error('{}: {}'.format(
pipe_name, nt_errors.ERROR_MESSAGES[e.error_code][0]))
except smbconnection.SessionError as e:
logger.error('{}: {}'.format(
pipe_name, nt_errors.ERROR_MESSAGES[e.error][0]))
conn.disconnect_tree(tid)
conn.logoff()
conn.get_socket().close()
except:
logger.error('COULD NOT CONNECT TO {}'.format(logger.RED(host)))
def worawit(target):
try:
logger.blue('Connecting to: [{}]'.format(logger.BLUE(target)))
try:
conn = MYSMB(target, timeout=5)
except:
logger.red('Failed to connect to [{}]'.format(logger.RED(target)))
return False
try:
conn.login(USERNAME, PASSWORD)
except:
logger.red('Authentication failed: [{}]'.format(logger.RED(nt_errors.ERROR_MESSAGES[e.error_code][0])))
quit()
finally:
logger.blue('Got OS: [{}]'.format(logger.BLUE(conn.get_server_os())))
tid = conn.tree_connect_andx('\\\\' + target + '\\' + 'IPC$')
conn.set_default_tid(tid)
# test if target is vulnerable
TRANS_PEEK_NMPIPE = 0x23
recvPkt = conn.send_trans(pack('<H', TRANS_PEEK_NMPIPE), maxParameterCount=0xffff, maxDataCount=0x800)
status = recvPkt.getNTStatus()
if status == 0xC0000205: # STATUS_INSUFF_SERVER_RESOURCES
logger.green('[{}] IS NOT PATCHED!'.format(logger.GREEN(target)))
else:
logger.red('[{}] IS PATCHED!'.format(logger.RED(target)))
quit()
logger.blue('Checking named pipes...')
for pipe_name, pipe_uuid in pipes.items():
try:
dce = conn.get_dce_rpc(pipe_name)
dce.connect()
try:
dce.bind(pipe_uuid, transfer_syntax=NDR64Syntax)
logger.green('\t-\t{}: OK (64 bit)'.format(logger.GREEN(pipe_name)))
except DCERPCException as e:
if 'transfer_syntaxes_not_supported' in str(e):
logger.green('\t-\t{}: OK (32 bit)'.format(logger.GREEN(pipe_name)))
else:
logger.green('\t-\t{}: OK ({})'.format(logger.GREEN(pipe_name), str(e)))
dce.disconnect()
except smb.SessionError as e:
logger.red('{}: {}'.format(logger.RED(pipe_name), logger.RED(nt_errors.ERROR_MESSAGES[e.error_code][0])))
except smbconnection.SessionError as e:
logger.red('{}: {}'.format(logger.RED(pipe_name), logger.RED(nt_errors.ERROR_MESSAGES[e.error][0])))
conn.disconnect_tree(tid)
conn.logoff()
conn.get_socket().close()
except (KeyboardInterrupt, SystemExit):
logger.red('Keyboard interrupt received..')
quit()
def worawit():
target = args.target
logger.blue('Connecting to: [{}]'.format(logger.BLUE(args.target)))
if args.pipe:
pipe_name = args.pipe
logger.blue('Using specified pipe: [{}]'.format(logger.BLUE(args.pipe)))
else:
pipe_name = None
try:
exploit(target, pipe_name)
logger.green('FINISHED!')
except:
logger.red('Could not connect to: [{}]'.format(logger.RED(target)))
def show(mode):
print(logger.RED(''))
print(
logger.RED(
'███╗ ███╗███████╗ ██╗███████╗ ██████╗ ██╗ ██████╗ ...zzz_%s'
% logger.RED(mode)))
print(
logger.RED(
'████╗ ████║██╔════╝███║╚════██║ ██╔═████╗███║██╔═████╗'))
print(
logger.RED(
'██╔████╔██║███████╗╚██║ ██╔╝█████╗██║██╔██║╚██║██║██╔██║'))
print(
logger.RED(
'██║╚██╔╝██║╚════██║ ██║ ██╔╝ ╚════╝████╔╝██║ ██║████╔╝██║'))
print(
logger.RED(
'██║ ╚═╝ ██║███████║ ██║ ██║ ╚██████╔╝ ██║╚██████╔╝'))
print(
logger.RED(
'╚═╝ ╚═╝╚══════╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═════╝ '))
print(logger.RED(''))
def worawit(target):
try:
try:
conn = MYSMB(target, timeout=5)
except:
logger.red('Unable to connect to [{}]'.format(logger.RED(target)))
return False
try:
conn.login(USERNAME, PASSWORD)
except:
logger.red('Failed to authenticate to [{}]'.format(
logger.RED(target)))
return False
finally:
try:
OS = conn.get_server_os()
except Exception as e:
logger.red(str(e))
return False
tid = conn.tree_connect_andx('\\\\' + target + '\\' + 'IPC$')
conn.set_default_tid(tid)
# test if target is vulnerable
TRANS_PEEK_NMPIPE = 0x23
recvPkt = conn.send_trans(pack('<H', TRANS_PEEK_NMPIPE),
maxParameterCount=0xffff,
maxDataCount=0x800)
status = recvPkt.getNTStatus()
if status == 0xC0000205: # STATUS_INSUFF_SERVER_RESOURCES
logger.green('[%s] VULNERABLE' % logger.GREEN(target))
vulnerable[target] = []
else:
logger.red('[%s] PATCHED' % logger.RED(target))
pipes_found = []
for pipe_name, pipe_uuid in pipes.items():
try:
dce = conn.get_dce_rpc(pipe_name)
dce.connect()
try:
dce.bind(pipe_uuid, transfer_syntax=NDR64Syntax)
try:
pipes_found.append(pipe_name)
except:
pass
except DCERPCException as e:
if 'transfer_syntaxes_not_supported' in str(e):
try:
pipes_found.append(pipe_name)
except:
pass
else:
try:
pipes_found.append(pipe_name)
except:
pass
dce.disconnect()
vulnerable[target] = pipes_found
except smb.SessionError as e:
continue
except smbconnection.SessionError as e:
continue
conn.disconnect_tree(tid)
conn.logoff()
conn.get_socket().close()
except KeyboardInterrupt:
logger.red('Keyboard interrupt received..')
