Hello there,
This PR implements the relaying-to-RPC attack, which currently allows RCE on any MS Exchange server via the Exchange Trusted Subsystem group (Exchange servers have Administrator rights to each other via this or a similar group) and printerbug.py.
Queries for BloodHound to locate exploitation chains
Those queries show all machines that have Administrator rights to other machines.
Usage Option 1
Relaying incoming connections to RPC over TCP/IP endpoints (also known as ncacn_ip_tcp endpoints):
It requires port 135/tcp and the dynamic high MSRPC TCP port of the TSCH service to be available on the target host.
Usage Option 2
Relaying incoming connections to RPC over SMB endpoints (also known as ncacn_np endpoints or the IPC$ share):
It requires only port 445/tcp (or 139/tcp) to be available on the target host, and the connection will be encrypted if SMB3 is used. A low-privilege account is needed.
Description
My original complete patch: https://gist.github.com/mohemiv/ab542e4ff5d8fedda790e35326705bad
MD5SUM from May 2, 2020: https://twitter.com/_mohemiv/status/1256636651780087809
This is the same attack that Compass Security has published (https://twitter.com/compasssecurity/status/1260898906629529602), but it was discovered before the Compass Security publication, so I am just sharing my PoC because no other PoCs have been released.
This PoC was also sent to MS including an example of relaying to DCOM MMC20 object.
For @CompassSecurity, it will be interesting to see your RPC Server and ways to get an incoming RPC connection 😎
June update
Relaying to DCOM activation service is patched.
If you are reading this and are interested in finding new MSRPC endpoints to attack, check out the new rpcmap.py tool with the -auth-level 2 flag: the endpoints available that way should be vulnerable to the RPC relaying attack.
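The PR description says it ships BloodHound queries that show machines holding Administrator rights on other machines, but the queries themselves are not reproduced here. The following is an added audit example, not the PR's own queries: it lists Computer-to-Computer admin paths in a BloodHound (Neo4j) database, directly and through group membership (the Exchange Trusted Subsystem pattern), so a defender can find and break those paths before an incoming connection can be relayed. Edge and label names are the standard BloodHound ones; no site-specific names are assumed.

```cypher
// Query 1: computers that hold local Administrator rights directly on other computers.
MATCH p = (src:Computer)-[:AdminTo]->(dst:Computer)
RETURN src.name AS source, dst.name AS target, 'direct' AS via

// Query 2: the same right granted through one or more group memberships,
// e.g. Exchange servers in "Exchange Trusted Subsystem" that are admins of each other.
// Run each query separately in the Neo4j browser or BloodHound's raw-query box.
MATCH p = (src:Computer)-[:MemberOf*1..]->(g:Group)-[:AdminTo]->(dst:Computer)
WHERE src <> dst
RETURN src.name AS source, g.name AS via_group, dst.name AS target
```

Every row returned is a machine account whose NTLM authentication, if coerced and relayed, lands with Administrator rights on the target; removing the machine from the group or restricting the group's local admin rights closes that chain.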