coercer.utils.RPCProtocol

  1#!/usr/bin/env python3
  2# -*- coding: utf-8 -*-
  3# File name          : RPCProtocol.py
  4# Author             : Podalirius (@podalirius_)
  5# Date created       : 6 Jul 2022
  6
  7
  8import sys
  9from impacket import system_errors
 10from impacket.dcerpc.v5 import transport
 11from impacket.dcerpc.v5.rpcrt import DCERPCException
 12from impacket.uuid import uuidtup_to_bin
 13
 14
 15class DCERPCSessionError(DCERPCException):
 16    def __init__(self, error_string=None, error_code=None, packet=None):
 17        DCERPCException.__init__(self, error_string, error_code, packet)
 18
 19    def __str__(self):
 20        key = self.error_code
 21        if key in system_errors.ERROR_MESSAGES:
 22            error_msg_short = system_errors.ERROR_MESSAGES[key][0]
 23            error_msg_verbose = system_errors.ERROR_MESSAGES[key][1]
 24            return '[!] SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
 25        else:
 26            return '[!] SessionError: unknown error code: 0x%x' % self.error_code
 27
 28
 29class RPCProtocol(object):
 30    """
 31    Documentation for class RPCProtocol
 32    """
 33
 34    uuid = None
 35    version = None
 36
 37    auth_type = None
 38    auth_level = None
 39    pipe = None
 40
 41    available_pipes = []
 42
 43    webdav_host = None
 44    webdav_port = None
 45
 46    ncan_target = None
 47    __rpctransport = None
 48    dce = None
 49    verbose = False
 50    debug = False
 51
 52    def __init__(self, verbose=False):
 53        super(RPCProtocol, self).__init__()
 54        self.verbose = verbose
 55
 56    def connect(self, username, password, domain, lmhash, nthash, target, dcHost, doKerberos=False, targetIp=None):
 57        self.ncan_target = r'ncacn_np:%s[%s]' % (target, self.pipe)
 58        self.__rpctransport = transport.DCERPCTransportFactory(self.ncan_target)
 59
 60        self.auth_username = username
 61        self.auth_password = password
 62        self.auth_domain = domain
 63        self.target = target
 64        self.auth_lmhash = lmhash
 65        self.auth_nthash = nthash
 66
 67        if hasattr(self.__rpctransport, 'set_credentials'):
 68            self.__rpctransport.set_credentials(
 69                username=username,
 70                password=password,
 71                domain=domain,
 72                lmhash=lmhash,
 73                nthash=nthash
 74            )
 75
 76        if doKerberos:
 77            self.__rpctransport.set_kerberos(doKerberos, kdcHost=dcHost)
 78        if targetIp is not None:
 79            self.__rpctransport.setRemoteHost(targetIp)
 80
 81        self.dce = self.__rpctransport.get_dce_rpc()
 82        if self.auth_type is not None:
 83            self.dce.set_auth_type(self.auth_type)
 84        if self.auth_level is not None:
 85            self.dce.set_auth_level(self.auth_level)
 86
 87        if self.verbose:
 88            print("         [>] Connecting to %s ... " % self.ncan_target, end="")
 89        sys.stdout.flush()
 90        try:
 91            self.dce.connect()
 92        except Exception as e:
 93            if self.verbose:
 94                print("\x1b[1;91mfail\x1b[0m")
 95                print("         [!] Something went wrong, check error status => %s" % str(e))
 96            return False
 97        else:
 98            if self.verbose:
 99                print("\x1b[1;92msuccess\x1b[0m")
100
101        if self.verbose:
102            print("         [>] Binding to <uuid='%s', version='%s'> ... " % (self.uuid, self.version), end="")
103        sys.stdout.flush()
104        try:
105            self.dce.bind(uuidtup_to_bin((self.uuid, self.version)))
106        except Exception as e:
107            if self.verbose:
108                print("\x1b[1;91mfail\x1b[0m")
109                print("         [!] Something went wrong, check error status => %s" % str(e))
110            return False
111        else:
112            if self.verbose:
113                print("\x1b[1;92msuccess\x1b[0m")
114
115        return True
116
117    @classmethod
118    def list_coerce_methods(cls):
119        return []
120
121    def perform_coerce_calls(self, listener):
122        pass
123
124    def analyze_coerce_calls(self, listener):
125        pass
class DCERPCSessionError(impacket.dcerpc.v5.rpcrt.DCERPCException):
16class DCERPCSessionError(DCERPCException):
17    def __init__(self, error_string=None, error_code=None, packet=None):
18        DCERPCException.__init__(self, error_string, error_code, packet)
19
20    def __str__(self):
21        key = self.error_code
22        if key in system_errors.ERROR_MESSAGES:
23            error_msg_short = system_errors.ERROR_MESSAGES[key][0]
24            error_msg_verbose = system_errors.ERROR_MESSAGES[key][1]
25            return '[!] SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
26        else:
27            return '[!] SessionError: unknown error code: 0x%x' % self.error_code

