masthoon/lsass.py

## lsass.py
import windows.rpc
from windows.rpc import ndr
import windows.generated_def as gdef
import ctypes


class PLSAPR_OBJECT_ATTRIBUTES(ndr.NdrStructure):
    MEMBERS = [ndr.NdrLong,
                ndr.NdrUniquePTR(ndr.NdrWString),
                ndr.NdrUniquePTR(ndr.NdrLong), # We dont care of the subtype as we will pass None
                ndr.NdrLong,
                ndr.NdrUniquePTR(ndr.NdrLong), # We dont care of the subtype as we will pass None
                ndr.NdrUniquePTR(ndr.NdrLong)] # We dont care of the subtype as we will pass None

## From: RPCVIEW
# long Proc44_LsarOpenPolicy2(
# 	[in][unique][string] wchar_t* arg_0,
# 	[in]struct Struct_364_t* arg_1,
# 	[in]long arg_2,
# 	[out][context_handle] void** arg_3);

# This function has a [out][context_handle] meaning it return a context_handle
# Context handle are represented by 5 NdrLong where the first one is always 0
# PythonForWindows represent context_handle using NdrContextHandle
class LsarOpenPolicy2Parameter(ndr.NdrParameters):
    MEMBERS = [ndr.NdrUniquePTR(ndr.NdrWString),
                PLSAPR_OBJECT_ATTRIBUTES,
                ndr.NdrLong]

## From: RPCVIEW
# long Proc2_LsarEnumeratePrivileges(
# 	[in][context_handle] void* arg_0,
# 	[in][out]long *arg_1,
# 	[out]struct Struct_110_t* arg_2,
# 	[in]long arg_3);

# This function has a [in][context_handle] meaning it expect a context_handle
# We can pass the NdrContextHandle returned by Proc44_LsarOpenPolicy2
class LsarEnumeratePrivilegesParameter(ndr.NdrParameters):
    MEMBERS = [ndr.NdrContextHandle,
                ndr.NdrLong,
                ndr.NdrLong]

#  NTSTATUS LsarEnumerateAccounts(  [Opnum 11]
#    [in] LSAPR_HANDLE PolicyHandle,
#    [in] [out] unsigned long *EnumerationContext,
#    [out] PLSAPR_ACCOUNT_ENUM_BUFFER EnumerationBuffer,
#    [in] unsigned long PreferedMaximumLength
#  );

class LsarEnumerateAccountsParameter(ndr.NdrParameters):
    MEMBERS = [ndr.NdrContextHandle,
                ndr.NdrLong,
                ndr.NdrLong]

#  NTSTATUS LsarEnumerateAccountRights( [Opum 36]
#    [in] LSAPR_HANDLE PolicyHandle,
#    [in] PRPC_SID AccountSid,
#    [out] PLSAPR_USER_RIGHT_SET UserRights
#  );
class LsarEnumerateAccountRightsParameter(ndr.NdrParameters):
    MEMBERS = [ndr.NdrContextHandle,
                ndr.NdrSID]


class LSAPR_POLICY_PRIVILEGE_DEF(object):
    @classmethod
    def unpack(cls, stream):
        size1 = ndr.NdrShort.unpack(stream)
        ptr = ndr.NdrShort.unpack(stream)
        size2 = ndr.NdrLong.unpack(stream)
        luid = ndr.NdrHyper.unpack(stream)
        return ptr, luid


class LSAPR_PRIVILEGE_ENUM_BUFFER(object):
    @classmethod
    def unpack(cls, stream):
        entries = ndr.NdrLong.unpack(stream)
        array_size = ndr.NdrLong.unpack(stream)
        array_ptr = ndr.NdrLong.unpack(stream)
        # Unpack pointed array
        array_size2 = ndr.NdrLong.unpack(stream)
        assert array_size == array_size2
        x = []
        # unpack each elements LSAPR_POLICY_PRIVILEGE_DEF
        for i in range(array_size2):
            ptr, luid = LSAPR_POLICY_PRIVILEGE_DEF.unpack(stream)
            if ptr:
                x.append(luid)
        # unpack pointed strings
        result = []
        for luid in x:
            name = ndr.NdrWcharConformantVaryingArrays.unpack(stream)
            result.append((luid, name))
        return result


