Add modules IOXIDResolver & MS17-010
parent
66621b9014
commit
c259a42c6c
|
@ -0,0 +1,47 @@
|
|||
# Credit to https://airbus-cyber-security.com/fr/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/
|
||||
# Airbus CERT
|
||||
# module by @mpgn_x64
|
||||
|
||||
from ipaddress import ip_address
|
||||
from impacket.dcerpc.v5 import transport
|
||||
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_NONE
|
||||
from impacket.dcerpc.v5.dcomrt import IObjectExporter
|
||||
|
||||
class CMEModule:
|
||||
|
||||
name = 'ioxidresolver'
|
||||
description = "Thie module helps you to identify hosts that have additional active interfaces"
|
||||
supported_protocols = ['smb']
|
||||
opsec_safe = True
|
||||
multiple_hosts = False
|
||||
|
||||
def options(self, context, module_options):
|
||||
'''
|
||||
'''
|
||||
|
||||
|
||||
def on_login(self, context, connection):
|
||||
authLevel = RPC_C_AUTHN_LEVEL_NONE
|
||||
|
||||
stringBinding = r'ncacn_ip_tcp:%s' % connection.host
|
||||
rpctransport = transport.DCERPCTransportFactory(stringBinding)
|
||||
|
||||
portmap = rpctransport.get_dce_rpc()
|
||||
portmap.set_auth_level(authLevel)
|
||||
portmap.connect()
|
||||
|
||||
objExporter = IObjectExporter(portmap)
|
||||
bindings = objExporter.ServerAlive2()
|
||||
|
||||
context.log.debug("[*] Retrieving network interface of " + connection.host)
|
||||
|
||||
#NetworkAddr = bindings[0]['aNetworkAddr']
|
||||
for binding in bindings:
|
||||
NetworkAddr = binding['aNetworkAddr']
|
||||
try:
|
||||
ip_address(NetworkAddr[:-1])
|
||||
context.log.highlight("Address: " + NetworkAddr)
|
||||
except Exception as e:
|
||||
context.log.debug(e)
|
||||
|
||||
|
|
@ -0,0 +1,363 @@
|
|||
# All credits to https://github.com/d4t4s3c/Win7Blue
|
||||
# @d4t4s3c
|
||||
# Module by @mpgn_x64
|
||||
|
||||
from ctypes import *
|
||||
import socket
|
||||
import struct
|
||||
|
||||
class CMEModule:
|
||||
|
||||
name = 'ms17-010'
|
||||
description = "TODO"
|
||||
supported_protocols = ['smb']
|
||||
opsec_safe = True
|
||||
multiple_hosts = True
|
||||
|
||||
def options(self, context, module_options):
|
||||
'''
|
||||
'''
|
||||
|
||||
def on_login(self, context, connection):
|
||||
if check(connection.host):
|
||||
context.log.highlight("VULNERABLE")
|
||||
context.log.highlight("Next step: https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue/")
|
||||
|
||||
class SMB_HEADER(Structure):
|
||||
"""SMB Header decoder.
|
||||
"""
|
||||
|
||||
_pack_ = 1
|
||||
|
||||
_fields_ = [
|
||||
("server_component", c_uint32),
|
||||
("smb_command", c_uint8),
|
||||
("error_class", c_uint8),
|
||||
("reserved1", c_uint8),
|
||||
("error_code", c_uint16),
|
||||
("flags", c_uint8),
|
||||
("flags2", c_uint16),
|
||||
("process_id_high", c_uint16),
|
||||
("signature", c_uint64),
|
||||
("reserved2", c_uint16),
|
||||
("tree_id", c_uint16),
|
||||
("process_id", c_uint16),
|
||||
("user_id", c_uint16),
|
||||
("multiplex_id", c_uint16)
|
||||
]
|
||||
|
||||
def __new__(self, buffer=None):
|
||||
return self.from_buffer_copy(buffer)
|
||||
|
||||
def generate_smb_proto_payload(*protos):
|
||||
"""Generate SMB Protocol. Pakcet protos in order.
