projectdiscovery
GitHub Repository: projectdiscovery/nuclei
Path: blob/dev/pkg/js/libs/structs/smbexploit.js
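// Probe for CVE-2020-0796 exposure: send an SMB2 NEGOTIATE request that offers
// dialects up to 3.1.1 plus a compression negotiate context, then read back the
// server's DialectRevision and NegotiateContextCount. A server answering
// 0x0311 with two contexts has SMB 3.1.1 compression enabled, which is the
// condition this script reports on.
//
// NOTE(review): SMB2 is a little-endian protocol, so every structs.pack("H"/"I"/"Q")
// below relies on the structs library defaulting to little-endian byte order
// (the header-size field must serialise as 40 00) — confirm against the library.

const header = bytes.Buffer();

// SMB2 header (64 bytes)
header.append(structs.pack("B", 254)); // magic
header.append("SMB");
header.append(structs.pack("H", 64)); // header size
header.append(structs.pack("H", 0)); // credit charge
header.append(structs.pack("H", 0)); // channel sequence
header.append(structs.pack("H", 0)); // reserved
header.append(structs.pack("H", 0)); // negotiate protocol command
header.append(structs.pack("H", 31)); // credits requested
header.append(structs.pack("I", 0)); // flags
header.append(structs.pack("I", 0)); // chain offset
header.append(structs.pack("Q", 0)); // message id
header.append(structs.pack("I", 0)); // process id
header.append(structs.pack("I", 0)); // tree id
header.append(structs.pack("Q", 0)); // session id
header.append(structs.pack("QQ", [0, 0])); // signature

// SMB2 NEGOTIATE request body. The byte sequence is kept exactly as the
// original author tested it; field comments are the author's.
const negotiation = bytes.Buffer();
negotiation.append(structs.pack("H", 0x24)); // struct size
negotiation.append(structs.pack("H", 8)); // amount of dialects
negotiation.append(structs.pack("H", 1)); // enable signing
negotiation.append(structs.pack("H", 0)); // reserved
negotiation.append(structs.pack("I", 0x7f)); // capabilities
negotiation.append(structs.pack("QQ", [0, 0])); // client guid
negotiation.append(structs.pack("I", 0x78)); // negotiation offset
negotiation.append(structs.pack("H", 2)); // negotiation context count
negotiation.append(structs.pack("H", 0)); // reserved
negotiation.append(structs.pack("H", 0x0202)); // smb 2.0.2 dialect
negotiation.append(structs.pack("H", 0x0210)); // smb 2.1.0 dialect
negotiation.append(structs.pack("H", 0x0222)); // smb 2.2.2 dialect
negotiation.append(structs.pack("H", 0x0224)); // smb 2.2.4 dialect
negotiation.append(structs.pack("H", 0x0300)); // smb 3.0.0 dialect
negotiation.append(structs.pack("H", 0x0302)); // smb 3.0.2 dialect
negotiation.append(structs.pack("H", 0x0310)); // smb 3.1.0 dialect
negotiation.append(structs.pack("H", 0x0311)); // smb 3.1.1 dialect
negotiation.append(structs.pack("I", 0)); // padding
// First negotiate context: type 1 = preauth integrity capabilities
negotiation.append(structs.pack("H", 1)); // negotiation context type
negotiation.append(structs.pack("H", 38)); // negotiation data length
negotiation.append(structs.pack("I", 0)); // reserved
negotiation.append(structs.pack("H", 1)); // negotiation hash algorithm count
negotiation.append(structs.pack("H", 32)); // negotiation salt length
negotiation.append(structs.pack("H", 1)); // negotiation hash algorithm SHA512
negotiation.append(structs.pack("H", 1)); // negotiation hash algorithm SHA512
negotiation.append(structs.pack("QQ", [0, 0])); // salt part 1
negotiation.append(structs.pack("QQ", [0, 0])); // salt part 2
// Second negotiate context: type 3 is the compression-capabilities context
// (the author left these as "unknown"; the type value matches MS-SMB2).
negotiation.append(structs.pack("H", 3)); // unknown??
negotiation.append(structs.pack("H", 10)); // data length unknown??
negotiation.append(structs.pack("I", 0)); // reserved unknown??
negotiation.append("\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"); // unknown

const packet = bytes.Buffer();
packet.append(header.bytes());
packet.append(negotiation.bytes());

// NetBIOS session service header: 1 byte message type followed by a 24-bit
// big-endian length. Emitting the length byte by byte keeps the framing
// correct for payloads of 256 bytes or more; the previous single-byte length
// silently truncated anything above 0xff. For the current 192-byte packet the
// output bytes are unchanged.
const payloadLen = packet.len();
const netbios = bytes.Buffer();
netbios.append(structs.pack("B", 0)); // NetBIOS session message
netbios.append(structs.pack("B", (payloadLen >> 16) & 0xff)); // length, high byte
netbios.append(structs.pack("B", (payloadLen >> 8) & 0xff)); // length, middle byte
netbios.append(structs.pack("B", payloadLen & 0xff)); // length, low byte

const final = bytes.Buffer();
final.append(netbios.bytes());
final.append(packet.bytes());

console.log("Netbios", netbios.hex(), netbios.len());
console.log("Header", header.hex(), header.len());
console.log("Negotation", negotiation.hex(), negotiation.len());
console.log("Packet", final.hex(), final.len());

const c = require("nuclei/libnet");
const conn = c.Open("tcp", "118.68.186.114:445");
// try/finally so the connection is released even if Send/Recv/unpack throws.
try {
    conn.Send(final.bytes(), 0);
    const bytesRecv = conn.Recv(0, 4);
    console.log("recv Bytes", bytesRecv);
    // NOTE(review): the reply's NetBIOS header is also type(1) + 24-bit
    // big-endian length; unpacking the four bytes as a single "I" only gives
    // the true length if the library's byte order is big-endian here — confirm,
    // otherwise the following Recv asks for far more than the server sent.
    const size = structs.unpack("I", bytesRecv)[0];
    console.log("Size", size);
    const data = conn.Recv(0, size);
    console.log("Data", data);

    // TODO: Add hexdump helpers

    // SMB2 NEGOTIATE response: 64-byte header, then StructureSize(2),
    // SecurityMode(2), DialectRevision(2) at offset 68 and
    // NegotiateContextCount(2) at offset 70. Declared with const: the original
    // assigned these without a declaration, creating implicit globals.
    const version = structs.unpack("H", data.slice(68, 70))[0];
    const context = structs.unpack("H", data.slice(70, 72))[0];

    console.log("Version", version);
    console.log("Context", context);

    if (version !== 0x0311) {
        console.log("SMB version ", version, "was found which is not vulnerable!");
    } else if (context !== 2) {
        console.log("Server answered with context", context, " which indicates that the target may not have SMB compression enabled and is therefore not vulnerable!");
    } else {
        console.log("SMB version ", version, " with context ", context, " was found which indicates SMBv3.1.1 is being used and SMB compression is enabled, therefore being vulnerable to CVE-2020-0796!");
    }
} finally {
    conn.Close();
}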