sneedmca/shadowbrokers-exploits
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
shadowbrokers-exploits/windows/exploits/Eternalsynergy-1.0.1.0.xml
Donncha O'Cearbhaill 7f640a83d4 Inital commit of Shadowbrokers 'Lost in Translation' release
2017-04-14 11:45:07 +02:00

185 lines
11 KiB
XML
Raw Blame History

<?xml version='1.0' encoding='utf-8'?>
<config xmlns='urn:trch' name='Eternalsynergy' version='1.0.1' schemaversion='2.1.0' configversion='1.0.1.0' id='665a77d7870f1e8dc34048203dc820525c09bd23'>
<inputparameters>
<parameter type='S16' name='NetworkTimeout' description='Timeout for blocking network calls (in seconds). Use -1 for no timeout.'>
<default>60</default>
</parameter>
<parameter type='IPv4' name='TargetIp' description='Target IP Address'/>
<parameter type='TcpPort' name='TargetPort' description='Target TCP port'>
<default>445</default>
</parameter>
<parameter hidden='true' type='U32' name='MaxLeakAttempts' description='Number of tries to exploit. Default 7'>
<default>7</default>
</parameter>
<parameter hidden='true' type='U32' name='MaxExploitAttempts' description='Number of tries to exploit. Default 3'>
<default>3</default>
</parameter>
<parameter type='U32' name='AttemptIndex' description='How many times ETSY has already been used against this target (0-7)'>
<default>0</default>
</parameter>
<parameter type='Boolean' name='ManyCoreTarget' description='Boolean specifying if the target is assumed to have many (8 or more) cores, physical or virtual'>
<default>0</default>
</parameter>
<parameter type='String' name='PipeName' description='The named pipe to use'>
</parameter>
<paramchoice name='ExploitMethod' description='Which exploit method to use'>
<default>Default</default>
<paramgroup name='Default' description='Use the best exploit method(s) for the target OS'>
<parameter hidden='true' type='U32' name='ExploitMethodChoice' description=''>
<default>0</default>
</parameter>
</paramgroup>
<paramgroup name='Matched-pairs' description='More reliable'>
<parameter hidden='true' type='U32' name='ExploitMethodChoice' description=''>
<default>1</default>
</parameter>
</paramgroup>
<paramgroup name='Classic-Synergy' description='Less reliable'>
<parameter hidden='true' type='U32' name='ExploitMethodChoice' description=''>
<default>2</default>
</parameter>
</paramgroup>
</paramchoice>
<parameter xdevmap='EXPLOIT_SHELLCODE' type='LocalFile' name='ShellcodeFile' description='DOPU (x64 version!) ONLY! Other shellcode will likely BSOD.'/>
<paramchoice name='Credentials' description='Type of credentials to use'>
<default>Anonymous</default>
<paramgroup name='Anonymous' description='Anonymous (NULL session)'>
<parameter hidden='true' type='U32' name='CredChoice' description=''>
<default>0</default>
</parameter>
<parameter hidden='true' type='Buffer' name='Username' description=''>
<default/>
</parameter>
<parameter hidden='true' type='Buffer' name='Password' description=''>
<default/>
</parameter>
</paramgroup>
<paramgroup name='Guest' description='Guest account'>
<parameter hidden='true' type='U32' name='CredChoice' description=''>
<default>2</default>
</parameter>
<parameter hidden='true' type='Buffer' name='Username' description=''>
<default>Guest</default>
</parameter>
<parameter hidden='true' type='Buffer' name='Password' description=''>
<default/>
</parameter>
</paramgroup>
<paramgroup name='Blank' description='User account with no password set'>
<parameter hidden='true' type='U32' name='CredChoice' description=''>
<default>2</default>
</parameter>
<parameter type='Buffer' name='Username' description='Username entered as hex bytes (in unicode)'/>
<parameter hidden='true' type='Buffer' name='Password' description=''>
<default/>
</parameter>
</paramgroup>
<paramgroup name='Password' description='User name and password'>
<parameter hidden='true' type='U32' name='CredChoice' description=''>
<default>3</default>
</parameter>
<parameter type='Buffer' name='Username' description='Username entered as hex bytes (in unicode)'/>
<parameter type='Buffer' name='Password' description='Password entered as hex bytes (in unicode)'/>
</paramgroup>
<paramgroup name='NTLM' description='User name and NT and/or LM hash'>
<parameter hidden='true' type='U32' name='CredChoice' description=''>
<default>4</default>
</parameter>
<parameter type='Buffer' name='Username' description='Username entered as hex bytes (in unicode)'/>
<parameter type='Buffer' name='ntHash' description='NT password hash (in hex), or blank to use LM hash'>
<default/>
</parameter>
<parameter type='Buffer' name='lmHash' description='LM password hash (in hex), or blank to use NT hash'>
<default/>
</parameter>
</paramgroup>
</paramchoice>
<paramchoice name='Protocol' description='SMB (default port 445) or NBT (default port 139)'>
<default>SMB</default>
<paramgroup name='SMB' description=''>
<parameter hidden='true' type='Boolean' name='UsingNbt' description='Boolean stating to use Nbt or not'>
<default>0</default>
</parameter>
</paramgroup>
<paramgroup name='NBT' description=''>
<parameter hidden='true' type='Boolean' name='UsingNbt' description='Boolean stating to use Nbt or not'>