class LSAPR_ACCOUNT_ENUM_BUFFER(object):
    @classmethod
    def unpack(cls, stream):
        entries = ndr.NdrLong.unpack(stream)
        array_size = ndr.NdrLong.unpack(stream)
        array_ptr = ndr.NdrLong.unpack(stream)
        # Unpack pointed array
        array_size2 = ndr.NdrLong.unpack(stream)
        assert array_size == array_size2
        x = []
        # unpack each elements
        for i in range(array_size2):
            ptr = ndr.NdrLong.unpack(stream)
            if ptr:
                x.append(ptr)
        # unpack pointed SID
        result = []
        for ptr in x:
            sid = ndr.NdrSID.unpack(stream)
            # Convert to PSID
            s = ctypes.create_string_buffer(sid)
            sid = gdef.PSID(ctypes.addressof(s))
            sid.raw = s # keep reference on string_buffer
            result.append(sid)
        return result


class RPC_UNICODE_STRING(object):
    @classmethod
    def unpack(cls, stream):
        length = ndr.NdrShort.unpack(stream)
        max_length = ndr.NdrShort.unpack(stream)
        ptr = ndr.NdrLong.unpack(stream)
        return ptr


class LSAPR_USER_RIGHT_SET(object):
    @classmethod
    def unpack(cls, stream):
        entries = ndr.NdrLong.unpack(stream)
        array_ptr = ndr.NdrLong.unpack(stream)
        # Unpack pointed array
        array_size2 = ndr.NdrLong.unpack(stream)
        if entries != array_size2:
            # error raise(windows.winproxy.error.NtStatusException(array_size2))
            return []
        x = []
        # unpack each elements RPC_UNICODE_STRING
        for i in range(array_size2):
            ptr = RPC_UNICODE_STRING.unpack(stream)
            if ptr:
                x.append(ptr)
        # unpack pointed strings
        result = []
        for ptr in x:
            name = ndr.NdrWcharConformantVaryingArrays.unpack(stream)
            result.append(name)
        return result


# Actual code

## LSASS alpc endpoints is fixed, no need for the epmapper
client = windows.rpc.RPCClient(r"\RPC Control\lsasspirpc")
## Bind to the desired interface
iid = client.bind('12345778-1234-abcd-ef00-0123456789ab', version=(0,0))

## Craft parameters and call 'LsarOpenPolicy2'
params = LsarOpenPolicy2Parameter.pack([None, (0, None, None, 0, None, None), 0x20000000])
res = client.call(iid, 44, params)
## Unpack the resulting handle
handle = ndr.NdrContextHandle.unpack(ndr.NdrStream(res))

# As context_handle have 4 NdrLong of effective data
# We can represent them as GUID
# NdrContextHandle is just a wrapper packing/unpacking GUID and taking
# care of the leading NdrLong(0) in the actual ndr representation of context_handle
print("Context Handle is: {0}\n".format(handle))

## Craft parameters and call 'LsarEnumeratePrivileges'
x = LsarEnumeratePrivilegesParameter.pack([handle, 0, 10000]);
res = client.call(iid, 2, x)

print("Privileges:")
## Unpack the resulting 'LSAPR_PRIVILEGE_ENUM_BUFFER'
priviledges = LSAPR_PRIVILEGE_ENUM_BUFFER.unpack(ndr.NdrStream(res))
for priv in priviledges:
    print priv

# Helper function
def enumerate_account_rights(handle, sid):
    x = LsarEnumerateAccountRightsParameter.pack([handle, sid])
    res = client.call(iid, 36, x)
    return LSAPR_USER_RIGHT_SET.unpack(ndr.NdrStream(res))

## Craft parameters and call 'LsarEnumerateAccounts'
x = LsarEnumerateAccountsParameter.pack([handle, 0, 10000])
res = client.call(iid, 11, x)

