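	def parseRequest(self):
		"""Parse the raw bind PDU held in ``self.data`` into an ``MSRPCHeader``.

		Returns:
			The parsed header; its ``'pduData'`` field carries the bind body
			that ``MSRPCBind`` decodes.
		"""
		request = MSRPCHeader(self.data)

		# logging.* only substitutes extra arguments through %-placeholders.
		# The previous calls passed the values as bare extra positional args,
		# so with DEBUG enabled the logging module printed a "not all
		# arguments converted" error instead of the message.
		logging.debug("RPC Bind Request Bytes: %s", binascii.b2a_hex(self.data))
		# NOTE(review): dump() in this project may write to stdout itself and
		# return None (other versions take print_to_stdout=False) -- confirm
		# which variant this file's Structure implements.
		logging.debug("RPC Bind Request: %s %s", request.dump(),
		              MSRPCBind(request['pduData']).dump())

		return request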
        def parseRequest(self):
                """Decode the incoming bind PDU held in ``self.data``.

                Emits the raw hex bytes and the decoded header/bind body at
                DEBUG level (via the project's ``justify`` formatter), then
                returns the parsed ``MSRPCHeader``.
                """
                header = MSRPCHeader(self.data)
                shell_message(nshell = 3)

                raw_hex = binascii.b2a_hex(self.data)
                logging.debug("RPC Bind Request Bytes: \n%s\n" % justify(raw_hex))

                header_text = justify(header.dump(print_to_stdout = False))
                bind_text = justify(MSRPCBind(header['pduData']).dump(print_to_stdout = False))
                logging.debug("RPC Bind Request: \n%s\n%s\n" % (header_text, bind_text))

                return header
	def parseRequest(self):
		"""Decode the bind PDU in ``self.data`` and return the parsed header.

		When ``self.config['debug']`` is truthy, the raw hex and the decoded
		header/bind structures are printed to stdout first.
		"""
		header = MSRPCHeader(self.data)

		debug_enabled = self.config['debug']
		if debug_enabled:
			raw_hex = binascii.b2a_hex(self.data)
			print("RPC Bind Request Bytes:", raw_hex)
			print("RPC Bind Request:", header.dump(), MSRPCBind(header['pduData']).dump())

		return header
    def generateRequest(self):
        """Build the DCE/RPC bind request PDU that opens the KMS session.

        Two presentation contexts are offered for the same abstract syntax
        (interface UUID 51c82175-844e-4750-b0d8-ec255555bc06, version 1):
        context 0 with ``uuidNDR32`` v2 and context 1 with ``uuidTime`` v1.
        Fragment limits are fixed at 5840 bytes in both directions.  The
        decoded and raw PDU are logged at DEBUG level.

        Returns:
            The populated ``MSRPCHeader`` after ``byterize``.
        """
        KMS_INTERFACE_UUID = '51c82175-844e-4750-b0d8-ec255555bc06'

        def build_ctx_item(context_id, transfer_uuid, transfer_ver):
            # One presentation-context entry; only the transfer syntax differs.
            item = CtxItem()
            item['ContextID'] = context_id
            item['TransItems'] = 1
            item['Pad'] = 0
            item['AbstractSyntaxUUID'] = uuid.UUID(KMS_INTERFACE_UUID).bytes_le
            item['AbstractSyntaxVer'] = 1
            item['TransferSyntaxUUID'] = transfer_uuid.bytes_le
            item['TransferSyntaxVer'] = transfer_ver
            return item

        ctx_ndr32 = build_ctx_item(0, uuidNDR32, 2)
        ctx_time = build_ctx_item(1, uuidTime, 1)

        bind = MSRPCBind()
        bind['max_tfrag'] = 5840
        bind['max_rfrag'] = 5840
        bind['assoc_group'] = 0
        bind['ctx_num'] = 2
        # The str() round-trips are the project's py2->py3 byte-string shim.
        bind['ctx_items'] = str(
            bind.CtxItemArray(str(ctx_ndr32) + str(ctx_time)))  #*2to3*

        request = MSRPCHeader()
        request['ver_major'] = 5
        request['ver_minor'] = 0
        request['type'] = self.packetType['bindReq']
        flags = self.packetFlags
        request['flags'] = flags['firstFrag'] | flags['lastFrag'] | flags['multiplex']
        request['call_id'] = self.config['call_id']
        request['pduData'] = str(bind)

        shell_message(nshell=0)
        bind = byterize(bind)
        request = byterize(request)
        header_text = justify(request.dump(print_to_stdout=False))
        bind_text = justify(
            MSRPCBind(request['pduData']).dump(print_to_stdout=False))
        logging.debug("RPC Bind Request: \n%s\n%s\n" % (header_text, bind_text))
        raw_hex = binascii.b2a_hex(
            str(request).encode('latin-1')).decode('utf-8')  #*2to3*
        logging.debug("RPC Bind Request Bytes: \n%s\n" % justify(raw_hex))

        return request
    def generateRequest(self):
        """Assemble the DCE/RPC bind PDU sent to the KMS host.

        Offers two presentation contexts for the KMS interface
        (51c82175-844e-4750-b0d8-ec255555bc06 v1): context 0 via
        ``uuidNDR32`` v2 and context 1 via ``uuidTime`` v1, with 5840-byte
        fragment limits.  When ``self.config['debug']`` is set the decoded
        and raw PDU are printed.

        Returns:
            The populated ``MSRPCHeader``.
        """
        kms_interface = uuid.UUID('51c82175-844e-4750-b0d8-ec255555bc06')

        def build_ctx_item(context_id, transfer_uuid, transfer_ver):
            # Presentation-context entry; only transfer syntax/version vary.
            item = CtxItem()
            item['ContextID'] = context_id
            item['TransItems'] = 1
            item['Pad'] = 0
            item['AbstractSyntaxUUID'] = kms_interface.bytes_le
            item['AbstractSyntaxVer'] = 1
            item['TransferSyntaxUUID'] = transfer_uuid.bytes_le
            item['TransferSyntaxVer'] = transfer_ver
            return item

        ctx_ndr32 = build_ctx_item(0, uuidNDR32, 2)
        ctx_time = build_ctx_item(1, uuidTime, 1)

        bind = MSRPCBind()
        bind['max_tfrag'] = 5840
        bind['max_rfrag'] = 5840
        bind['assoc_group'] = 0
        bind['ctx_num'] = 2
        bind['ctx_items'] = CtxItemArray(bytes(ctx_ndr32) + bytes(ctx_time))

        request = MSRPCHeader()
        request['ver_major'] = 5
        request['ver_minor'] = 0
        request['type'] = MSRPC_BIND
        flags = self.packetFlags
        request['flags'] = flags['firstFrag'] | flags['lastFrag'] | flags['multiplex']
        request['call_id'] = self.config['call_id']
        request['pduData'] = bytes(bind)

        if self.config['debug']:
            print("RPC Bind Request:", request.dump(),
                  MSRPCBind(request['pduData']).dump())
            print("RPC Bind Request Bytes:", binascii.b2a_hex(bytes(request)))

        return request
        def generateRequest(self):
                """Build the DCE/RPC bind request PDU that opens the KMS session.

                Two presentation contexts are offered for the KMS interface
                (51c82175-844e-4750-b0d8-ec255555bc06 v1): context 0 with
                ``uuidNDR32`` v2 and context 1 with ``uuidTime`` v1.  Fragment
                limits are fixed at 5840 bytes both ways.  The decoded and raw
                PDU are logged at DEBUG level.

                Returns:
                        The populated ``MSRPCHeader`` after ``byterize``.
                """
                KMS_INTERFACE_UUID = '51c82175-844e-4750-b0d8-ec255555bc06'

                def build_ctx_item(context_id, transfer_uuid, transfer_ver):
                        # One presentation-context entry; only the transfer syntax differs.
                        item = CtxItem()
                        item['ContextID'] = context_id
                        item['TransItems'] = 1
                        item['Pad'] = 0
                        item['AbstractSyntaxUUID'] = uuid.UUID(KMS_INTERFACE_UUID).bytes_le
                        item['AbstractSyntaxVer'] = 1
                        item['TransferSyntaxUUID'] = transfer_uuid.bytes_le
                        item['TransferSyntaxVer'] = transfer_ver
                        return item

                ctx_ndr32 = build_ctx_item(0, uuidNDR32, 2)
                ctx_time = build_ctx_item(1, uuidTime, 1)

                bind = MSRPCBind()
                bind['max_tfrag'] = 5840
                bind['max_rfrag'] = 5840
                bind['assoc_group'] = 0
                bind['ctx_num'] = 2
                # The str() round-trips are the project's py2->py3 byte-string shim.
                bind['ctx_items'] = str(bind.CtxItemArray(str(ctx_ndr32) + str(ctx_time))) #*2to3*

                request = MSRPCHeader()
                request['ver_major'] = 5
                request['ver_minor'] = 0
                request['type'] = self.packetType['bindReq']
                flags = self.packetFlags
                request['flags'] = flags['firstFrag'] | flags['lastFrag'] | flags['multiplex']
                request['call_id'] = self.config['call_id']
                request['pduData'] = str(bind)

                shell_message(nshell = 0)
                bind = byterize(bind)
                request = byterize(request)
                header_text = justify(request.dump(print_to_stdout = False))
                bind_text = justify(MSRPCBind(request['pduData']).dump(print_to_stdout = False))
                logging.debug("RPC Bind Request: \n%s\n%s\n" % (header_text, bind_text))
                raw_hex = binascii.b2a_hex(str(request).encode('latin-1')).decode('utf-8') #*2to3*
                logging.debug("RPC Bind Request Bytes: \n%s\n" % justify(raw_hex))

                return request
	def generateRequest(self):
		"""Assemble the DCE/RPC bind PDU sent to the KMS host.

		Offers two presentation contexts for the KMS interface
		(51c82175-844e-4750-b0d8-ec255555bc06 v1): context 0 via ``uuidNDR32``
		v2 and context 1 via ``uuidTime`` v1, with 5840-byte fragment limits.
		When ``self.config['debug']`` is set the decoded and raw PDU are
		printed.

		Returns:
			The populated ``MSRPCHeader``.
		"""
		kms_interface = uuid.UUID('51c82175-844e-4750-b0d8-ec255555bc06')

		def build_ctx_item(context_id, transfer_uuid, transfer_ver):
			# Presentation-context entry; only transfer syntax/version vary.
			item = CtxItem()
			item['ContextID'] = context_id
			item['TransItems'] = 1
			item['Pad'] = 0
			item['AbstractSyntaxUUID'] = kms_interface.bytes_le
			item['AbstractSyntaxVer'] = 1
			item['TransferSyntaxUUID'] = transfer_uuid.bytes_le
			item['TransferSyntaxVer'] = transfer_ver
			return item

		ctx_ndr32 = build_ctx_item(0, uuidNDR32, 2)
		ctx_time = build_ctx_item(1, uuidTime, 1)

		bind = MSRPCBind()
		bind['max_tfrag'] = 5840
		bind['max_rfrag'] = 5840
		bind['assoc_group'] = 0
		bind['ctx_num'] = 2
		bind['ctx_items'] = CtxItemArray(bytes(ctx_ndr32) + bytes(ctx_time))

		request = MSRPCHeader()
		request['ver_major'] = 5
		request['ver_minor'] = 0
		request['type'] = self.packetType['bindReq']
		flags = self.packetFlags
		request['flags'] = flags['firstFrag'] | flags['lastFrag'] | flags['multiplex']
		request['call_id'] = self.config['call_id']
		request['pduData'] = bytes(bind)

		if self.config['debug']:
			print("RPC Bind Request:", request.dump(), MSRPCBind(request['pduData']).dump())
			print("RPC Bind Request Bytes:", binascii.b2a_hex(bytes(request)))

		return request
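    def handle(self):
        """Serve one client connection: answer RPC bind requests, then one
        activation request, and stop.

        Each PDU is read with a single ``recv(1024)``; the project assumes
        a PDU arrives in one segment (a PDU split across segments or larger
        than 1024 bytes would be mis-parsed, as before).  ``self.connection``
        and the module-level ``config`` come from the enclosing class/module.
        """
        import errno  # stdlib; local so this method stays self-contained

        while True:
            # self.request is the TCP socket connected to the client
            try:
                self.data = self.connection.recv(1024)
            except socket.error as e:
                # Match errno.ECONNRESET instead of the literal 104: the
                # number is Linux-specific (54 on BSD/macOS), and indexing
                # the exception (e[0]) only works on Python 2.
                if getattr(e, 'errno', None) == errno.ECONNRESET:
                    print("Error: Connection reset by peer.")
                    break
                raise
            if not self.data:
                print("No data received!")
                break
            packetType = MSRPCHeader(self.data)['type']
            if packetType == rpcBase.packetType['bindReq']:
                if config['verbose']:
                    print("RPC bind request received.")
                handler = rpcBind.handler(self.data, config)
            elif packetType == rpcBase.packetType['request']:
                if config['verbose']:
                    print("Received activation request.")
                handler = rpcRequest.handler(self.data, config)
            else:
                # Any other PDU type is unsupported: drop the connection
                # rather than try to answer it.
                print("Error: Invalid RPC request type", packetType)
                break

            handler.populate()
            res = str(handler.getResponse())
            # sendall() retries until the whole PDU is written; a bare
            # send() may write only part of it when the socket buffer is full.
            self.connection.sendall(res)

            if packetType == rpcBase.packetType['bindReq']:
                if config['verbose']:
                    print("RPC bind acknowledged.")
            elif packetType == rpcBase.packetType['request']:
                if config['verbose']:
                    print("Responded to activation request.")
                break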
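    def handle(self):
        """Serve one client: answer bind requests, then one activation
        request, and return.

        Each PDU is read with a single ``recv(1024)`` (the project assumes
        a PDU fits one segment; anything larger or split would be
        mis-parsed, as before).  ``self.connection`` and ``config`` come
        from the enclosing class/module; ``shell_message`` calls drive the
        project's console/GUI hooks and are kept exactly as they were.
        """
        import errno  # stdlib; local so this method stays self-contained

        while True:
            # self.request is the TCP socket connected to the client
            try:
                self.data = self.connection.recv(1024)
            except socket.error as e:  #*2to3*
                # On Python 3 the exception object is not subscriptable, so
                # the old ``e[0] == 104`` raised TypeError instead of
                # matching; 104 is also the Linux value only.
                if getattr(e, 'errno', None) == errno.ECONNRESET:
                    logging.error("Connection reset by peer.")
                    break
                raise
            if not self.data:
                logging.warning("No data received !")
                break
            packetType = MSRPCHeader(self.data)['type']
            if packetType == rpcBase.packetType['bindReq']:
                logging.info("RPC bind request received.")
                shell_message(nshell=[-2, 2])
                handler = rpcBind.handler(self.data, config)
            elif packetType == rpcBase.packetType['request']:
                logging.info("Received activation request.")
                shell_message(nshell=[-2, 13])
                handler = rpcRequest.handler(self.data, config)
            else:
                # logging.* substitutes extra arguments only through
                # %-placeholders; passing packetType as a bare extra argument
                # made the logging module emit a "not all arguments
                # converted" error instead of this message.
                logging.error("Invalid RPC request type %s", packetType)
                break

            handler.populate()
            res = str(handler.getResponse()).encode('latin-1')  #*2to3*
            # sendall() retries until every byte is written; send() may not.
            self.connection.sendall(res)

            if packetType == rpcBase.packetType['bindReq']:
                logging.info("RPC bind acknowledged.")
                shell_message(nshell=[-3, 5, 6])
            elif packetType == rpcBase.packetType['request']:
                logging.info("Responded to activation request.")
                shell_message(nshell=[-3, 18, 19])
                break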
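    def handle(self):
        """Serve one client: answer bind requests, then one activation
        request, and return.

        Each PDU is read with a single ``recv(1024)`` (the project assumes
        a PDU fits one segment).  ``self.request`` is the accepted socket;
        ``config`` is module-level; ``shell_message`` calls drive the
        project's console/GUI hooks and are kept as they were.
        """
        while True:
            # self.request is the TCP socket connected to the client
            try:
                data = self.request.recv(1024)
            # ``except X as e`` is valid on Python 2.6+ and 3; the old
            # ``except X, e`` form is a SyntaxError on Python 3.
            except socket.error as e:
                if e.errno == errno.ECONNRESET:
                    logging.error("Connection reset by peer.")
                    break
                raise
            if not data:
                logging.warning("No data received !")
                break
            packetType = MSRPCHeader(data)['type']
            if packetType == rpcBase.packetType['bindReq']:
                logging.info("RPC bind request received.")
                shell_message(nshell=[-2, 2])
                handler = rpcBind.handler(data, config)
            elif packetType == rpcBase.packetType['request']:
                logging.info("Received activation request.")
                shell_message(nshell=[-2, 13])
                handler = rpcRequest.handler(data, config)
            else:
                # logging.* substitutes extra arguments only through
                # %-placeholders; passing packetType as a bare extra argument
                # made the logging module emit a "not all arguments
                # converted" error instead of this message.
                logging.error("Error: Invalid RPC request type %s", packetType)
                break

            res = str(handler.populate())
            # sendall() retries until every byte is written; send() may not.
            self.request.sendall(res)

            if packetType == rpcBase.packetType['bindReq']:
                logging.info("RPC bind acknowledged.")
                shell_message(nshell=[-3, 5, 6])
            elif packetType == rpcBase.packetType['request']:
                logging.info("Responded to activation request.")
                shell_message(nshell=[-3, 18, 19])
                break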
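    def handle(self):
        """Serve one client: answer bind / alter-context requests, then one
        activation request, and return.

        Each PDU is read with a single ``recv(1024)`` (the project assumes
        a PDU fits one segment).  ``self.request`` is the accepted socket;
        ``config`` and the ``MSRPC_*`` type constants are module-level.
        """
        while True:
            # self.request is the TCP socket connected to the client
            try:
                data = self.request.recv(1024)
            except socket.error as e:
                if e.errno == errno.ECONNRESET:
                    print("Error: Connection reset by peer.")
                    break
                raise
            if not data:
                print("No data received!")
                break
            packetType = MSRPCHeader(data)['type']
            if packetType in (MSRPC_BIND, MSRPC_ALTERCTX):
                if config['verbose']:
                    print("RPC bind request received.")
                handler = rpcBind.handler(data, config)
            elif packetType == MSRPC_REQUEST:
                if config['verbose']:
                    print("Received activation request.")
                handler = rpcRequest.handler(data, config)
            else:
                # Any other PDU type is unsupported: drop the connection.
                print("Error: Invalid RPC request type", packetType)
                break

            # bytes() is the idiomatic spelling of __bytes__().
            res = bytes(handler.populate())
            # sendall() retries until the whole PDU is written; a bare
            # send() may write only part of it when the socket buffer is full.
            self.request.sendall(res)

            if packetType == MSRPC_BIND:
                if config['verbose']:
                    print("RPC bind acknowledged.")
            elif packetType == MSRPC_REQUEST:
                if config['verbose']:
                    print("Responded to activation request.")
                break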
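def _activate(s):
    """Run the RPC bind + KMS activation exchange on the connected socket *s*.

    Prints the host's ePID, HWID (when present) and intervals.  Calls
    ``sys.exit()`` when the host resets the connection, sends nothing, or
    answers the bind with a NAK.  Relies on the module-level ``config``.
    """
    binder = rpcBind.handler(None, config)
    RPC_Bind = bytes(binder.generateRequest())
    if config['verbose']:
        print("Sending RPC bind request...")
    # sendall() loops until the whole PDU is written; send() may stop short.
    s.sendall(RPC_Bind)
    try:
        bindResponse = s.recv(1024)
    except socket.error as e:
        if e.errno == errno.ECONNRESET:
            print("Error: Connection reset by peer. Exiting...")
            sys.exit()
        raise
    if not bindResponse:
        print("No data received! Exiting...")
        sys.exit()
    packetType = MSRPCHeader(bindResponse)['type']
    if packetType == rpcBase.packetType['bindAck']:
        if config['verbose']:
            print("RPC bind acknowledged.")
        kmsRequest = createKmsRequest()
        requester = rpcRequest.handler(kmsRequest, config)
        s.sendall(bytes(requester.generateRequest()))
        # One recv() has always been relied on for the KMS reply; a response
        # fragmented across segments would be truncated here, as before.
        response = s.recv(1024)
        if config['debug']:
            # b2a_hex() returns bytes on Python 3; decode so the hex prints
            # without the b'...' wrapper.
            print("Response:", binascii.b2a_hex(response).decode('ascii'))
        parsed = MSRPCRespHeader(response)
        kmsData = readKmsResponse(parsed['pduData'], kmsRequest, config)
        kmsResp = kmsData['response']
        # Not every response carries an HWID; a missing key is expected.
        try:
            hwid = kmsData['hwid']
            print("KMS Host HWID:",
                  binascii.b2a_hex(hwid).decode('ascii').upper())
        except KeyError:
            pass
        print("KMS Host ePID:", kmsResp['kmsEpid'])
        print("KMS Host Current Client Count:", kmsResp['currentClientCount'])
        print("KMS VL Activation Interval:", kmsResp['vLActivationInterval'])
        print("KMS VL Renewal Interval:", kmsResp['vLRenewalInterval'])
    elif packetType == rpcBase.packetType['bindNak']:
        print(MSRPCBindNak(bindResponse).dump())
        sys.exit()
    else:
        print("Something went wrong.")
        sys.exit()


def main():
    """Command-line KMS client: bind to a KMS host over DCE/RPC, send one
    activation request and print what the host answered.

    Arguments are merged into the module-level ``config`` dict, which
    ``checkConfig``/``updateConfig`` validate and extend.  The socket is
    closed on every exit path, including ``sys.exit()``.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument("ip",
                        action="store",
                        help="The IP address or hostname of the KMS host.",
                        type=str)
    parser.add_argument(
        "port",
        nargs="?",
        action="store",
        default=1688,
        help=
        "The port the KMS service is listening on. The default is \"1688\".",
        type=int)
    parser.add_argument("-m",
                        "--mode",
                        dest="mode",
                        choices=[
                            "WindowsVista", "Windows7", "Windows8",
                            "Windows81", "Windows10", "Office2010",
                            "Office2013", "Office2016"
                        ],
                        default="Windows7")
    parser.add_argument(
        "-c",
        "--cmid",
        dest="cmid",
        default=None,
        help=
        "Use this flag to manually specify a CMID to use. If no CMID is specified, a random CMID will be generated.",
        type=str)
    parser.add_argument(
        "-n",
        "--name",
        dest="machineName",
        default=None,
        help=
        "Use this flag to manually specify an ASCII machineName to use. If no machineName is specified, a random machineName will be generated.",
        type=str)
    parser.add_argument("-v",
                        "--verbose",
                        dest="verbose",
                        action="store_const",
                        const=True,
                        default=False,
                        help="Use this flag to enable verbose output.")
    parser.add_argument(
        "-d",
        "--debug",
        dest="debug",
        action="store_const",
        const=True,
        default=False,
        help="Use this flag to enable debug output. Implies \"-v\".")
    config.update(vars(parser.parse_args()))
    checkConfig()
    config['call_id'] = 1
    if config['debug']:
        config['verbose'] = True
    updateConfig()

    print("Connecting to %s on port %d..." % (config['ip'], config['port']))
    # create_connection() resolves the target through getaddrinfo() and
    # tries every returned address, so IPv4/IPv6 literals and hostnames
    # (including IPv6-only names) all work.  The previous inet_pton() probe
    # only recognised IPv6 *literals* and otherwise forced AF_INET.
    s = socket.create_connection((config['ip'], config['port']))
    if config['verbose']:
        print("Connection successful!")
    try:
        _activate(s)
    finally:
        s.close()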
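def _activate(s):
    """Run the RPC bind + KMS activation exchange on the connected socket *s*.

    Logs the host's ePID, HWID (when present) and intervals at INFO.
    Calls ``sys.exit()`` when the host resets the connection, sends
    nothing, or answers the bind with a NAK.  Relies on the module-level
    ``config``; ``shell_message`` calls drive the project's console/GUI
    hooks and are kept as they were.
    """
    import errno  # stdlib; local so the fix does not depend on file imports

    binder = rpcBind.handler(None, config)
    RPC_Bind = str(binder.generateRequest()).encode('latin-1')  #*2to3*
    logging.info("Sending RPC bind request...")
    shell_message(nshell=[-1, 1])
    # sendall() loops until the whole PDU is written; send() may stop short.
    s.sendall(RPC_Bind)
    try:
        shell_message(nshell=[-4, 7])
        bindResponse = s.recv(1024)
    except socket.error as e:  #*2to3*
        # Python 3 exceptions are not subscriptable, so the old
        # ``e[0] == 104`` raised TypeError here; 104 was also Linux-only.
        if getattr(e, 'errno', None) == errno.ECONNRESET:
            logging.error("Connection reset by peer. Exiting...")
            sys.exit()
        raise
    if not bindResponse:
        logging.error("No data received ! Exiting...")
        sys.exit()
    packetType = MSRPCHeader(bindResponse)['type']
    if packetType == rpcBase.packetType['bindAck']:
        logging.info("RPC bind acknowledged.")
        shell_message(nshell=8)
        kmsRequest = createKmsRequest()
        requester = rpcRequest.handler(kmsRequest, config)
        s.sendall(str(requester.generateRequest()).encode('latin-1'))  #*2to3*
        shell_message(nshell=[-1, 12])
        # One recv() has always been relied on for the KMS reply; a response
        # fragmented across segments would be truncated here, as before.
        response = s.recv(1024)
        logging.debug(
            "Response: \n%s\n" %
            justify(binascii.b2a_hex(response).decode('latin-1')))  #*2to3*
        shell_message(nshell=[-4, 20])
        parsed = MSRPCRespHeader(response)
        kmsData = readKmsResponse(parsed['pduData'], kmsRequest, config)
        kmsResp = kmsData['response']

        # Only a missing key means "no HWID"; the bare except: used before
        # would also have hidden genuine errors.
        try:
            hwid = kmsData['hwid']
        except KeyError:
            hwid = None
        logging.info(
            "KMS Host ePID: %s" %
            kmsResp['kmsEpid'].encode('utf-8').decode('utf-16le'))  #*2to3*
        if hwid is not None:
            logging.info("KMS Host HWID: %s" % binascii.b2a_hex(
                hwid.encode('latin-1')).upper().decode('utf-8'))  #*2to3*

        logging.info("KMS Host Current Client Count: %s" %
                     kmsResp['currentClientCount'])
        logging.info("KMS VL Activation Interval: %s" %
                     kmsResp['vLActivationInterval'])
        logging.info("KMS VL Renewal Interval: %s" %
                     kmsResp['vLRenewalInterval'])
        shell_message(nshell=21)

    elif packetType == rpcBase.packetType['bindNak']:
        logging.info(
            justify(MSRPCBindNak(bindResponse).dump(print_to_stdout=False)))
        sys.exit()
    else:
        logging.critical("Something went wrong.")
        sys.exit()


def main():
    """Command-line KMS client with file logging.

    Parses options into the module-level ``config`` dict, configures
    logging, connects to the host and hands the socket to ``_activate``.
    The socket is closed on every exit path, including ``sys.exit()``.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument("ip",
                        action="store",
                        help='The IP address or hostname of the KMS server.',
                        type=str)
    parser.add_argument(
        "port",
        nargs="?",
        action="store",
        default=1688,
        help=
        'The port the KMS service is listening on. The default is \"1688\".',
        type=int)
    # Help text now states the default the code actually applies.
    parser.add_argument(
        "-m",
        "--mode",
        dest="mode",
        choices=[
            "WindowsVista", "Windows7", "Windows8", "Windows81", "Windows10",
            "Office2010", "Office2013", "Office2016"
        ],
        default="Windows7",
        help=
        'Use this flag to manually specify a Microsoft product for testing the server. The default is \"Windows7\".',
        type=str)
    parser.add_argument(
        "-c",
        "--cmid",
        dest="cmid",
        default=None,
        help=
        'Use this flag to manually specify a CMID to use. If no CMID is specified, a random CMID will be generated.',
        type=str)
    parser.add_argument(
        "-n",
        "--name",
        dest="machineName",
        default=None,
        help=
        'Use this flag to manually specify an ASCII machineName to use. If no machineName is specified,\
a random machineName will be generated.',
        type=str)
    parser.add_argument(
        "-v",
        "--loglevel",
        dest="loglevel",
        action="store",
        default="ERROR",
        choices=["CRITICAL", "ERROR", "WARNING", "INFO", "DEBUG"],
        help='Use this flag to set a Loglevel. The default is \"ERROR\".',
        type=str)
    # Default log file lives next to this script; the help text names the
    # same file the default does.
    parser.add_argument(
        "-f",
        "--logfile",
        dest="logfile",
        action="store",
        default=os.path.dirname(os.path.abspath(__file__)) +
        "/py3kms_client.log",
        help=
        'Use this flag to set an output Logfile. The default is \"py3kms_client.log\".',
        type=str)

    config.update(vars(parser.parse_args()))

    # filemode='w' truncates the log file on every run.
    logging.basicConfig(level=config['loglevel'],
                        format='%(asctime)s %(levelname)-8s %(message)s',
                        datefmt='%a, %d %b %Y %H:%M:%S',
                        filename=config['logfile'],
                        filemode='w')

    checkConfig()
    config['call_id'] = 1
    updateConfig()
    logging.info("Connecting to %s on port %d..." %
                 (config['ip'], config['port']))
    # create_connection() resolves the target through getaddrinfo() and
    # tries IPv4 and IPv6 addresses; the bare socket.socket() was IPv4-only.
    s = socket.create_connection((config['ip'], config['port']))
    logging.info("Connection successful !")
    try:
        _activate(s)
    finally:
        s.close()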
    RPC_Bind = str(binder.generateRequest())
    if config['verbose']:
        print "Sending RPC bind request..."
    s.send(RPC_Bind)
    try:
        bindResponse = s.recv(1024)
    except socket.error, e:
        if e[0] == 104:
            print "Error: Connection reset by peer. Exiting..."
            sys.exit()
        else:
            raise
    if bindResponse == '' or not bindResponse:
        print "No data received! Exiting..."
        sys.exit()
    packetType = MSRPCHeader(bindResponse)['type']
    if packetType == rpcBase.packetType['bindAck']:
        if config['verbose']:
            print "RPC bind acknowledged."
        #config['call_id'] += 1
        '''
		request = CreateRequest()
		requester = rpcRequest.request(request, config)
		s.send(request)
		response = s.recv(1024)
		if config['debug']:
			print "Response:", binascii.b2a_hex(response), len(response)
		parsed = ReadResponse(response)
		'''
    elif packetType == rpcBase.packetType['bindNak']:
        print MSRPCBindNak(bindResponse).dump()