Permalink
87 lines (71 sloc)
2.44 KB
from mysmb import MYSMB | |
from impacket import smb, smbconnection, nt_errors | |
from impacket.uuid import uuidtup_to_bin | |
from impacket.dcerpc.v5.rpcrt import DCERPCException | |
from struct import pack | |
import sys | |
''' | |
Script for | |
- check target if MS17-010 is patched or not. | |
- find accessible named pipe | |
''' | |
USERNAME = '' | |
PASSWORD = '' | |
NDR64Syntax = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0') | |
MSRPC_UUID_BROWSER = uuidtup_to_bin(('6BFFD098-A112-3610-9833-012892020162','0.0')) | |
MSRPC_UUID_SPOOLSS = uuidtup_to_bin(('12345678-1234-ABCD-EF00-0123456789AB','1.0')) | |
MSRPC_UUID_NETLOGON = uuidtup_to_bin(('12345678-1234-ABCD-EF00-01234567CFFB','1.0')) | |
MSRPC_UUID_LSARPC = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AB','0.0')) | |
MSRPC_UUID_SAMR = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AC','1.0')) | |
pipes = { | |
'browser' : MSRPC_UUID_BROWSER, | |
'spoolss' : MSRPC_UUID_SPOOLSS, | |
'netlogon' : MSRPC_UUID_NETLOGON, | |
'lsarpc' : MSRPC_UUID_LSARPC, | |
'samr' : MSRPC_UUID_SAMR, | |
} | |
if len(sys.argv) != 2: | |
print("{} <ip>".format(sys.argv[0])) | |
sys.exit(1) | |
target = sys.argv[1] | |
conn = MYSMB(target) | |
try: | |
conn.login(USERNAME, PASSWORD) | |
except smb.SessionError as e: | |
print('Login failed: ' + nt_errors.ERROR_MESSAGES[e.error_code][0]) | |
sys.exit() | |
finally: | |
print('Target OS: ' + conn.get_server_os()) | |
tid = conn.tree_connect_andx('\\\\'+target+'\\'+'IPC$') | |
conn.set_default_tid(tid) | |
# test if target is vulnerable | |
TRANS_PEEK_NMPIPE = 0x23 | |
recvPkt = conn.send_trans(pack('<H', TRANS_PEEK_NMPIPE), maxParameterCount=0xffff, maxDataCount=0x800) | |
status = recvPkt.getNTStatus() | |
if status == 0xC0000205: # STATUS_INSUFF_SERVER_RESOURCES | |
print('The target is not patched') | |
else: | |
print('The target is patched') | |
sys.exit() | |
print('') | |
print('=== Testing named pipes ===') | |
for pipe_name, pipe_uuid in pipes.items(): | |
try: | |
dce = conn.get_dce_rpc(pipe_name) | |
dce.connect() | |
try: | |
dce.bind(pipe_uuid, transfer_syntax=NDR64Syntax) | |
print('{}: Ok (64 bit)'.format(pipe_name)) | |
except DCERPCException as e: | |
if 'transfer_syntaxes_not_supported' in str(e): | |
print('{}: Ok (32 bit)'.format(pipe_name)) | |
else: | |
print('{}: Ok ({})'.format(pipe_name, str(e))) | |
dce.disconnect() | |
except smb.SessionError as e: | |
print('{}: {}'.format(pipe_name, nt_errors.ERROR_MESSAGES[e.error_code][0])) | |
except smbconnection.SessionError as e: | |
print('{}: {}'.format(pipe_name, nt_errors.ERROR_MESSAGES[e.error][0])) | |
conn.disconnect_tree(tid) | |
conn.logoff() | |
conn.get_socket().close() |