Python impacket.uuid.string_to_bin() Examples
The following are 27
code examples of impacket.uuid.string_to_bin().
Example #1
Source File: ldapattack.py From CVE-2019-1040 with MIT License | 6 votes |
def create_object_ace(privguid, sid):
    """Build an ACCESS_ALLOWED_OBJECT_ACE granting one control-access right.

    privguid is the string GUID stored (via string_to_bin) in the ACE's
    ObjectType field; sid is the trustee's SID in canonical string form.
    Returns the populated ldaptypes.ACE. Nothing is written to a directory
    here; the caller decides where the ACE goes.
    """
    # NOTE(review): an ACE like this is meant to be added to an object's
    # DACL by the caller; defenders see that step as a security-descriptor
    # change on the object, so auditing of such changes is the relevant
    # control.
    ace = ldaptypes.ACE()
    object_ace_cls = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE
    ace['AceType'] = object_ace_cls.ACE_TYPE
    ace['AceFlags'] = 0x00

    body = object_ace_cls()
    body['Mask'] = ldaptypes.ACCESS_MASK()
    body['Mask']['Mask'] = object_ace_cls.ADS_RIGHT_DS_CONTROL_ACCESS
    body['ObjectType'] = string_to_bin(privguid)
    body['InheritedObjectType'] = b''
    body['Sid'] = ldaptypes.LDAP_SID()
    body['Sid'].fromCanonical(sid)
    # Round-trip check of the parsed SID; as an assert it is skipped under -O.
    assert sid == body['Sid'].formatCanonical()
    # Flag only the ObjectType GUID as present; InheritedObjectType is empty.
    body['Flags'] = object_ace_cls.ACE_OBJECT_TYPE_PRESENT

    ace['Ace'] = body
    return ace
Example #2
Source File: ldapattack.py From Slackor with GNU General Public License v3.0 | 6 votes |
def create_object_ace(privguid, sid):
    """Return an allow-type object ACE for the control-access right privguid.

    privguid is a GUID string converted with string_to_bin and placed in
    ObjectType; sid is the canonical string SID the ACE applies to. The
    function only constructs the ldaptypes.ACE and returns it.
    """
    # NOTE(review): applying the returned ACE to a directory object is a
    # DACL modification, which is what defenders should audit for.
    entry = ldaptypes.ACE()
    allowed_object = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE
    entry['AceType'] = allowed_object.ACE_TYPE
    entry['AceFlags'] = 0x00

    payload = allowed_object()
    payload['Mask'] = ldaptypes.ACCESS_MASK()
    payload['Mask']['Mask'] = allowed_object.ADS_RIGHT_DS_CONTROL_ACCESS
    payload['ObjectType'] = string_to_bin(privguid)
    payload['InheritedObjectType'] = b''
    payload['Sid'] = ldaptypes.LDAP_SID()
    payload['Sid'].fromCanonical(sid)
    # Sanity check that the SID survived parsing; not enforced under -O.
    assert sid == payload['Sid'].formatCanonical()
    payload['Flags'] = allowed_object.ACE_OBJECT_TYPE_PRESENT

    entry['Ace'] = payload
    return entry
Example #3
Source File: ldapattack.py From Exchange2domain with MIT License | 6 votes |
def create_object_ace(privguid, sid):
    """Build an ACCESS_ALLOWED_OBJECT_ACE granting one control-access right.

    privguid is the GUID string stored (via string_to_bin) in ObjectType;
    sid is the trustee's canonical string SID. Returns the populated
    ldaptypes.ACE without applying it anywhere.
    """
    # NOTE(review): unlike some other copies of this helper, the parsed SID
    # is not compared with the input afterwards, so a malformed sid is only
    # caught if fromCanonical() itself rejects it.
    ace = ldaptypes.ACE()
    object_ace_cls = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE
    ace['AceType'] = object_ace_cls.ACE_TYPE
    ace['AceFlags'] = 0x00

    body = object_ace_cls()
    body['Mask'] = ldaptypes.ACCESS_MASK()
    body['Mask']['Mask'] = object_ace_cls.ADS_RIGHT_DS_CONTROL_ACCESS
    body['ObjectType'] = string_to_bin(privguid)
    # Text-type empty string here (a bytes value only on Python 2).
    body['InheritedObjectType'] = ''
    body['Sid'] = ldaptypes.LDAP_SID()
    body['Sid'].fromCanonical(sid)
    # Only the ObjectType GUID is flagged as present.
    body['Flags'] = object_ace_cls.ACE_OBJECT_TYPE_PRESENT

    ace['Ace'] = body
    return ace
Example #4
Source File: exploitation.py From aclpwn.py with MIT License | 6 votes |
def create_object_ace(privguid, sid, accesstype):
    """Build an ACCESS_ALLOWED_OBJECT_ACE with a caller-chosen access mask.

    privguid is the GUID string stored (via string_to_bin) in ObjectType,
    sid the trustee's canonical string SID, and accesstype the value written
    to the ACE's access mask. Returns the populated ldaptypes.ACE; applying
    it is left to the caller.
    """
    # NOTE(review): accesstype is written to the mask unvalidated, so the
    # rights this ACE grants are entirely the caller's choice.
    ace = ldaptypes.ACE()
    object_ace_cls = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE
    ace['AceType'] = object_ace_cls.ACE_TYPE
    ace['AceFlags'] = 0x00

    body = object_ace_cls()
    body['Mask'] = ldaptypes.ACCESS_MASK()
    body['Mask']['Mask'] = accesstype
    body['ObjectType'] = string_to_bin(privguid)
    body['InheritedObjectType'] = b''
    body['Sid'] = ldaptypes.LDAP_SID()
    body['Sid'].fromCanonical(sid)
    # Only the ObjectType GUID is flagged as present.
    body['Flags'] = object_ace_cls.ACE_OBJECT_TYPE_PRESENT

    ace['Ace'] = body
    return ace
Example #5
Source File: test_epm.py From PiBunny with MIT License | 5 votes |
def test_map(self):
    # Hand-assembles a five-floor EPM tower, wraps it in an ept_map request,
    # sends it over the connection from self.connect() and dumps the reply.
    # Written for Python 2: str literals and str(tower) act as byte strings.
    dce, _transport = self.connect()
    # Raw tower bytes kept alongside the test; never read in this method.
    tower2 = '\x04\x00\x13\x00\r\xac\xbe\x00\xc1:\xd3KJ\xbf#\xbb\xefFc\xd0\x17\x01\x00\x02\x00\x00\x00\x13\x00\r\x04]\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00+\x10H`\x02\x00\x02\x00\x00\x00\x01\x00\x0c\x02\x00\x00\x00\x01\x00\x10\x18\x00LRPC-26b184043749be8892\x00'
    ept_tower = epm.EPMTower()

    # Interface floor: UUID plus major/minor version.
    iface_floor = epm.EPMRPCInterface()
    iface_floor['InterfaceUUID'] = string_to_bin('12345778-1234-ABCD-EF00-0123456789AC')
    iface_floor['MajorVersion'] = 1
    iface_floor['MinorVersion'] = 0

    # Data-representation floor: UUID plus major/minor version.
    data_rep_floor = epm.EPMRPCDataRepresentation()
    data_rep_floor['DataRepUuid'] = string_to_bin('8a885d04-1ceb-11c9-9fe8-08002b104860')
    data_rep_floor['MajorVersion'] = 2
    data_rep_floor['MinorVersion'] = 0

    proto_floor = epm.EPMProtocolIdentifier()
    proto_floor['ProtIdentifier'] = 0xb

    # Pipe-name floor is populated but not included in the floors below.
    pipe_floor = epm.EPMPipeName()
    pipe_floor['PipeName'] = '\x00'

    port_floor = epm.EPMPortAddr()
    port_floor['IpPort'] = 0

    host_floor = epm.EPMHostAddr()
    import socket
    host_floor['Ip4addr'] = socket.inet_aton('0.0.0.0')

