h:dZddlZddlZddlmZddlmZmZddlm Z m Z m Z m Z m Z mZmZmZmZmZddlmZmZmZmZmZmZmZmZmZmZmZmZm Z m!Z!m"Z"m#Z#m$Z$ddl%m&Z&m'Z'ddl(m)Z)m*Z*m+Z+m,Z,dJd Z-dJd Z.ej/d Z0ej/d Z1ej/dZ2ej/dZ3ej/dZ4ej/dZ5ej/dZ6ej/dZ7ej/dZ8ej/dZ9ej/dZ:ej/dZ;ej/dZ<ej/dZ=ej/dZ>ej/dZ?ej/dZ@ej/dZAGddeZBGdd eZCGd!d"eZDGd#d$eZEGd%d&eZFGd'd(eZGGd)d*eZHGd+d,eZIGd-d.eZJGd/d0eZKd1ZLGd2d3eZMGd4d5eZNGd6d7eZOGd8d9eZPGd:d;e!ZQGd<d=eZRGd>d?eZSGd@dAeZTGdBdCeZUGdDdEeZVeeSeTdFGGdHdIe&ZWdS)Kzw [MS-DCOM] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dcom/4a893f3d-bd29-48cd-9f43-d9777a4415b0 N)conf)Packet bind_layers) ConditionalField LEIntFieldLEShortEnumField LEShortField PacketFieldPacketListFieldStrNullFieldUtf16 UUIDFieldXStrFixedLenField XShortField)NDRFieldListField NDRIntField NDRLongField NDRPacketNDRPacketFieldNDRFullPointerFieldNDRConfPacketListFieldNDRConfFieldListFieldNDRConfStrLenFieldUtf16NDRConfVarStrNullFieldUtf16 NDRShortFieldNDRSignedIntFieldNDRSerializeType1PacketField NDRSerializeType1PacketListFieldndr_deserialize1find_dcerpc_interface RPC_C_AUTHN) DCERPC_ClientDCERPC_Transport) COMVERSIONGUIDServerAlive2_RequestMInterfacePointerlittlec|dkrtj|jS|dkrtj|jSt d)Nr'big bad ndrendian)uuidUUIDbytes_lebytes ValueErrorx ndrendians ^/mounts/lovelace/software/anaconda3/lib/python3.11/site-packages/scapy/layers/msrpce/msdcom.py _uid_to_bytesr4:sHHy||$$ e  y||!!)))c|dkrtj|S|dkrtj|Std)Nr')r-r))r.r*)r+r,r/r0s r3_uid_from_bytesr7CsLHy!$$$$ e  yq!!!!)))r5z$000001a5-0000-0000-c000-000000000046z$00000338-0000-0000-c000-000000000046z$00000339-0000-0000-c000-000000000046z$00000334-0000-0000-c000-000000000046z$0000033b-0000-0000-c000-000000000046z$0000031c-0000-0000-c000-000000000046z$0000031b-0000-0000-c000-000000000046z$000001ad-0000-0000-c000-000000000046z$000001ab-0000-0000-c000-000000000046z$000001b6-0000-0000-c000-000000000046z$000001aa-0000-0000-c000-000000000046z$000001a6-0000-0000-c000-000000000046z$000001a4-0000-0000-c000-000000000046z$000001b9-0000-0000-c000-000000000046z$000001A2-0000-0000-C000-000000000046z$000001A3-0000-0000-C000-000000000046z$000001c0-0000-0000-C000-000000000046c0eZdZdZedeeeddeddeddeddeddee d eged d eddede e g Z dS)InstantiationInfoDataclassIdclassCtxr actvflags fIsSurrogatecIIDinstFlagpIIDc|jSN)rApkts r3zInstantiationInfoData.rsxr5 count_fromTdeferredthisSizeclientCOMVersionN) __name__ __module__ __qualname__ ALIGNMENTrr$rrrrr# fields_descr5r3r9r9gsIy$$&&$// J"" K##.!,, FA J"" " "$3G3G        J"")::<<DDKKKr5r9cLeZdZdZeddeddeddeddeddedeeed ded ded ded ded de dgedddg Z dS)SpecialPropertiesDatar<r< dwSessionIdrfRemoteThisSessionIdfClientImpersonatingfPartitionIDPresentdwDefaultAuthnLvl guidPartition dwPRTFlags dwOrigClsctxdwFlags Reserved1 Reserved2 Reserved3cdS)NrU)_s r3rHzSpecialPropertiesData.sTUr5rJN) rPrQrRrSrrrr$rrrTrUr5r3rWrW~sI M1%%0!440!44/33 '++55 L!