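# Source: github.com/n00py/Slackor@v0.0.0-20200610224921-d007fcea1740/impacket/tests/SMB_RPC/test_rprn.py
###############################################################################
#  Tested so far:
#
#  RpcOpenPrinterEx
#  hRpcOpenPrinterEx
#  RpcOpenPrinter
#  hRpcOpenPrinter
#  RpcRemoteFindFirstPrinterChangeNotificationEx
#  hRpcRemoteFindFirstPrinterChangeNotificationEx
#  hRpcClosePrinter
#  RpcClosePrinter
#  RpcEnumPrinters
#  hRpcEnumPrinters
#
#  Not yet:
#
# Shouldn't dump errors against a win7
#
# Requirements visible in this file:
#   * a reachable host exposing the \PIPE\spoolss named pipe (MS-RPRN);
#   * a 'dcetests.cfg' file in the current working directory with an
#     [SMBTransport] section providing: username, domain, servername,
#     password, machine, hashes ('LMHASH:NTHASH', or empty to use the
#     password).
#
# dcetests.cfg stores the password / hashes in clear text, so it has to be
# handled as a secret (restrictive file permissions, never committed).
#
################################################################################

from __future__ import division
from __future__ import print_function

import unittest

from six.moves import configparser

from impacket.dcerpc.v5 import rprn
from impacket.dcerpc.v5 import transport
from impacket.dcerpc.v5.dtypes import NULL
from impacket.structure import hexdump


class RPRNTests(unittest.TestCase):
    # Transport-agnostic MS-RPRN test cases. The class is not runnable on its
    # own: subclasses must populate username, password, domain, hashes,
    # machine, stringBinding and ts in setUp() before any test calls connect().

    def _load_target(self):
        """Read the target and credentials from dcetests.cfg into attributes.

        Both transport subclasses read the same [SMBTransport] section, so the
        lookup lives here instead of being duplicated in each setUp().
        """
        configFile = configparser.ConfigParser()
        configFile.read('dcetests.cfg')
        self.username = configFile.get('SMBTransport', 'username')
        self.domain = configFile.get('SMBTransport', 'domain')
        self.serverName = configFile.get('SMBTransport', 'servername')
        self.password = configFile.get('SMBTransport', 'password')
        self.machine = configFile.get('SMBTransport', 'machine')
        self.hashes = configFile.get('SMBTransport', 'hashes')
        self.stringBinding = r'ncacn_np:%s[\PIPE\spoolss]' % self.machine

    def _server_unc(self):
        """Return the NUL-terminated UNC name ('\\\\machine') of the target."""
        return '\\\\%s\x00' % self.machine

    def _fill_client_info(self, container):
        """Populate a SPLCLIENT_CONTAINER in place with a level 1 client info.

        `container` is either a standalone rprn.SPLCLIENT_CONTAINER or the
        'pClientInfo' member of an RpcOpenPrinterEx request.
        """
        container['Level'] = 1
        container['ClientInfo']['tag'] = 1
        info = container['ClientInfo']['pClientInfo1']
        # presumably the byte size of SPLCLIENT_INFO_1 -- confirm against MS-RPRN
        info['dwSize'] = 28
        info['pMachineName'] = '%s\x00' % self.machine
        info['pUserName'] = '%s\\%s\x00' % (self.domain, self.username)
        info['dwBuildNum'] = 0x0
        info['dwMajorVersion'] = 0x00000000
        info['dwMinorVersion'] = 0x00000000
        # 0x0009 is PROCESSOR_ARCHITECTURE_AMD64
        info['wProcessorArchitecture'] = 0x0009

    def connect(self):
        """Open a DCERPC connection to the spooler and bind to MS-RPRN.

        Returns a (dce, rpctransport) tuple. The connection is registered for
        cleanup so it is torn down when the test ends, whether it passed or
        failed; previously every test leaked its SMB session.
        """
        rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
        if self.hashes:
            # Expected format is 'LMHASH:NTHASH'; anything else raises
            # ValueError here rather than authenticating with a bad value.
            lmhash, nthash = self.hashes.split(':')
        else:
            lmhash = ''
            nthash = ''
        if hasattr(rpctransport, 'set_credentials'):
            # This method exists only for selected protocol sequences.
            rpctransport.set_credentials(self.username, self.password, self.domain, lmhash, nthash)
        dce = rpctransport.get_dce_rpc()
        # NOTE(review): no RPC-level auth level is set here (upstream left a
        # set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) call disabled), so
        # integrity of the PDUs presumably rests on the SMB session only.
        dce.connect()
        self.addCleanup(dce.disconnect)
        dce.bind(rprn.MSRPC_UUID_RPRN, transfer_syntax=self.ts)

        return dce, rpctransport

    def test_RpcEnumPrinters(self):
        dce, rpctransport = self.connect()
        # First call with no buffer: the server is expected to answer
        # ERROR_INSUFFICIENT_BUFFER and report the size it needs.
        request = rprn.RpcEnumPrinters()
        request['Flags'] = rprn.PRINTER_ENUM_LOCAL
        request['Name'] = NULL
        request['pPrinterEnum'] = NULL
        request['Level'] = 1
        request.dump()
        bytesNeeded = 0
        try:
            resp = dce.request(request)
            resp.dump()
        except rprn.DCERPCSessionError as e:
            if 'ERROR_INSUFFICIENT_BUFFER' not in str(e):
                raise
            bytesNeeded = e.get_packet()['pcbNeeded']

        # Second call with a buffer of exactly the advertised size.
        request = rprn.RpcEnumPrinters()
        request['Flags'] = rprn.PRINTER_ENUM_LOCAL
        request['Name'] = NULL
        request['Level'] = 1

        request['cbBuf'] = bytesNeeded
        request['pPrinterEnum'] = b'a' * bytesNeeded

        request.dump()
        resp = dce.request(request)
        resp.dump()
        hexdump(b''.join(resp['pPrinterEnum']))

    def test_hRpcEnumPrinters(self):
        dce, rpctransport = self.connect()
        resp = rprn.hRpcEnumPrinters(dce, rprn.PRINTER_ENUM_LOCAL, NULL, 1)
        hexdump(b''.join(resp['pPrinterEnum']))

    def test_RpcOpenPrinter(self):
        dce, rpctransport = self.connect()
        request = rprn.RpcOpenPrinter()
        request['pPrinterName'] = self._server_unc()
        request['pDatatype'] = NULL
        request['pDevModeContainer']['pDevMode'] = NULL
        request['AccessRequired'] = rprn.SERVER_READ
        request.dump()
        resp = dce.request(request)
        resp.dump()

    def test_RpcClosePrinter(self):
        dce, rpctransport = self.connect()

        request = rprn.RpcOpenPrinter()
        request['pPrinterName'] = self._server_unc()
        request['pDatatype'] = NULL
        request['pDevModeContainer']['pDevMode'] = NULL
        request['AccessRequired'] = rprn.SERVER_READ
        request.dump()
        resp = dce.request(request)
        resp.dump()

        # Close the handle that the open call just returned.
        request = rprn.RpcClosePrinter()
        request['phPrinter'] = resp['pHandle']
        request.dump()
        resp = dce.request(request)
        resp.dump()

    def test_hRpcOpenPrinter(self):
        dce, rpctransport = self.connect()
        resp = rprn.hRpcOpenPrinter(dce, self._server_unc())
        resp.dump()

    def test_hRpcClosePrinter(self):
        dce, rpctransport = self.connect()
        resp = rprn.hRpcOpenPrinter(dce, self._server_unc())
        resp.dump()
        resp = rprn.hRpcClosePrinter(dce, resp['pHandle'])
        resp.dump()

    def test_RpcOpenPrinterEx(self):
        dce, rpctransport = self.connect()
        request = rprn.RpcOpenPrinterEx()
        request['pPrinterName'] = self._server_unc()
        request['pDatatype'] = NULL
        request['AccessRequired'] = rprn.SERVER_READ
        request['pDevModeContainer']['pDevMode'] = NULL
        self._fill_client_info(request['pClientInfo'])
        request.dump()
        resp = dce.request(request)
        resp.dump()

    def test_hRpcOpenPrinterEx(self):
        dce, rpctransport = self.connect()
        clientInfo = rprn.SPLCLIENT_CONTAINER()
        self._fill_client_info(clientInfo)

        resp = rprn.hRpcOpenPrinterEx(dce, self._server_unc(), pClientInfo=clientInfo)
        resp.dump()

    def test_RpcRemoteFindFirstPrinterChangeNotificationEx(self):
        dce, rpctransport = self.connect()

        # This open asks for administrative access on the print server, so the
        # configured account presumably needs those rights for it to succeed.
        request = rprn.RpcOpenPrinter()
        request['pPrinterName'] = self._server_unc()
        request['pDatatype'] = NULL
        request['pDevModeContainer']['pDevMode'] = NULL
        request['AccessRequired'] = rprn.SERVER_READ | rprn.SERVER_ALL_ACCESS | rprn.SERVER_ACCESS_ADMINISTER
        request.dump()
        resp = dce.request(request)
        resp.dump()

        # Per MS-RPRN, pszLocalMachine names the client the print server sends
        # change notifications back to, i.e. the server initiates a connection
        # to that host. The test points it at the target itself. Use of this
        # call on \PIPE\spoolss is commonly monitored, and the Print Spooler is
        # commonly disabled on hosts that do not need it.
        request = rprn.RpcRemoteFindFirstPrinterChangeNotificationEx()
        request['hPrinter'] = resp['pHandle']
        request['fdwFlags'] = rprn.PRINTER_CHANGE_ADD_JOB
        request['pszLocalMachine'] = self._server_unc()
        request['pOptions'] = NULL
        request.dump()
        try:
            resp = dce.request(request)
            resp.dump()
        except Exception as e:
            # ERROR_INVALID_HANDLE is tolerated; any other failure is a real
            # test error. NOTE(review): the match is on the exception text, so
            # it depends on impacket's error formatting.
            if 'ERROR_INVALID_HANDLE' not in str(e):
                raise

    def test_hRpcRemoteFindFirstPrinterChangeNotificationEx(self):
        dce, rpctransport = self.connect()

        resp = rprn.hRpcOpenPrinter(dce, self._server_unc())

        # Same call as the non-helper test above, with the same tolerance for
        # ERROR_INVALID_HANDLE.
        try:
            resp = rprn.hRpcRemoteFindFirstPrinterChangeNotificationEx(
                dce, resp['pHandle'], rprn.PRINTER_CHANGE_ADD_JOB,
                pszLocalMachine=self._server_unc())
            resp.dump()
        except Exception as e:
            if 'ERROR_INVALID_HANDLE' not in str(e):
                raise


class SMBTransport(RPRNTests):
    # Runs the suite over ncacn_np using the NDR (32-bit) transfer syntax.
    def setUp(self):
        RPRNTests.setUp(self)
        self._load_target()
        self.ts = ('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0')
        # Not read anywhere in this file; kept so the attribute still exists.
        self.rrpStarted = False


class SMBTransport64(RPRNTests):
    # Runs the suite over ncacn_np using the NDR64 transfer syntax. It reads
    # the same [SMBTransport] config section as SMBTransport.
    def setUp(self):
        RPRNTests.setUp(self)
        self._load_target()
        self.ts = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')


# Process command-line arguments.
if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:
        # The optional argument is the name of a test case class in this module.
        testcase = sys.argv[1]
        suite = unittest.TestLoader().loadTestsFromTestCase(globals()[testcase])
    else:
        suite = unittest.TestLoader().loadTestsFromTestCase(SMBTransport)
        suite.addTests(unittest.TestLoader().loadTestsFromTestCase(SMBTransport64))
    result = unittest.TextTestRunner(verbosity=1).run(suite)
    # Propagate failures through the exit status so that scripts and CI jobs
    # can detect them; the runner's result used to be discarded.
    sys.exit(0 if result.wasSuccessful() else 1)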