    # Host-name floor is likewise populated but unused.
    name_floor = epm.EPMHostName()
    name_floor['HostName'] = '\x00'

    ept_tower['NumberOfFloors'] = 5
    # Floors are concatenated in order: interface, data representation,
    # protocol identifier, port, host address.
    floors = iface_floor.getData()
    floors += data_rep_floor.getData()
    floors += proto_floor.getData()
    floors += port_floor.getData()
    floors += host_floor.getData()
    ept_tower['Floors'] = floors

    map_request = epm.ept_map()
    map_request['max_towers'] = 4
    map_request['map_tower']['tower_length'] = len(ept_tower)
    map_request['map_tower']['tower_octet_string'] = str(ept_tower)

    reply = dce.request(map_request)
    reply.dump()
Example #6
Source File: test_dcomrt.py From PiBunny with MIT License | 5 votes |
def tes_ie(self):
    # Python 2 code (print statements). The 'tes_' prefix does not match
    # unittest's default 'test' method prefix, so the default loader will not
    # collect this method.
    # Activates a COM class over DCOM, wraps the returned interface as
    # ie.IWebBrowser and prints the documentation name of each function the
    # type info reports.
    # NOTE(review): block structure was reconstructed from a single-line
    # listing; the loop is taken to end before the "ACA" print.
    dce, rpctransport = self.connect()
    scm = dcomrt.IRemoteSCMActivator(dce)

    #iInterface = scm.RemoteCreateInstance(string_to_bin('0002DF01-0000-0000-C000-000000000046'),ie.IID_WebBrowser)
    iInterface = scm.RemoteCreateInstance(string_to_bin('72C24DD5-D70A-438B-8A42-98424B88AFB8'),dcomrt.IID_IRemUnknown)

    iDispatch = ie.IWebBrowser(iInterface)
    resp = iDispatch.GetIDsOfNames(('Navigate',))
    print resp
    #sys.exit(1)
    iTypeInfo = iDispatch.GetTypeInfo()
    resp = iTypeInfo.GetTypeAttr()
    #resp.dump()
    # cFuncs from the type attributes bounds the function-description index.
    for i in range(0,resp['ppTypeAttr']['cFuncs']):
        resp = iTypeInfo.GetFuncDesc(i)
        #resp.dump()
        #resp2 = iTypeInfo.GetNames(resp['ppFuncDesc']['memid'])
        #print resp2['rgBstrNames'][0]['asData']
        # resp is reused: the function description's memid keys the
        # documentation lookup.
        resp = iTypeInfo.GetDocumentation(resp['ppFuncDesc']['memid'])
        print resp['pBstrName']['asData']
    #iEventSystem.get_EventObjectChangeEventClassID()
    print "ACA"
    # Release both remote references before leaving.
    iTypeInfo.RemRelease()
    iDispatch.RemRelease()

    # Unconditional exit with status 1: nothing after this method would run
    # in the same process.
    sys.exit(1)
Example #7
Source File: test_dcomrt.py From PiBunny with MIT License | 5 votes |
def tes_oaut(self):
    # The 'tes_' prefix does not match unittest's default 'test' method
    # prefix, so the default loader will not collect this method.
    # Activates a COM class over DCOM requesting IDispatch, dumps the
    # type-info count and then fetches the type attributes.
    dce, _transport = self.connect()
    iid_dispatch = string_to_bin('00020400-0000-0000-C000-000000000046')
    # Converted but never used below.
    iid_type_info = string_to_bin('00020401-0000-0000-C000-000000000046')

    activator = dcomrt.IRemoteSCMActivator(dce)
    remote_iface = activator.RemoteCreateInstance(
        string_to_bin('4E14FBA2-2E22-11D1-9964-00C04FBBB345'),
        iid_dispatch,
    )
    dispatch = oaut.IDispatch(remote_iface)

    count_resp = dispatch.GetTypeInfoCount()
    count_resp.dump()

    type_info = dispatch.GetTypeInfo()
    type_info.GetTypeAttr()
Example #8
Source File: restore.py From CVE-2019-1040 with MIT License | 5 votes |
def dacl_remove_ace(secdesc, guid, usersid, accesstype):
    """Remove the first matching allow-object ACE from secdesc's DACL.

    An ACE matches when its type is ACCESS_ALLOWED_OBJECT_ACE, its SID
    formats to usersid, its ObjectType equals the binary form of guid and
    its mask equals accesstype. The DACL's ace list is modified in place.
    Returns True if an ACE was removed, False if none matched.
    """
    wanted_guid = string_to_bin(guid)
    match = None
    for candidate in secdesc['Dacl'].aces:
        body = candidate['Ace']
        # The SID is formatted before the type check, as in the original.
        canonical_sid = body['Sid'].formatCanonical()
        # All four properties must agree; the first mismatch skips the ACE.
        if (candidate['AceType'] != ACCESS_ALLOWED_OBJECT_ACE.ACE_TYPE
                or canonical_sid != usersid
                or body['ObjectType'] != wanted_guid
                or body['Mask']['Mask'] != accesstype):
            continue
        match = candidate
        break

    if not match:
        return False
    # Only the first match is removed; the caller must write secdesc back
    # for the change to take effect anywhere.
    secdesc['Dacl'].aces.remove(match)
    return True
Example #9
Source File: test_epm.py From Slackor with GNU General Public License v3.0 | 5 votes |
def test_map(self):
    # Hand-assembles a five-floor EPM tower, wraps it in an ept_map request,
    # sends it over the connection from self.connect() and dumps the reply.
    dce, _transport = self.connect()
    ept_tower = epm.EPMTower()

    # Interface floor: UUID plus major/minor version.
    iface_floor = epm.EPMRPCInterface()
    iface_floor['InterfaceUUID'] = string_to_bin('12345778-1234-ABCD-EF00-0123456789AC')
    iface_floor['MajorVersion'] = 1
    iface_floor['MinorVersion'] = 0

    # Data-representation floor: UUID plus major/minor version.
    data_rep_floor = epm.EPMRPCDataRepresentation()
    data_rep_floor['DataRepUuid'] = string_to_bin('8a885d04-1ceb-11c9-9fe8-08002b104860')
    data_rep_floor['MajorVersion'] = 2
    data_rep_floor['MinorVersion'] = 0

    proto_floor = epm.EPMProtocolIdentifier()
    proto_floor['ProtIdentifier'] = 0xb

    # Pipe-name floor is populated but not included in the floors below.
    pipe_floor = epm.EPMPipeName()
    pipe_floor['PipeName'] = b'\x00'

    port_floor = epm.EPMPortAddr()
    port_floor['IpPort'] = 0

    host_floor = epm.EPMHostAddr()
    import socket
    host_floor['Ip4addr'] = socket.inet_aton('0.0.0.0')

    # Host-name floor is likewise populated but unused.
    name_floor = epm.EPMHostName()
    name_floor['HostName'] = b'\x00'

    ept_tower['NumberOfFloors'] = 5
    # Floors are concatenated in order: interface, data representation,
    # protocol identifier, port, host address.
    floors = iface_floor.getData()
    floors += data_rep_floor.getData()
    floors += proto_floor.getData()
    floors += port_floor.getData()
    floors += host_floor.getData()
    ept_tower['Floors'] = floors

    map_request = epm.ept_map()
    map_request['max_towers'] = 4
    map_request['map_tower']['tower_length'] = len(ept_tower)
    map_request['map_tower']['tower_octet_string'] = ept_tower.getData()

    reply = dce.request(map_request)
    reply.dump()
Example #10
Source File: test_dcomrt.py From Slackor with GNU General Public License v3.0 | 5 votes |
def tes_oaut(self):
    # The 'tes_' prefix does not match unittest's default 'test' method
    # prefix, so the default loader will not collect this method.
    # Activates a COM class over DCOM requesting IDispatch, dumps the
    # type-info count and then fetches the type attributes.
    dce, _transport = self.connect()
    iid_dispatch = string_to_bin('00020400-0000-0000-C000-000000000046')

    activator = dcomrt.IRemoteSCMActivator(dce)
    remote_iface = activator.RemoteCreateInstance(
        string_to_bin('4E14FBA2-2E22-11D1-9964-00C04FBBB345'),
        iid_dispatch,
    )
    dispatch = oaut.IDispatch(remote_iface)

    count_resp = dispatch.GetTypeInfoCount()
    count_resp.dump()

    type_info = dispatch.GetTypeInfo()
    type_info.GetTypeAttr()
Example #11
Source File: restore.py From aclpwn.py with MIT License | 5 votes |
def dacl_remove_ace(secdesc, guid, usersid, accesstype):
    """Delete one allow-object ACE from the DACL held in secdesc.

