checker.py

from mysmb import MYSMB
from impacket import smb, smbconnection, nt_errors
from impacket.uuid import uuidtup_to_bin
from impacket.dcerpc.v5.rpcrt import DCERPCException
from struct import pack
import sys

'''
Script for
- check target if MS17-010 is patched or not.
- find accessible named pipe
'''

USERNAME = ''
PASSWORD = ''

NDR64Syntax = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')

MSRPC_UUID_BROWSER  = uuidtup_to_bin(('6BFFD098-A112-3610-9833-012892020162','0.0'))
MSRPC_UUID_SPOOLSS  = uuidtup_to_bin(('12345678-1234-ABCD-EF00-0123456789AB','1.0'))
MSRPC_UUID_NETLOGON = uuidtup_to_bin(('12345678-1234-ABCD-EF00-01234567CFFB','1.0'))
MSRPC_UUID_LSARPC   = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AB','0.0'))
MSRPC_UUID_SAMR     = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AC','1.0'))

pipes = {
	'browser'  : MSRPC_UUID_BROWSER,
	'spoolss'  : MSRPC_UUID_SPOOLSS,
	'netlogon' : MSRPC_UUID_NETLOGON,
	'lsarpc'   : MSRPC_UUID_LSARPC,
	'samr'     : MSRPC_UUID_SAMR,
}


if len(sys.argv) != 2:
	print("{} <ip>".format(sys.argv[0]))
	sys.exit(1)

target = sys.argv[1]

conn = MYSMB(target)
try:
	conn.login(USERNAME, PASSWORD)
except smb.SessionError as e:
	print('Login failed: ' + nt_errors.ERROR_MESSAGES[e.error_code][0])
	sys.exit()
finally:
	print('Target OS: ' + conn.get_server_os())

tid = conn.tree_connect_andx('\\\\'+target+'\\'+'IPC$')
conn.set_default_tid(tid)


# test if target is vulnerable
TRANS_PEEK_NMPIPE = 0x23
recvPkt = conn.send_trans(pack('<H', TRANS_PEEK_NMPIPE), maxParameterCount=0xffff, maxDataCount=0x800)
status = recvPkt.getNTStatus()
if status == 0xC0000205:  # STATUS_INSUFF_SERVER_RESOURCES
	print('The target is not patched')
else:
	print('The target is patched')
	sys.exit()


print('')
print('=== Testing named pipes ===')
for pipe_name, pipe_uuid in pipes.items():
	try:
		dce = conn.get_dce_rpc(pipe_name)
		dce.connect()
		try:
			dce.bind(pipe_uuid, transfer_syntax=NDR64Syntax)
			print('{}: Ok (64 bit)'.format(pipe_name))
		except DCERPCException as e:
			if 'transfer_syntaxes_not_supported' in str(e):
				print('{}: Ok (32 bit)'.format(pipe_name))
			else:
				print('{}: Ok ({})'.format(pipe_name, str(e)))
		dce.disconnect()
	except smb.SessionError as e:
		print('{}: {}'.format(pipe_name, nt_errors.ERROR_MESSAGES[e.error_code][0]))
	except smbconnection.SessionError as e:
		print('{}: {}'.format(pipe_name, nt_errors.ERROR_MESSAGES[e.error][0]))


conn.disconnect_tree(tid)
conn.logoff()
conn.get_socket().close()
	from mysmb import MYSMB
	from impacket import smb, smbconnection, nt_errors
	from impacket.uuid import uuidtup_to_bin
	from impacket.dcerpc.v5.rpcrt import DCERPCException
	from struct import pack
	import sys

	'''
	Script for
	- check target if MS17-010 is patched or not.
	- find accessible named pipe
	'''

	USERNAME = ''
	PASSWORD = ''

	NDR64Syntax = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')

	MSRPC_UUID_BROWSER = uuidtup_to_bin(('6BFFD098-A112-3610-9833-012892020162','0.0'))
	MSRPC_UUID_SPOOLSS = uuidtup_to_bin(('12345678-1234-ABCD-EF00-0123456789AB','1.0'))
	MSRPC_UUID_NETLOGON = uuidtup_to_bin(('12345678-1234-ABCD-EF00-01234567CFFB','1.0'))
	MSRPC_UUID_LSARPC = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AB','0.0'))
	MSRPC_UUID_SAMR = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AC','1.0'))

	pipes = {
	'browser' : MSRPC_UUID_BROWSER,
	'spoolss' : MSRPC_UUID_SPOOLSS,
	'netlogon' : MSRPC_UUID_NETLOGON,
	'lsarpc' : MSRPC_UUID_LSARPC,
	'samr' : MSRPC_UUID_SAMR,
	}


	if len(sys.argv) != 2:
	print("{} <ip>".format(sys.argv[0]))
	sys.exit(1)

	target = sys.argv[1]

	conn = MYSMB(target)
	try:
	conn.login(USERNAME, PASSWORD)
	except smb.SessionError as e:
	print('Login failed: ' + nt_errors.ERROR_MESSAGES[e.error_code][0])
	sys.exit()
	finally:
	print('Target OS: ' + conn.get_server_os())

	tid = conn.tree_connect_andx('\\\\'+target+'\\'+'IPC$')
	conn.set_default_tid(tid)


	# test if target is vulnerable
	TRANS_PEEK_NMPIPE = 0x23
	recvPkt = conn.send_trans(pack('<H', TRANS_PEEK_NMPIPE), maxParameterCount=0xffff, maxDataCount=0x800)
	status = recvPkt.getNTStatus()
	if status == 0xC0000205: # STATUS_INSUFF_SERVER_RESOURCES
	print('The target is not patched')
	else:
	print('The target is patched')
	sys.exit()


	print('')
	print('=== Testing named pipes ===')
	for pipe_name, pipe_uuid in pipes.items():
	try:
	dce = conn.get_dce_rpc(pipe_name)
	dce.connect()
	try:
	dce.bind(pipe_uuid, transfer_syntax=NDR64Syntax)
	print('{}: Ok (64 bit)'.format(pipe_name))
	except DCERPCException as e:
	if 'transfer_syntaxes_not_supported' in str(e):
	print('{}: Ok (32 bit)'.format(pipe_name))
	else:
	print('{}: Ok ({})'.format(pipe_name, str(e)))
	dce.disconnect()
	except smb.SessionError as e:
	print('{}: {}'.format(pipe_name, nt_errors.ERROR_MESSAGES[e.error_code][0]))
	except smbconnection.SessionError as e:
	print('{}: {}'.format(pipe_name, nt_errors.ERROR_MESSAGES[e.error][0]))


	conn.disconnect_tree(tid)
	conn.logoff()
	conn.get_socket().close()