A-A+

MS17-010检测脚本py (php)

2017年12月29日 11:19 汪洋大海 暂无评论 阅读 137 views 次

ms17-010 py检测脚本来源:https://github.com/ysrc/xunfeng/blob/master/vulscan/vuldb/MS17_010.py

代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
# coding=utf-8
import socket
import binascii
 
 
def get_plugin_info():
    plugin_info = {
        "name": "SMB远程溢出",
        "info": "MS17-010(NSA Eternalblue SMB),攻击者可通过此漏洞执行任意代码,进而导致服务器被入侵控制。",
        "level": "紧急",
        "type": "远程溢出",
        "author": "wolf@YSRC",
        "url": "http://bobao.360.cn/learning/detail/3738.html",
        "keyword": "server:smb",
        "source": 1
    }
    return plugin_info
 
def check(ip, port, timeout):
    negotiate_protocol_request = binascii.unhexlify(
        "00000054ff534d42720000000018012800000000000000000000000000002f4b0000c55e003100024c414e4d414e312e3000024c4d312e325830303200024e54204c414e4d414e20312e3000024e54204c4d20302e313200")
    session_setup_request = binascii.unhexlify(
        "00000063ff534d42730000000018012000000000000000000000000000002f4b0000c55e0dff000000dfff02000100000000000000000000000000400000002600002e0057696e646f7773203230303020323139350057696e646f7773203230303020352e3000")
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        s.connect((ip, port))
        s.send(negotiate_protocol_request)
        s.recv(1024)
        s.send(session_setup_request)
        data = s.recv(1024)
        user_id = data[32:34]
        tree_connect_andx_request = "000000%xff534d42750000000018012000000000000000000000000000002f4b%sc55e04ff000000000001001a00005c5c%s5c49504324003f3f3f3f3f00" % ((58 + len(ip)), user_id.encode('hex'), ip.encode('hex'))
        s.send(binascii.unhexlify(tree_connect_andx_request))
        data = s.recv(1024)
        allid = data[28:36]
        payload = "0000004aff534d422500000000180128000000000000000000000000%s1000000000ffffffff0000000000000000000000004a0000004a0002002300000007005c504950455c00" % allid.encode('hex')
        s.send(binascii.unhexlify(payload))
        data = s.recv(1024)
        s.close()
        if "\x05\x02\x00\xc0" in data:
            return u"存在SMB远程溢出漏洞"
        s.close()
    except:
        pass

MS17-010 php检测脚本,来源地址:https://www.t00ls.net/thread-43350-1-1.html 作者:冰封
代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
<?php
//根据巡风python代码翻译成PHP代码
//2017.08.03 by ice && By T00ls.Net;
//https://github.com/ysrc/xunfeng/blob/master/vulscan/vuldb/MS17_010.py
@error_reporting(7);
if(@$_GET['host']){
        $host=trim($_GET['host']);
        if(ms17010($host,445)){
                echo '<span style="color:#F00">[+] Vulnerability!</span>';
        }else{
                echo '<span style="color:#000">[-] No Vulnerability!</span>';
        }
        echo '<br>[+] OS: <span style="color:#666">'.smbos($host,445)."</span><br>";
}
function ms17010($host,$port){
        $tcp='tcp://'.$host.':'.$port;
        $sock=stream_socket_client($tcp,$errno, $errstr, 3,STREAM_CLIENT_CONNECT);
        if ($sock){
                $data1=pack('H*','00000054ff534d42720000000018012800000000000000000000000000002f4b0000c55e003100024c414e4d414e312e3000024c4d312e325830303200024e54204c414e4d414e20312e3000024e54204c4d20302e313200');
                fwrite($sock,$data1);
                fread($sock, 1024);
                $data2=pack('H*','00000063ff534d42730000000018012000000000000000000000000000002f4b0000c55e0dff000000dfff02000100000000000000000000000000400000002600002e0057696e646f7773203230303020323139350057696e646f7773203230303020352e3000');
                fwrite($sock,$data2);
                $data2_data=fread($sock, 1024);
                $user_id=substr(bin2hex($data2_data),64,4);
                $data3=pack('H*','000000'.dechex(58+strlen($host)).'ff534d42750000000018012000000000000000000000000000002f4b'.$user_id.'c55e04ff000000000001001a00005c5c'.bin2hex($host).'5c49504324003f3f3f3f3f00');
                fwrite($sock,$data3);
                $data3_data=fread($sock, 1024);
                $allid=substr(bin2hex($data3_data),28*2,16);
                $data4=pack('H*','0000004aff534d422500000000180128000000000000000000000000'.$allid.'1000000000ffffffff0000000000000000000000004a0000004a0002002300000007005c504950455c00');
                fwrite($sock,$data4);
                $data4_data=fread($sock, 1024);
                if(substr(bin2hex($data4_data),18,8) == '050200c0'){
                        return true;
                }else{
                        return false;
                }
        }
}
function smbos($host,$port){
        $tcp='tcp://'.$host.':'.$port;
        $sock=stream_socket_client($tcp,$errno, $errstr, 3,STREAM_CLIENT_CONNECT);
        if ($sock){
                $payload1=pack('H*','00000085ff534d4272000000001853c80000000000000000000000000000fffe00000000006200025043204e4554574f524b2050524f4752414d20312e3000024c414e4d414e312e30000257696e646f777320666f7220576f726b67726f75707320332e316100024c4d312e325830303200024c414e4d414e322e3100024e54204c4d20302e313200');
                $payload2=pack('H*','0000010aff534d4273000000001807c80000000000000000000000000000fffe000040000cff000a01044132000000000000004a0000000000d40000a0cf00604806062b0601050502a03e303ca00e300c060a2b06010401823702020aa22a04284e544c4d5353500001000000078208a2000000000000000000000000000000000502ce0e0000000f00570069006e0064006f0077007300200053006500720076006500720020003200300030003300200033003700390030002000530065007200760069006300650020005000610063006b002000320000000000570069006e0064006f0077007300200053006500720076006500720020003200300030003300200035002e00320000000000');
                fwrite($sock,$payload1);
                $out1=fread($sock, 1024);
                fwrite($sock,$payload2);
                $out2=fread($sock, 1024);
                $blob_len_arr=unpack('s',substr($out2,36+7,2));
                $osarr=explode(chr(0),iconv('UTF-16LE','UTF-8',substr($out2,36+11+$blob_len_arr[1])));
                return $osarr[0].'|'.$osarr[1];
        }
}
?>

用法很简单:
http://127.0.0.1/ms17-010.php?host=10.211.55.10

给我留言