    The ACE to delete is the first whose type is ACCESS_ALLOWED_OBJECT_ACE,
    whose SID formats to usersid, whose ObjectType equals string_to_bin(guid)
    and whose mask equals accesstype. The ace list is edited in place.
    Returns True when an ACE was deleted and False otherwise.
    """
    target_guid = string_to_bin(guid)
    found = None
    for entry in secdesc['Dacl'].aces:
        inner = entry['Ace']
        # SID formatting happens before the type check, as in the original.
        entry_sid = inner['Sid'].formatCanonical()
        # Type, trustee, property GUID and mask must all agree.
        if (entry['AceType'] != ACCESS_ALLOWED_OBJECT_ACE.ACE_TYPE
                or entry_sid != usersid
                or inner['ObjectType'] != target_guid
                or inner['Mask']['Mask'] != accesstype):
            continue
        found = entry
        break

    if not found:
        return False
    # Later duplicates, if any, are left alone; persisting the edited
    # descriptor is up to the caller.
    secdesc['Dacl'].aces.remove(found)
    return True
Example #12
Source File: test_epm.py From cracke-dit with MIT License | 5 votes |
def test_map(self):
    # Hand-assembles a five-floor EPM tower, wraps it in an ept_map request,
    # sends it over the connection from self.connect() and dumps the reply.
    # Written for Python 2: str literals and str(tower) act as byte strings.
    dce, _transport = self.connect()
    # Raw tower bytes kept alongside the test; never read in this method.
    tower2 = '\x04\x00\x13\x00\r\xac\xbe\x00\xc1:\xd3KJ\xbf#\xbb\xefFc\xd0\x17\x01\x00\x02\x00\x00\x00\x13\x00\r\x04]\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00+\x10H`\x02\x00\x02\x00\x00\x00\x01\x00\x0c\x02\x00\x00\x00\x01\x00\x10\x18\x00LRPC-26b184043749be8892\x00'
    ept_tower = epm.EPMTower()

    # Interface floor: UUID plus major/minor version.
    iface_floor = epm.EPMRPCInterface()
    iface_floor['InterfaceUUID'] = string_to_bin('12345778-1234-ABCD-EF00-0123456789AC')
    iface_floor['MajorVersion'] = 1
    iface_floor['MinorVersion'] = 0

    # Data-representation floor: UUID plus major/minor version.
    data_rep_floor = epm.EPMRPCDataRepresentation()
    data_rep_floor['DataRepUuid'] = string_to_bin('8a885d04-1ceb-11c9-9fe8-08002b104860')
    data_rep_floor['MajorVersion'] = 2
    data_rep_floor['MinorVersion'] = 0

    proto_floor = epm.EPMProtocolIdentifier()
    proto_floor['ProtIdentifier'] = 0xb

    # Pipe-name floor is populated but not included in the floors below.
    pipe_floor = epm.EPMPipeName()
    pipe_floor['PipeName'] = '\x00'

    port_floor = epm.EPMPortAddr()
    port_floor['IpPort'] = 0

    host_floor = epm.EPMHostAddr()
    import socket
    host_floor['Ip4addr'] = socket.inet_aton('0.0.0.0')

    # Host-name floor is likewise populated but unused.
    name_floor = epm.EPMHostName()
    name_floor['HostName'] = '\x00'

    ept_tower['NumberOfFloors'] = 5
    # Floors are concatenated in order: interface, data representation,
    # protocol identifier, port, host address.
    floors = iface_floor.getData()
    floors += data_rep_floor.getData()
    floors += proto_floor.getData()
    floors += port_floor.getData()
    floors += host_floor.getData()
    ept_tower['Floors'] = floors

    map_request = epm.ept_map()
    map_request['max_towers'] = 4
    map_request['map_tower']['tower_length'] = len(ept_tower)
    map_request['map_tower']['tower_octet_string'] = str(ept_tower)

    reply = dce.request(map_request)
    reply.dump()
Example #13
Source File: test_dcomrt.py From cracke-dit with MIT License | 5 votes |
def tes_ie(self):
    # Python 2 code (print statements). The 'tes_' prefix does not match
    # unittest's default 'test' method prefix, so the default loader will not
    # collect this method.
    # Activates a COM class over DCOM, wraps the returned interface as
    # ie.IWebBrowser and prints the documentation name of each function the
    # type info reports.
    # NOTE(review): block structure was reconstructed from a single-line
    # listing; the loop is taken to end before the "ACA" print.
    dce, rpctransport = self.connect()
    scm = dcomrt.IRemoteSCMActivator(dce)

    #iInterface = scm.RemoteCreateInstance(string_to_bin('0002DF01-0000-0000-C000-000000000046'),ie.IID_WebBrowser)
    iInterface = scm.RemoteCreateInstance(string_to_bin('72C24DD5-D70A-438B-8A42-98424B88AFB8'),dcomrt.IID_IRemUnknown)

    iDispatch = ie.IWebBrowser(iInterface)
    resp = iDispatch.GetIDsOfNames(('Navigate',))
    print resp
    #sys.exit(1)
    iTypeInfo = iDispatch.GetTypeInfo()
    resp = iTypeInfo.GetTypeAttr()
    #resp.dump()
    # cFuncs from the type attributes bounds the function-description index.
    for i in range(0,resp['ppTypeAttr']['cFuncs']):
        resp = iTypeInfo.GetFuncDesc(i)
        #resp.dump()
        #resp2 = iTypeInfo.GetNames(resp['ppFuncDesc']['memid'])
        #print resp2['rgBstrNames'][0]['asData']
        # resp is reused: the function description's memid keys the
        # documentation lookup.
        resp = iTypeInfo.GetDocumentation(resp['ppFuncDesc']['memid'])
        print resp['pBstrName']['asData']
    #iEventSystem.get_EventObjectChangeEventClassID()
    print "ACA"
    # Release both remote references before leaving.
    iTypeInfo.RemRelease()
    iDispatch.RemRelease()

    # Unconditional exit with status 1: nothing after this method would run
    # in the same process.
    sys.exit(1)
Example #14
Source File: test_dcomrt.py From cracke-dit with MIT License | 5 votes |
def tes_oaut(self):
    # The 'tes_' prefix does not match unittest's default 'test' method
    # prefix, so the default loader will not collect this method.
    # Activates a COM class over DCOM requesting IDispatch, dumps the
    # type-info count and then fetches the type attributes.
    dce, _transport = self.connect()
    iid_dispatch = string_to_bin('00020400-0000-0000-C000-000000000046')
    # Converted but never used below.
    iid_type_info = string_to_bin('00020401-0000-0000-C000-000000000046')

    activator = dcomrt.IRemoteSCMActivator(dce)
    remote_iface = activator.RemoteCreateInstance(
        string_to_bin('4E14FBA2-2E22-11D1-9964-00C04FBBB345'),
        iid_dispatch,
    )
    dispatch = oaut.IDispatch(remote_iface)

    count_resp = dispatch.GetTypeInfoCount()
    count_resp.dump()

    type_info = dispatch.GetTypeInfo()
    type_info.GetTypeAttr()
Example #15
Source File: test_epm.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
def test_map(self):
    # Hand-assembles a five-floor EPM tower, wraps it in an ept_map request,
    # sends it over the connection from self.connect() and dumps the reply.
    # Written for Python 2: str literals and str(tower) act as byte strings.
    dce, _transport = self.connect()
    # Raw tower bytes kept alongside the test; never read in this method.
    tower2 = '\x04\x00\x13\x00\r\xac\xbe\x00\xc1:\xd3KJ\xbf#\xbb\xefFc\xd0\x17\x01\x00\x02\x00\x00\x00\x13\x00\r\x04]\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00+\x10H`\x02\x00\x02\x00\x00\x00\x01\x00\x0c\x02\x00\x00\x00\x01\x00\x10\x18\x00LRPC-26b184043749be8892\x00'
    ept_tower = epm.EPMTower()

    # Interface floor: UUID plus major/minor version.
    iface_floor = epm.EPMRPCInterface()
    iface_floor['InterfaceUUID'] = string_to_bin('12345778-1234-ABCD-EF00-0123456789AC')
    iface_floor['MajorVersion'] = 1
    iface_floor['MinorVersion'] = 0