This is the exception every client should catch regardless of the underlying DCERPC Transport used.

DCERPCSessionError(error_string=None, error_code=None, packet=None)
17    def __init__(self, error_string=None, error_code=None, packet=None):
18        DCERPCException.__init__(self, error_string, error_code, packet)

:param string error_string: A string you want to show explaining the exception. Otherwise the default ones will be used :param integer error_code: the error_code if we're using a dictionary with error's descriptions :param NDR packet: if successfully decoded, the NDR packet of the response call. This could probably have useful information

Inherited Members
impacket.dcerpc.v5.rpcrt.DCERPCException
get_error_code
get_packet
builtins.BaseException
with_traceback
class RPCProtocol:
 30class RPCProtocol(object):
 31    """
 32    Documentation for class RPCProtocol
 33    """
 34
 35    uuid = None
 36    version = None
 37
 38    auth_type = None
 39    auth_level = None
 40    pipe = None
 41
 42    available_pipes = []
 43
 44    webdav_host = None
 45    webdav_port = None
 46
 47    ncan_target = None
 48    __rpctransport = None
 49    dce = None
 50    verbose = False
 51    debug = False
 52
 53    def __init__(self, verbose=False):
 54        super(RPCProtocol, self).__init__()
 55        self.verbose = verbose
 56
 57    def connect(self, username, password, domain, lmhash, nthash, target, dcHost, doKerberos=False, targetIp=None):
 58        self.ncan_target = r'ncacn_np:%s[%s]' % (target, self.pipe)
 59        self.__rpctransport = transport.DCERPCTransportFactory(self.ncan_target)
 60
 61        self.auth_username = username
 62        self.auth_password = password
 63        self.auth_domain = domain
 64        self.target = target
 65        self.auth_lmhash = lmhash
 66        self.auth_nthash = nthash
 67
 68        if hasattr(self.__rpctransport, 'set_credentials'):
 69            self.__rpctransport.set_credentials(
 70                username=username,
 71                password=password,
 72                domain=domain,
 73                lmhash=lmhash,
 74                nthash=nthash
 75            )
 76
 77        if doKerberos:
 78            self.__rpctransport.set_kerberos(doKerberos, kdcHost=dcHost)
 79        if targetIp is not None:
 80            self.__rpctransport.setRemoteHost(targetIp)
 81
 82        self.dce = self.__rpctransport.get_dce_rpc()
 83        if self.auth_type is not None:
 84            self.dce.set_auth_type(self.auth_type)
 85        if self.auth_level is not None:
 86            self.dce.set_auth_level(self.auth_level)
 87
 88        if self.verbose:
 89            print("         [>] Connecting to %s ... " % self.ncan_target, end="")
 90        sys.stdout.flush()
 91        try:
 92            self.dce.connect()
 93        except Exception as e:
 94            if self.verbose:
 95                print("\x1b[1;91mfail\x1b[0m")
 96                print("         [!] Something went wrong, check error status => %s" % str(e))
 97            return False
 98        else:
 99            if self.verbose:
100                print("\x1b[1;92msuccess\x1b[0m")
101
102        if self.verbose:
103            print("         [>] Binding to <uuid='%s', version='%s'> ... " % (self.uuid, self.version), end="")
104        sys.stdout.flush()
105        try:
106            self.dce.bind(uuidtup_to_bin((self.uuid, self.version)))
107        except Exception as e:
108            if self.verbose:
109                print("\x1b[1;91mfail\x1b[0m")
110                print("         [!] Something went wrong, check error status => %s" % str(e))
111            return False
112        else:
113            if self.verbose:
114                print("\x1b[1;92msuccess\x1b[0m")
115
116        return True
117
118    @classmethod
119    def list_coerce_methods(cls):
120        return []
121
122    def perform_coerce_calls(self, listener):
123        pass
124
125    def analyze_coerce_calls(self, listener):
126        pass

