Home > Developer > Web Develop
Intranet infiltration time is a bit useful, can detect ms17-010 vulnerability and obtain operating system information, with BURP can be batch detection, pure socket package, no additional expansion.
<?PHP//translate PHP code according to Sufeng python code//2017.08.03 by ice && by T00ls.net;@error_reporting(7);if(@$_get[' Host ']){ $host=Trim($_get[' Host ']); if(Ms17010 ($host, 445)){ Echo' <span style= ' color: #F00 ">[+] vulnerability!</span> '; }Else{ Echo' <span style= ' color: #000 ">[-] No vulnerability!</span> '; } Echo' <br>[+] OS: <span style= "color: #666" > ". Smbos ($host, 445). " </span><br> ";}functionGet_tree_connect_request ($ip,$tree _id){ $IPC= ' 005c5c '.Bin2Hex($ip).‘ 5c49504324003f3f3f3f3f00 '; $IPC _len_hex=Bin2Hex(Pack(' s ',strlen($IPC)/2)); $data= ' ff534d4275000000001801280000000000000000000000000000729c '.$tree _id.‘ C4e104ff00000000000100 '.$IPC _len_hex.$IPC; $tree= ' 000000 '.Bin2Hex(Pack(' s ',strlen($data)/2).$data; $data 5=Pack(' h* ',$tree); return $data 5;}functionms17010 ($host,$port){ $tcp= ' tcp://'.$host.‘:‘.$port; $sock=stream_socket_client($tcp,$errno,$errstr, 3,stream_client_connect); if($sock){ $data 1=Pack(' h* ', ' 00000054ff534d4272000000001801280000000000000000000000000000729c0000c4e1003100024c414e4d414e312e3000024c4d312e32583030320 0024e54204c414e4d414e20312e3000024e54204c4d20302e313200 '); fwrite($sock,$data 1); fread($sock, 1024); $data 2=Pack(' h* ', ' 0000008fff534d4273000000001801280000000000000000000000000000729c0000c4e10cff000000dfff0200010000000000310000000000d400008 054004e544c4d5353500001000000050208a2010001002000000010001000210000002e3431426c7441314e505974624955473057696e646f77732032 30303020323139350057696e646f7773203230303020352e3000 '); fwrite($sock,$data 2); $data 2_data=fread($sock, 1024); $user _id=substr(Bin2Hex($data 2_data), 64,4); $data 3=Pack(' h* ', ' 00000150ff534d4273000000001801280000000000000000000000000000729c '.$user _id.‘ c4e10cff000000dfff0200010000000000f200000000005cd0008015014e544c4d5353500003000000180018004000000078007800580000000200020 0d000000000000000d200000020002000d200000000000000f2000000050208a2ec893eacfc70bba9afefe94ef78908d37597e0202fd6177c0dfa65ed 233b731faf86b02110137dc50101000000000000004724eed7b8d2017597e0202fd6177c0000000002000a0056004b002d005000430001000a0056004 b002d005000430004000a0056004b002d005000430003000a0056004b002d00500043000700080036494bf1d7b8d20100000000000000002e00340031 0042006c007400410031004e005000590074006200490055004700300057696e646f7773203230303020323139350057696e646f77732032303030203 52e3000 '); fwrite($sock,$data 3); fread($sock, 1024); $data 4=Pack(' h* ', ' 00000063ff534d4273000000001801200000000000000000000000000000729c0000c4e10dff000000dfff02000100000000000000000000000000400 000002600002e0057696e646f7773203230303020323139350057696e646f7773203230303020352e3000 '); fwrite($sock,$data 4); $data 4_data=fread($sock, 1024); $newuser _id=substr(Bin2Hex($data 4_data), 64,4); $data 5=get_tree_connect_request ($host,$newuser _id); fwrite($sock,$data 5); fread($sock, 1024); $poc=Pack(' h* ', ' 0000004aff534d422500000000180128000000000000000000000000 '.$user _id.‘ 729c '.$newuser _id.‘ C4e11000000000ffffffff0000000000000000000000004a0000004a0002002300000007005c504950455c00 '); fwrite($sock,$poc); $poc _data=fread($sock, 1024); if(substr(Bin2Hex($poc _data), 18,8) = = ' 050200c0 '){ return true; }Else{ return false; } }}functionSmbos ($host,$port){ $tcp= ' tcp://'.$host.‘:‘.$port; $sock=stream_socket_client($tcp,$errno,$errstr, 3,stream_client_connect); if($sock){ $payload 1=Pack(' h* ', ' 00000085ff534d4272000000001853c80000000000000000000000000000fffe00000000006200025043204e4554574f524b2050524f4752414d20312 e3000024c414e4d414e312e30000257696e646f777320666f7220576f726b67726f75707320332e316100024c4d312e325830303200024c414e4d414e 322e3100024e54204c4d20302e313200 '); $payload 2=Pack(' h* ', ' 0000010aff534d4273000000001807c80000000000000000000000000000fffe000040000cff000a01044132000000000000004a0000000000d40000a 0cf00604806062b0601050502a03e303ca00e300c060a2b06010401823702020aa22a04284e544c4d5353500001000000078208a20000000000000000 00000000000000000502ce0e0000000f00570069006e0064006f007700730020005300650072007600650072002000320030003000330020003300370 0390030002000530065007200760069006300650020005000610063006b002000320000000000570069006e0064006f00770073002000530065007200 76006500720020003200300030003300200035002e00320000000000 '); fwrite($sock,$payload 1); $out 1=fread($sock, 1024); fwrite($sock,$payload 2); $out 2=fread($sock, 1024); $blob _len_arr=Unpack(' s ',substr($out 2, 36+7,2)); $osarr=Explode(CHR(0),Iconv(' Utf-16le ', ' UTF-8 ',substr($out 2, 36+11+$blob _len_arr[1]))); return $osarr[0]. ' | '.$osarr[1]; }}?>
The usage is simple:
http://127.0.0.1/ms17-010.php?host=10.211.55.10
Paste a Picture:
PHP version ms17-010 detect small scripts
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