    # Data-representation floor: UUID plus major/minor version.
    data_rep_floor = epm.EPMRPCDataRepresentation()
    data_rep_floor['DataRepUuid'] = string_to_bin('8a885d04-1ceb-11c9-9fe8-08002b104860')
    data_rep_floor['MajorVersion'] = 2
    data_rep_floor['MinorVersion'] = 0

    proto_floor = epm.EPMProtocolIdentifier()
    proto_floor['ProtIdentifier'] = 0xb

    # Pipe-name floor is populated but not included in the floors below.
    pipe_floor = epm.EPMPipeName()
    pipe_floor['PipeName'] = '\x00'

    port_floor = epm.EPMPortAddr()
    port_floor['IpPort'] = 0

    host_floor = epm.EPMHostAddr()
    import socket
    host_floor['Ip4addr'] = socket.inet_aton('0.0.0.0')

    # Host-name floor is likewise populated but unused.
    name_floor = epm.EPMHostName()
    name_floor['HostName'] = '\x00'

    ept_tower['NumberOfFloors'] = 5
    # Floors are concatenated in order: interface, data representation,
    # protocol identifier, port, host address.
    floors = iface_floor.getData()
    floors += data_rep_floor.getData()
    floors += proto_floor.getData()
    floors += port_floor.getData()
    floors += host_floor.getData()
    ept_tower['Floors'] = floors

    map_request = epm.ept_map()
    map_request['max_towers'] = 4
    map_request['map_tower']['tower_length'] = len(ept_tower)
    map_request['map_tower']['tower_octet_string'] = str(ept_tower)

    reply = dce.request(map_request)
    reply.dump()
Example #16
Source File: test_dcomrt.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
def tes_ie(self):
    # Python 2 code (print statements). The 'tes_' prefix does not match
    # unittest's default 'test' method prefix, so the default loader will not
    # collect this method.
    # Activates a COM class over DCOM, wraps the returned interface as
    # ie.IWebBrowser and prints the documentation name of each function the
    # type info reports.
    # NOTE(review): block structure was reconstructed from a single-line
    # listing; the loop is taken to end before the "ACA" print.
    dce, rpctransport = self.connect()
    scm = dcomrt.IRemoteSCMActivator(dce)

    #iInterface = scm.RemoteCreateInstance(string_to_bin('0002DF01-0000-0000-C000-000000000046'),ie.IID_WebBrowser)
    iInterface = scm.RemoteCreateInstance(string_to_bin('72C24DD5-D70A-438B-8A42-98424B88AFB8'),dcomrt.IID_IRemUnknown)

    iDispatch = ie.IWebBrowser(iInterface)
    resp = iDispatch.GetIDsOfNames(('Navigate',))
    print resp
    #sys.exit(1)
    iTypeInfo = iDispatch.GetTypeInfo()
    resp = iTypeInfo.GetTypeAttr()
    #resp.dump()
    # cFuncs from the type attributes bounds the function-description index.
    for i in range(0,resp['ppTypeAttr']['cFuncs']):
        resp = iTypeInfo.GetFuncDesc(i)
        #resp.dump()
        #resp2 = iTypeInfo.GetNames(resp['ppFuncDesc']['memid'])
        #print resp2['rgBstrNames'][0]['asData']
        # resp is reused: the function description's memid keys the
        # documentation lookup.
        resp = iTypeInfo.GetDocumentation(resp['ppFuncDesc']['memid'])
        print resp['pBstrName']['asData']
    #iEventSystem.get_EventObjectChangeEventClassID()
    print "ACA"
    # Release both remote references before leaving.
    iTypeInfo.RemRelease()
    iDispatch.RemRelease()

    # Unconditional exit with status 1: nothing after this method would run
    # in the same process.
    sys.exit(1)
Example #17
Source File: test_dcomrt.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
def tes_oaut(self):
    # The 'tes_' prefix does not match unittest's default 'test' method
    # prefix, so the default loader will not collect this method.
    # Activates a COM class over DCOM requesting IDispatch, dumps the
    # type-info count and then fetches the type attributes.
    dce, _transport = self.connect()
    iid_dispatch = string_to_bin('00020400-0000-0000-C000-000000000046')
    # Converted but never used below.
    iid_type_info = string_to_bin('00020401-0000-0000-C000-000000000046')

    activator = dcomrt.IRemoteSCMActivator(dce)
    remote_iface = activator.RemoteCreateInstance(
        string_to_bin('4E14FBA2-2E22-11D1-9964-00C04FBBB345'),
        iid_dispatch,
    )
    dispatch = oaut.IDispatch(remote_iface)

    count_resp = dispatch.GetTypeInfoCount()
    count_resp.dump()

    type_info = dispatch.GetTypeInfo()
    type_info.GetTypeAttr()
Example #18
Source File: dump.py From Exchange2domain with MIT License | 4 votes |
def DRSGetNCChanges(self, userEntry):
    """Build and send a version-8 DRSGetNCChanges request for a single object.

    userEntry is sliced with [1:-1] before conversion by string_to_bin, so it
    is presumably a GUID string wrapped in one leading and one trailing
    character (e.g. braces) -- TODO confirm against callers.
    Returns whatever self.__drsr.request() returns.
    """
    # NOTE(review): this is a directory replication request; judging by the
    # NTDSHashes attribute table it is used to retrieve credential material.
    # For defenders, GetNCChanges traffic from a host that is not a domain
    # controller is the signal to alert on.
    # Connect on first use: __connectDrds() runs only while __drsr is None.
    if self.__drsr is None:
        self.__connectDrds()

    LOG.debug('Calling DRSGetNCChanges for %s ' % userEntry)
    request = drsuapi.DRSGetNCChanges()
    request['hDrs'] = self.__hDrs
    # dwInVersion and the pmsgIn tag are both 8, selecting the V8 message.
    request['dwInVersion'] = 8

    request['pmsgIn']['tag'] = 8
    # The same DSA object GUID is used for destination and source.
    request['pmsgIn']['V8']['uuidDsaObjDest'] = self.__NtdsDsaObjectGuid
    request['pmsgIn']['V8']['uuidInvocIdSrc'] = self.__NtdsDsaObjectGuid

    # Name the target by GUID only: zero-length SID, single-NUL string name.
    dsName = drsuapi.DSNAME()
    dsName['SidLen'] = 0
    dsName['Guid'] = string_to_bin(userEntry[1:-1])
    dsName['Sid'] = ''
    dsName['NameLen'] = 0
    dsName['StringName'] = ('\x00')

    # Computed last so the length covers the fields set above.
    dsName['structLen'] = len(dsName.getData())

    request['pmsgIn']['V8']['pNC'] = dsName

    # Both USN watermarks are zero and no up-to-dateness vector is supplied.
    request['pmsgIn']['V8']['usnvecFrom']['usnHighObjUpdate'] = 0
    request['pmsgIn']['V8']['usnvecFrom']['usnHighPropUpdate'] = 0

    request['pmsgIn']['V8']['pUpToDateVecDest'] = NULL

    request['pmsgIn']['V8']['ulFlags'] = drsuapi.DRS_INIT_SYNC | drsuapi.DRS_WRIT_REP
    # At most one object, requested through the EXOP_REPL_OBJ operation.
    request['pmsgIn']['V8']['cMaxObjects'] = 1
    request['pmsgIn']['V8']['cMaxBytes'] = 0
    request['pmsgIn']['V8']['ulExtendedOp'] = drsuapi.EXOP_REPL_OBJ
    # The partial attribute set and prefix table are built on the first call
    # and kept on the instance for later calls.
    if self.__ppartialAttrSet is None:
        self.__prefixTable = []
        self.__ppartialAttrSet = drsuapi.PARTIAL_ATTR_VECTOR_V1_EXT()
        self.__ppartialAttrSet['dwVersion'] = 1
        self.__ppartialAttrSet['cAttrs'] = len(NTDSHashes.ATTRTYP_TO_ATTID)
        # One attribute id per table entry; MakeAttid receives the prefix
        # table and presumably fills it as a side effect -- confirm in drsuapi.
        for attId in NTDSHashes.ATTRTYP_TO_ATTID.values():
            self.__ppartialAttrSet['rgPartialAttr'].append(drsuapi.MakeAttid(self.__prefixTable , attId))
    request['pmsgIn']['V8']['pPartialAttrSet'] = self.__ppartialAttrSet
    request['pmsgIn']['V8']['PrefixTableDest']['PrefixCount'] = len(self.__prefixTable)
    request['pmsgIn']['V8']['PrefixTableDest']['pPrefixEntry'] = self.__prefixTable
    request['pmsgIn']['V8']['pPartialAttrSetEx1'] = NULL

