from mysmb import MYSMB
from impacket import smb, smbconnection, nt_errors
from impacket.uuid import uuidtup_to_bin
from impacket.dcerpc.v5.rpcrt import DCERPCException
from struct import pack
import sys
import argparse
import logger
'''
MS17-010 checker.

- Reports whether the target SMB server looks patched for MS17-010, based on
  its NTSTATUS reply to an oversized TRANS_PEEK_NMPIPE transaction over IPC$.
- Lists which of the well-known RPC named pipes can be reached (bound) with
  the supplied credentials, or anonymously when none are given.
'''
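parser = argparse.ArgumentParser(description='MS17-010 Checker script', epilog="Example: python checker.py -t 192.168.0.1")
parser.add_argument("-u", "--user", type=str, metavar="", help="Username to authenticate with")
# NOTE: a password given on the command line is visible in process listings
# and shell history; prefer an account you can afford to expose or run from a
# wrapper that supplies it.
parser.add_argument("-p", "--password", type=str, metavar="", help="Password for specified user")
parser.add_argument("-t", "--target", required=True, type=str, metavar="", help="Target to check for MS17-010")
parser.add_argument('--version', action='version', version='%(prog)s 0.1')
args = parser.parse_args()

# Missing credentials become '' so the SMB login is attempted as a null/anonymous
# session rather than with None.
USERNAME = args.user or ''
# The original keyed this on ``args.user``, so ``-u`` without ``-p`` passed
# ``None`` as the password; key it on the password itself.
PASSWORD = args.password or ''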
# Transfer syntax requested on every bind (NDR64). A bind rejected only for the
# transfer syntax still shows the pipe is reachable, which is all the check needs.
NDR64Syntax = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')

# Well-known MS-RPC interface (UUID, version) pairs, keyed by the named pipe
# each one is reached through. Order is the order in which pipes are probed.
_PIPE_INTERFACES = (
    ('browser', ('6BFFD098-A112-3610-9833-012892020162', '0.0')),
    ('spoolss', ('12345678-1234-ABCD-EF00-0123456789AB', '1.0')),
    ('netlogon', ('12345678-1234-ABCD-EF00-01234567CFFB', '1.0')),
    ('lsarpc', ('12345778-1234-ABCD-EF00-0123456789AB', '0.0')),
    ('samr', ('12345778-1234-ABCD-EF00-0123456789AC', '1.0')),
)

# pipe name -> binary interface identifier, as expected by dce.bind().
pipes = {name: uuidtup_to_bin(uuid_tup) for name, uuid_tup in _PIPE_INTERFACES}

# The individual identifiers are kept under their historical names.
MSRPC_UUID_BROWSER = pipes['browser']
MSRPC_UUID_SPOOLSS = pipes['spoolss']
MSRPC_UUID_NETLOGON = pipes['netlogon']
MSRPC_UUID_LSARPC = pipes['lsarpc']
MSRPC_UUID_SAMR = pipes['samr']
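target = args.target

# SMB_COM_TRANSACTION subcommand used as the MS17-010 probe.
TRANS_PEEK_NMPIPE = 0x23
# NTSTATUS an unpatched server returns to the oversized PEEK below.
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205


def _nt_error_text(error_code):
    """Return impacket's message for an NTSTATUS code, or a fallback string.

    ERROR_MESSAGES does not cover every code a server can send back; an unknown
    code must be reported, not turned into a KeyError that the outer handler
    would mislabel as a connection failure.
    """
    try:
        return nt_errors.ERROR_MESSAGES[error_code][0]
    except (KeyError, TypeError, IndexError):
        return 'unknown NTSTATUS {!r}'.format(error_code)


def _is_unpatched(conn):
    """Return True when the target answers the MS17-010 probe like an unpatched host.

    Sends TRANS_PEEK_NMPIPE with an oversized maxParameterCount over the IPC$
    tree already selected on ``conn``. STATUS_INSUFF_SERVER_RESOURCES is the
    unpatched signature; every other status, error or not, is reported as
    "patched", so a "PATCHED" verdict also covers "could not be tested"
    (e.g. the server refused the request outright).
    """
    recv_pkt = conn.send_trans(pack('<H', TRANS_PEEK_NMPIPE), maxParameterCount=0xffff, maxDataCount=0x800)
    return recv_pkt.getNTStatus() == STATUS_INSUFF_SERVER_RESOURCES


def _probe_pipes(conn):
    """Try to bind each well-known RPC interface over its named pipe and log the outcome.

    A pipe counts as reachable when the bind succeeds or fails only on the
    transfer syntax; SMB-level errors (typically access denied for the
    current credentials) are logged per pipe and do not stop the scan.
    """
    for pipe_name, pipe_uuid in pipes.items():
        try:
            dce = conn.get_dce_rpc(pipe_name)
            dce.connect()
            try:
                dce.bind(pipe_uuid, transfer_syntax=NDR64Syntax)
                logger.success('{}: OK (64 bit)'.format(pipe_name))
            except DCERPCException as e:
                # Rejecting NDR64 alone still proves the pipe accepted the bind.
                if 'transfer_syntaxes_not_supported' in str(e):
                    logger.success('{}: OK (32 bit)'.format(pipe_name))
                else:
                    logger.success('{}: OK ({})'.format(pipe_name, str(e)))
            finally:
                dce.disconnect()
        except smb.SessionError as e:
            logger.error('{}: {}'.format(pipe_name, _nt_error_text(e.error_code)))
        except smbconnection.SessionError as e:
            logger.error('{}: {}'.format(pipe_name, _nt_error_text(e.error)))


try:
    conn = MYSMB(target)
    try:
        conn.login(USERNAME, PASSWORD)
    except smb.SessionError as e:
        logger.error('LOGIN FAILED: ' + _nt_error_text(e.error_code))
        sys.exit()
    # Only reached after a successful login. The original logged this from a
    # ``finally`` clause, so it also ran on the login-failure path.
    logger.info('TARGET OS: ' + conn.get_server_os())
    tid = conn.tree_connect_andx('\\\\' + target + '\\' + 'IPC$')
    conn.set_default_tid(tid)
    try:
        if _is_unpatched(conn):
            logger.success('{} IS NOT PATCHED!'.format(target))
        else:
            logger.error('{} IS PATCHED!'.format(target))
            sys.exit()
        logger.action('CHECKING NAMED PIPES...')
        _probe_pipes(conn)
    finally:
        # Tear the session down on every exit path, including the early
        # "PATCHED" exit, which previously left the session open.
        conn.disconnect_tree(tid)
        conn.logoff()
        conn.get_socket().close()
except Exception:
    # Not a bare ``except``: that also caught SystemExit, so every sys.exit()
    # above was followed by a spurious "COULD NOT CONNECT TO HOST".
    logger.error('COULD NOT CONNECT TO HOST')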