add checker.py script for finding accessible named pipe

2017-07-11 22:26:41 +07:00
parent af235b686e
commit 44d8dcccce
2 changed files with 119 additions and 17 deletions
--- a/checker.py
+++ b/checker.py
@@ -0,0 +1,87 @@
+from mysmb import MYSMB
+from impacket import smb, smbconnection, nt_errors
+from impacket.uuid import uuidtup_to_bin
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from struct import pack
+import sys
+
+'''
+Script for
+- check target if MS17-010 is patched or not.
+- find accessible named pipe
+'''
+
+USERNAME = ''
+PASSWORD = ''
+
+NDR64Syntax = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')
+
+MSRPC_UUID_BROWSER  = uuidtup_to_bin(('6BFFD098-A112-3610-9833-012892020162','0.0'))
+MSRPC_UUID_SPOOLSS  = uuidtup_to_bin(('12345678-1234-ABCD-EF00-0123456789AB','1.0'))
+MSRPC_UUID_NETLOGON = uuidtup_to_bin(('12345678-1234-ABCD-EF00-01234567CFFB','1.0'))
+MSRPC_UUID_LSARPC   = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AB','0.0'))
+MSRPC_UUID_SAMR     = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AC','1.0'))
+
+pipes = {
+	'browser'  : MSRPC_UUID_BROWSER,
+	'spoolss'  : MSRPC_UUID_SPOOLSS,
+	'netlogon' : MSRPC_UUID_NETLOGON,
+	'lsarpc'   : MSRPC_UUID_LSARPC,
+	'samr'     : MSRPC_UUID_SAMR,
+}
+
+
+if len(sys.argv) != 2:
+	print("{} <ip>".format(sys.argv[0]))
+	sys.exit(1)
+
+target = sys.argv[1]
+
+conn = MYSMB(target)
+try:
+	conn.login(USERNAME, PASSWORD)
+except smb.SessionError, e:
+	print('Login failed: ' + nt_errors.ERROR_MESSAGES[e.error_code][0])
+	sys.exit()
+finally:
+	print('Target OS: ' + conn.get_server_os())
+
+tid = conn.tree_connect_andx('\\\\'+target+'\\'+'IPC$')
+conn.set_default_tid(tid)
+
+
+# test if target is vulnerable
+TRANS_PEEK_NMPIPE = 0x23
+recvPkt = conn.send_trans(pack('<H', TRANS_PEEK_NMPIPE), maxParameterCount=0xffff, maxDataCount=0x800)
+status = recvPkt.getNTStatus()
+if status == 0xC0000205:  # STATUS_INSUFF_SERVER_RESOURCES
+	print('The target is not patched')
+else:
+	print('The target is patched')
+	sys.exit()
+
+
+print('')
+print('=== Testing named pipes ===')
+for pipe_name, pipe_uuid in pipes.items():
+	try:
+		dce = conn.get_dce_rpc(pipe_name)
+		dce.connect()
+		try:
+			dce.bind(pipe_uuid, transfer_syntax=NDR64Syntax)
+			print('{}: Ok (64 bit)'.format(pipe_name))
+		except DCERPCException, e:
+			if 'transfer_syntaxes_not_supported' in str(e):
+				print('{}: Ok (32 bit)'.format(pipe_name))
+			else:
+				print('{}: Ok ({})'.format(pipe_name, str(e)))
+		dce.disconnect()
+	except smb.SessionError, e:
+		print('{}: {}'.format(pipe_name, nt_errors.ERROR_MESSAGES[e.error_code][0]))
+	except smbconnection.SessionError, e:
+		print('{}: {}'.format(pipe_name, nt_errors.ERROR_MESSAGES[e.error][0]))
+
+
+conn.disconnect_tree(tid)
+conn.logoff()
+conn.get_socket().close()
--- a/mysmb.py
+++ b/mysmb.py
@@ -1,6 +1,7 @@
 # impacket SMB extension for MS17-010 exploit.
 # this file contains only valid SMB packet format operation.
-from impacket import smb
+from impacket import smb, smbconnection
+from impacket.dcerpc.v5 import transport
 from struct import pack
 import os
 import random
@@ -113,11 +114,15 @@ class MYSMB(smb.SMB):
 		self._pkt_flags2 = 0
 		self._last_tid = 0  # last tid from connect_tree()
 		self._last_fid = 0  # last fid from nt_create_andx()
+		self._smbConn = None
 		smb.SMB.__init__(self, remote_host, remote_host, timeout=timeout)

 	def set_pid(self, pid):
 		self._pid = pid

+	def get_pid(self):
+		return self._pid
+
 	def set_last_mid(self, mid):
 		self._last_mid = mid

@@ -127,6 +132,16 @@ class MYSMB(smb.SMB):
 			self._last_mid += 0x120
 		return self._last_mid

+	def get_smbconnection(self):
+		if self._smbConn is None:
+			self.smbConn = smbconnection.SMBConnection(self.get_remote_host(), self.get_remote_host(), existingConnection=self, manualNegotiate=True)
+		return self.smbConn
+
+	def get_dce_rpc(self, named_pipe):
+		smbConn = self.get_smbconnection()
+		rpctransport = transport.SMBTransport(self.get_remote_host(), self.get_remote_host(), filename='\\'+named_pipe, smb_connection=smbConn)
+		return rpctransport.get_dce_rpc()
+
 	# override SMB.neg_session() to allow forcing ntlm authentication
 	def neg_session(self, extended_security=True, negPacket=None):
 		smb.SMB.neg_session(self, extended_security=self.__use_ntlmv2, negPacket=negPacket)