    return self.__drsr.request(request)
Example #19
Source File: test_ndr.py From cracke-dit with MIT License | 4 votes |
def test_12(self):
    # Python 2 code (print statements; str literals act as byte strings).
    # Rebuilds an NDR64 ept_map request from individual floors and compares
    # its serialized length with the captured request in ept_mapReq.
    # Only the lengths are asserted equal, not the bytes themselves.
    ept_mapReq = '\x87d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x001j\x00\x00\x00\x00\x00\x00K\x00\x00\x00\x00\x00\x00\x00K\x00\x00\x00\x05\x00\x13\x00\rxW4\x124\x12\xcd\xab\xef\x00\x01#Eg\x89\xac\x01\x00\x02\x00\x00\x00\x13\x00\r\x04]\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00+\x10H`\x02\x00\x02\x00\x00\x00\x01\x00\x0b\x02\x00\x00\x00\x01\x00\x07\x02\x00\x00\x00\x01\x00\t\x04\x00\x00\x00\x00\x00\xaa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00'
    hexdump(ept_mapReq)

    tower = epm.EPMTower()
    # Interface floor: UUID plus major/minor version.
    interface = epm.EPMRPCInterface()
    interface['InterfaceUUID'] = string_to_bin('12345778-1234-ABCD-EF00-0123456789AC')
    interface['MajorVersion'] = 1
    interface['MinorVersion'] = 0

    # Data-representation floor: UUID plus major/minor version.
    dataRep = epm.EPMRPCDataRepresentation()
    dataRep['DataRepUuid'] = string_to_bin('8a885d04-1ceb-11c9-9fe8-08002b104860')
    dataRep['MajorVersion'] = 2
    dataRep['MinorVersion'] = 0

    protId = epm.EPMProtocolIdentifier()
    protId['ProtIdentifier'] = 0xb

    # pipeName is populated but not included in tower['Floors'] below.
    pipeName = epm.EPMPipeName()
    pipeName['PipeName'] = '\x00'

    portAddr = epm.EPMPortAddr()
    portAddr['IpPort'] = 0

    hostAddr = epm.EPMHostAddr()
    import socket
    hostAddr['Ip4addr'] = socket.inet_aton('0.0.0.0')

    # hostName is likewise populated but unused.
    hostName = epm.EPMHostName()
    hostName['HostName'] = '\x00'

    tower['NumberOfFloors'] = 5
    tower['Floors'] = interface.getData() + dataRep.getData() + protId.getData() + portAddr.getData() + hostAddr.getData()
    request = epm.ept_map(isNDR64=True)
    request['max_towers'] = 4
    request['map_tower']['tower_length'] = len(tower)
    request['map_tower']['tower_octet_string'] = str(tower)

    output = request.getData()
    # Print both buffers for manual comparison before the length assertion.
    print "ORIG: %d, REPACKED: %d" % (len(ept_mapReq), len(output))
    print "="*80
    print "ORIG"
    hexdump(ept_mapReq)
    print "="*80
    print "REPACKED"
    hexdump(output)
    print "="*80
    self.assertTrue(len(ept_mapReq) == len(output))
Example #20
Source File: secretsdump.py From Slackor with GNU General Public License v3.0 | 4 votes |
def DRSGetNCChanges(self, userEntry):
    """Build and send a version-8 DRSGetNCChanges request for a single object.

    userEntry is sliced with [1:-1] before conversion by string_to_bin, so it
    is presumably a GUID string wrapped in one leading and one trailing
    character (e.g. braces) -- TODO confirm against callers.
    Returns whatever self.__drsr.request() returns.
    """
    # NOTE(review): this is a directory replication request; judging by the
    # NTDSHashes attribute table it is used to retrieve credential material.
    # For defenders, GetNCChanges traffic from a host that is not a domain
    # controller is the signal to alert on.
    # Connect on first use: __connectDrds() runs only while __drsr is None.
    if self.__drsr is None:
        self.__connectDrds()

    LOG.debug('Calling DRSGetNCChanges for %s ' % userEntry)
    request = drsuapi.DRSGetNCChanges()
    request['hDrs'] = self.__hDrs
    # dwInVersion and the pmsgIn tag are both 8, selecting the V8 message.
    request['dwInVersion'] = 8

    request['pmsgIn']['tag'] = 8
    # The same DSA object GUID is used for destination and source.
    request['pmsgIn']['V8']['uuidDsaObjDest'] = self.__NtdsDsaObjectGuid
    request['pmsgIn']['V8']['uuidInvocIdSrc'] = self.__NtdsDsaObjectGuid

    # Name the target by GUID only: zero-length SID, single-NUL string name.
    dsName = drsuapi.DSNAME()
    dsName['SidLen'] = 0
    dsName['Guid'] = string_to_bin(userEntry[1:-1])
    dsName['Sid'] = ''
    dsName['NameLen'] = 0
    dsName['StringName'] = ('\x00')

    # Computed last so the length covers the fields set above.
    dsName['structLen'] = len(dsName.getData())

    request['pmsgIn']['V8']['pNC'] = dsName

    # Both USN watermarks are zero and no up-to-dateness vector is supplied.
    request['pmsgIn']['V8']['usnvecFrom']['usnHighObjUpdate'] = 0
    request['pmsgIn']['V8']['usnvecFrom']['usnHighPropUpdate'] = 0

    request['pmsgIn']['V8']['pUpToDateVecDest'] = NULL

    request['pmsgIn']['V8']['ulFlags'] = drsuapi.DRS_INIT_SYNC | drsuapi.DRS_WRIT_REP
    # At most one object, requested through the EXOP_REPL_OBJ operation.
    request['pmsgIn']['V8']['cMaxObjects'] = 1
    request['pmsgIn']['V8']['cMaxBytes'] = 0
    request['pmsgIn']['V8']['ulExtendedOp'] = drsuapi.EXOP_REPL_OBJ
    # The partial attribute set and prefix table are built on the first call
    # and kept on the instance for later calls.
    if self.__ppartialAttrSet is None:
        self.__prefixTable = []
        self.__ppartialAttrSet = drsuapi.PARTIAL_ATTR_VECTOR_V1_EXT()
        self.__ppartialAttrSet['dwVersion'] = 1
        self.__ppartialAttrSet['cAttrs'] = len(NTDSHashes.ATTRTYP_TO_ATTID)
        # One attribute id per table entry; MakeAttid receives the prefix
        # table and presumably fills it as a side effect -- confirm in drsuapi.
        for attId in list(NTDSHashes.ATTRTYP_TO_ATTID.values()):
            self.__ppartialAttrSet['rgPartialAttr'].append(drsuapi.MakeAttid(self.__prefixTable , attId))
    request['pmsgIn']['V8']['pPartialAttrSet'] = self.__ppartialAttrSet
    request['pmsgIn']['V8']['PrefixTableDest']['PrefixCount'] = len(self.__prefixTable)
    request['pmsgIn']['V8']['PrefixTableDest']['pPrefixEntry'] = self.__prefixTable
    request['pmsgIn']['V8']['pPartialAttrSetEx1'] = NULL

    return self.__drsr.request(request)
Example #21
Source File: test_ndr.py From Slackor with GNU General Public License v3.0 | 4 votes |
def test_12(self):
    # Rebuilds an NDR64 ept_map request from individual floors and compares
    # its serialized length with a captured request. Only the lengths are
    # asserted equal, not the bytes themselves.
    captured = b'\x87d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x001j\x00\x00\x00\x00\x00\x00K\x00\x00\x00\x00\x00\x00\x00K\x00\x00\x00\x05\x00\x13\x00\rxW4\x124\x12\xcd\xab\xef\x00\x01#Eg\x89\xac\x01\x00\x02\x00\x00\x00\x13\x00\r\x04]\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00+\x10H`\x02\x00\x02\x00\x00\x00\x01\x00\x0b\x02\x00\x00\x00\x01\x00\x07\x02\x00\x00\x00\x01\x00\t\x04\x00\x00\x00\x00\x00\xaa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00'
    hexdump(captured)

    ept_tower = epm.EPMTower()

