Inspired by ollypwn's SMBGhost (CVE-2020-0796) scanner, I wrote my own script and am sharing it here.
import socket
import binascii
import sys
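# SMB2 NEGOTIATE request, kept as the original hex blob so the bytes on the
# wire are unchanged: NetBIOS session header (length 0xc8), SMB2 header,
# then a NEGOTIATE body offering dialects 2.0.2, 2.1, 3.0, 3.0.2 and 3.1.1
# followed by three negotiate contexts - pre-auth integrity, encryption and
# SMB2_COMPRESSION_CAPABILITIES (offering LZ77, LZ77+Huffman and LZNT1).
# The compression context is what makes the server reveal whether it
# supports SMB compression at all, which is the SMBGhost precondition.
payload = binascii.unhexlify(
    '000000c8fe534d42400000000000000000001f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000024000500010000007f0000000000000000000000000000000000000070000000030000000202100200030203110300000100260000000000010020000100000000000000000000000000000000000000000000000000000000000000000000000200060000000000020002000100000003000e000000000003000000000000000200030001000000'
)

SMB_PORT = 445
TIMEOUT = 3
# Largest NetBIOS session message we are willing to read back. A NEGOTIATE
# response is a few hundred bytes; anything far bigger is not what we asked
# for, and we should not let a hostile server make us buffer megabytes.
MAX_RESPONSE = 64 * 1024

# Value Meaning  (CompressionAlgorithms field of SMB2_COMPRESSION_CAPABILITIES)
COMPRESSION_ALGORITHMS = {
    0x0000: "NONE",          # No compression
    0x0001: "LZNT1",         # LZNT1 compression algorithm
    0x0002: "LZ77",          # LZ77 compression algorithm
    0x0003: "LZ77+Huffman",  # LZ77+Huffman compression algorithm
}
# Any real compression algorithm counts; NONE (0x0000) does not.
VULNERABLE_ALGORITHMS = (0x0001, 0x0002, 0x0003)

SMB2_DIALECT_311 = 0x0311                 # DialectRevision for SMB 3.1.1
SMB2_COMPRESSION_CAPABILITIES = 0x0003    # negotiate ContextType


def _recv_exact(sock, size):
    """Read exactly *size* bytes from *sock*.

    A single recv() may return a partial message, so loop until the full
    length has arrived. Raises ConnectionError if the peer closes early.
    """
    chunks = []
    remaining = size
    while remaining:
        chunk = sock.recv(remaining)
        if not chunk:
            raise ConnectionError(
                "connection closed after %d of %d bytes" % (size - remaining, size)
            )
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


def negotiate(host, port=SMB_PORT, timeout=TIMEOUT):
    """Send the NEGOTIATE request to host:port and return the whole reply.

    The returned bytes include the 4-byte NetBIOS session header, so offsets
    in parse_negotiate_response() are relative to the start of this buffer.

    Raises OSError (socket.timeout and ConnectionError are subclasses) on
    network problems and ValueError if the server announces a message larger
    than MAX_RESPONSE.
    """
    # create_connection() resolves the name and also works for IPv6 hosts;
    # the with-block guarantees the socket is closed on every exit path.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        header = _recv_exact(sock, 4)
        # NetBIOS session header: 1 byte type, 3 bytes big-endian length.
        length = int.from_bytes(header[1:4], "big")
        if length > MAX_RESPONSE:
            raise ValueError("server announced a %d-byte message" % length)
        return header + _recv_exact(sock, length)


def parse_negotiate_response(response):
    """Extract (dialect, compression_algorithms) from a raw NEGOTIATE reply.

    *response* is the NetBIOS-framed reply: 4-byte session header, 64-byte
    SMB2 header, then the NEGOTIATE response body. Returns the
    DialectRevision as an int (None if the reply is too short or not SMB2)
    and the list of algorithm ids from the first SMB2_COMPRESSION_CAPABILITIES
    negotiate context ([] if there is none). The context table is walked
    from NegotiateContextOffset/NegotiateContextCount rather than assuming
    the compression context is the last thing in the packet; a truncated or
    malformed table stops the walk instead of raising.
    """
    body = 4 + 64  # NetBIOS header + SMB2 header
    # Need the fixed 64-byte NEGOTIATE body up to and including
    # NegotiateContextOffset (body+60..body+64), and an SMB2 magic.
    if len(response) < body + 64 or response[4:8] != b"\xfeSMB":
        return None, []
    dialect = int.from_bytes(response[body + 4:body + 6], "little")
    # For dialects below 3.1.1 this field is Reserved (0) and the loop is skipped.
    context_count = int.from_bytes(response[body + 6:body + 8], "little")
    # NegotiateContextOffset is relative to the start of the SMB2 header.
    offset = 4 + int.from_bytes(response[body + 60:body + 64], "little")
    algorithms = []
    for _ in range(context_count):
        if offset + 8 > len(response):
            break
        ctx_type = int.from_bytes(response[offset:offset + 2], "little")
        data_len = int.from_bytes(response[offset + 2:offset + 4], "little")
        data = response[offset + 8:offset + 8 + data_len]
        if len(data) < data_len:
            break  # server lied about the length; do not read past the buffer
        if ctx_type == SMB2_COMPRESSION_CAPABILITIES and len(data) >= 8:
            # CompressionAlgorithmCount(2) Padding(2) Flags(4) then 2-byte ids.
            count = int.from_bytes(data[0:2], "little")
            algorithms = [
                int.from_bytes(data[8 + 2 * i:10 + 2 * i], "little")
                for i in range(count)
                if 10 + 2 * i <= len(data)
            ]
            break
        # Each context starts on an 8-byte boundary relative to the SMB2 header.
        offset += 8 + data_len
        offset += (-(offset - 4)) % 8
    return dialect, algorithms


def assess(host, response):
    """Turn a raw NEGOTIATE reply into the scanner's output.

    Returns (info_lines, verdict): info_lines are printed to stdout, verdict
    is the final one-line result. The host is flagged "Vulnerable" when it
    speaks SMB 3.1.1 and advertises LZNT1, LZ77 or LZ77+Huffman compression.

    NOTE(review): this is a capability check, not an exploit attempt - it
    only reports what the server advertises in NEGOTIATE. A host that has
    the fix installed may still advertise compression, so treat a
    "Vulnerable" verdict as "worth verifying", not as proof.
    """
    dialect, algorithms = parse_negotiate_response(response)
    lines = []
    if dialect == SMB2_DIALECT_311:
        lines.append(host + " support SMB protocol version 3.1.1")
        for algorithm in algorithms:
            if algorithm in VULNERABLE_ALGORITHMS:
                return lines, (
                    host + "\tVulnerable!!!\tTarget support "
                    + COMPRESSION_ALGORITHMS[algorithm] + " compression algorithm"
                )
    return lines, host + "[*] Not vulnerable."


def main(argv=None):
    """Scan the single host named on the command line and exit with the verdict.

    Exits with status 1 via sys.exit(message) in every case, as the original
    script did; network errors are reported as "<host> <error>".
    """
    argv = sys.argv if argv is None else argv
    if len(argv) < 2:
        # Previously an IndexError escaped from the except handler itself.
        sys.exit("usage: %s <host>" % argv[0])
    host = argv[1]
    try:
        response = negotiate(host)
    except (OSError, ValueError) as identifier:
        sys.exit(host + " " + str(identifier))
    lines, verdict = assess(host, response)
    for line in lines:
        print(line)
    sys.exit(verdict)


if __name__ == "__main__":
    main()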
The code above does two things:
- Sends an SMB2 NEGOTIATE request advertising the dialects (up to 3.1.1) and compression algorithms the client supports.
- Parses the NEGOTIATE response to see whether the server speaks SMB 3.1.1 and which compression algorithm it advertises. This is a capability check only: a host that advertises compression is not necessarily unpatched, so confirm any "Vulnerable" result before acting on it.