hhdZddlZddlZddlmZddlmZmZmZm Z m Z m Z m Z m Z mZmZmZmZmZmZmZmZmZmZmZmZddlmZmZmZmZmZddl m!Z!ddl"m#Z#ddl$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*Gd d e+Z,ej-d d ifd Z.dS)z! DCE/RPC client as per [MS-RPCE] N)conf)DceRpc5DceRpc5AlterContextDceRpc5AlterContextResp DceRpc5Auth3 DceRpc5BindDceRpc5BindAckDceRpc5BindNakDceRpc5Context DceRpc5FaultDceRpc5RequestDceRpc5ResponseDceRpc5AbstractSyntaxDceRpc5TransferSyntax DceRpcSocketDCERPC_Transportfind_dcerpc_interfaceCommonAuthVerifierDCE_C_AUTHN_LEVEL NDRPointerNDRContextHandle)SSP GSS_S_FAILUREGSS_S_COMPLETEGSS_S_CONTINUE_NEEDED GSS_C_FLAGS) STATUS_ERREF)SMB_RPC_SOCKET)ept_map_Requestept_map_Responsetwr_p_tprotocol_tower_tprot_and_addr_tUUIDceZdZdZddZeifdZddifd Zd Zd Z d Z d Z dZ dZ dZdZdZdZdZdifdZdZdS) DCERPC_Clientze A basic DCE/RPC client :param ndr64: Should ask for NDR64 when binding (default False) FlittleTc xd|_||_t|ts Jdd|_d|_||_||_||_| dtj |_ | dd|_ | dd|_d|_||_dS)Nz'transport must be from DCERPC_Transportr auth_levelauth_context_idssp)sock transport isinstancercall_idcont_idndr64 ndrendianverbpoprNONEr)r*r+ sspcontext dcesockargs)selfr-r1r2r3kwargss a/mounts/lovelace/software/anaconda3/lib/python3.11/site-packages/scapy/layers/msrpce/rpcclient.py__init__zDCERPC_Client.__init__Ds " '   5 5 4 5 5 5   "  **\3D3IJJ%zz*;Q??::eT**!c ttjfi|}t|fi|x}|_t |t f|j|j|j d|j |_ |S)zJ Build a DCERPC_Client from a SMB_Client.smblink directly r+r)r*) r&rNCACN_NPr smbrpcsockrrr+r)r*r7r,)clssmbcli smb_kwargsr9clientr,s r: from_smblinkzDCERPC_Client.from_smblinkUs /8CCFCC#1&#G#GJ#G#GGv "    ("2        r<Nc Z|G|jtjkrd}n/|jtjkrd}nt d|jzt j}|||jr+td|d|dt|jd| ||f|jrNttj d t|z|jtjkr?tj|fd |ji|x}|_t'|t(fi|j|_dS|jtjkr2t'|t(f|j|j|jd |j|_dSdS) z' Initiate a connection Niz&Can't guess the port for transport: %su┃ Connecting to z on port z via z...u└ Connected from %sr+r>)r-r NCACN_IP_TCPr? ValueErrorsocket settimeoutr3printreprconnectr color_themegreen getsocknamer from_tcpsockr+r@rrr7r,r)r*)r8ipporttimeoutrCr,s r:rOzDCERPC_Client.connectfs <~!1!>>>#3#<<< -6 6 6%3%@&&(&&0&& D4?%T7GGd6FGGDIII ^/< < <$H? $ 4  " DIII= |jr9ttjd|jjz|jt|j t||z fi|}t|vrb|jrIttj d|tj jjz|tj S|jr7t|vr+|tj rNt|tj tjs$|tj |jdkr-ttjdn|jdkr-ttjdn[ttjdt)j|jd z|dS|S) Nz>> REQUEST: %s)r0 alloc_hintz<< RESPONSE: %srF! nca_s_fault_access_denied!:! nca_s_fault_sec_pkg_error (error in checksum/encryption)! %sFailure)r3rMrrPopening __class____name__rbr r0lenrsuccesspayloadr r. raw_layershowstatusfailrget)r8rdr9resps r:sr1_reqzDCERPC_Client.sr1_reqs 9 W $"**+;cm>T+TUU V V Vtx 4> z on z (with %s)) context_elem)r]r) req_flagsF) auth_typer)r* auth_valuer\z+PFC_SUPPORT_HEADER_SIGN)r]r_)valrr[c3,K|]}|jdkVdS)rN)result.0xs r: z&DCERPC_Client._bind..s(OOaAHMOOOOOOr<rNDR32z<< z port 'z' using Tz6reject_reason: %DceRpc5BindNak.provider_reject_reason%z! Bind_nak (%s)rFrirjrkrlrmz ! Failure)@r3rMrrPrnrpr+ror-rr?r)r PKT_INTEGRITYrbrrGSS_Init_sec_contextr6rGSS_C_DCE_STYLEGSS_C_REPLAY_FLAGGSS_C_SEQUENCE_FLAGGSS_C_MUTUAL_FLAGGSS_C_INTEG_FLAG PKT_PRIVACYGSS_C_CONF_FLAGr clifailurerrr*r,sessionsupport_header_signingrr]r LegsAmountrfrrranyresultsintr1r/sec_addr port_specdecoder0rrr sprintfrwrsr.rtrur rvrrx) r8rreqclsrespclsryrvtokenrUndrerr_msgs r:_bindzDCERPC_Client._binds 9   (((%+___ii@EIXU|dh&8&AAASUW    xm  N.7 7 7"3"AAA88D$9$9)$D$DEEE"D$FF.2X-J-J /!34!56"34  ?.?.MMM$44 ?.?.KKK$33  .K.. *DOUF*3^DDD**,,,u88D$9$9)$D$DEEE ?DD+"&("4#'?