|
||||
"""
|
||||
hexdata = []
|
||||
for proto in protos:
|
||||
hexdata.extend(proto)
|
||||
return "".join(hexdata)
|
||||
|
||||
|
||||
def calculate_doublepulsar_xor_key(s):
|
||||
"""Calaculate Doublepulsar Xor Key
|
||||
"""
|
||||
x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))
|
||||
x = x & 0xffffffff
|
||||
return x
|
||||
|
||||
|
||||
def negotiate_proto_request():
|
||||
"""Generate a negotiate_proto_request packet.
|
||||
"""
|
||||
netbios = [
|
||||
'\x00',
|
||||
'\x00\x00\x54'
|
||||
]
|
||||
|
||||
smb_header = [
|
||||
'\xFF\x53\x4D\x42',
|
||||
'\x72',
|
||||
'\x00\x00\x00\x00',
|
||||
'\x18',
|
||||
'\x01\x28',
|
||||
'\x00\x00',
|
||||
'\x00\x00\x00\x00\x00\x00\x00\x00',
|
||||
'\x00\x00',
|
||||
'\x00\x00',
|
||||
'\x2F\x4B',
|
||||
'\x00\x00',
|
||||
'\xC5\x5E'
|
||||
]
|
||||
|
||||
negotiate_proto_request = [
|
||||
'\x00',
|
||||
'\x31\x00',
|
||||
|
||||
'\x02',
|
||||
'\x4C\x41\x4E\x4D\x41\x4E\x31\x2E\x30\x00',
|
||||
|
||||
'\x02',
|
||||
'\x4C\x4D\x31\x2E\x32\x58\x30\x30\x32\x00',
|
||||
|
||||
'\x02',
|
||||
'\x4E\x54\x20\x4C\x41\x4E\x4D\x41\x4E\x20\x31\x2E\x30\x00',
|
||||
|
||||
'\x02',
|
||||
'\x4E\x54\x20\x4C\x4D\x20\x30\x2E\x31\x32\x00'
|
||||
]
|
||||
|
||||
return generate_smb_proto_payload(netbios, smb_header, negotiate_proto_request)
|
||||
|
||||
|
||||
def session_setup_andx_request():
|
||||
"""Generate session setuo andx request.
|
||||
"""
|
||||
netbios = [
|
||||
'\x00',
|
||||
'\x00\x00\x63'
|
||||
]
|
||||
|
||||
smb_header = [
|
||||
'\xFF\x53\x4D\x42',
|
||||
'\x73',
|
||||
'\x00\x00\x00\x00',
|
||||
'\x18',
|
||||
'\x01\x20',
|
||||
'\x00\x00',
|
||||
'\x00\x00\x00\x00\x00\x00\x00\x00',
|
||||
'\x00\x00',
|
||||
'\x00\x00',
|
||||
'\x2F\x4B',
|
||||
'\x00\x00',
|
||||
'\xC5\x5E',
|
||||
]
|
||||
|
||||
session_setup_andx_request = [
|
||||
'\x0D',
|
||||
'\xFF',
|
||||
'\x00',
|
||||
'\x00\x00',
|
||||
'\xDF\xFF',
|
||||
'\x02\x00',
|
||||
'\x01\x00',
|
||||
'\x00\x00\x00\x00',
|
||||
'\x00\x00',
|
||||
'\x00\x00',
|
||||
'\x00\x00\x00\x00',
|
||||
'\x40\x00\x00\x00',
|
||||
'\x26\x00',
|
||||
'\x00',
|
||||
'\x2e\x00',
|
||||
'\x57\x69\x6e\x64\x6f\x77\x73\x20\x32\x30\x30\x30\x20\x32\x31\x39\x35\x00',
|
||||
'\x57\x69\x6e\x64\x6f\x77\x73\x20\x32\x30\x30\x30\x20\x35\x2e\x30\x00',
|
||||
]
|
||||
|
||||
return generate_smb_proto_payload(netbios, smb_header, session_setup_andx_request)
|
||||
|
||||
|
||||
def tree_connect_andx_request(ip, userid):
|
||||
"""Generate tree connect andx request.
