From 95735f3d0916f8fb458b3d32e42fa2c9dc92997d Mon Sep 17 00:00:00 2001 From: dash Date: Thu, 1 Jun 2017 07:57:25 +0200 Subject: [PATCH] initial --- README.md | 8 ++ payload | 1 + smb_enum.py | 257 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 266 insertions(+) create mode 100644 README.md create mode 100644 payload create mode 100755 smb_enum.py diff --git a/README.md b/README.md new file mode 100644 index 0000000..82d8568 --- /dev/null +++ b/README.md @@ -0,0 +1,8 @@ +# ETERNALRED + +smb_enum - samba share scanner looking for shares accessable without authentication +payload - test payload for upload + +# NOTE + +Exploit code for eternal red not included, for obvious reasons ;) diff --git a/payload b/payload new file mode 100644 index 0000000..2c32e07 --- /dev/null +++ b/payload @@ -0,0 +1 @@ +eternalred diff --git a/smb_enum.py b/smb_enum.py new file mode 100755 index 0000000..06c6095 --- /dev/null +++ b/smb_enum.py @@ -0,0 +1,257 @@ +#!/usr/bin/env python2 +# easy public share scanner for samba + +import os +import sys +import time +import Queue +import socket +import struct +import random +import argparse +import threading + +from random import randrange +from smb.SMBConnection import SMBConnection + +version = '0.1' + +global rQ +rQ = Queue.Queue() + +global q +q = Queue.Queue() + +global payload + +def printd(data): + pass + +def printe(data): + pass + +def clean_line(line): + line = line.rstrip('\r') + line = line.rstrip('\n') + return line + +def randomizeIP(iplist): + ''' function to randomize ips to scan''' + orig_list = iplist + + # check if we have double ips + for ip in orig_list: + if iplist.count(ip)>1: + print '[*] Warning, %s is %d times in list' % (ip,iplist.count(ip)) + while iplist.count(ip)>1: + iplist.remove(ip) + + spos = 0 + epos = len(iplist)-1 + cnt = 0 + while [ 1 ]: + a = random.randint(0,epos) + b = random.randint(0,epos) + amove = iplist[a] + bmove = iplist[b] + iplist[a]=bmove + iplist[b]=amove + cnt+=1 + rnd=2 + if cnt > epos*rnd: + print '[+] Did %d random iterations, break' % (rnd) + break + + # check if all ips still there (you never know ;)) + for ip in orig_list: + if iplist.count(ip)==0: + print 'Warning missing %s' % (ip) + + return iplist + +def _share_check(conn): + logshares = [] + shares = conn.listShares() + + for share in shares: + if not share.isSpecial and share.name not in ['NETLOGON', 'SYSVOL','print$']: + #print 'Share: [%s]' % share.name + try: + sharedfiles = conn.listPath(share.name, '/') + except: + return False + + files = [] + for sharedfile in sharedfiles: + files.append(sharedfile.filename) +# print(sharedfile.filename) + data = ('READ',share.name,files) + logshares.append(data) + return logshares + +def _share_check_write(conn,payload): + fr = open(payload,'r+') + logshares = [] + testpath='/.ZGF0YS5iaW4ZGF0YS5iaW4' + shares = conn.listShares() + for share in shares: +# print 'SHARE:',share.name + if not share.isSpecial and share.name not in ['NETLOGON', 'SYSVOL','print$']: + try: + # write file + ret = conn.storeFile(share.name, testpath, fr, timeout=30) + + # remove file :) + conn.deleteFiles(share.name, testpath, timeout=30) + except: + return False + if ret > 0: + data = ('WRITE',share.name,'') + logshares.append(data) + return logshares + +def make_request(host,port,timeout,payload): + human=[] + try: + # place here what the code has to do!! + s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) + s.settimeout(timeout) + s.connect((host,port)) + s.close() + except socket.timeout: + printe('%s timeout' % host) + return