$$ NA&& Iq!! K## [!$$+r;;r1+=+=++VVV KKKr5rWc eZdZdZeedddeddeedeedeed eedgZ d S) InstanceInfoDatar:fileNamereTrLmoderifdROTifdStgN) rPrQrRrSrrrrr&rTrUr5r3rjrjsI77 BGGRVWWW FA N8%6%6%8%8:K L L     N8%6%6%8%8:K L L    KKKr5rjc teZdZdZeddeddeedddd gZd S) customREMOTE_REQUEST_SCM_INFOr:ClientImpLevelrcRequestedProtseqspRequestedProtseqsrec|jSrE)rrrFs r3rHz&customREMOTE_REQUEST_SCM_INFO.s #BXr5 length_fromTrLN) rPrQrRrSrrrrrTrUr5r3rprpstI $a(( *A.. # #$b6X6X        KKKr5rpceZdZdZeedddeedeedgZdS)ScmRequestInfoDatar: pdwReservedrTrL remoteRequestN) rPrQrRrSrrrrprTrUr5r3rxrxstIKK q99DIII N--//-        KKKr5rxc eZdZdZeddeddeddeddeedeed eed eed gZ d S) ActivationContextInfoDatar:clientOKr bReserved1 dwReserved1 dwReserved2 pIFDClientCtxTrLpIFDPrototypeCtxN) rPrQrRrSrrrrr&rTrUr5r3r|r|sI*a((,** M1%% M1%% N?,=,=,?,?AR S S     N-/@/@/B/BDU V V    KKKr5r|ceZdZdZeedddeddedded dgZd S) LocationInfoDatar: machineNamereTrL processIdr apartmentId contextIdN)rPrQrRrSrrrrTrUr5r3rrspI ' ' r : :T     K## M1%% K## KKKr5rceZdZdZeddeedddeeddded dgZd S) COSERVERINFOr:rrpwszNamereTrLryrN)rPrQrRrSrrrrTrUr5r3rrsyI M1%%77 BGGRVWWWKK q99DIII M1%% KKKr5rceZdZdZeddeedeedeedddgZdS) SecurityInfoDatar: dwAuthnFlagsr pServerInfoTrLryN) rPrQrRrSrrrrrTrUr5r3rrsyI NA&& N=,,.., G GRV    KK q99DIII KKKr5rcbeZdZdZdZeddeddeddd gZd S) DUALSTRINGARRAYr: wNumEntriesrwSecurityOffset aStringArrayrec|jSrE)rrFs r3rHzDUALSTRINGARRAY. sr5ruN)rPrQrRrSCONFORMANT_COUNTrrrTrUr5r3rrs_I mQ'' '++ B,G,G   KKKr5rc&tdgt}tdgt}|||jd|jdzd}|||j|jdzdd}||fS)z Process aStringArray reNr)r STRINGBINDINGSECURITYBINDINGgetfieldrr)selfstr_fldsec_fldstringsecss r3_parseStringArrayrsb"m44Gb"o66G   dD$56P8Lq8P6P$Q R RST UF   D$"3D4H14L4N4N"O P PQR SD 4<r5c eZdZdZeddeedeededeee dded e e gZ d S) customREMOTE_REPLY_SCM_INFOrXOxidrpdsaOxidBindingsTrLipidRemUnknown authnHint serverVersionN) rPrQrRrSrrrrr$rr#rTrUr5r3rrsI VQ N-/@/@/ R R    '66 K## jAA KKKr5rceZdZdZeedddeedeedgZdS)ScmReplyInfoDatar:ryrTrL remoteReplyN) rPrQrRrSrrrrrTrUr5r3rr'stIKK q99DIII N++--+        KKKr5rc eZdZdZeddeedegeddeed ge d dd deed e ge d dgZ dS) PropsOutInfor:cIfsrpiidc|jSrErrFs r3rHzPropsOutInfo.?rIr5rJTrL phresultsrec|jSrErrFs r3rHzPropsOutInfo.Hsxr5 ppIntfDatac|jSrErrFs r3rHzPropsOutInfo.Qrr5N) rPrQrRrSrrrr$rrr&rTrUr5r3rr9sI FA " "$3G3G        ! !!!"a((//          " """$$%!//        #KKKr5rcfeZdZdZeddeddeddeddeddedeeeed eged d ee dgeddd d eeddd g Z dS) CustomHeaderr: totalSizer headerSize dwReserveddestCtxrclassInfoClsidpclsidc|jSrErrFs r3rHzCustomHeader.fsr5rJTrLpSizesrec|jSrErrFs r3rHzCustomHeader.lsr5ryN) rPrQrRrSrrr$rrrrTrUr5r3rr[s,I K## L!