package gopocs
import (
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"

	"github.com/projectdiscovery/gologger"

	"dddd/common"
	"dddd/ddout"
	"dddd/structs"
)
var (
	// SMBv1 request templates for the MS17-010 probe, stored AES-encrypted
	// (AesDecrypt and key are defined elsewhere in the package). Each
	// decrypts to a hex string of the raw packet bytes. The plaintext is
	// not visible in this file, so the exact packet contents cannot be
	// audited here; by name, and by how MS17010Scan uses them, they are a
	// Negotiate Protocol, a Session Setup AndX, a Tree Connect AndX and a
	// TRANS request on a named pipe.
	negotiateProtocolRequest_enc = "G8o+kd/4y8chPCaObKK8L9+tJVFBb7ntWH/EXJ74635V3UTXA4TFOc6uabZfuLr0Xisnk7OsKJZ2Xdd3l8HNLdMOYZXAX5ZXnMC4qI+1d/MXA2TmidXeqGt8d9UEF5VesQlhP051GGBSldkJkVrP/fzn4gvLXcwgAYee3Zi2opAvuM6ScXrMkcbx200ThnOOEx98/7ArteornbRiXQjnr6dkJEUDTS43AW6Jl3OK2876Yaz5iYBx+DW5WjiLcMR+b58NJRxm4FlVpusZjBpzEs4XOEqglk6QIWfWbFZYgdNLy3WaFkkgDjmB1+6LhpYSOaTsh4EM0rwZq2Z4Lr8TE5WcPkb/JNsWNbibKlwtNtp94fIYvAWgxt5mn/oXpfUD"
	sessionSetupRequest_enc      = "52HeCQEbsSwiSXg98sdD64qyRou0jARlvfQi1ekDHS77Nk/8dYftNXlFahLEYWIxYYJ8u53db9OaDfAvOEkuox+p+Ic1VL70r9Q5HuL+NMyeyeN5T5el07X5cT66oBDJnScs1XdvM6CBRtj1kUs2h40Z5Vj9EGzGk99SFXjSqbtGfKFBp0DhL5wPQKsoiXYLKKh9NQiOhOMWHYy/C+Iwhf3Qr8d1Wbs2vgEzaWZqIJ3BM3z+dhRBszQoQftszC16TUhGQc48XPFHN74VRxXgVe6xNQwqrWEpA4hcQeF1+QqRVHxuN+PFR7qwEcU1JbnTNISaSrqEe8GtRo1r2rs7+lOFmbe4qqyUMgHhZ6Pwu1bkhrocMUUzWQBogAvXwFb8"
	treeConnectRequest_enc       = "+b/lRcmLzH0c0BYhiTaYNvTVdYz1OdYYDKhzGn/3T3P4b6pAR8D+xPdlb7O4D4A9KMyeIBphDPmEtFy44rtto2dadFoit350nghebxbYA0pTCWIBd1kN0BGMEidRDBwLOpZE6Qpph/DlziDjjfXUz955dr0cigc9ETHD/+f3fELKsopTPkbCsudgCs48mlbXcL13GVG5cGwKzRuP4ezcdKbYzq1DX2I7RNeBtw/vAlYh6etKLv7s+YyZ/r8m0fBY9A57j+XrsmZAyTWbhPJkCg=="
	transNamedPipeRequest_enc    = "k/RGiUQ/tw1yiqioUIqirzGC1SxTAmQmtnfKd1qiLish7FQYxvE+h4/p7RKgWemIWRXDf2XSJ3K0LUIX0vv1gx2eb4NatU7Qosnrhebz3gUo7u25P5BZH1QKdagzPqtitVjASpxIjB3uNWtYMrXGkkuAm8QEitberc+mP0vnzZ8Nv/xiiGBko8O4P/wCKaN2KZVDLbv2jrN8V/1zY6fvWA=="
	trans2SessionSetupRequest_enc = "JqNw6PUKcWOYFisUoUCyD24wnML2Yd8kumx9hJnFWbhM2TQkRvKHsOMWzPVfggRrLl8sLQFqzk8bv8Rpox3uS61l480Mv7HdBPeBeBeFudZMntXBUa4pWUH8D9EXCjoUqgAdvw6kGbPOOKUq3WmNb0GDCZapqQwyUKKMHmNIUMVMAOyVfKeEMJA6LViGwyvHVMNZ1XWLr0xafKfEuz4qoHiDyVWomGjJt8DQd6+jgLk="

	// Decoded once at package init. NOTE(review): both the decrypt and the
	// hex-decode error are discarded (`_`), so a wrong key or a corrupt blob
	// silently leaves the slice nil/short. Anything that indexes into these
	// (UID at [32:34], TID at [28:30]) must check the length first.
	//
	// These are shared, mutable package-level slices. Code that patches
	// session/tree IDs into them should work on a copy: patching in place
	// races when several hosts are scanned concurrently.
	negotiateProtocolRequest, _  = hex.DecodeString(AesDecrypt(negotiateProtocolRequest_enc, key))
	sessionSetupRequest, _       = hex.DecodeString(AesDecrypt(sessionSetupRequest_enc, key))
	treeConnectRequest, _        = hex.DecodeString(AesDecrypt(treeConnectRequest_enc, key))
	transNamedPipeRequest, _     = hex.DecodeString(AesDecrypt(transNamedPipeRequest_enc, key))
	// Not referenced by MS17010Scan in this file; presumably used by a
	// sibling file in the package.
	trans2SessionSetupRequest, _ = hex.DecodeString(AesDecrypt(trans2SessionSetupRequest_enc, key))
)
// MS17010 is the GoPoc entry point for the MS17-010 check. It is a thin
// wrapper that delegates to MS17010Scan and passes its error through.
func MS17010(info *structs.HostInfo) error {
	return MS17010Scan(info)
}
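// ms17010Conn is the part of the connection API the probe needs. It is
// declared at the consumer so the helpers below do not depend on the
// concrete type returned by common.WrapperTcpWithTimeout.
type ms17010Conn interface {
	Read(p []byte) (int, error)
	Write(p []byte) (int, error)
}

const (
	// ms17010Timeout bounds the TCP connect and, via one socket deadline
	// set after connecting, the whole four-step SMB exchange.
	ms17010Timeout = 7 * time.Second

	// ms17010HeaderLen is the 4-byte NetBIOS session header plus the
	// 32-byte SMBv1 header. A response must be at least this long before
	// the NT status (bytes 9-12), TID (28-29) and UID (32-33) can be read.
	ms17010HeaderLen = 36

	// ms17010StatusInsuffResources is NT_STATUS 0xC0000205
	// (STATUS_INSUFF_SERVER_RESOURCES). A reply to the final TRANS request
	// carrying this status is what the probe treats as "vulnerable" — the
	// conventional non-exploiting MS17-010 signal.
	ms17010StatusInsuffResources = 0xC0000205
)

// MS17010Scan probes info.Host on TCP/445 for MS17-010 (the SMBv1 flaw
// behind EternalBlue, CVE-2017-0144) with the usual four-step, non-exploiting
// check: Negotiate Protocol, Session Setup AndX, Tree Connect AndX, then a
// TRANS request on a named pipe. If the last reply carries
// STATUS_INSUFF_SERVER_RESOURCES the host is reported as CRITICAL through
// ddout and GoPocWriteResult, together with the NativeOS string taken from
// the session setup reply. Every request and response is written to the
// audit log.
//
// Returns nil when the probe completed (vulnerable or not) and when the
// host rejected SMBv1 negotiation; returns an error when the connection or
// any step failed, when the session setup was rejected (result
// indeterminate), or when the request templates did not decode at package
// init. The template bytes are opaque decrypted blobs, so their exact
// content cannot be audited from this file.
func MS17010Scan(info *structs.HostInfo) error {
	ip := info.Host
	// NOTE(review): ip+":445" is wrong for a bare IPv6 literal (no brackets);
	// kept as-is because the audit log and diagnostics use the same form.
	addr := ip + ":445"

	// Work on private copies of the two templates that get IDs patched in:
	// the package-level slices are shared by every concurrent scan and must
	// not be mutated in place.
	treeConnect := append([]byte(nil), treeConnectRequest...)
	transNamedPipe := append([]byte(nil), transNamedPipeRequest...)
	// The templates are decoded at package init with the errors dropped;
	// refuse to run with empty/truncated requests rather than index into
	// them below (UID at [32:34], TID at [28:30]).
	if len(negotiateProtocolRequest) == 0 || len(sessionSetupRequest) == 0 ||
		len(treeConnect) < 34 || len(transNamedPipe) < 34 {
		return errors.New("ms17010: request templates are empty or truncated")
	}

	// connecting to a host in LAN if reachable should be very quick
	conn, err := common.WrapperTcpWithTimeout("tcp", addr, ms17010Timeout)
	if err != nil {
		return err
	}
	defer conn.Close()
	if err := conn.SetDeadline(time.Now().Add(ms17010Timeout)); err != nil {
		return err
	}

	// One buffer reused for every reply; only the first read of each
	// response is examined (no reassembly of split packets).
	reply := make([]byte, 1024)

	// 1/4 Negotiate Protocol.
	if _, err := ms17010Exchange(conn, addr, 1, negotiateProtocolRequest, reply); err != nil {
		return err
	}
	if binary.LittleEndian.Uint32(reply[9:13]) != 0 {
		// Negotiation rejected (presumably SMBv1 disabled): nothing to
		// report and, as before, not treated as an error.
		return nil
	}

	// 2/4 Session Setup AndX.
	n, err := ms17010Exchange(conn, addr, 2, sessionSetupRequest, reply)
	if err != nil {
		return err
	}
	if binary.LittleEndian.Uint32(reply[9:13]) != 0 {
		return errors.New("can't determine whether target is vulnerable or not")
	}
	osName := ms17010ExtractOS(addr, reply[:n])
	// UID assigned by the server; both remaining requests must carry it.
	uid0, uid1 := reply[32], reply[33]

	// 3/4 Tree Connect AndX.
	treeConnect[32], treeConnect[33] = uid0, uid1
	// TODO change the ip in tree path though it doesn't matter
	if _, err := ms17010Exchange(conn, addr, 3, treeConnect, reply); err != nil {
		return err
	}
	// TID assigned by the server for the connected tree.
	tid0, tid1 := reply[28], reply[29]

	// 4/4 TRANS on the named pipe.
	transNamedPipe[28], transNamedPipe[29] = tid0, tid1
	transNamedPipe[32], transNamedPipe[33] = uid0, uid1
	if _, err := ms17010Exchange(conn, addr, 4, transNamedPipe, reply); err != nil {
		return err
	}

	if binary.LittleEndian.Uint32(reply[9:13]) == ms17010StatusInsuffResources {
		ms17010Report(ip, osName)
	}
	return nil
}

// ms17010Exchange sends one request, logs both directions to the audit log
// under "[step/4]", and returns how many response bytes were read into
// reply. It fails on a write or read error and when the response is shorter
// than an SMB header (the fields the caller indexes would be out of range).
func ms17010Exchange(conn ms17010Conn, addr string, step int, req, reply []byte) (int, error) {
	_, err := conn.Write(req)
	// Logged before the error check so the audit trail shows what was
	// attempted even when the send failed.
	gologger.AuditTimeLogger("[Go] [MS17-010] [%d/4] Dumped TCP request for %s\n\n%s\n", step, addr, hex.Dump(req))
	if err != nil {
		return 0, err
	}
	n, err := conn.Read(reply)
	if err != nil {
		return 0, err
	}
	if n < ms17010HeaderLen {
		return n, fmt.Errorf("ms17010: short SMB response from %s at step %d/4 (%d bytes)", addr, step, n)
	}
	gologger.AuditTimeLogger("[Go] [MS17-010] [%d/4] Dumped TCP response for %s\n\n%s\n", step, addr, hex.Dump(reply[:n]))
	return n, nil
}

// ms17010ExtractOS pulls the NativeOS string out of a Session Setup AndX
// response (resp is the whole packet, NetBIOS header included). It returns
// "" when the response carries no parameters or no terminated string, and
// prints a diagnostic (then returns "") when the response is malformed.
func ms17010ExtractOS(addr string, resp []byte) string {
	if len(resp) <= ms17010HeaderLen {
		return ""
	}
	body := resp[ms17010HeaderLen:]
	// WordCount == 0: a bare error response with no parameter block.
	if body[0] == 0 {
		return ""
	}
	// ByteCount sits at body[7:9], after the 3 AndX parameter words. The
	// total length must equal ByteCount plus the 45 bytes that precede the
	// data area; anything else (including a body too short to hold
	// ByteCount at all, which previously panicked) is reported as invalid.
	if len(body) < 9 || len(resp) != int(binary.LittleEndian.Uint16(body[7:9]))+45 {
		fmt.Println("[-]", addr, "ms17010 invalid session setup AndX response")
		return ""
	}
	// The data area starts at body[9]; the scan starts at body[10] (byte 9
	// is presumably the Unicode alignment pad). NativeOS is UTF-16LE and
	// ends at the first pair of consecutive NUL bytes.
	for i := 10; i < len(body)-1; i++ {
		if body[i] == 0 && body[i+1] == 0 {
			// Dropping the NUL bytes is a cheap UTF-16LE -> ASCII
			// conversion; it is lossy for non-ASCII OS names.
			return strings.ReplaceAll(string(body[10:i]), "\x00", "")
		}
	}
	return ""
}

// ms17010Report emits the finding through both output channels: the
// console formatter (ddout) and the result writer. Fields of OutputMessage
// not set here are left at their zero values; the host is carried in
// GoPoc.Target.
func ms17010Report(ip, osName string) {
	const (
		pocName     = "MS17-010"
		severity    = "CRITICAL"
		description = "MS17-010 远程命令执行漏洞"
	)
	result := fmt.Sprintf("MS17-010 %s (%s)", ip, osName)

	ddout.FormatOutput(ddout.OutputMessage{
		Type: "GoPoc",
		GoPoc: ddout.GoPocsResultType{
			PocName:     pocName,
			Security:    severity,
			Target:      ip,
			InfoLeft:    osName,
			Description: description,
			ShowMsg:     result,
		},
	})

	GoPocWriteResult(structs.GoPocsResultType{
		PocName:     pocName,
		Security:    severity,
		Target:      ip,
		InfoLeft:    osName,
		Description: description,
	})
}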