dev-zzo · January 9, 2021 20:15
diff --git a/wcf_net_probe.py b/wcf_net_probe.py
 """A simple test for presence of a WCF net.tcp handler on a port"""

 import sys
 import socket
 import struct

 def hexdump(data):
    """Pretty print a hex dump of data, similar to xxd"""
    lines = []
    offset = 0
    while offset < len(data):
        piece = data[offset:offset + 16]
        bytes = ''.join([('%02x ' % ord(x)) for x in piece])
        chars = ''.join([(x if 0x20 < ord(x) < 0x7f else '.') for x in piece])
        lines.append('%04x  %-24s %-24s %-16s' % (offset, bytes[:24], bytes[24:], chars))
        offset += len(piece)
    return "\n".join(lines)

 #
 # .NET Message Framing stuff
 # See [MC-NMF]
 #

 def nmf_version(major, minor):
    return struct.pack("<BBB", 0x00, major, minor)

 def nmf_mode(mode):
    return struct.pack("<BB", 0x01, mode)

 def nmf_via(uri):
    return struct.pack("<BB", 0x02, len(uri)) + uri

 def nmf_encoding(enc):
    return struct.pack("<BB", 0x03, enc)

 def nmf_preamble_end():
    return "\x0C"

 #
 # 1337 script
 #

 def probe(addr):
    try:
        print "Connecting ..."
        s = socket.create_connection(addr, 10)
    except socket.timeout:
        print "Connect timed out."
        return
    msg = nmf_version(1,0) + nmf_mode(2) + nmf_via('net.tcp://idontexist.lol:2020/dummy/') + nmf_encoding(8) + nmf_preamble_end()
    print "Sending a probe request ..."
    print hexdump(msg)
    s.send(msg)
    try:
        print "Receiving response ..."
        rsp = s.recv(1024)
        if rsp:
            if rsp[0] == "\x08":
                print "Gratz! There is a proper WCF net.tcp handler there. Go hack it."
            else:
                print "Odd; received something I don't know how to parse. Check it out:"
                print hexdump(rsp)
        else:
            print "Meh, no response received whatsoever."
    except socket.timeout:
        print "Meh, timed out."
    except:
        print "Failed to receive for another weird reason."
    s.close()

 if __name__ == '__main__':
    if len(sys.argv) < 3:
        print "Usage: %s <host> <port>" % (sys.argv[0])
    else:
        addr = (sys.argv[1], int(sys.argv[2]))
        probe(addr)
	"""A simple test for presence of a WCF net.tcp handler on a port"""

	import sys
	import socket
	import struct

	def hexdump(data):
	"""Pretty print a hex dump of data, similar to xxd"""
	lines = []
	offset = 0
	while offset < len(data):
	piece = data[offset:offset + 16]
	bytes = ''.join([('%02x ' % ord(x)) for x in piece])
	chars = ''.join([(x if 0x20 < ord(x) < 0x7f else '.') for x in piece])
	lines.append('%04x %-24s %-24s %-16s' % (offset, bytes[:24], bytes[24:], chars))
	offset += len(piece)
	return "\n".join(lines)

	#
	# .NET Message Framing stuff
	# See [MC-NMF]
	#

	def nmf_version(major, minor):
	return struct.pack("<BBB", 0x00, major, minor)

	def nmf_mode(mode):
	return struct.pack("<BB", 0x01, mode)

	def nmf_via(uri):
	return struct.pack("<BB", 0x02, len(uri)) + uri

	def nmf_encoding(enc):
	return struct.pack("<BB", 0x03, enc)

	def nmf_preamble_end():
	return "\x0C"

	#
	# 1337 script
	#

	def probe(addr):
	try:
	print "Connecting ..."
	s = socket.create_connection(addr, 10)
	except socket.timeout:
	print "Connect timed out."
	return
	msg = nmf_version(1,0) + nmf_mode(2) + nmf_via('net.tcp://idontexist.lol:2020/dummy/') + nmf_encoding(8) + nmf_preamble_end()
	print "Sending a probe request ..."
	print hexdump(msg)
	s.send(msg)
	try:
	print "Receiving response ..."
	rsp = s.recv(1024)
	if rsp:
	if rsp[0] == "\x08":
	print "Gratz! There is a proper WCF net.tcp handler there. Go hack it."
	else:
	print "Odd; received something I don't know how to parse. Check it out:"
	print hexdump(rsp)
	else:
	print "Meh, no response received whatsoever."
	except socket.timeout:
	print "Meh, timed out."
	except:
	print "Failed to receive for another weird reason."
	s.close()

	if __name__ == '__main__':
	if len(sys.argv) < 3:
	print "Usage: %s <host> <port>" % (sys.argv[0])
	else:
	addr = (sys.argv[1], int(sys.argv[2]))
	probe(addr)
No results found