search

3ndG4me / AutoBlue-MS17-010

This is just an semi-automated fully working, no-bs, non-metasploit version of the public exploit code for MS17-010
MIT License
1.19k stars 311 forks source link

Corrections for byte literals, spacing, minor function change, and updated the examples. #22

Closed dkarpo closed 4 years ago

dkarpo commented 4 years ago

It looks like a bigger change than it is due to the tab -> 4 spaces changes in mysmb.py (to comply with the Python style guide) and removal of trailing whitespace. There were missing byte literals in places they were required and the examples were updated. It's confirmed that the code now successfully runs against Windows XP.

3ndG4me commented 4 years ago

Hey @dkarpo thanks for the contribution! Initial review looks good on my end. I'm going to test a few more things before I pull it in. You mentioned you had a successful run against Windows XP, so I assume that's where you ran into some issues before. If you could post screenshots of your validation to show your use case working. (Not required by any means, just helpful for a sanity check).

For future reference. If you ever do make a style change like this, try and do so in separate commits at least. I certainly appreciate the change in making the code cleaner, but it is a lot to review. Separate commits make it easier for a reviewer to see the distinct technical/versus non-technical changes more easily. Fortunately, this only impacts two relatively small code files so no big deal, wasn't too difficult to review.

I'll pull it in as soon as I complete testing on my end, but if you are able to upload any artifacts from your test please do so at any time.

dkarpo commented 4 years ago

Thanks Casey. I totally understand about breaking up the commits, sorry about that! My apologies!

I'm doing my OSCP and used the code to break into some Windows XP lab machines but due to Offensive Security's policies I unfortunately can't send out any screenshots of the exploit in their environments. :\ Prior to the changes zzz_exploit.py wouldn't run correctly in Python3 so I stepped through it with pdb and made adjustments as required. In its current state the RemoteShell still doesn't work but smb_send_file() is confirmed to work. If I have some time to look into the RemoteShell and correct it I'll make sure to do another pull request.

On Sat, Oct 24, 2020 at 11:19 AM Casey Erdmann notifications@github.com wrote:

Hey thanks for the contribution! Initial review looks good on my end. I'm going to test a few more things before I pull it in. You mentioned you had a successful run against Windows XP, so I assume that's where you ran into some issues before. If you could post screenshots of your validation to show your use case working. (Not required by any means, just helpful for a sanity check).

For future reference. If you ever do make a style change like this, try and do so in separate commits at least. I certainly appreciate the change in making the code cleaner, but it is a lot to review. Separate commits make it is easier for a reviewer to see the distinct technical/versus non-technical changes more easily. Fortunately, this only impacts two relatively small code files so no big deal, wasn't too difficult to review.

I'll pull it in as soon as I complete testing on my end, but if you are able to upload any artifacts from your test please do so at any time.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/3ndG4me/AutoBlue-MS17-010/pull/22#issuecomment-716016738, or unsubscribe https://github.com/notifications/unsubscribe-auth/AATKOELAEAFK4XKU45Y5PT3SMMEBNANCNFSM4S5WYZZQ .

3ndG4me commented 4 years ago

No worries!

I was able to test, and I actually did successfully get a session with the RemoteShell() function via a browser pipe on Windows XP SP3. The section of example code from lines 898-908 that you commented out prevents me from pulling this "as is" in as it would break the current functionality of getting a shell. Currently the zzz_exploit.py code is incompatible with python3 without your changes to byte literals so I'd love to merge this in, but it works just fine getting the limited SMB shell with python2 so I do not want to remove this example code.

Based on my testing, your changes work just fine on python2 and python3 with the standard SMB shell example code. If you can uncomment lines 898-908 I will happily re-test and move this back in. Not sure what issues you encountered in getting RemoteShell() to work in the OSCP lab, but it does not seem to be a universal issue as it seems to be working just fine on my end. Please try to restest on another system. If you are unable to, still resubmit the PR with the uncommented example and I'll be restesting either way so we can get these changes merged in.

Excellent PR in regards to the byte literals, as this is code I missed during my python3 overhaul, but I can't merge this in with that example code commented out.

