mirror of
https://github.com/sairson/Yasso.git
synced 2026-02-07 20:44:21 +08:00
121 lines
2.6 KiB
Go
121 lines
2.6 KiB
Go
package plugin
|
|
|
|
import (
|
|
"Yasso/config"
|
|
"Yasso/core/logger"
|
|
"bytes"
|
|
"fmt"
|
|
"net"
|
|
"time"
|
|
)
|
|
|
|
const (
|
|
pkt = "\x00" + // session
|
|
"\x00\x00\xc0" + // legth
|
|
|
|
"\xfeSMB@\x00" + // protocol
|
|
|
|
//[MS-SMB2]: SMB2 NEGOTIATE Request
|
|
//https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/e14db7ff-763a-4263-8b10-0c3944f52fc5
|
|
|
|
"\x00\x00" +
|
|
"\x00\x00" +
|
|
"\x00\x00" +
|
|
"\x00\x00" +
|
|
"\x1f\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
|
|
// [MS-SMB2]: SMB2 NEGOTIATE_CONTEXT
|
|
// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/15332256-522e-4a53-8cd7-0bd17678a2f7
|
|
|
|
"$\x00" +
|
|
"\x08\x00" +
|
|
"\x01\x00" +
|
|
"\x00\x00" +
|
|
"\x7f\x00\x00\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
"x\x00" +
|
|
"\x00\x00" +
|
|
"\x02\x00" +
|
|
"\x00\x00" +
|
|
"\x02\x02" +
|
|
"\x10\x02" +
|
|
"\x22\x02" +
|
|
"$\x02" +
|
|
"\x00\x03" +
|
|
"\x02\x03" +
|
|
"\x10\x03" +
|
|
"\x11\x03" +
|
|
"\x00\x00\x00\x00" +
|
|
|
|
// [MS-SMB2]: SMB2_PREAUTH_INTEGRITY_CAPABILITIES
|
|
// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/5a07bd66-4734-4af8-abcf-5a44ff7ee0e5
|
|
|
|
"\x01\x00" +
|
|
"&\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
"\x01\x00" +
|
|
"\x20\x00" +
|
|
"\x01\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
"\x00\x00" +
|
|
|
|
// [MS-SMB2]: SMB2_COMPRESSION_CAPABILITIES
|
|
// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/78e0c942-ab41-472b-b117-4a95ebe88271
|
|
|
|
"\x03\x00" +
|
|
"\x0e\x00" +
|
|
"\x00\x00\x00\x00" +
|
|
"\x01\x00" + //CompressionAlgorithmCount
|
|
"\x00\x00" +
|
|
"\x01\x00\x00\x00" +
|
|
"\x01\x00" + //LZNT1
|
|
"\x00\x00" +
|
|
"\x00\x00\x00\x00"
|
|
)
|
|
|
|
func SmbGhostConn(info config.ServiceConn) bool {
|
|
conn, err := net.DialTimeout("tcp", fmt.Sprintf("%s:%v", info.Hostname, info.Port), info.Timeout)
|
|
if err != nil {
|
|
return false
|
|
} else {
|
|
defer conn.Close()
|
|
conn.Write([]byte(pkt))
|
|
buff := make([]byte, 1024)
|
|
err = conn.SetReadDeadline(time.Now().Add(2 * time.Second))
|
|
n, err := conn.Read(buff)
|
|
if err != nil {
|
|
//Println(err.Error()) // Profound analysis
|
|
}
|
|
|
|
if bytes.Contains([]byte(buff[:n]), []byte("Public")) == true {
|
|
logger.Success(fmt.Sprintf("%s Find CVE-2020-0796", info.Hostname))
|
|
return true
|
|
} else {
|
|
//Println(ip + " Not Vulnerable")
|
|
return false
|
|
}
|
|
}
|
|
}
|