$$ L!$$ Iq!! FA'66 " "4466(D5I5I        ! !"kk"a00=Q=Q       KK q99DIII'KKKr5rc$eZdZfdZdZxZS)_ActivationPropertiesFieldc\|j|d<tt|j|i|dS)N next_cls_cb)_get_cls_activationsuperr__init__rargskwargs __class__s r3rz#_ActivationPropertiesField.__init__us9 $ 8}8($//8$I&IIIIIr5c |jjjjj}|jjj}t |t t|z}|t |krdSt|||}tttttttt t"t$t&t(t*t,t.t0t2t4i | fdS)N)r2c(t|dS)NFndr64)r)r1clss r3rHz@_ActivationPropertiesField._get_cls_activation..s)!S>>>r5)rdatarvaluer2lenintboolr7CLSID_ActivationContextInfor|CLSID_InstanceInforjCLSID_InstantiationInfor9CLSID_PropsOutInforCLSID_ScmReplyInforCLSID_ScmRequestInforxCLSID_SecurityInforCLSID_ServerLocationInforCLSID_SpecialSystemPropertiesrW) rrGlstcurremainrr2inext_uidrs @r3rz._ActivationPropertiesField._get_cls_activationzs!&-39$)3 HHs499~~ % F   F"6!9 BBB ()B  0 #%:   0 "4  0 $&6 )+@    ?>>>>r5)rPrQrRrr __classcell__rs@r3rrtsLJJJJJ ???????r5rceZdZeddeddedeeedggZdZdS)ActivationPropertiesBlobdwSizerrrPropertyctjSrEr padding_layerrpayloads r3default_payload_classz.ActivationPropertiesBlob.default_payload_class !!r5N) rPrQrRrrrrrTrrUr5r3rrsp 8Q <##$$^\\^^\RR"":r22 K"""""r5rc\eZdZedddeddededgZdS) OBJREF signaturesMEOWr;)lengthflagsiidN)rPrQrRrrIID_IActivationPropertiesInrTrUr5r3rrsO+wq999 7D!!%!scmr5 aPrincNamerec|jSrEr rFs r3rHzSECURITYBINDING.sS]r5ctjSrErrs r3rz%SECURITYBINDING.default_payload_classrr5N) rPrQrRrr rrr rTrrUr5r3rrsa55Z88:S:STT  lB / /1J1J  K"""""r5rr;)rc4eZdZdZdfd ZfdZdZxZS) DCOM_Clienta_ A wrapper of DCERPC_Client that adds functions to use COM interfaces. In this client, the DCE/RPC is abstracted to allow to focus on the upper DCOM one. DCE/RPC interfaces are bound automatically and ORPCTHIS/ORPCTHAT automatically added/extracted. It also provides common handlers for the few [MS-DCOM] special interfaces. Tc dtt|jtjfd|d|dS)NF)rverb)rrrr" NCACN_IP_TCP)rrrrs r3rzDCOM_Client.__init__sK)k4  )  ) 16T  EK     r5ct|ddtt|j|i|dS)Nport) setdefaultrrconnectrs r3rzDCOM_Client.connectsA&#&&&(k4  ($9&99999r5c|td|td}t |jj\}}tjdddg}g}g}|D](}|j dkr| |j )|D]?}| | d|j r d |j zpd @|||S) z4 Call IObjectExporter::ServerAlive2 IObjectExporterFr DCOMResults addressessspsrz %wAuthnSvc%z%s/re) bind_or_alterrsr1_reqr%rppdsaOrBindingsr collections namedtuplerappendrsprintfr )rrespbindsrrrrbs r3 ServerAlive2zDCOM_Client.ServerAlive2s 01BCCDDD||0u===>>'(<(BCC t!,][&r6s   ,,,,,,,,                        &JIIIIIII********(di(NOO(ty)OPP ) *P Q Q#$)$JKK"#IJJ! "HIIDIDEETYEFF#$)$JKKTYEFFTYEFF ty!GHHTYEFF$49%KLL ) *P Q Q(di(NOO(ty)OPPty?@@ I.I*     y   &     I           $ *     y   9y     i        )        y   $9D92?????!A???8 " " " " "v " " "VF"""""F""" " " " " "f " " " FM++++*,*,*,*,*,-*,*,*,*,*,r5