Documentation for class RPCProtocol

RPCProtocol(verbose=False)
53    def __init__(self, verbose=False):
54        super(RPCProtocol, self).__init__()
55        self.verbose = verbose
def connect( self, username, password, domain, lmhash, nthash, target, dcHost, doKerberos=False, targetIp=None):
 57    def connect(self, username, password, domain, lmhash, nthash, target, dcHost, doKerberos=False, targetIp=None):
 58        self.ncan_target = r'ncacn_np:%s[%s]' % (target, self.pipe)
 59        self.__rpctransport = transport.DCERPCTransportFactory(self.ncan_target)
 60
 61        self.auth_username = username
 62        self.auth_password = password
 63        self.auth_domain = domain
 64        self.target = target
 65        self.auth_lmhash = lmhash
 66        self.auth_nthash = nthash
 67
 68        if hasattr(self.__rpctransport, 'set_credentials'):
 69            self.__rpctransport.set_credentials(
 70                username=username,
 71                password=password,
 72                domain=domain,
 73                lmhash=lmhash,
 74                nthash=nthash
 75            )
 76
 77        if doKerberos:
 78            self.__rpctransport.set_kerberos(doKerberos, kdcHost=dcHost)
 79        if targetIp is not None:
 80            self.__rpctransport.setRemoteHost(targetIp)
 81
 82        self.dce = self.__rpctransport.get_dce_rpc()
 83        if self.auth_type is not None:
 84            self.dce.set_auth_type(self.auth_type)
 85        if self.auth_level is not None:
 86            self.dce.set_auth_level(self.auth_level)
 87
 88        if self.verbose:
 89            print("         [>] Connecting to %s ... " % self.ncan_target, end="")
 90        sys.stdout.flush()
 91        try:
 92            self.dce.connect()
 93        except Exception as e:
 94            if self.verbose:
 95                print("\x1b[1;91mfail\x1b[0m")
 96                print("         [!] Something went wrong, check error status => %s" % str(e))
 97            return False
 98        else:
 99            if self.verbose:
100                print("\x1b[1;92msuccess\x1b[0m")
101
102        if self.verbose:
103            print("         [>] Binding to <uuid='%s', version='%s'> ... " % (self.uuid, self.version), end="")
104        sys.stdout.flush()
105        try:
106            self.dce.bind(uuidtup_to_bin((self.uuid, self.version)))
107        except Exception as e:
108            if self.verbose:
109                print("\x1b[1;91mfail\x1b[0m")
110                print("         [!] Something went wrong, check error status => %s" % str(e))
111            return False
112        else:
113            if self.verbose:
114                print("\x1b[1;92msuccess\x1b[0m")
115
116        return True
@classmethod
def list_coerce_methods(cls):
118    @classmethod
119    def list_coerce_methods(cls):
120        return []
def perform_coerce_calls(self, listener):
122    def perform_coerce_calls(self, listener):
123        pass
def analyze_coerce_calls(self, listener):
125    def analyze_coerce_calls(self, listener):
126        pass