Code to uncomment:

    # example of creating a remote shell on the remote host (may not work at the moment...)
    if mode == 'SERVER':
        serverThread = SMBServer()
        serverThread.daemon = True
        serverThread.start()
    service_name = ''.join([random.choice(string.ascii_letters) for _ in range(4)])
    shell = RemoteShell(share, conn, mode, service_name)
    shell.cmdloop()

    if mode == 'SERVER':
        serverThread.stop()

Screenshot of this PR with uncommented example code working with python2: python2_example

Screenshot of this PR with uncommented example code working with python3: python3_example

dkarpo commented 4 years ago

Excellent. I will create that pull request now! In my test on XP SP1 build 2600 it failed as follows:

[*] make this SMB session to be SYSTEM [+] current TOKEN addr: 0xe1cdf338 Bad TOKEN_USER_GROUP offsets detected while parsing tokenData! RestrictedSids: 0xe1b37720 RestrictedSidCount: 0x1f4 userAndGroupCount: 0x4c userAndGroupsAddr: 0xe1cdf3c0 Attempting WINXP SP0/SP1 x86 TOKEN_USER_GROUP workaround userAndGroupCount: 0x3 userAndGroupsAddr: 0xe1cdf3c0 [*] overwriting token UserAndGroups [*] have fun with the system smb session! [-] got exception CRITICAL:root:SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.) Done Derrick On Sat, Oct 24, 2020 at 11:52 AM Casey Erdmann wrote: > No worries! > > I was able to test, and I actually did successfully get a session with the > RemoteShell() function via a browser pipe on Windows XP SP3. The section of > example code from lines 898-908 that you commented out prevents me from > pulling this "as is" in as it would break the current functionality of > getting a shell. Currently the zzz_exploit.py code is incompatible with > python3 without your changes to byte literals so I'd love to merge this in, > but it works just fine getting the limited SMB shell with python2 so I do > not want to remove this example code. > > Based on my testing, your changes work just fine on python2 and python3 > with the standard SMB shell example code. If you can uncomment lines > 898-908 I will happily re-test and move this back in. Not sure what issues > you encountered in getting RemoteShell() to work in the OSCP lab, but it > does not seem to be a universal issue as it seems to be working just fine > on my end. Please try to restest on another system. If you are unable to, > still resubmit the PR with the uncommented example and I'll be restesting > either way so we can get these changes merged in. > > Excellent PR in regards to the byte literals, as this is code I missed > during my python3 overhaul, but I can't merge this in with that example > code commented out. > > Code to uncomment: > > # example of creating a remote shell on the remote host (may not work at the moment...) > if mode == 'SERVER': > serverThread = SMBServer() > serverThread.daemon = True > serverThread.start() > service_name = ''.join([random.choice(string.ascii_letters) for _ in range(4)]) > shell = RemoteShell(share, conn, mode, service_name) > shell.cmdloop() > > if mode == 'SERVER': > serverThread.stop() > > Screenshot of this PR with uncommented example code working with python2: > [image: python2_example] > > > Screenshot of this PR with uncommented example code working with python3: > [image: python3_example] > > > — > You are receiving this because you were mentioned. > Reply to this email directly, view it on GitHub > , > or unsubscribe > > . >
3ndG4me commented 4 years ago

Awesome, just validated the change and will merge it in shortly. Looks like the error you're seeing could be related either to SP1 or just that target in particular so just a note for future viewers of this PR.

Looks like it's not working for the target you documented due to encountering this error: [-] got exception CRITICAL:root:SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)

Which could be based on the SP0/SP1 workaround not successfully working (could be hit or miss I'm no expert on this particular caveat, so take that with a grain of salt):

Bad TOKEN_USER_GROUP offsets detected while parsing tokenData!
RestrictedSids: 0xe1b37720
RestrictedSidCount: 0x1f4
userAndGroupCount: 0x4c
userAndGroupsAddr: 0xe1cdf3c0
Attempting WINXP SP0/SP1 x86 TOKEN_USER_GROUP workaround
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe1cdf3c0

Either way excellent contribution, good luck on your OSCP!