Hide keyboard shortcuts

Hot-keys on this page

r m x p   toggle line displays

j k   next/prev highlighted chunk

0   (zero) top of page

1   (one) first highlighted chunk

1# Impacket - Collection of Python classes for working with network protocols. 

2# 

3# SECUREAUTH LABS. Copyright (C) 2020 SecureAuth Corporation. All rights reserved. 

4# 

5# This software is provided under a slightly modified version 

6# of the Apache Software License. See the accompanying LICENSE file 

7# for more information. 

8# 

9# Description: 

10# [MS-OXABREF]: Address Book Name Service Provider Interface (NSPI) Referral Protocol 

11# 

12# Author: 

13# Arseniy Sharoglazov <mohemiv@gmail.com> / Positive Technologies (https://www.ptsecurity.com/) 

14# 

15 

16from impacket import hresult_errors, mapi_constants 

17from impacket.dcerpc.v5.dtypes import NULL, STR, ULONG 

18from impacket.dcerpc.v5.ndr import NDRCALL, NDRPOINTER 

19from impacket.dcerpc.v5.rpcrt import DCERPCException 

20from impacket.uuid import uuidtup_to_bin 

21 

22MSRPC_UUID_OXABREF = uuidtup_to_bin(('1544F5E0-613C-11D1-93DF-00C04FD7BD09','1.0')) 

23 

24class DCERPCSessionError(DCERPCException): 

25 def __init__(self, error_string=None, error_code=None, packet=None): 

26 DCERPCException.__init__(self, error_string, error_code, packet) 

27 

28 def __str__( self ): 

29 key = self.error_code 

30 if key in mapi_constants.ERROR_MESSAGES: 

31 error_msg_short = mapi_constants.ERROR_MESSAGES[key] 

32 return 'OXABREF SessionError: code: 0x%x - %s' % (self.error_code, error_msg_short) 

33 elif key in hresult_errors.ERROR_MESSAGES: 

34 error_msg_short = hresult_errors.ERROR_MESSAGES[key][0] 

35 error_msg_verbose = hresult_errors.ERROR_MESSAGES[key][1] 

36 return 'OXABREF SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose) 

37 else: 

38 return 'OXABREF SessionError: unknown error code: 0x%x' % self.error_code 

39 

40################################################################################ 

41# STRUCTURES 

42################################################################################ 

43class PUCHAR_ARRAY(NDRPOINTER): 

44 referent = ( 

45 ('Data', STR), 

46 ) 

47 

48class PPUCHAR_ARRAY(NDRPOINTER): 

49 referent = ( 

50 ('Data', PUCHAR_ARRAY), 

51 ) 

52 

53################################################################################ 

54# RPC CALLS 

55################################################################################ 

56 

57# 3.1.4.1 RfrGetNewDSA (opnum 0) 

58class RfrGetNewDSA(NDRCALL): 

59 opnum = 0 

60 structure = ( 

61 ('ulFlags', ULONG), 

62 ('pUserDN', STR), 

63 ('ppszUnused', PPUCHAR_ARRAY), 

64 ('ppszServer', PPUCHAR_ARRAY), 

65 ) 

66 

67class RfrGetNewDSAResponse(NDRCALL): 

68 structure = ( 

69 ('ppszUnused', PPUCHAR_ARRAY), 

70 ('ppszServer', PPUCHAR_ARRAY), 

71 ) 

72 

73# 3.1.4.2 RfrGetFQDNFromServerDN (opnum 1) 

74class RfrGetFQDNFromServerDN(NDRCALL): 

75 opnum = 1 

76 structure = ( 

77 ('ulFlags', ULONG), 

78 ('cbMailboxServerDN', ULONG), 

79 ('szMailboxServerDN', STR), 

80 ) 

81 

82class RfrGetFQDNFromServerDNResponse(NDRCALL): 

83 structure = ( 

84 ('ppszServerFQDN', PUCHAR_ARRAY), 

85 ('ErrorCode', ULONG), 

86 ) 

87 

88################################################################################ 

89# OPNUMs and their corresponding structures 

90################################################################################ 

91OPNUMS = { 

92 0 : (RfrGetNewDSA, RfrGetNewDSAResponse), 

93 1 : (RfrGetFQDNFromServerDN, RfrGetFQDNFromServerDNResponse), 

94} 

95 

96################################################################################ 

97# HELPER FUNCTIONS 

98################################################################################ 

99def checkNullString(string): 

100 if string == NULL: 

101 return string 

102 

103 if string[-1:] != '\x00': 

104 return string + '\x00' 

105 else: 

106 return string 

107 

108def hRfrGetNewDSA(dce, pUserDN=''): 

109 request = RfrGetNewDSA() 

110 request['ulFlags'] = 0 

111 request['pUserDN'] = checkNullString(pUserDN) 

112 request['ppszUnused'] = NULL 

113 request['ppszServer'] = '\x00' 

114 

115 resp = dce.request(request) 

116 resp['ppszServer'] = resp['ppszServer'][:-1] 

117 

118 if request['ppszUnused'] != NULL: 

119 resp['ppszUnused'] = resp['ppszUnused'][:-1] 

120 

121 return resp 

122 

123def hRfrGetFQDNFromServerDN(dce, szMailboxServerDN): 

124 szMailboxServerDN = checkNullString(szMailboxServerDN) 

125 request = RfrGetFQDNFromServerDN() 

126 request['ulFlags'] = 0 

127 request['szMailboxServerDN'] = szMailboxServerDN 

128 request['cbMailboxServerDN'] = len(szMailboxServerDN) 

129 

130 resp = dce.request(request) 

131 resp['ppszServerFQDN'] = resp['ppszServerFQDN'][:-1] 

132 

133 return resp