## Unpack the resulting 'LSAPR_ACCOUNT_ENUM_BUFFER'
users = LSAPR_ACCOUNT_ENUM_BUFFER.unpack(ndr.NdrStream(res))

print("Users & Rights:")
for user in users:
    print "- {0}\\{1}".format(*windows.utils.lookup_sid(user))
    for right in enumerate_account_rights(handle, user):
        print "\t[*] {}".format(right)
	import windows.rpc
	from windows.rpc import ndr
	import windows.generated_def as gdef
	import ctypes


	class PLSAPR_OBJECT_ATTRIBUTES(ndr.NdrStructure):
	MEMBERS = [ndr.NdrLong,
	ndr.NdrUniquePTR(ndr.NdrWString),
	ndr.NdrUniquePTR(ndr.NdrLong), # We dont care of the subtype as we will pass None
	ndr.NdrLong,
	ndr.NdrUniquePTR(ndr.NdrLong), # We dont care of the subtype as we will pass None
	ndr.NdrUniquePTR(ndr.NdrLong)] # We dont care of the subtype as we will pass None

	## From: RPCVIEW
	# long Proc44_LsarOpenPolicy2(
	# [in][unique][string] wchar_t* arg_0,
	# [in]struct Struct_364_t* arg_1,
	# [in]long arg_2,
	# [out][context_handle] void** arg_3);

	# This function has a [out][context_handle] meaning it return a context_handle
	# Context handle are represented by 5 NdrLong where the first one is always 0
	# PythonForWindows represent context_handle using NdrContextHandle
	class LsarOpenPolicy2Parameter(ndr.NdrParameters):
	MEMBERS = [ndr.NdrUniquePTR(ndr.NdrWString),
	PLSAPR_OBJECT_ATTRIBUTES,
	ndr.NdrLong]

	## From: RPCVIEW
	# long Proc2_LsarEnumeratePrivileges(
	# [in][context_handle] void* arg_0,
	# [in][out]long *arg_1,
	# [out]struct Struct_110_t* arg_2,
	# [in]long arg_3);

	# This function has a [in][context_handle] meaning it expect a context_handle
	# We can pass the NdrContextHandle returned by Proc44_LsarOpenPolicy2
	class LsarEnumeratePrivilegesParameter(ndr.NdrParameters):
	MEMBERS = [ndr.NdrContextHandle,
	ndr.NdrLong,
	ndr.NdrLong]

	# NTSTATUS LsarEnumerateAccounts( [Opnum 11]
	# [in] LSAPR_HANDLE PolicyHandle,
	# [in] [out] unsigned long *EnumerationContext,
	# [out] PLSAPR_ACCOUNT_ENUM_BUFFER EnumerationBuffer,
	# [in] unsigned long PreferedMaximumLength
	# );

	class LsarEnumerateAccountsParameter(ndr.NdrParameters):
	MEMBERS = [ndr.NdrContextHandle,
	ndr.NdrLong,
	ndr.NdrLong]

	# NTSTATUS LsarEnumerateAccountRights( [Opum 36]
	# [in] LSAPR_HANDLE PolicyHandle,
	# [in] PRPC_SID AccountSid,
	# [out] PLSAPR_USER_RIGHT_SET UserRights
	# );
	class LsarEnumerateAccountRightsParameter(ndr.NdrParameters):
	MEMBERS = [ndr.NdrContextHandle,
	ndr.NdrSID]


	class LSAPR_POLICY_PRIVILEGE_DEF(object):
	@classmethod
	def unpack(cls, stream):
	size1 = ndr.NdrShort.unpack(stream)
	ptr = ndr.NdrShort.unpack(stream)
	size2 = ndr.NdrLong.unpack(stream)
	luid = ndr.NdrHyper.unpack(stream)
	return ptr, luid


	class LSAPR_PRIVILEGE_ENUM_BUFFER(object):
	@classmethod
	def unpack(cls, stream):
	entries = ndr.NdrLong.unpack(stream)
	array_size = ndr.NdrLong.unpack(stream)
	array_ptr = ndr.NdrLong.unpack(stream)
	# Unpack pointed array
	array_size2 = ndr.NdrLong.unpack(stream)
	assert array_size == array_size2
	x = []
	# unpack each elements LSAPR_POLICY_PRIVILEGE_DEF
	for i in range(array_size2):
	ptr, luid = LSAPR_POLICY_PRIVILEGE_DEF.unpack(stream)
	if ptr:
	x.append(luid)
	# unpack pointed strings
	result = []
	for luid in x:
	name = ndr.NdrWcharConformantVaryingArrays.unpack(stream)
	result.append((luid, name))
	return result


