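'''
Script for
- check target if MS17-010 is patched or not.
- find accessible named pipe

Usage: <script> <ip>

The patch check sends one TRANS_PEEK_NMPIPE transaction on the IPC$ share and
classifies the host from the NT status of the reply. Only
STATUS_INSUFF_SERVER_RESOURCES is reported as "not patched". Any status that
is not a recognised "patched" answer is reported as inconclusive, together
with the status itself, so that a filtered or otherwise failing probe is not
recorded as a patched host.

Exit status: 1 on a usage error. Every other path exits with 0, so callers
have to read the printed result rather than the exit code.
'''
from mysmb import MYSMB
from impacket import smb, smbconnection, nt_errors
from impacket.uuid import uuidtup_to_bin
from impacket.dcerpc.v5.rpcrt import DCERPCException
from struct import pack
import sys

# Credentials handed to conn.login(); both are empty by default.
USERNAME = ''
PASSWORD = ''

# Transfer syntax offered first on bind; a server that rejects it is reported
# as "32 bit" by the pipe test below.
NDR64Syntax = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')

MSRPC_UUID_BROWSER = uuidtup_to_bin(('6BFFD098-A112-3610-9833-012892020162', '0.0'))
MSRPC_UUID_SPOOLSS = uuidtup_to_bin(('12345678-1234-ABCD-EF00-0123456789AB', '1.0'))
MSRPC_UUID_NETLOGON = uuidtup_to_bin(('12345678-1234-ABCD-EF00-01234567CFFB', '1.0'))
MSRPC_UUID_LSARPC = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AB', '0.0'))
MSRPC_UUID_SAMR = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AC', '1.0'))

# Named pipes to test, each mapped to the RPC interface UUID bound on it.
pipes = {
    'browser': MSRPC_UUID_BROWSER,
    'spoolss': MSRPC_UUID_SPOOLSS,
    'netlogon': MSRPC_UUID_NETLOGON,
    'lsarpc': MSRPC_UUID_LSARPC,
    'samr': MSRPC_UUID_SAMR,
}

# SMB transaction subcommand used for the patch probe.
TRANS_PEEK_NMPIPE = 0x23

# NT status values the probe result is compared against.
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205
STATUS_ACCESS_DENIED = 0xC0000022
STATUS_INVALID_HANDLE = 0xC0000008


def _nt_status_text(code):
    '''Return the symbolic name of an NT status code, or its hex value if unknown.'''
    # A plain ERROR_MESSAGES[code] lookup raises KeyError for a status that is
    # missing from impacket's table, which would hide the real error.
    entry = nt_errors.ERROR_MESSAGES.get(code)
    if entry:
        return entry[0]
    return 'NT status 0x{:08x}'.format(code)


if len(sys.argv) != 2:
    print("{} <ip>".format(sys.argv[0]))
    sys.exit(1)

target = sys.argv[1]

conn = MYSMB(target)
try:
    conn.login(USERNAME, PASSWORD)
except smb.SessionError as e:
    print('Login failed: ' + _nt_status_text(e.error_code))
    sys.exit()
finally:
    # Runs on both paths, so the server OS is printed even when login fails.
    print('Target OS: ' + conn.get_server_os())

tid = conn.tree_connect_andx('\\\\' + target + '\\' + 'IPC$')
conn.set_default_tid(tid)

try:
    # test if target is vulnerable
    recvPkt = conn.send_trans(pack('<H', TRANS_PEEK_NMPIPE), maxParameterCount=0xffff, maxDataCount=0x800)
    status = recvPkt.getNTStatus()
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        print('The target is not patched')
    elif status in (STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE):
        # NOTE(review): these two statuses are the answers commonly reported
        # for patched hosts; confirm against the Windows builds in scope.
        print('The target is patched')
        sys.exit()
    else:
        # Anything else (filtering, unsupported command, another SMB
        # implementation) says nothing about the patch level.
        print('Unable to determine patch status: ' + _nt_status_text(status))
        sys.exit()

    print('')
    print('=== Testing named pipes ===')
    for pipe_name, pipe_uuid in pipes.items():
        try:
            dce = conn.get_dce_rpc(pipe_name)
            dce.connect()
            try:
                dce.bind(pipe_uuid, transfer_syntax=NDR64Syntax)
                print('{}: Ok (64 bit)'.format(pipe_name))
            except DCERPCException as e:
                # The pipe was opened; only the bind was refused.
                if 'transfer_syntaxes_not_supported' in str(e):
                    print('{}: Ok (32 bit)'.format(pipe_name))
                else:
                    print('{}: Ok ({})'.format(pipe_name, str(e)))
            finally:
                dce.disconnect()
        except smb.SessionError as e:
            print('{}: {}'.format(pipe_name, _nt_status_text(e.error_code)))
        except smbconnection.SessionError as e:
            print('{}: {}'.format(pipe_name, _nt_status_text(e.error)))
finally:
    # Release the tree, the session and the socket on the early exits as well.
    conn.disconnect_tree(tid)
    conn.logoff()
    conn.get_socket().close()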