    # Interface floor: UUID plus major/minor version.
    iface_floor = epm.EPMRPCInterface()
    iface_floor['InterfaceUUID'] = string_to_bin('12345778-1234-ABCD-EF00-0123456789AC')
    iface_floor['MajorVersion'] = 1
    iface_floor['MinorVersion'] = 0

    # Data-representation floor: UUID plus major/minor version.
    data_rep_floor = epm.EPMRPCDataRepresentation()
    data_rep_floor['DataRepUuid'] = string_to_bin('8a885d04-1ceb-11c9-9fe8-08002b104860')
    data_rep_floor['MajorVersion'] = 2
    data_rep_floor['MinorVersion'] = 0

    proto_floor = epm.EPMProtocolIdentifier()
    proto_floor['ProtIdentifier'] = 0xb

    # Pipe-name floor is populated but not included in the floors below.
    pipe_floor = epm.EPMPipeName()
    pipe_floor['PipeName'] = '\x00'

    port_floor = epm.EPMPortAddr()
    port_floor['IpPort'] = 0

    host_floor = epm.EPMHostAddr()
    import socket
    host_floor['Ip4addr'] = socket.inet_aton('0.0.0.0')

    # Host-name floor is likewise populated but unused.
    name_floor = epm.EPMHostName()
    name_floor['HostName'] = '\x00'

    ept_tower['NumberOfFloors'] = 5
    floors = iface_floor.getData()
    floors += data_rep_floor.getData()
    floors += proto_floor.getData()
    floors += port_floor.getData()
    floors += host_floor.getData()
    ept_tower['Floors'] = floors

    map_request = epm.ept_map(isNDR64=True)
    map_request['max_towers'] = 4
    map_request['map_tower']['tower_length'] = len(ept_tower)
    map_request['map_tower']['tower_octet_string'] = ept_tower.getData()

    repacked = map_request.getData()
    # Print both buffers for manual comparison before the length assertion.
    print("ORIG: %d, REPACKED: %d" % (len(captured), len(repacked)))
    for label, blob in (("ORIG", captured), ("REPACKED", repacked)):
        print("="*80)
        print(label)
        hexdump(blob)
    print("="*80)
    self.assertTrue(len(captured) == len(repacked))
Example #22
Source File: secretsdump.py From cracke-dit with MIT License | 4 votes |
def DRSGetNCChanges(self, userEntry):
    """Build and send a version-8 DRSGetNCChanges request for a single object.

    userEntry is sliced with [1:-1] before conversion by string_to_bin, so it
    is presumably a GUID string wrapped in one leading and one trailing
    character (e.g. braces) -- TODO confirm against callers.
    Returns whatever self.__drsr.request() returns.
    """
    # NOTE(review): this is a directory replication request; judging by the
    # NTDSHashes attribute table it is used to retrieve credential material.
    # For defenders, GetNCChanges traffic from a host that is not a domain
    # controller is the signal to alert on.
    # Connect on first use: __connectDrds() runs only while __drsr is None.
    if self.__drsr is None:
        self.__connectDrds()

    LOG.debug('Calling DRSGetNCChanges for %s ' % userEntry)
    request = drsuapi.DRSGetNCChanges()
    request['hDrs'] = self.__hDrs
    # dwInVersion and the pmsgIn tag are both 8, selecting the V8 message.
    request['dwInVersion'] = 8

    request['pmsgIn']['tag'] = 8
    # The same DSA object GUID is used for destination and source.
    request['pmsgIn']['V8']['uuidDsaObjDest'] = self.__NtdsDsaObjectGuid
    request['pmsgIn']['V8']['uuidInvocIdSrc'] = self.__NtdsDsaObjectGuid

    # Name the target by GUID only: zero-length SID, single-NUL string name.
    dsName = drsuapi.DSNAME()
    dsName['SidLen'] = 0
    dsName['Guid'] = string_to_bin(userEntry[1:-1])
    dsName['Sid'] = ''
    dsName['NameLen'] = 0
    dsName['StringName'] = ('\x00')

    # Computed last so the length covers the fields set above.
    dsName['structLen'] = len(dsName.getData())

    request['pmsgIn']['V8']['pNC'] = dsName

    # Both USN watermarks are zero and no up-to-dateness vector is supplied.
    request['pmsgIn']['V8']['usnvecFrom']['usnHighObjUpdate'] = 0
    request['pmsgIn']['V8']['usnvecFrom']['usnHighPropUpdate'] = 0

    request['pmsgIn']['V8']['pUpToDateVecDest'] = NULL

    request['pmsgIn']['V8']['ulFlags'] = drsuapi.DRS_INIT_SYNC | drsuapi.DRS_WRIT_REP
    # At most one object, requested through the EXOP_REPL_OBJ operation.
    request['pmsgIn']['V8']['cMaxObjects'] = 1
    request['pmsgIn']['V8']['cMaxBytes'] = 0
    request['pmsgIn']['V8']['ulExtendedOp'] = drsuapi.EXOP_REPL_OBJ
    # The partial attribute set and prefix table are built on the first call
    # and kept on the instance for later calls.
    if self.__ppartialAttrSet is None:
        self.__prefixTable = []
        self.__ppartialAttrSet = drsuapi.PARTIAL_ATTR_VECTOR_V1_EXT()
        self.__ppartialAttrSet['dwVersion'] = 1
        self.__ppartialAttrSet['cAttrs'] = len(NTDSHashes.ATTRTYP_TO_ATTID)
        # One attribute id per table entry; MakeAttid receives the prefix
        # table and presumably fills it as a side effect -- confirm in drsuapi.
        for attId in NTDSHashes.ATTRTYP_TO_ATTID.values():
            self.__ppartialAttrSet['rgPartialAttr'].append(drsuapi.MakeAttid(self.__prefixTable , attId))
    request['pmsgIn']['V8']['pPartialAttrSet'] = self.__ppartialAttrSet
    request['pmsgIn']['V8']['PrefixTableDest']['PrefixCount'] = len(self.__prefixTable)
    request['pmsgIn']['V8']['PrefixTableDest']['pPrefixEntry'] = self.__prefixTable
    request['pmsgIn']['V8']['pPartialAttrSetEx1'] = NULL

    return self.__drsr.request(request)
Example #23
Source File: dump.py From CVE-2019-1040 with MIT License | 4 votes |
def DRSGetNCChanges(self, userEntry):
    """Build and send a version-8 DRSGetNCChanges request for a single object.

    userEntry is sliced with [1:-1] before conversion by string_to_bin, so it
    is presumably a GUID string wrapped in one leading and one trailing
    character (e.g. braces) -- TODO confirm against callers.
    Returns whatever self.__drsr.request() returns.
    """
    # NOTE(review): this is a directory replication request; judging by the
    # NTDSHashes attribute table it is used to retrieve credential material.
    # For defenders, GetNCChanges traffic from a host that is not a domain
    # controller is the signal to alert on.
    # Connect on first use: __connectDrds() runs only while __drsr is None.
    if self.__drsr is None:
        self.__connectDrds()

    LOG.debug('Calling DRSGetNCChanges for %s ' % userEntry)
    request = drsuapi.DRSGetNCChanges()
    request['hDrs'] = self.__hDrs
    # dwInVersion and the pmsgIn tag are both 8, selecting the V8 message.
    request['dwInVersion'] = 8

    request['pmsgIn']['tag'] = 8
    # The same DSA object GUID is used for destination and source.
    request['pmsgIn']['V8']['uuidDsaObjDest'] = self.__NtdsDsaObjectGuid
    request['pmsgIn']['V8']['uuidInvocIdSrc'] = self.__NtdsDsaObjectGuid

    # Name the target by GUID only: zero-length SID, single-NUL string name.
    dsName = drsuapi.DSNAME()
    dsName['SidLen'] = 0
    dsName['Guid'] = string_to_bin(userEntry[1:-1])
    dsName['Sid'] = ''
    dsName['NameLen'] = 0
    dsName['StringName'] = ('\x00')