(,(<#( 3 8/ I-D032 D.d""&261N1NO);)F2O22./@@@&TX00AAAEJJII$&8&*h&8'+,0,@', ''',FF  "9#xx/-1-B-B9-M-M+=*.(*<+/?040D+0 +++ (  #$..%2F!-5%3F!9=9V9V O1C1N:W::6' 0 n $ $4OO4<8M#dj//A:M8M+NOOOOO DL=*1133D)#)5g@Cty0677DLy $,,Jg.JJtJJSJJ ,0?DI  (4y# !T))"llPG$*//0AG0KLLMMM%--/7@  08$.AA@!08==???!T)){j00d.334QRRSSSS 22 ,11!A ,11 &)9$+y)Q)Q Q  #t++ -5>j .6??>!.6;;===$*// <<===IIKKK5r<cD||ttS)z1 Bind the client to an interface )rrr rs r:bindzDCERPC_Client.bindszz)[.AAAr<cD||ttS)z> Alter context: post-bind context negotiation )rrrrs r: alter_contextzDCERPC_Client.alter_contextszz)%8:QRRRr<c|jjjs||dS||dS)zW Bind the client to an interface or alter the context if already bound N)r,rrpc_bind_interfacerrrs r: bind_or_alterzDCERPC_Client.bind_or_altersHy 3 * IIi    y ) ) ) ) )r<cx|jd|_|j|dS)zB Open a certain filehandle with the SMB automaton zIPC$N)r@ tree_connectipc_tid open_pipe)r8names r: open_smbpipezDCERPC_Client.open_smbpipes733F;;  !!$'''''r<c|j|j|j|jdS)z2 Close the previously opened pipe N)r@set_TIDr close_pipetree_disconnectrYs r: close_smbpipezDCERPC_Client.close_smbpipesJ  --- ""$$$ '')))))r<c|jtjkrEt|||j|j}|r |d\}}ndS|||n|jtjkrqt|||j|j|j|}|r|dd}ndS||||| || |dS)z Asks the Endpoint Mapper what address to use to connect to the interface, then uses connect() followed by a bind() )r2r3rN)rU)r-r2r3rCz\pipe\)rUrC) r-rrI get_endpointr2r3rOr?lstriprr)r8rTrrUrC endpointspipenames r:connect_and_bindzDCERPC_Client.connect_and_binds >-: : :%.Y I  $Q<DD LL$L ' ' ' ' ^/8 8 8%..Y% I $Q<..z:: LL$:L > > >   h ' ' ' )r<c|jrd}d}nd}d}|ttdt ddddtdt t ttd d |j |j d|j td d ||dd tdd dd tj tdddd tjtdddd i|jtj tdddd tjtdddd i|jgt!ddd|j|j}|rt$|vr|t$j}|dkrd|t$jjdjD}g}|D]c}|jdj |j kr:|jr,t1t2jdt8|jdd |kr:|jr,t1t2jd!t8|jtj kr9||jdj|jd"jf|jtjkrJ||jd"j d#!e|S|d$krN|jr@|"t1t2jd%t8t1t2jd&|r|"t9d')(z6 Calls ept_map (the EndPoint Manager) rr[r~rrN)Data1Data2Data3Data4) referent_idvalue ) lhs_lengthprotocol_identifierrversion rhs_lengthrhsz RPC connection-oriented protocol)rrrrrIrHr?s0IPz0.0.0.0NCACN_NB s 127.0.0.1)floors)tower_octet_strings) attributesri)obj map_tower entry_handle max_towersr1r2c@g|]}t|jjS)r"rrrs r: z)DCERPC_Client.epm_map..~s5%QW%?@@r<z-! Server answered with a different interface.z%uuid%z/! Server answered with a different NDR version.i֠zU! Server errored: 'There are no elements that satisfy the specified search criteria'.z ! Failure.zEPM Map failed)#r1rzrrr$r!bytesr"r#r major_version minor_versionrrIr?r-rr2r rvITowersrrr3rMrrPrwrJrappendrrstriprru) r8rndr_uuid ndr_versionrdrvtowersrts r:epm_mapzDCERPC_Client.epm_mapsy : HKK HKll  !" % !!+0,$335999! $ 0 5 5$S!"!" )(x{**844@@9! $ 0 5 5$U!"!" )(~)9)FFF!((!(1+/18A;?)KLLLL+;+DDD!((!)?)?)H)H)O)O)Q)QRRR  :%%9HHJJJ(--? !  d##L11222   HHJJJ)***r<)Fr'T)rp __module__ __qualname____doc__r; classmethodrErOrXrbrfrzrrrrrrrrrrr<r:r&r&=sU """""-/[ $Q2))))V 7 7 7 - - -)))V0 0 0 dnnn`BBB SSS * * *(((*** ....`P+P+P+P+P+r<r&r'Tc:t|d||}||||tjkr|d|t d||}||S)z Call the endpoint mapper on a remote IP to find an interface :param ip: :param interface: :param mode: :param verb: :return: a list of connection tuples for this interface F)r1r2r3)rCepmapperept) r&rOrr?rrrrrX)rTrr-r2r3rCrDrs r:rrs$  F  NN2*N---$---J''' KK%e,,---y))I LLNNN r<)/rrrK scapy.configrscapy.layers.dcerpcrrrrrr r r r r rrrrrrrrrrscapy.layers.gssapirrrrrscapy.layers.smb2rscapy.layers.smbclientrscapy.layers.msrpce.eptrr r!r"r#r$objectr&rIrrr<r:rs;  .+***** j +j +j +j +j +Fj +j +j +`+  r<