From 0500b6a7559c4950a1f9947e0a821d3c791f057e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9as=20Leroux?= <aleroux@tranquil.it>
Date: Tue, 19 Nov 2024 08:55:49 +0100
Subject: [PATCH] Handle no more entries response from ept_lookup rpc call

---
 impacket/dcerpc/v5/epm.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/impacket/dcerpc/v5/epm.py b/impacket/dcerpc/v5/epm.py
index bc0f7fcb7..cacedb094 100644
--- a/impacket/dcerpc/v5/epm.py
+++ b/impacket/dcerpc/v5/epm.py
@@ -1233,7 +1233,13 @@ def hept_lookup(destHost, inquiry_type = RPC_C_EP_ALL_ELTS, objectUUID = NULL, i
         request['entry_handle'] = entry_handle
         request['max_ents'] = 500
 
-        resp = dce.request(request)
+        try:
+            resp = dce.request(request)
+        except DCERPCException as e:
+            # [MS-RPCE]: Section 2.2.1.2.4 specify ept_lookup should return 0x16C9A0D6 when no more entries
+            if e.error_code == 0x16c9a0d6:
+                break
+            raise e
 
         for i in range(resp['num_ents']):
             tmpEntry = {}
@@ -1244,6 +1250,7 @@ def hept_lookup(destHost, inquiry_type = RPC_C_EP_ALL_ELTS, objectUUID = NULL, i
             entries.append(tmpEntry)
 
         entry_handle = resp['entry_handle']
+        # However MSAD implementation seems to never return 0x16C9A0D6 but instead return an empty handle to notify end of elements
         if entry_handle.isNull():
             break