github.com/n00py/Slackor@v0.0.0-20200610224921-d007fcea1740/impacket/tests/SMB_RPC/test_dcomrt.py

github.com/n00py/Slackor@v0.0.0-20200610224921-d007fcea1740/impacket/tests/SMB_RPC/test_dcomrt.py (about)

     1  ###############################################################################
     2  #  Tested so far: 
     3  #
     4  # Since DCOM is more high level, I'll always use the helper classes
     5  # ServerAlive
     6  # ServerAlive2
     7  # ComplexPing
     8  # SimplePing
     9  # RemoteCreateInstance
    10  # ResolveOxid
    11  # ResolveOxid2
    12  # RemoteActivation
    13  # RemRelease
    14  # RemoteGetClassObject
    15  #
    16  #  Not yet:
    17  #
    18  # 
    19  # Shouldn't dump errors against a win7
    20  #
    21  ################################################################################
    22  
    23  from __future__ import division
    24  from __future__ import print_function
    25  import unittest
    26  try:
    27      import ConfigParser
    28  except ImportError:
    29      import configparser as ConfigParser
    30  
    31  from impacket.dcerpc.v5 import transport
    32  from impacket.dcerpc.v5 import dcomrt
    33  from impacket.dcerpc.v5.dcom import scmp, vds, oaut, comev
    34  from impacket.uuid import string_to_bin, uuidtup_to_bin
    35  from impacket import ntlm
    36  
    37  
    38  class DCOMTests(unittest.TestCase):
    39      def connect(self):
    40          rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
    41          if len(self.hashes) > 0:
    42              lmhash, nthash = self.hashes.split(':')
    43          else:
    44              lmhash = ''
    45              nthash = ''
    46          if hasattr(rpctransport, 'set_credentials'):
    47              # This method exists only for selected protocol sequences.
    48              rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash)
    49          dce = rpctransport.get_dce_rpc()
    50          dce.set_auth_level(ntlm.NTLM_AUTH_PKT_INTEGRITY)
    51          dce.connect()
    52  
    53          return dce, rpctransport
    54  
    55      def test_ServerAlive(self):
    56          dce, rpctransport = self.connect()
    57          objExporter = dcomrt.IObjectExporter(dce)
    58          objExporter.ServerAlive()
    59  
    60      def test_ServerAlive2(self):
    61          dce, rpctransport = self.connect()
    62          objExporter = dcomrt.IObjectExporter(dce)
    63          objExporter.ServerAlive2()
    64  
    65      def test_ComplexPing_SimplePing(self):
    66          dce, rpctransport = self.connect()
    67          objExporter = dcomrt.IObjectExporter(dce)
    68          resp = objExporter.ComplexPing()
    69          objExporter.SimplePing(resp['pSetId'])
    70  
    71      def test_ResolveOxid(self):
    72          dce, rpctransport = self.connect()
    73          scm = dcomrt.IRemoteSCMActivator(dce)
    74          iInterface = scm.RemoteCreateInstance(comev.CLSID_EventSystem, comev.IID_IEventSystem)
    75          objExporter = dcomrt.IObjectExporter(dce)
    76          objExporter.ResolveOxid(iInterface.get_oxid(), (7,))
    77  
    78      def test_ResolveOxid2(self):
    79          dce, rpctransport = self.connect()
    80          #scm = dcomrt.IRemoteSCMActivator(dce)
    81          #iInterface = scm.RemoteCreateInstance(comev.CLSID_EventSystem, comev.IID_IEventSystem)
    82          scm = dcomrt.IActivation(dce)
    83          iInterface = scm.RemoteActivation(comev.CLSID_EventSystem, comev.IID_IEventSystem)
    84          objExporter = dcomrt.IObjectExporter(dce)
    85          objExporter.ResolveOxid2(iInterface.get_oxid(), (7,))
    86  
    87      def test_RemoteActivation(self):
    88          dce, rpctransport = self.connect()
    89          scm = dcomrt.IActivation(dce)
    90          scm.RemoteActivation(comev.CLSID_EventSystem, comev.IID_IEventSystem)
    91  
    92      def test_RemoteGetClassObject(self):
    93          dce, rpctransport = self.connect()