<default>1</default>
</parameter>
</paramgroup>
</paramchoice>
<paramchoice name='Target' description='Operating System, Service Pack, of target OS'>
<paramgroup name='WIN8_SP0' description='Windows 8 Sp0, 64-bit'>
<parameter hidden='true' type='U8' name='OsMajor' description='OS Major Version'>
<default>6</default>
</parameter>
<parameter hidden='true' type='U8' name='OsMinor' description='OS Minor Version'>
<default>2</default>
</parameter>
<parameter hidden='true' type='U8' name='OsServicePack' description='OS Service Pack Level'>
<default>0</default>
</parameter>
</paramgroup>
<paramgroup name='SERVER_2K12_SP0' description='Windows Server 2012 Sp0, 64-bit'>
<parameter hidden='true' type='U8' name='OsMajor' description='OS Major Version'>
<default>6</default>
</parameter>
<parameter hidden='true' type='U8' name='OsMinor' description='OS Minor Version'>
<default>2</default>
</parameter>
<parameter hidden='true' type='U8' name='OsServicePack' description='OS Service Pack Level'>
<default>0</default>
</parameter>
</paramgroup>
</paramchoice>
</inputparameters>
<outputparameters>
<parameter type='Buffer' name='TargetOsArchitecture' description='The architecture of the target operating system'/>
</outputparameters>
<errors>
<errorcode name='ETSY_ERROR_NO_MEMORY' value='65' description='Out of memory'/>
<errorcode name='ETSY_ERROR_INVALID_PIPE_CHOICE' value='66' description='Named pipe choice not supported'/>
<errorcode name='ETSY_UNALIGNED_RPC_STRUCT' value='67' description='Unaligned data attempted to be sent over browser pipe'/>
<errorcode name='ETSY_ERROR_PIPES_NOT_AVAILABLE' value='68' description='No pipes available to connect to'/>
<errorcode name='ETSY_ERROR_WINSOCK_STARTUP' value='69' description='Winsock failed to start up'/>
<errorcode name='ETSY_ERROR_PARAM_INIT' value='69' description='Error during parameter initialization'/>
<errorcode name='ETSY_ERROR_TRANS_NOT_FOUND' value='70' description='Unable to find a Transaction struct with info leak'/>
<errorcode name='ETSY_ERROR_TRANS_WRITE_OUT_OF_RANGE' value='71' description='Cannot write that far into Transaction, should have written more with WriteAndX'/>
<errorcode name='ETSY_ERROR_TRANS_TAKEOVER_UNSUCCESSFUL' value='72' description='Memory written to was not a transaction we controlled'/>
<errorcode name='ETSY_ERROR_OUT_OF_REMOTE_MEMORY' value='73' description='Out of memory to use in remote transaction'/>
<errorcode name='ETSY_ERROR_UNKNOWN_TRANS_SIZE' value='74' description='Unknown transaction size detected'/>
<errorcode name='ETSY_ERROR_NOT_ENOUGH_LEAK_DATA' value='75' description='Leak returned with less data than it should have'/>
<errorcode name='ETSY_ERROR_STRUCT_WALK_ABORTED' value='76' description='Failed to walk structures and find Srv module'/>
<errorcode name='ETSY_ERROR_BACKDOOR_NOT_PRESENT' value='77' description='Backdoor transaction sent but backdoor did not respond'/>
<errorcode name='ETSY_ERROR_PAYLOAD_TOO_LARGE' value='78' description='Stage 1 payload exceeded max allowed size (0xFFFF)'/>
<errorcode name='ETSY_ERROR_BACKDOOR_RETURNED_ERROR' value='79' description='Backdoor present but returned an error code'/>
<errorcode name='ETSY_ERROR_BLUE_SCREENED_TARGET' value='80' description='Overwrite caused the target to blue screen'/>
<errorcode name='ETSY_ERROR_OS_NOT_SUPPORTED' value='81' description='Offsets not available for the targeted OS'/>
<errorcode name='ETSY_ERROR_DISPATCH_TABLE_NOT_FOUND' value='82' description='Unable to locate the dispatch table in memory'/>
<errorcode name='ETSY_ERROR_EXPLOITATION_UNSUCCESSFUL' value='83' description='Exploit methods were tried and were not successful'/>
<errorcode name='ETSY_ERROR_EXPLOIT_METHOD_UNSUCCESSFUL' value='84' description='Exploit method was not successful but did not crash, other methods may be tried'/>
<errorcode name='ETSY_ERROR_INVALID_EXPLOIT_METHOD' value='85' description='Exploit method not possible for target OS'/>
<errorcode name='ETSY_ERROR_TIPPYBEER' value='86' description='Tippybeer encountered an unrecoverable error, probably memory related'/>
<errorcode name='ETSY_ERROR_CONNECTION_LOCAL' value='87' description='Something went wrong at the network layer on our end!'/>
<errorcode name='ETSY_ERROR_CONNECTION_REMOTE' value='88' description='Connection to target failed'/>
<errorcode name='ETSY_ERROR_ARCH' value='89' description='Architecture is unknown or not supported'/>
</errors>
<redirection>
<local protocol='TCP' listenaddr='TargetIp' listenport='TargetPort' closeoncompletion='true' destaddr='TargetIp' destport='TargetPort'/>
</redirection>
<logic>
<and>
<service name='smb'>
<bindtovalue name='Protocol' value='SMB'/>
<bindtopath path="//service[name='smb']/port" name='TargetPort'/>
</service>
<or>
<os servicepack='0' name='Windows 8' family='windows' architecture='x64 64-bit'>
<bindtovalue name='Target' value='WIN8_SP0'/>
</os>
<os servicepack='0' name='Windows Server 2012' family='windows' architecture='x64 64-bit'>
<bindtovalue name='Target' value='SERVER_2K12_SP0'/>
</os>
</or>
</and>
</logic>
</config>
Reference in a new issue View git blame Copy permalink