|
||||
"""
|
||||
|
||||
netbios = [
|
||||
'\x00',
|
||||
'\x00\x00\x47'
|
||||
]
|
||||
|
||||
smb_header = [
|
||||
'\xFF\x53\x4D\x42',
|
||||
'\x75',
|
||||
'\x00\x00\x00\x00',
|
||||
'\x18',
|
||||
'\x01\x20',
|
||||
'\x00\x00',
|
||||
'\x00\x00\x00\x00\x00\x00\x00\x00',
|
||||
'\x00\x00',
|
||||
'\x00\x00',
|
||||
'\x2F\x4B',
|
||||
userid,
|
||||
'\xC5\x5E'
|
||||
]
|
||||
|
||||
ipc = "\\\\{}\IPC$\x00".format(ip)
|
||||
|
||||
tree_connect_andx_request = [
|
||||
'\x04',
|
||||
'\xFF',
|
||||
'\x00',
|
||||
'\x00\x00',
|
||||
'\x00\x00',
|
||||
'\x01\x00',
|
||||
'\x1A\x00',
|
||||
'\x00',
|
||||
ipc.encode(),
|
||||
'\x3f\x3f\x3f\x3f\x3f\x00'
|
||||
]
|
||||
|
||||
length = len("".join(smb_header)) + len("".join(tree_connect_andx_request))
|
||||
|
||||
netbios[1] = struct.pack(">L", length)[-3:]
|
||||
|
||||
return generate_smb_proto_payload(netbios, smb_header, tree_connect_andx_request)
|
||||
|
||||
|
||||
def peeknamedpipe_request(treeid, processid, userid, multiplex_id):
|
||||
"""Generate tran2 request
|
||||
"""
|
||||
|
||||
netbios = [
|
||||
'\x00',
|
||||
'\x00\x00\x4a'
|
||||
]
|
||||
|
||||
smb_header = [
|
||||
'\xFF\x53\x4D\x42',
|
||||
'\x25',
|
||||
'\x00\x00\x00\x00',
|
||||
'\x18',
|
||||
'\x01\x28',
|
||||
'\x00\x00',
|
||||
'\x00\x00\x00\x00\x00\x00\x00\x00',
|
||||
'\x00\x00',
|
||||
treeid,
|
||||
processid,
|
||||
userid,
|
||||
multiplex_id
|
||||
]
|
||||
|
||||
tran_request = [
|
||||
'\x10',
|
||||
'\x00\x00',
|
||||
'\x00\x00',
|
||||
'\xff\xff',
|
||||
'\xff\xff',
|
||||
'\x00',
|
||||
'\x00',
|
||||
'\x00\x00',
|
||||
'\x00\x00\x00\x00',
|
||||
'\x00\x00',
|
||||
'\x00\x00',
|
||||
'\x4a\x00',
|
||||
'\x00\x00',
|
||||
'\x4a\x00',
|
||||
'\x02',
|
||||
'\x00',
|
||||
'\x23\x00',
|
||||
'\x00\x00',
|
||||
'\x07\x00',
|
||||
'\x5c\x50\x49\x50\x45\x5c\x00'
|
||||
]
|
||||
|
||||
return generate_smb_proto_payload(netbios, smb_header, tran_request)
|
||||
|
||||
|
||||
def trans2_request(treeid, processid, userid, multiplex_id):
|
||||
"""Generate trans2 request.