False + except socket.error: + printe( '%s refused' % host) + return False + + clmachine='localhost' + sname='server' + domain='WORKGROUP' + user = '' + password = '' + conn = SMBConnection(user,password,clmachine,sname,domain,use_ntlm_v2=True,is_direct_tcp=True) + conn.connect(host,port) + logshares = _share_check(conn) + + # public read shares + if logshares != False: + hdata = '%s:%d' % (host,port) + hdump = logshares + read = [hdata,hdump] + rQ.put(read) + + # public write shares + logshares = _share_check_write(conn, payload) + if logshares != False: + hdata = '%s:%d' % (host,port) + hdump = logshares + read = [hdata,hdump] + #print 'write',read + rQ.put(read) + +def run(args): + + + payload = args.payl + if args.outfile: + fw = open(args.outfile,'w') + + if args.host: + host = args.host + print 'Hostmode: %s' % host + line = clean_line(host) + q.put(line) + + elif args.hostlist: + ipL=[] + hostlist = args.hostlist + print 'Hostlistmode' + fr = open(hostlist,'r') + rBuf = fr.readlines() + for l in rBuf: + l = clean_line(l) + ipL.append(l) + if not args.unrandom: + iplist = randomizeIP(ipL) + else: + iplist = ipL + + list = [q.put(query) for query in iplist] + + else: + print 'Unknown or no mode choosen. cya' + sys.exit() + + print 'Targets: %d' % (q.qsize()) + + port = int(args.port) + + thrCnt = args.thrCnt + + thrList = [] + + printd('Starting loop') + while True: + if len(thrList) < thrCnt and q.qsize()>0: + #pkt is send to thread and used + newthread = threading.Thread(target = make_request,args = (q.get(),port,int(args.timeout),payload)) + newthread.daemon = True + newthread.start() + thrList.append(newthread) + + for entry in thrList: + if entry.isAlive()==False: + entry.join() + thrList.remove(entry) + + if rQ.qsize()>0: + + pout = rQ.get() + hostdata = '%s' % (pout[0]) + sharedata = pout[1][0] +# print 'sharen:',sharen + sharef = sharedata[2] + sharem = sharedata[0] + sharen = sharedata[1] + + for item in sharef: + tp = '%s %s %s %s' % (hostdata,sharem,sharen,item) + print tp + if args.outfile: + tp = tp + '\n' + fw.write(tp) + fw.flush() + if sharedata[0] == 'WRITE': + tp = '%s %s %s' % (hostdata,sharedata[0],sharedata[1]) + print tp + if args.outfile: + tp = tp + '\n' + fw.write(tp) + fw.flush() + + if q.qsize()==0 and len(thrList) == 0: + break + + if args.outfile: + fw.close() + + + +def main(): + parser_desc = 'smb share enumerator %s' % version + prog_desc = 'smb_enum.py' + parser = argparse.ArgumentParser(prog = prog_desc, description=parser_desc) + parser.add_argument("-l","--host",action="store",required=False,help='host to check version',dest='host') + parser.add_argument("-L","--hostlist",action="store",required=False,help='hostlist to check version',dest='hostlist') + parser.add_argument("-p","--port",action="store",required=False,default=139,help='ipmi port',dest='port') + parser.add_argument("-t","--threads",action="store",required=False,default=50,help='how many threads',dest='thrCnt') + parser.add_argument("-T","--timeout",action="store",required=False,default=5,help='timeout of socket recv',dest='timeout') + parser.add_argument("-o","--outfile",action="store",required=False,help='outfile in txt format',dest='outfile',default=None) + parser.add_argument("-r","--unrandom",action="store",required=False,help='disable random targetlist',dest='unrandom') + parser.add_argument("-P","--payload",action="store",required=False,help='payload to upload',dest='payl',default='payload') + args = parser.parse_args() + run(args) + +if __name__ == "__main__": + main()