    # Computed last so the length covers the fields set above.
    dsName['structLen'] = len(dsName.getData())

    request['pmsgIn']['V8']['pNC'] = dsName

    # Both USN watermarks are zero and no up-to-dateness vector is supplied.
    request['pmsgIn']['V8']['usnvecFrom']['usnHighObjUpdate'] = 0
    request['pmsgIn']['V8']['usnvecFrom']['usnHighPropUpdate'] = 0

    request['pmsgIn']['V8']['pUpToDateVecDest'] = NULL

    request['pmsgIn']['V8']['ulFlags'] = drsuapi.DRS_INIT_SYNC | drsuapi.DRS_WRIT_REP
    # At most one object, requested through the EXOP_REPL_OBJ operation.
    request['pmsgIn']['V8']['cMaxObjects'] = 1
    request['pmsgIn']['V8']['cMaxBytes'] = 0
    request['pmsgIn']['V8']['ulExtendedOp'] = drsuapi.EXOP_REPL_OBJ
    # The partial attribute set and prefix table are built on the first call
    # and kept on the instance for later calls.
    if self.__ppartialAttrSet is None:
        self.__prefixTable = []
        self.__ppartialAttrSet = drsuapi.PARTIAL_ATTR_VECTOR_V1_EXT()
        self.__ppartialAttrSet['dwVersion'] = 1
        self.__ppartialAttrSet['cAttrs'] = len(NTDSHashes.ATTRTYP_TO_ATTID)
        # One attribute id per table entry; MakeAttid receives the prefix
        # table and presumably fills it as a side effect -- confirm in drsuapi.
        for attId in list(NTDSHashes.ATTRTYP_TO_ATTID.values()):
            self.__ppartialAttrSet['rgPartialAttr'].append(drsuapi.MakeAttid(self.__prefixTable , attId))
    request['pmsgIn']['V8']['pPartialAttrSet'] = self.__ppartialAttrSet
    request['pmsgIn']['V8']['PrefixTableDest']['PrefixCount'] = len(self.__prefixTable)
    request['pmsgIn']['V8']['PrefixTableDest']['pPrefixEntry'] = self.__prefixTable
    request['pmsgIn']['V8']['pPartialAttrSetEx1'] = NULL

    return self.__drsr.request(request)
Example #24
Source File: test_ndr.py From CVE-2017-7494 with GNU General Public License v3.0 | 4 votes |
def test_12(self):
    # Python 2 code (print statements; str literals act as byte strings).
    # Rebuilds an NDR64 ept_map request from individual floors and compares
    # its serialized length with the captured request in ept_mapReq.
    # Only the lengths are asserted equal, not the bytes themselves.
    ept_mapReq = '\x87d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x001j\x00\x00\x00\x00\x00\x00K\x00\x00\x00\x00\x00\x00\x00K\x00\x00\x00\x05\x00\x13\x00\rxW4\x124\x12\xcd\xab\xef\x00\x01#Eg\x89\xac\x01\x00\x02\x00\x00\x00\x13\x00\r\x04]\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00+\x10H`\x02\x00\x02\x00\x00\x00\x01\x00\x0b\x02\x00\x00\x00\x01\x00\x07\x02\x00\x00\x00\x01\x00\t\x04\x00\x00\x00\x00\x00\xaa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00'
    hexdump(ept_mapReq)

    tower = epm.EPMTower()
    # Interface floor: UUID plus major/minor version.
    interface = epm.EPMRPCInterface()
    interface['InterfaceUUID'] = string_to_bin('12345778-1234-ABCD-EF00-0123456789AC')
    interface['MajorVersion'] = 1
    interface['MinorVersion'] = 0

    # Data-representation floor: UUID plus major/minor version.
    dataRep = epm.EPMRPCDataRepresentation()
    dataRep['DataRepUuid'] = string_to_bin('8a885d04-1ceb-11c9-9fe8-08002b104860')
    dataRep['MajorVersion'] = 2
    dataRep['MinorVersion'] = 0

    protId = epm.EPMProtocolIdentifier()
    protId['ProtIdentifier'] = 0xb

    # pipeName is populated but not included in tower['Floors'] below.
    pipeName = epm.EPMPipeName()
    pipeName['PipeName'] = '\x00'

    portAddr = epm.EPMPortAddr()
    portAddr['IpPort'] = 0

    hostAddr = epm.EPMHostAddr()
    import socket
    hostAddr['Ip4addr'] = socket.inet_aton('0.0.0.0')

    # hostName is likewise populated but unused.
    hostName = epm.EPMHostName()
    hostName['HostName'] = '\x00'

    tower['NumberOfFloors'] = 5
    tower['Floors'] = interface.getData() + dataRep.getData() + protId.getData() + portAddr.getData() + hostAddr.getData()
    request = epm.ept_map(isNDR64=True)
    request['max_towers'] = 4
    request['map_tower']['tower_length'] = len(tower)
    request['map_tower']['tower_octet_string'] = str(tower)

    output = request.getData()
    # Print both buffers for manual comparison before the length assertion.
    print "ORIG: %d, REPACKED: %d" % (len(ept_mapReq), len(output))
    print "="*80
    print "ORIG"
    hexdump(ept_mapReq)
    print "="*80
    print "REPACKED"
    hexdump(output)
    print "="*80
    self.assertTrue(len(ept_mapReq) == len(output))
Example #25
Source File: secretsdump.py From PiBunny with MIT License | 4 votes |
def DRSGetNCChanges(self, userEntry):
    """Build and send a version-8 DRSGetNCChanges request for a single object.

    userEntry is sliced with [1:-1] before conversion by string_to_bin, so it
    is presumably a GUID string wrapped in one leading and one trailing
    character (e.g. braces) -- TODO confirm against callers.
    Returns whatever self.__drsr.request() returns.
    """
    # NOTE(review): this is a directory replication request; judging by the
    # NTDSHashes attribute table it is used to retrieve credential material.
    # For defenders, GetNCChanges traffic from a host that is not a domain
    # controller is the signal to alert on.
    # Connect on first use: __connectDrds() runs only while __drsr is None.
    if self.__drsr is None:
        self.__connectDrds()

    LOG.debug('Calling DRSGetNCChanges for %s ' % userEntry)
    request = drsuapi.DRSGetNCChanges()
    request['hDrs'] = self.__hDrs
    # dwInVersion and the pmsgIn tag are both 8, selecting the V8 message.
    request['dwInVersion'] = 8

    request['pmsgIn']['tag'] = 8
    # The same DSA object GUID is used for destination and source.
    request['pmsgIn']['V8']['uuidDsaObjDest'] = self.__NtdsDsaObjectGuid
    request['pmsgIn']['V8']['uuidInvocIdSrc'] = self.__NtdsDsaObjectGuid

    # Name the target by GUID only: zero-length SID, single-NUL string name.
    dsName = drsuapi.DSNAME()
    dsName['SidLen'] = 0
    dsName['Guid'] = string_to_bin(userEntry[1:-1])
    dsName['Sid'] = ''
    dsName['NameLen'] = 0
    dsName['StringName'] = ('\x00')

