add checker.py script for finding accessible named pipe

This commit is contained in:
worawit
2017-07-11 22:26:41 +07:00
parent af235b686e
commit 44d8dcccce
2 changed files with 119 additions and 17 deletions

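--- /dev/null
+++ b/checker.py
@@ -0,0 +1,87 @@
+from mysmb import MYSMB
+from impacket import smb, smbconnection, nt_errors
+from impacket.uuid import uuidtup_to_bin
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from struct import pack
+import sys
+'''
+Script for
+- check target if MS17-010 is patched or not.
+- find accessible named pipe
+'''
+USERNAME = ''
+PASSWORD = ''
+NDR64Syntax = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')
+MSRPC_UUID_BROWSER = uuidtup_to_bin(('6BFFD098-A112-3610-9833-012892020162','0.0'))
+MSRPC_UUID_SPOOLSS = uuidtup_to_bin(('12345678-1234-ABCD-EF00-0123456789AB','1.0'))
+MSRPC_UUID_NETLOGON = uuidtup_to_bin(('12345678-1234-ABCD-EF00-01234567CFFB','1.0'))
+MSRPC_UUID_LSARPC = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AB','0.0'))
+MSRPC_UUID_SAMR = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AC','1.0'))
+pipes = {
+'browser' : MSRPC_UUID_BROWSER,
+'spoolss' : MSRPC_UUID_SPOOLSS,
+'netlogon' : MSRPC_UUID_NETLOGON,
+'lsarpc' : MSRPC_UUID_LSARPC,
+'samr' : MSRPC_UUID_SAMR,
+}
+if len(sys.argv) != 2:
+print("{} <ip>".format(sys.argv[0]))
+sys.exit(1)
+target = sys.argv[1]
+conn = MYSMB(target)
+try:
+conn.login(USERNAME, PASSWORD)
+except smb.SessionError, e:
+print('Login failed: ' + nt_errors.ERROR_MESSAGES[e.error_code][0])
+sys.exit()
+finally:
+print('Target OS: ' + conn.get_server_os())
+tid = conn.tree_connect_andx('\\\\'+target+'\\'+'IPC$')
+conn.set_default_tid(tid)
+# test if target is vulnerable
+TRANS_PEEK_NMPIPE = 0x23
+recvPkt = conn.send_trans(pack('<H', TRANS_PEEK_NMPIPE), maxParameterCount=0xffff, maxDataCount=0x800)
+status = recvPkt.getNTStatus()
+if status == 0xC0000205: # STATUS_INSUFF_SERVER_RESOURCES
+print('The target is not patched')
+else:
+print('The target is patched')
+sys.exit()
+print('')
+print('=== Testing named pipes ===')
+for pipe_name, pipe_uuid in pipes.items():
+try:
+dce = conn.get_dce_rpc(pipe_name)
+dce.connect()
+try:
+dce.bind(pipe_uuid, transfer_syntax=NDR64Syntax)
+print('{}: Ok (64 bit)'.format(pipe_name))
+except DCERPCException, e:
+if 'transfer_syntaxes_not_supported' in str(e):
+print('{}: Ok (32 bit)'.format(pipe_name))
+else:
+print('{}: Ok ({})'.format(pipe_name, str(e)))
+dce.disconnect()
+except smb.SessionError, e:
+print('{}: {}'.format(pipe_name, nt_errors.ERROR_MESSAGES[e.error_code][0]))
+except smbconnection.SessionError, e:
+print('{}: {}'.format(pipe_name, nt_errors.ERROR_MESSAGES[e.error][0]))
+conn.disconnect_tree(tid)
+conn.logoff()
+conn.get_socket().close()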
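Review bot: The `finally:` after the login `try` should be `else:`: when `conn.login` fails the script prints 'Login failed' and calls `sys.exit()`, yet `finally` still runs, so 'Target OS: …' is printed for a session that never authenticated (and whether `get_server_os()` has anything meaningful before session setup succeeds should be confirmed against impacket). Separately, the patch check reports every status other than 0xC0000205 as 'The target is patched', so an access-denied or otherwise unexpected reply is indistinguishable from a genuinely patched host; include the value in the message, e.g. `print('The target is patched (status 0x{:08X})'.format(status))`, so an inconclusive result is not recorded as a clean one. The rendered page has dropped the file's indentation, so the block structure above is inferred from the statement order.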


@@ -1,6 +1,7 @@
# impacket SMB extension for MS17-010 exploit. # impacket SMB extension for MS17-010 exploit.
# this file contains only valid SMB packet format operation. # this file contains only valid SMB packet format operation.
from impacket import smb from impacket import smb, smbconnection
from impacket.dcerpc.v5 import transport
from struct import pack from struct import pack
import os import os
import random import random
@@ -113,11 +114,15 @@ class MYSMB(smb.SMB):
self._pkt_flags2 = 0 self._pkt_flags2 = 0
self._last_tid = 0 # last tid from connect_tree() self._last_tid = 0 # last tid from connect_tree()
self._last_fid = 0 # last fid from nt_create_andx() self._last_fid = 0 # last fid from nt_create_andx()
self._smbConn = None
smb.SMB.__init__(self, remote_host, remote_host, timeout=timeout) smb.SMB.__init__(self, remote_host, remote_host, timeout=timeout)
def set_pid(self, pid): def set_pid(self, pid):
self._pid = pid self._pid = pid
def get_pid(self):
return self._pid
def set_last_mid(self, mid): def set_last_mid(self, mid):
self._last_mid = mid self._last_mid = mid
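Review bot: The `self._smbConn = None` added to `__init__` is never written back: the `get_smbconnection` introduced in the later hunk of this file tests `self._smbConn is None` but assigns and returns `self.smbConn`, so the cache misses on every call and a fresh `SMBConnection` is constructed each time `get_dce_rpc` runs. That is probably harmless here because the wrapper is built over the same existing connection, but it defeats the purpose of the attribute; change the two lines to `self._smbConn = smbconnection.SMBConnection(...)` and `return self._smbConn`. The enclosing `__init__` starts before this hunk, and the new `get_pid` accessor would also read better with a one-line docstring.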
@@ -127,6 +132,16 @@ class MYSMB(smb.SMB):
self._last_mid += 0x120 self._last_mid += 0x120
return self._last_mid return self._last_mid
def get_smbconnection(self):
if self._smbConn is None:
self.smbConn = smbconnection.SMBConnection(self.get_remote_host(), self.get_remote_host(), existingConnection=self, manualNegotiate=True)
return self.smbConn
def get_dce_rpc(self, named_pipe):
smbConn = self.get_smbconnection()
rpctransport = transport.SMBTransport(self.get_remote_host(), self.get_remote_host(), filename='\\'+named_pipe, smb_connection=smbConn)
return rpctransport.get_dce_rpc()
# override SMB.neg_session() to allow forcing ntlm authentication # override SMB.neg_session() to allow forcing ntlm authentication
def neg_session(self, extended_security=True, negPacket=None): def neg_session(self, extended_security=True, negPacket=None):
smb.SMB.neg_session(self, extended_security=self.__use_ntlmv2, negPacket=negPacket) smb.SMB.neg_session(self, extended_security=self.__use_ntlmv2, negPacket=negPacket)