shadowbrokers-exploits/windows/payloads/Smbdelete-1.1.1.0.xml
2017-04-14 11:45:07 +02:00

163 lines
7.5 KiB
XML

<?xml version="1.0"?>
<t:config id="aae3bb9d8fa41e6193529d29ba3b9d541bd9629a"
name="Smbdelete"
version="1.1.1"
configversion="1.1.1.0"
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xmlns:t='tc0'>
<t:inputparameters>
<t:parameter name="NetworkTimeout"
description="Timeout for blocking network calls (in seconds)"
type="S16"
default="60"/>
<t:parameter name="TargetIp"
description="Target IP Address"
type="IPv4"
binding="//identifier"/>
<t:parameter name="TargetPort"
description="Port used by the SMB service"
type="TcpPort"
binding="//service[name='smb']/port"
default="445"/>
<t:parameter name="Share"
description="A share on the target machine (c$), as string or hex bytes (not null terminated)"
type="UString"/>
<t:parameter name="Path"
description="The file to delete (windows\notepad.exe), as string or hex bytes (not null terminated)"
type="UString"
default=""/>
<t:paramchoice name="CredentialType"
description="Password, password hash, ticket, etc">
<t:paramgroup name="UnicodeCreds"
description="Unicode encoded credentials">
<t:parameter name="Username"
description="Username entered as hex bytes (in Unicode)"
type="UString"/>
<t:parameter name="Credential"
description="Unicode password entered as hex bytes (in Unicode)"
type="UString"/>
</t:paramgroup>
<t:paramgroup name="PasswordHash"
description="NTLM password hash">
<t:parameter name="Username"
description="Username entered as hex bytes (in Unicode)"
type="UString"/>
<t:parameter name="Credential"
description="Hash of user/machine password entered as hex bytes"
type="UString"/>
</t:paramgroup>
<t:paramgroup name="MachineHash"
description="Machine credentials, obtained from LSADump">
<t:parameter name="Username"
description="Machine name, including the '$' character, in UNICODE"
type="UString"/>
<t:parameter name="Credential"
description="Hash of machine password entered as HEX BYTES. This can be obtained from lsadump"
type="UString"/>
</t:paramgroup>
<t:paramgroup name="KerberosTicket"
description="Kerberos ticket for target machine">
<t:parameter name="Username"
description="Name of the user who owns the Kerberos ticket (in Unicode)"
type="UString"/>
<t:parameter name="DomainDns"
description="DNS name of the domain being exploited (in Unicode)"
type="UString"/>
<t:parameter name="KerberosTicket"
description="Kerberos ticket with necessary privileges"
type="UString"/>
<t:parameter name="SessionKey"
description="Encryption key used in the Kerberos ticket"
type="UString"/>
</t:paramgroup>
<t:paramgroup name="KerberosFile"
description="Kerberos ticket from disk">
<t:parameter name="TicketFile"
description="Local file holding Kerberos ticket"
type="LocalFile"/>
</t:paramgroup>
</t:paramchoice>
</t:inputparameters>
<t:outputparameters>
<t:paramchoice name="CredentialType"
description="Password, password hash, ticket, etc">
<t:paramgroup name="UnicodeCreds"
description="Unicode encoded credentials">
<t:parameter name="Username"
description="Username entered as hex bytes (in Unicode)"
type="UString"/>
<t:parameter name="Credential"
description="Unicode password entered as hex bytes (in Unicode)"
type="UString"/>
</t:paramgroup>
<t:paramgroup name="PasswordHash"
description="NTLM password hash">
<t:parameter name="Username"
description="Username entered as hex bytes (in Unicode)"
type="UString"/>
<t:parameter name="Credential"
description="Hash of user/machine password entered as hex bytes"
type="UString"/>
</t:paramgroup>
<t:paramgroup name="MachineHash"
description="Machine credentials, obtained from LSADump">
<t:parameter name="Username"
description="Machine name, including the '$' character, in UNICODE"
type="UString"/>
<t:parameter name="Credential"
description="Hash of machine password entered as HEX BYTES. This can be obtained from lsadump"
type="UString"/>
</t:paramgroup>
<t:paramgroup name="KerberosTicket"
description="Kerberos ticket for target machine">
<t:parameter name="Username"
description="Name of the user who owns the Kerberos ticket (in Unicode)"
type="UString"/>
<t:parameter name="DomainDns"
description="DNS name of the domain being exploited (in Unicode)"
type="UString"/>
<t:parameter name="KerberosTicket"
description="Kerberos ticket with necessary privileges"
type="UString"/>
<t:parameter name="SessionKey"
description="Encryption key used in the Kerberos ticket"
type="UString"/>
</t:paramgroup>
<t:paramgroup name="KerberosFile"
description="Kerberos ticket from disk">
<t:parameter name="TicketFile"
description="Local file holding Kerberos ticket"
type="LocalFile"/>
</t:paramgroup>
</t:paramchoice>
</t:outputparameters>
<t:redirection>
<t:local protocol="TCP"
listenaddr="TargetIp"
listenport="TargetPort"
destaddr="//identifier"
destport="//service[name='smb']/port"
closeoncompletion="true"/>
</t:redirection>
<t:logic>
<t:or>
<t:os family="windows" name="Windows 2000"/>
<t:os family="windows" name="Windows XP"/>
<t:os family="windows" name="Windows 2003"/>
<t:os family="windows" name="Windows 2003 R2"/>
<t:os family="windows" name="Windows Vista"/>
<t:os family="windows" name="Windows 2008"/>
<t:os family="windows" name="Windows 7"/>
<t:os family="windows" name="Windows 2008 R2"/>
</t:or>
</t:logic>
</t:config>