
TheHackerWorld (official account)

Writing an MS17-010 scanner in Python


Preface:
MS17-010 is old news from last year. I only wanted to write a detection script to make my own testing and use easier.

Body:

First, the approach. The four SMB1 requests used by the check, as hex strings converted to bytes:

negotiate_protocol_request = binascii.unhexlify(
    "00000085ff534d4272000000001853c00000000000000000000000000000fffe00004000006200025043204e4554574f524b2050524f4752414d20312e3000024c414e4d414e312e30000257696e646f777320666f7220576f726b67726f75707320332e316100024c4d312e325830303200024c414e4d414e322e3100024e54204c4d20302e313200")
session_setup_request = binascii.unhexlify(
    "00000088ff534d4273000000001807c00000000000000000000000000000fffe000040000dff00880004110a000000000000000100000000000000d40000004b000000000000570069006e0064006f007700730020003200300030003000200032003100390035000000570069006e0064006f007700730020003200300030003000200035002e0030000000")
tree_connect_request = binascii.unhexlify(
    "00000060ff534d4275000000001807c00000000000000000000000000000fffe0008400004ff006000080001003500005c005c003100390032002e003100360038002e003100370035002e003100320038005c00490050004300240000003f3f3f3f3f00")
trans2_session_setup = binascii.unhexlify(
    "0000004eff534d4232000000001807c00000000000000000000000000008fffe000841000f0c0000000100000000000000a6d9a40000000c00420000004e0001000e000d0000000000000000000000000000")


1. First send these payloads (after converting each hex string into bytes) to the target host, in order: protocol negotiation, session setup, tree connect, then the Trans2 request.
2. Then read the data that comes back from each step and evaluate it (the session setup reply carries the server-assigned User ID, the tree connect reply the Tree ID; both are copied into the later requests).
3. Decide from the final reply whether the MS17-010 vulnerability is present.

Code:

import socket
import binascii
import struct
import sys

# The four SMB1 requests (NEGOTIATE, SESSION_SETUP_ANDX, TREE_CONNECT_ANDX and a
# TRANS2 SESSION_SETUP probe), each prefixed with its 4-byte NetBIOS session header.
payload0 = binascii.unhexlify('00000085ff534d4272000000001853c00000000000000000000000000000fffe00004000006200025043204e4554574f524b2050524f4752414d20312e3000024c414e4d414e312e30000257696e646f777320666f7220576f726b67726f75707320332e316100024c4d312e325830303200024c414e4d414e322e3100024e54204c4d20302e313200')
payload1 = binascii.unhexlify('00000088ff534d4273000000001807c00000000000000000000000000000fffe000040000dff00880004110a000000000000000100000000000000d40000004b000000000000570069006e0064006f007700730020003200300030003000200032003100390035000000570069006e0064006f007700730020003200300030003000200035002e0030000000')
payload2 = binascii.unhexlify('00000060ff534d4275000000001807c00000000000000000000000000000fffe0008400004ff006000080001003500005c005c003100390032002e003100360038002e003100370035002e003100320038005c00490050004300240000003f3f3f3f3f00')
payload3 = binascii.unhexlify('0000004eff534d4232000000001807c00000000000000000000000000008fffe000841000f0c0000000100000000000000a6d9a40000000c00420000004e0001000e000d0000000000000000000000000000')

# Offsets below count from the start of the reply, i.e. 4 NetBIOS bytes + the 32-byte SMB1 header:
# NT status is at 9:13, Tree ID at 28:30, User ID at 32:34 (all little-endian).
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205


def scan(host, port=445):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)
    s.connect((host, port))

    print('[+]{} Ready to send'.format(host))
    s.send(payload0)
    s.recv(1024)

    print('[+]{} Setting request'.format(host))
    s.send(payload1)
    session_setup_response = s.recv(1024)

    # Server-assigned User ID from the session setup reply
    user_id = session_setup_response[32:34]
    print(host, 'User ID=%s' % struct.unpack('<H', user_id)[0])

    # Patch the User ID into the tree connect request and send the patched copy
    modified_tree_connect_request = bytearray(payload2)
    modified_tree_connect_request[32:34] = user_id

    print('[+]{} Send connection'.format(host))
    s.send(bytes(modified_tree_connect_request))
    tree_connect_response = s.recv(1024)

    # Server-assigned Tree ID from the tree connect reply
    tree_id = tree_connect_response[28:30]
    print('[+]{}'.format(host), 'Tree ID=%s' % struct.unpack('<H', tree_id)[0])

    # Patch both IDs into the Trans2 request and send the patched copy
    modified_trans2_session_setup = bytearray(payload3)
    modified_trans2_session_setup[28:30] = tree_id
    modified_trans2_session_setup[32:34] = user_id

    print('[+]{} Sending trans2 request'.format(host))
    s.send(bytes(modified_trans2_session_setup))
    final_response = s.recv(1024)

    s.close()

    if len(final_response) < 13:
        print('[-]{} short or empty reply, cannot decide'.format(host))
        return

    # An unpatched host answers the Trans2 probe with STATUS_INSUFF_SERVER_RESOURCES (0xC0000205)
    nt_status = struct.unpack('<I', final_response[9:13])[0]
    if nt_status == STATUS_INSUFF_SERVER_RESOURCES:
        print('[*]existence MS17-010')
    else:
        print('[-]Not existence MS17-010')


def run():
    host = input('IP:')
    try:
        scan(host)
    except (socket.timeout, OSError) as e:
        print('[-]{} {}'.format(host, e))
        sys.exit(1)


if __name__ == '__main__':
    run()
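The parsing and decision part of steps 2 and 3 (read the reply, pull the IDs out of the SMB1 header, copy them into the next request, classify the Trans2 reply by its NT status) can be written so it is testable offline, without a live host. The following is an added example and not code from the original post: it assumes the reply layout of a 4-byte NetBIOS session header followed by the 32-byte SMB1 header, and it uses STATUS_INSUFF_SERVER_RESOURCES (0xC0000205) as the indicator of an unpatched host, which is the status the public checkers (nmap's smb-vuln-ms17-010, Metasploit's smb_ms17_010) key on. The sample replies are constructed, not captured; `make_smb1_reply` is a helper invented here for that purpose.

```python
import struct

NETBIOS_LEN = 4                                # NetBIOS session service header: type byte + 3-byte length
SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205    # reply an unpatched host gives to the TRANS2 probe


def parse_smb1_header(reply):
    """Return the SMB1 header fields of a reply, or None if it is not a well-formed SMB1 message."""
    if len(reply) < NETBIOS_LEN + 32:
        return None
    nb_len = int.from_bytes(reply[1:4], "big")           # length of the SMB message that follows
    body = reply[NETBIOS_LEN:NETBIOS_LEN + nb_len]
    if body[:4] != SMB1_MAGIC or len(body) < 32:         # truncated or non-SMB reply
        return None
    # Header layout: magic(4) command(1) status(4) flags(1) flags2(2) pidhigh(2) sig(8) reserved(2)
    #                tid(2) pid(2) uid(2) mid(2)
    command, status, flags, flags2, pid_high = struct.unpack_from("<BIBHH", body, 4)
    tid, pid, uid, mid = struct.unpack_from("<HHHH", body, 24)
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "tid": tid, "pid": pid, "uid": uid, "mid": mid}


def set_ids(request, tid=None, uid=None):
    """Copy a request template with the server-assigned TID and/or UID written into its header."""
    out = bytearray(request)
    if tid is not None:
        struct.pack_into("<H", out, NETBIOS_LEN + 24, tid)   # TID field of the SMB1 header
    if uid is not None:
        struct.pack_into("<H", out, NETBIOS_LEN + 28, uid)   # UID field of the SMB1 header
    return bytes(out)


def classify_trans2_reply(reply):
    """Classify the reply to the TRANS2 probe: vulnerable / not vulnerable / unexpected / malformed."""
    hdr = parse_smb1_header(reply)
    if hdr is None:
        return "malformed"
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "unexpected"
    if hdr["status"] == STATUS_INSUFF_SERVER_RESOURCES:
        return "vulnerable"
    return "not vulnerable"


def make_smb1_reply(command, status, tid, uid, mid=0x41):
    """Build a minimal constructed SMB1 reply (header only, empty parameter/data block) for offline tests."""
    body = SMB1_MAGIC + struct.pack("<BIBHH", command, status, 0x98, 0xC807, 0)
    body += b"\x00" * 8 + b"\x00\x00" + struct.pack("<HHHH", tid, 0xFEFF, uid, mid)
    body += b"\x00" + b"\x00\x00"                        # WordCount = 0, ByteCount = 0
    return b"\x00" + len(body).to_bytes(3, "big") + body


def demo():
    """Run the decision logic over constructed replies and return the classifications."""
    unpatched = make_smb1_reply(SMB_COM_TRANSACTION2, STATUS_INSUFF_SERVER_RESOURCES, 0x0800, 0x0800)
    patched = make_smb1_reply(SMB_COM_TRANSACTION2, 0xC0000002, 0x0800, 0x0800)   # STATUS_NOT_IMPLEMENTED
    garbage = b"\x00\x00\x00\x05hello"
    return {
        "unpatched": classify_trans2_reply(unpatched),
        "patched": classify_trans2_reply(patched),
        "garbage": classify_trans2_reply(garbage),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "->", verdict)
```

Separating the wire I/O from the parsing this way means the only thing that needs a live host is the four send/recv exchanges; everything that decides "vulnerable or not" can be checked against saved or constructed replies, and a truncated or non-SMB answer is reported as malformed instead of raising inside struct.unpack.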

Test result:

(screenshot: UuZtBJw.png)