	class LSAPR_ACCOUNT_ENUM_BUFFER(object):
	@classmethod
	def unpack(cls, stream):
	entries = ndr.NdrLong.unpack(stream)
	array_size = ndr.NdrLong.unpack(stream)
	array_ptr = ndr.NdrLong.unpack(stream)
	# Unpack pointed array
	array_size2 = ndr.NdrLong.unpack(stream)
	assert array_size == array_size2
	x = []
	# unpack each elements
	for i in range(array_size2):
	ptr = ndr.NdrLong.unpack(stream)
	if ptr:
	x.append(ptr)
	# unpack pointed SID
	result = []
	for ptr in x:
	sid = ndr.NdrSID.unpack(stream)
	# Convert to PSID
	s = ctypes.create_string_buffer(sid)
	sid = gdef.PSID(ctypes.addressof(s))
	sid.raw = s # keep reference on string_buffer
	result.append(sid)
	return result


	class RPC_UNICODE_STRING(object):
	@classmethod
	def unpack(cls, stream):
	length = ndr.NdrShort.unpack(stream)
	max_length = ndr.NdrShort.unpack(stream)
	ptr = ndr.NdrLong.unpack(stream)
	return ptr


	class LSAPR_USER_RIGHT_SET(object):
	@classmethod
	def unpack(cls, stream):
	entries = ndr.NdrLong.unpack(stream)
	array_ptr = ndr.NdrLong.unpack(stream)
	# Unpack pointed array
	array_size2 = ndr.NdrLong.unpack(stream)
	if entries != array_size2:
	# error raise(windows.winproxy.error.NtStatusException(array_size2))
	return []
	x = []
	# unpack each elements RPC_UNICODE_STRING
	for i in range(array_size2):
	ptr = RPC_UNICODE_STRING.unpack(stream)
	if ptr:
	x.append(ptr)
	# unpack pointed strings
	result = []
	for ptr in x:
	name = ndr.NdrWcharConformantVaryingArrays.unpack(stream)
	result.append(name)
	return result


	# Actual code

	## LSASS alpc endpoints is fixed, no need for the epmapper
	client = windows.rpc.RPCClient(r"\RPC Control\lsasspirpc")
	## Bind to the desired interface
	iid = client.bind('12345778-1234-abcd-ef00-0123456789ab', version=(0,0))

	## Craft parameters and call 'LsarOpenPolicy2'
	params = LsarOpenPolicy2Parameter.pack([None, (0, None, None, 0, None, None), 0x20000000])
	res = client.call(iid, 44, params)
	## Unpack the resulting handle
	handle = ndr.NdrContextHandle.unpack(ndr.NdrStream(res))

	# As context_handle have 4 NdrLong of effective data
	# We can represent them as GUID
	# NdrContextHandle is just a wrapper packing/unpacking GUID and taking
	# care of the leading NdrLong(0) in the actual ndr representation of context_handle
	print("Context Handle is: {0}\n".format(handle))

	## Craft parameters and call 'LsarEnumeratePrivileges'
	x = LsarEnumeratePrivilegesParameter.pack([handle, 0, 10000]);
	res = client.call(iid, 2, x)

	print("Privileges:")
	## Unpack the resulting 'LSAPR_PRIVILEGE_ENUM_BUFFER'
	priviledges = LSAPR_PRIVILEGE_ENUM_BUFFER.unpack(ndr.NdrStream(res))
	for priv in priviledges:
	print priv

	# Helper function
	def enumerate_account_rights(handle, sid):
	x = LsarEnumerateAccountRightsParameter.pack([handle, sid])
	res = client.call(iid, 36, x)
	return LSAPR_USER_RIGHT_SET.unpack(ndr.NdrStream(res))

	## Craft parameters and call 'LsarEnumerateAccounts'
	x = LsarEnumerateAccountsParameter.pack([handle, 0, 10000])
	res = client.call(iid, 11, x)

	## Unpack the resulting 'LSAPR_ACCOUNT_ENUM_BUFFER'
	users = LSAPR_ACCOUNT_ENUM_BUFFER.unpack(ndr.NdrStream(res))

	print("Users & Rights:")
	for user in users:
	print "- {0}\\{1}".format(*windows.utils.lookup_sid(user))
	for right in enumerate_account_rights(handle, user):
	print "\t[*] {}".format(right)