    # Computed last so the length covers the fields set above.
    dsName['structLen'] = len(dsName.getData())

    request['pmsgIn']['V8']['pNC'] = dsName

    # Both USN watermarks are zero and no up-to-dateness vector is supplied.
    request['pmsgIn']['V8']['usnvecFrom']['usnHighObjUpdate'] = 0
    request['pmsgIn']['V8']['usnvecFrom']['usnHighPropUpdate'] = 0

    request['pmsgIn']['V8']['pUpToDateVecDest'] = NULL

    request['pmsgIn']['V8']['ulFlags'] = drsuapi.DRS_INIT_SYNC | drsuapi.DRS_WRIT_REP
    # At most one object, requested through the EXOP_REPL_OBJ operation.
    request['pmsgIn']['V8']['cMaxObjects'] = 1
    request['pmsgIn']['V8']['cMaxBytes'] = 0
    request['pmsgIn']['V8']['ulExtendedOp'] = drsuapi.EXOP_REPL_OBJ
    # The partial attribute set and prefix table are built on the first call
    # and kept on the instance for later calls.
    if self.__ppartialAttrSet is None:
        self.__prefixTable = []
        self.__ppartialAttrSet = drsuapi.PARTIAL_ATTR_VECTOR_V1_EXT()
        self.__ppartialAttrSet['dwVersion'] = 1
        self.__ppartialAttrSet['cAttrs'] = len(NTDSHashes.ATTRTYP_TO_ATTID)
        # One attribute id per table entry; MakeAttid receives the prefix
        # table and presumably fills it as a side effect -- confirm in drsuapi.
        for attId in NTDSHashes.ATTRTYP_TO_ATTID.values():
            self.__ppartialAttrSet['rgPartialAttr'].append(drsuapi.MakeAttid(self.__prefixTable , attId))
    request['pmsgIn']['V8']['pPartialAttrSet'] = self.__ppartialAttrSet
    request['pmsgIn']['V8']['PrefixTableDest']['PrefixCount'] = len(self.__prefixTable)
    request['pmsgIn']['V8']['PrefixTableDest']['pPrefixEntry'] = self.__prefixTable
    request['pmsgIn']['V8']['pPartialAttrSetEx1'] = NULL

    return self.__drsr.request(request)
Example #26
Source File: test_ndr.py From PiBunny with MIT License | 4 votes |
def test_12(self):
    # Python 2 code (print statements; str literals act as byte strings).
    # Rebuilds an NDR64 ept_map request from individual floors and compares
    # its serialized length with the captured request in ept_mapReq.
    # Only the lengths are asserted equal, not the bytes themselves.
    ept_mapReq = '\x87d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x001j\x00\x00\x00\x00\x00\x00K\x00\x00\x00\x00\x00\x00\x00K\x00\x00\x00\x05\x00\x13\x00\rxW4\x124\x12\xcd\xab\xef\x00\x01#Eg\x89\xac\x01\x00\x02\x00\x00\x00\x13\x00\r\x04]\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00+\x10H`\x02\x00\x02\x00\x00\x00\x01\x00\x0b\x02\x00\x00\x00\x01\x00\x07\x02\x00\x00\x00\x01\x00\t\x04\x00\x00\x00\x00\x00\xaa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00'
    hexdump(ept_mapReq)

    tower = epm.EPMTower()
    # Interface floor: UUID plus major/minor version.
    interface = epm.EPMRPCInterface()
    interface['InterfaceUUID'] = string_to_bin('12345778-1234-ABCD-EF00-0123456789AC')
    interface['MajorVersion'] = 1
    interface['MinorVersion'] = 0

    # Data-representation floor: UUID plus major/minor version.
    dataRep = epm.EPMRPCDataRepresentation()
    dataRep['DataRepUuid'] = string_to_bin('8a885d04-1ceb-11c9-9fe8-08002b104860')
    dataRep['MajorVersion'] = 2
    dataRep['MinorVersion'] = 0

    protId = epm.EPMProtocolIdentifier()
    protId['ProtIdentifier'] = 0xb

    # pipeName is populated but not included in tower['Floors'] below.
    pipeName = epm.EPMPipeName()
    pipeName['PipeName'] = '\x00'

    portAddr = epm.EPMPortAddr()
    portAddr['IpPort'] = 0

    hostAddr = epm.EPMHostAddr()
    import socket
    hostAddr['Ip4addr'] = socket.inet_aton('0.0.0.0')

    # hostName is likewise populated but unused.
    hostName = epm.EPMHostName()
    hostName['HostName'] = '\x00'

    tower['NumberOfFloors'] = 5
    tower['Floors'] = interface.getData() + dataRep.getData() + protId.getData() + portAddr.getData() + hostAddr.getData()
    request = epm.ept_map(isNDR64=True)
    request['max_towers'] = 4
    request['map_tower']['tower_length'] = len(tower)
    request['map_tower']['tower_octet_string'] = str(tower)

    output = request.getData()
    # Print both buffers for manual comparison before the length assertion.
    print "ORIG: %d, REPACKED: %d" % (len(ept_mapReq), len(output))
    print "="*80
    print "ORIG"
    hexdump(ept_mapReq)
    print "="*80
    print "REPACKED"
    hexdump(output)
    print "="*80
    self.assertTrue(len(ept_mapReq) == len(output))
Example #27
Source File: secretsdump.py From CVE-2017-7494 with GNU General Public License v3.0 | 4 votes |
def DRSGetNCChanges(self, userEntry):
    """Build and send a version-8 DRSGetNCChanges request for a single object.

    userEntry is sliced with [1:-1] before conversion by string_to_bin, so it
    is presumably a GUID string wrapped in one leading and one trailing
    character (e.g. braces) -- TODO confirm against callers.
    Returns whatever self.__drsr.request() returns.
    """
    # NOTE(review): this is a directory replication request; judging by the
    # NTDSHashes attribute table it is used to retrieve credential material.
    # For defenders, GetNCChanges traffic from a host that is not a domain
    # controller is the signal to alert on.
    # Connect on first use: __connectDrds() runs only while __drsr is None.
    if self.__drsr is None:
        self.__connectDrds()

    LOG.debug('Calling DRSGetNCChanges for %s ' % userEntry)
    request = drsuapi.DRSGetNCChanges()
    request['hDrs'] = self.__hDrs
    # dwInVersion and the pmsgIn tag are both 8, selecting the V8 message.
    request['dwInVersion'] = 8

    request['pmsgIn']['tag'] = 8
    # The same DSA object GUID is used for destination and source.
    request['pmsgIn']['V8']['uuidDsaObjDest'] = self.__NtdsDsaObjectGuid
    request['pmsgIn']['V8']['uuidInvocIdSrc'] = self.__NtdsDsaObjectGuid

    # Name the target by GUID only: zero-length SID, single-NUL string name.
    dsName = drsuapi.DSNAME()
    dsName['SidLen'] = 0
    dsName['Guid'] = string_to_bin(userEntry[1:-1])
    dsName['Sid'] = ''
    dsName['NameLen'] = 0
    dsName['StringName'] = ('\x00')

    # Computed last so the length covers the fields set above.
    dsName['structLen'] = len(dsName.getData())

    request['pmsgIn']['V8']['pNC'] = dsName

    # Both USN watermarks are zero and no up-to-dateness vector is supplied.
    request['pmsgIn']['V8']['usnvecFrom']['usnHighObjUpdate'] = 0
    request['pmsgIn']['V8']['usnvecFrom']['usnHighPropUpdate'] = 0

    request['pmsgIn']['V8']['pUpToDateVecDest'] = NULL

    request['pmsgIn']['V8']['ulFlags'] = drsuapi.DRS_INIT_SYNC | drsuapi.DRS_WRIT_REP
    # At most one object, requested through the EXOP_REPL_OBJ operation.
    request['pmsgIn']['V8']['cMaxObjects'] = 1
    request['pmsgIn']['V8']['cMaxBytes'] = 0
    request['pmsgIn']['V8']['ulExtendedOp'] = drsuapi.EXOP_REPL_OBJ
    # The partial attribute set and prefix table are built on the first call
    # and kept on the instance for later calls.
    if self.__ppartialAttrSet is None:
        self.__prefixTable = []
        self.__ppartialAttrSet = drsuapi.PARTIAL_ATTR_VECTOR_V1_EXT()
        self.__ppartialAttrSet['dwVersion'] = 1
        self.__ppartialAttrSet['cAttrs'] = len(NTDSHashes.ATTRTYP_TO_ATTID)
        # One attribute id per table entry; MakeAttid receives the prefix
        # table and presumably fills it as a side effect -- confirm in drsuapi.
        for attId in NTDSHashes.ATTRTYP_TO_ATTID.values():
            self.__ppartialAttrSet['rgPartialAttr'].append(drsuapi.MakeAttid(self.__prefixTable , attId))
    request['pmsgIn']['V8']['pPartialAttrSet'] = self.__ppartialAttrSet
    request['pmsgIn']['V8']['PrefixTableDest']['PrefixCount'] = len(self.__prefixTable)
    request['pmsgIn']['V8']['PrefixTableDest']['pPrefixEntry'] = self.__prefixTable
    request['pmsgIn']['V8']['pPartialAttrSetEx1'] = NULL

    return self.__drsr.request(request)