quit()
def run(target):
try:
try:
logger.verbose('Attempting to connect to %s' % logger.BLUE(target))
conn = MYSMB(target, timeout=5)
logger.verbose('Successfully connected to %s' %
logger.BLUE(target))
except Exception as e:
logger.red('Failed to connect to [{}]'.format(logger.RED(target)))
logger.verbose('Got error whilst connecting: %s' %
logger.BLUE(str(e)))
return False
try:
# login(self, user, password, domain='', lmhash='', nthash='', ntlm_fallback=True, maxBufferSize=None)
# can add passthehash at some point
logger.verbose('Attempting to authenticate to %s' %
logger.BLUE(target))
conn.login(username, password, domain)
logger.verbose('Successfully authenticated to %s' %
logger.BLUE(target))
except Exception as e:
logger.red('Failed to authenticate to [{}]'.format(
logger.RED(target)))
return False
try:
logger.verbose('Attempting to get OS for %s' % logger.BLUE(target))
OS = conn.get_server_os()
logger.verbose('Got Operting System: %s' % logger.BLUE(OS))
except Exception as e:
logger.verbose('Got error whilst getting Operting System: %s' %
logger.BLUE(str(e)))
logger.red('Failed to obtain operating system')
try:
tree_connect_andx = '\\\\' + target + '\\' + 'IPC$'
logger.verbose('Attempting to connect to %s' %
logger.BLUE(tree_connect_andx))
tid = conn.tree_connect_andx(tree_connect_andx)
conn.set_default_tid(tid)
logger.verbose('Successfully connected to %s' %
logger.BLUE(tree_connect_andx))
except Exception as e:
logger.verbose('Got error whilst connecting to %s: %s' %
(tree_connect_andx, logger.BLUE(str(e))))
return False
# test if target is vulnerable
logger.verbose('Testing if %s is vulnerable...' % logger.BLUE(target))
try:
TRANS_PEEK_NMPIPE = 0x23
recvPkt = conn.send_trans(pack('<H', TRANS_PEEK_NMPIPE),
maxParameterCount=0xffff,
maxDataCount=0x800)
status = recvPkt.getNTStatus()
if status == 0xC0000205: # STATUS_INSUFF_SERVER_RESOURCES
logger.green('[%s] VULNERABLE' % logger.GREEN(target))
vulnerable[target] = []
else:
logger.red('[%s] PATCHED' % logger.RED(target))
except Exception as e:
logger.verbose(
'Got error whilst checking vulnerability status %s' %
logger.BLUE(str(e)))
return Falses
pipes_found = []
if target in vulnerable:
logger.verbose('Checking pipes on %s' % logger.BLUE(target))
for pipe_name, pipe_uuid in pipes.items():
try:
dce = conn.get_dce_rpc(pipe_name)
dce.connect()
try:
dce.bind(pipe_uuid, transfer_syntax=NDR64Syntax)
try:
pipes_found.append(pipe_name)
except Exception as e:
logger.verbose(
'Got error whilst appending pipe to list %s' %
logger.BLUE(str(e)))
pass
except DCERPCException as e:
logger.verbose('Got error whilst binding to rpc: %s' %
logger.BLUE(str(e)))
if 'transfer_syntaxes_not_supported' in str(e):
try:
pipes_found.append(pipe_name)
except Exception as e:
logger.verbose(
'Got error whilst appending pipe to list %s (transfer_syntaxes_not_supported)'
% logger.BLUE(str(e)))
pass
else:
try:
pipes_found.append(pipe_name)
except Exception as e:
logger.verbose(
'Got error whilst appending pipe to list %s !(transfer_syntaxes_not_supported)'
% logger.BLUE(str(e)))
pass
except Exception as e:
logger.verbose('Got error whilst binding to rpc: %s' %
logger.BLUE(str(e)))
pass
finally:
dce.disconnect()
vulnerable[target] = pipes_found
except smb.SessionError as e:
logger.verbose(
'Got SMB Session error whilst connecting %s' %
logger.BLUE(str(e)))
continue
except smbconnection.SessionError as e:
logger.verbose(
'Got SMB Session error whilst connecting %s' %
logger.BLUE(str(e)))
continue
except Exception as e:
logger.verbose(
'Got SMB Session error whilst connecting %s' %
logger.BLUE(str(e)))
continue
try:
conn.disconnect_tree(tid)
conn.logoff()
conn.get_socket().close()
except Exception as e:
logger.verbose('Got error whilst disconnecting from rpc %s' %
logger.BLUE(str(e)))
pass
except KeyboardInterrupt:
logger.red('Keyboard interrupt received..')
quit()
conn.get_socket().close()
except Exception as e:
logger.verbose('Got error whilst disconnecting from rpc %s' %
logger.BLUE(str(e)))
pass
except KeyboardInterrupt:
logger.red('Keyboard interrupt received..')
quit()
def do_scan(targets):
for target in targets:
run(target)
banner.show('checker')
t = args.targets
targets = get_targets(t)
if len(targets) == 1:
logger.verbose_switch = True
do_scan(targets)
print('')
if len(vulnerable) == 0:
print(logger.RED('No vulnerable hosts found'))
else:
print(logger.BLUE('Results:'))
logger.dump(vulnerable)