    94          IID_IClassFactory = uuidtup_to_bin(('00000001-0000-0000-C000-000000000046','0.0'))
    95          scm = dcomrt.IRemoteSCMActivator(dce)
    96          iInterface = scm.RemoteGetClassObject(comev.CLSID_EventSystem, IID_IClassFactory)
    97          iInterface.RemRelease()
    98  
    99  
   100      def test_RemQueryInterface(self):
   101          dcom = dcomrt.DCOMConnection(self.machine, self.username, self.password, self.domain)
   102          iInterface = dcom.CoCreateInstanceEx(comev.CLSID_EventSystem, comev.IID_IEventSystem)
   103          iEventSystem = comev.IEventSystem(iInterface)
   104          iEventSystem.RemQueryInterface(1, (comev.IID_IEventSystem,))
   105          dcom.disconnect()
   106  
   107      def test_RemRelease(self):
   108          dcom = dcomrt.DCOMConnection(self.machine, self.username, self.password, self.domain)
   109          iInterface = dcom.CoCreateInstanceEx(comev.CLSID_EventSystem, comev.IID_IEventSystem)
   110          iEventSystem = comev.IEventSystem(iInterface)
   111          iEventSystem.RemRelease()
   112          dcom.disconnect()
   113  
   114      def test_RemoteCreateInstance(self):
   115          dce, rpctransport = self.connect()
   116  
   117          scm = dcomrt.IRemoteSCMActivator(dce)
   118          scm.RemoteCreateInstance(comev.CLSID_EventSystem, comev.IID_IEventSystem)
   119  
   120      def tes_scmp(self):
   121          dce, rpctransport = self.connect()
   122  
   123          scm = dcomrt.IRemoteSCMActivator(dce)
   124          iInterface = scm.RemoteCreateInstance(scmp.CLSID_ShadowCopyProvider, scmp.IID_IVssSnapshotMgmt)
   125          iVssSnapshotMgmt = scmp.IVssSnapshotMgmt(iInterface)
   126          #iVssSnapshotMgmt.RemRelease()
   127          
   128          iVssEnumMgmtObject = iVssSnapshotMgmt.QueryVolumesSupportedForSnapshots(scmp.IID_ShadowCopyProvider, 31) 
   129          iVssEnumMgmtObject.Next(10)
   130          #iVssEnumObject = iVssSnapshotMgmt.QuerySnapshotsByVolume('C:\x00')
   131  
   132          #iProviderMgmtInterface = iVssSnapshotMgmt.GetProviderMgmtInterface()
   133          #enumObject =iProviderMgmtInterface.QueryDiffAreasOnVolume('C:\x00')
   134          #iVssSnapshotMgmt.RemQueryInterface(1, (scmp.IID_IVssEnumMgmtObject,))
   135          #iVssSnapshotMgmt.RemAddRef()
   136          #iVssSnapshotMgmt = dcom.hRemoteCreateInstance(dce, scmp.CLSID_ShadowCopyProvider, dcom.IID_IRemUnknown)
   137      
   138          #iVssEnumMgmtObject.RemQueryInterface(1, (scmp.IID_IVssEnumMgmtObject,))
   139  
   140      def tes_vds(self):
   141          dce, rpctransport = self.connect()
   142  
   143          #objExporter = dcom.IObjectExporter(dce)
   144          #objExporter.ComplexPing()
   145          #objExporter.ComplexPing()
   146  
   147          scm = dcomrt.IRemoteSCMActivator(dce)
   148          iInterface = scm.RemoteCreateInstance(vds.CLSID_VirtualDiskService, vds.IID_IVdsServiceInitialization)
   149          serviceInitialization = vds.IVdsServiceInitialization(iInterface)
   150          serviceInitialization.Initialize()
   151          
   152          iInterface = serviceInitialization.RemQueryInterface(1, (vds.IID_IVdsService,))
   153          vdsService = vds.IVdsService(iInterface)
   154     
   155          resp = vdsService.IsServiceReady()
   156          while resp['ErrorCode'] == 1:
   157              print("Waiting.. ")
   158              resp = vdsService.IsServiceReady()
   159  
   160          vdsService.WaitForServiceReady()
   161          vdsService.GetProperties()
   162          enumObject = vdsService.QueryProviders(1)
   163          interfaces = enumObject.Next(1)
   164          iii = interfaces[0].RemQueryInterface(1, (vds.IID_IVdsProvider,))
   165          provider = vds.IVdsProvider(iii)
   166          resp = provider.GetProperties()
   167          resp.dump()
   168  
   169      def tes_oaut(self):
   170          dce, rpctransport = self.connect()
   171          IID_IDispatch = string_to_bin('00020400-0000-0000-C000-000000000046')