|
||||
"""
|
||||
|
||||
netbios = [
|
||||
'\x00',
|
||||
'\x00\x00\x4f'
|
||||
]
|
||||
|
||||
smb_header = [
|
||||
'\xFF\x53\x4D\x42',
|
||||
'\x32',
|
||||
'\x00\x00\x00\x00',
|
||||
'\x18',
|
||||
'\x07\xc0',
|
||||
'\x00\x00',
|
||||
'\x00\x00\x00\x00\x00\x00\x00\x00',
|
||||
'\x00\x00',
|
||||
treeid,
|
||||
processid,
|
||||
userid,
|
||||
multiplex_id
|
||||
]
|
||||
|
||||
trans2_request = [
|
||||
'\x0f',
|
||||
'\x0c\x00',
|
||||
'\x00\x00',
|
||||
'\x01\x00',
|
||||
'\x00\x00',
|
||||
'\x00',
|
||||
'\x00',
|
||||
'\x00\x00',
|
||||
'\xa6\xd9\xa4\x00',
|
||||
'\x00\x00',
|
||||
'\x0c\x00',
|
||||
'\x42\x00',
|
||||
'\x00\x00',
|
||||
'\x4e\x00',
|
||||
'\x01',
|
||||
'\x00',
|
||||
'\x0e\x00',
|
||||
'\x00\x00',
|
||||
'\x0c\x00' + '\x00' * 12
|
||||
]
|
||||
|
||||
return generate_smb_proto_payload(netbios, smb_header, trans2_request)
|
||||
|
||||
def check(ip, port=445):
|
||||
"""Check if MS17_010 SMB Vulnerability exists.
|
||||
"""
|
||||
try:
|
||||
buffersize = 1024
|
||||
timeout = 5.0
|
||||
|
||||
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
client.settimeout(timeout)
|
||||
client.connect((ip, port))
|
||||
|
||||
raw_proto = negotiate_proto_request()
|
||||
client.send(raw_proto)
|
||||
tcp_response = client.recv(buffersize)
|
||||
|
||||
raw_proto = session_setup_andx_request()
|
||||
client.send(raw_proto)
|
||||
tcp_response = client.recv(buffersize)
|
||||
netbios = tcp_response[:4]
|
||||
smb_header = tcp_response[4:36]
|
||||
smb = SMB_HEADER(smb_header)
|
||||
|
||||
user_id = struct.pack('<H', smb.user_id)
|
||||
|
||||
session_setup_andx_response = tcp_response[36:]
|
||||
native_os = session_setup_andx_response[9:].split('\x00')[0]
|
||||
|
||||
raw_proto = tree_connect_andx_request(ip, user_id)
|
||||
client.send(raw_proto)
|
||||
tcp_response = client.recv(buffersize)
|
||||
|
||||
netbios = tcp_response[:4]
|
||||
smb_header = tcp_response[4:36]
|
||||
smb = SMB_HEADER(smb_header)
|
||||
|
||||
tree_id = struct.pack('<H', smb.tree_id)
|
||||
process_id = struct.pack('<H', smb.process_id)
|
||||
user_id = struct.pack('<H', smb.user_id)
|
||||
multiplex_id = struct.pack('<H', smb.multiplex_id)
|
||||
|
||||
raw_proto = peeknamedpipe_request(tree_id, process_id, user_id, multiplex_id)
|
||||
client.send(raw_proto)
|
||||
tcp_response = client.recv(buffersize)
|
||||
|
||||
netbios = tcp_response[:4]
|
||||
smb_header = tcp_response[4:36]
|
||||
smb = SMB_HEADER(smb_header)
|
||||
|
||||
nt_status = struct.pack('BBH', smb.error_class, smb.reserved1, smb.error_code)
|
||||
|
||||
|
||||
if nt_status == '\x05\x02\x00\xc0':
|
||||
return True
|
||||
elif nt_status in ('\x08\x00\x00\xc0', '\x22\x00\x00\xc0'):
|
||||
return False
|
||||
else:
|
||||
return False
|
||||
|
||||
except Exception as err:
|
||||
return False
|
||||
finally:
|
||||
client.close()
|
|
@ -36,6 +36,7 @@ class CMEModule:
|
|||
dce = plop.connect(connection.username, password=connection.password, domain=connection.domain, lmhash=connection.lmhash, nthash=connection.nthash, target=connection.host, pipe=self.pipe, targetIp=connection.host)
|
||||
if plop.EfsRpcOpenFileRaw(dce, self.listener):
|
||||
context.log.highlight("VULNERABLE")
|
||||
context.log.highlight("Next step: https://github.com/topotam/PetitPotam")
|
||||
|
||||
|
||||
class DCERPCSessionError(DCERPCException):
|
||||
|
|
Loading…
Reference in New Issue