   172          scm = dcomrt.IRemoteSCMActivator(dce)
   173          iInterface = scm.RemoteCreateInstance(string_to_bin('4E14FBA2-2E22-11D1-9964-00C04FBBB345'), IID_IDispatch)
   174          iDispatch = oaut.IDispatch(iInterface)
   175          kk = iDispatch.GetTypeInfoCount()
   176          kk.dump()
   177          iTypeInfo = iDispatch.GetTypeInfo()
   178          iTypeInfo.GetTypeAttr()
   179  
   180      def tes_comev(self):
   181          if len(self.hashes) > 0:
   182              lmhash, nthash = self.hashes.split(':')
   183          else:
   184              lmhash = ''
   185              nthash = ''
   186  
   187          dcom = dcomrt.DCOMConnection(self.machine, self.username, self.password, self.domain, lmhash, nthash)
   188          iInterface = dcom.CoCreateInstanceEx(comev.CLSID_EventSystem, comev.IID_IEventSystem)
   189  
   190          #scm = dcomrt.IRemoteSCMActivator(dce)
   191          
   192          #iInterface = scm.RemoteCreateInstance(comev.CLSID_EventSystem, comev.IID_IEventSystem)
   193          #iInterface = scm.RemoteCreateInstance(comev.CLSID_EventSystem,oaut.IID_IDispatch)
   194          iDispatch = oaut.IDispatch(iInterface)
   195          #scm = dcomrt.IRemoteSCMActivator(dce)
   196          #resp = iDispatch.GetIDsOfNames(('Navigate\x00', 'ExecWB\x00'))
   197          #resp.dump()
   198          iEventSystem = comev.IEventSystem(iInterface)
   199          iTypeInfo = iEventSystem.GetTypeInfo()
   200          resp = iTypeInfo.GetTypeAttr()
   201          #resp.dump()
   202          for i in range(1,resp['ppTypeAttr']['cFuncs']):
   203              resp = iTypeInfo.GetFuncDesc(i)
   204              #resp.dump()
   205              iTypeInfo.GetNames(resp['ppFuncDesc']['memid'])
   206              iTypeInfo.GetDocumentation(resp['ppFuncDesc']['memid'])
   207          #iEventSystem.get_EventObjectChangeEventClassID()
   208          iEventSystem.RemRelease()
   209          iTypeInfo.RemRelease()
   210  
   211          objCollection = iEventSystem.Query('EventSystem.EventSubscriptionCollection', 'ALL')
   212  
   213          objCollection.get_Count()
   214  
   215          evnObj = objCollection.get_NewEnum()
   216          for i in range(3):
   217              iUnknown = evnObj.Next(1)[0]
   218              es = iUnknown.RemQueryInterface(1, (comev.IID_IEventSubscription3,))
   219              es = comev.IEventSubscription3(es)
   220  
   221              #es.get_SubscriptionID()
   222              print(es.get_SubscriptionName()['pbstrSubscriptionName']['asData'])
   223              ##es.get_PublisherID()
   224              #es.get_EventClassID()
   225              #es.get_MethodName()
   226              ##es.get_SubscriberCLSID()
   227              #es.get_SubscriberInterface()
   228              #es.get_PerUser()
   229              #es.get_OwnerSID()
   230              #es.get_Enabled()
   231              ##es.get_Description()
   232              ##es.get_MachineName()
   233              ##es.GetPublisherProperty()
   234              #es.GetPublisherPropertyCollection()
   235              ##es.GetSubscriberProperty()
   236              #es.GetSubscriberPropertyCollection()
   237              #es.get_InterfaceID()
   238              es.RemRelease()
   239  
   240  
   241          objCollection = iEventSystem.Query('EventSystem.EventClassCollection', 'ALL')
   242          objCollection.get_Count()
   243  
   244          #objCollection.get_Item('EventClassID={D5978630-5B9F-11D1-8DD2-00AA004ABD5E}')
   245          evnObj = objCollection.get_NewEnum()
   246          for i in range(3):
   247  
   248              iUnknown = evnObj.Next(1)[0]
   249  
   250              ev = iUnknown.RemQueryInterface(1, (comev.IID_IEventClass2,))
   251              ev = comev.IEventClass2(ev)
   252  
   253              ev.get_EventClassID() 
   254              #ev.get_EventClassName() 
   255              #ev.get_OwnerSID() 
   256              #ev.get_FiringInterfaceID() 
   257              #ev.get_Description() 
   258              #try:
   259              #    ev.get_TypeLib() 
   260              #except:
   261              #    pass
   262  
   263              #ev.get_PublisherID()
   264              #ev.get_MultiInterfacePublisherFilterCLSID()
   265              #ev.get_AllowInprocActivation()
   266              #ev.get_FireInParallel()
   267              ev.RemRelease()
   268  
   269          print("="*80)
   270  
   271          dcom.disconnect()
   272          #eventSubscription.get_SubscriptionID()
   273  
   274  
   275      # def tes_ie(self):
   276      #     dce, rpctransport = self.connect()
   277      #     scm = dcomrt.IRemoteSCMActivator(dce)
   278      #
   279      #     #iInterface = scm.RemoteCreateInstance(string_to_bin('0002DF01-0000-0000-C000-000000000046'),ie.IID_WebBrowser)
   280      #     iInterface = scm.RemoteCreateInstance(string_to_bin('72C24DD5-D70A-438B-8A42-98424B88AFB8'),dcomrt.IID_IRemUnknown)
   281      #
   282      #     iDispatch = ie.IWebBrowser(iInterface)
   283      #     resp = iDispatch.GetIDsOfNames(('Navigate',))
   284      #     print resp
   285      #     #sys.exit(1)
   286      #     iTypeInfo = iDispatch.GetTypeInfo()
   287      #     resp = iTypeInfo.GetTypeAttr()
   288      #     #resp.dump()
   289      #     for i in range(0,resp['ppTypeAttr']['cFuncs']):
   290      #         resp = iTypeInfo.GetFuncDesc(i)
   291      #         #resp.dump()
   292      #         #resp2 = iTypeInfo.GetNames(resp['ppFuncDesc']['memid'])
   293      #         #print resp2['rgBstrNames'][0]['asData']
   294      #         resp = iTypeInfo.GetDocumentation(resp['ppFuncDesc']['memid'])
   295      #         print resp['pBstrName']['asData']
   296      #     #iEventSystem.get_EventObjectChangeEventClassID()
   297      #     print "ACA"
   298      #     iTypeInfo.RemRelease()
   299      #     iDispatch.RemRelease()
   300      #
   301      #     sys.exit(1)
   302  
   303  class TCPTransport(DCOMTests):
   304      def setUp(self):
   305          DCOMTests.setUp(self)
   306          configFile = ConfigParser.ConfigParser()
   307          configFile.read('dcetests.cfg')
   308          self.username = configFile.get('TCPTransport', 'username')
   309          self.domain   = configFile.get('TCPTransport', 'domain')
   310          self.serverName = configFile.get('TCPTransport', 'servername')
   311          self.password = configFile.get('TCPTransport', 'password')
   312          self.machine  = configFile.get('TCPTransport', 'machine')
   313          self.hashes   = configFile.get('TCPTransport', 'hashes')
   314          self.stringBinding = r'ncacn_ip_tcp:%s' % self.machine
   315          self.ts = ('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0')
   316  
   317  class TCPTransport64(DCOMTests):
   318      def setUp(self):
   319          DCOMTests.setUp(self)
   320          configFile = ConfigParser.ConfigParser()
   321          configFile.read('dcetests.cfg')
   322          self.username = configFile.get('TCPTransport', 'username')
   323          self.domain   = configFile.get('TCPTransport', 'domain')
   324          self.serverName = configFile.get('TCPTransport', 'servername')
   325          self.password = configFile.get('TCPTransport', 'password')
   326          self.machine  = configFile.get('TCPTransport', 'machine')
   327          self.hashes   = configFile.get('TCPTransport', 'hashes')
   328          self.stringBinding = r'ncacn_ip_tcp:%s' % self.machine
   329          self.ts = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')
   330  
   331  
   332  # Process command-line arguments.
   333  if __name__ == '__main__':
   334      import sys
   335      if len(sys.argv) > 1:
   336          testcase = sys.argv[1]
   337          suite = unittest.TestLoader().loadTestsFromTestCase(globals()[testcase])
   338      else:
   339          suite = unittest.TestLoader().loadTestsFromTestCase(TCPTransport)
   340          suite.addTests(unittest.TestLoader().loadTestsFromTestCase(TCPTransport64))
   341      unittest.TextTestRunner(verbosity=1).run(suite)