diff --git a/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb b/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb index 22d54ec12a93..7df4fc6854ab 100644 --- a/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb +++ b/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb @@ -169,13 +169,13 @@ def query_ldap_server(raw_filter, attributes, base_prefix: nil) returned_entries end - def query_ldap_server_certificates(esc_raw_filter, esc_name, notes: []) + def query_ldap_server_certificates(esc_raw_filter, esc_id, notes: []) attributes = ['cn', 'name', 'description', 'ntSecurityDescriptor', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', 'PkiExtendedKeyUsage'] base_prefix = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration' esc_entries = query_ldap_server(esc_raw_filter, attributes, base_prefix: base_prefix) if esc_entries.empty? - print_warning("Couldn't find any vulnerable #{esc_name} templates!") + print_warning("Couldn't find any vulnerable #{esc_id} templates!") return end @@ -190,23 +190,18 @@ def query_ldap_server_certificates(esc_raw_filter, esc_name, notes: []) allowed_sids = parse_acl(security_descriptor.dacl) if security_descriptor.dacl next if allowed_sids.empty? - next if allowed_sids.empty? certificate_symbol = entry[:cn][0].to_sym if @certificate_details.key?(certificate_symbol) - @certificate_details[certificate_symbol][:techniques] << esc_name + @certificate_details[certificate_symbol][:techniques] << esc_id @certificate_details[certificate_symbol][:notes] += notes else - @certificate_details[certificate_symbol] = { - name: entry[:name][0].to_s, - techniques: [esc_name], - dn: entry[:dn][0].to_s, - enrollment_sids: convert_sids_to_human_readable_name(allowed_sids), - ca_servers: {}, - manager_approval: ([entry[%s(mspki-enrollment-flag)].first.to_i].pack('l').unpack1('L') & Rex::Proto::MsCrtd::CT_FLAG_PEND_ALL_REQUESTS) != 0, - required_signatures: [entry[%s(mspki-ra-signature)].first.to_i].pack('l').unpack1('L'), + @certificate_details[certificate_symbol] = build_certificate_details( + entry, + allowed_sids, + techniques: [esc_id], notes: notes - } + ) end end end @@ -324,7 +319,7 @@ def find_esc13_vuln_cert_templates (mspki-certificate-policy=*) ) FILTER - attributes = ['cn', 'description', 'ntSecurityDescriptor', 'msPKI-Certificate-Policy'] + attributes = ['cn', 'description', 'ntSecurityDescriptor', 'msPKI-Certificate-Policy', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature'] base_prefix = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration' esc_entries = query_ldap_server(esc_raw_filter, attributes, base_prefix: base_prefix) @@ -369,18 +364,24 @@ def find_esc13_vuln_cert_templates @certificate_details[certificate_symbol][:techniques] << 'ESC13' @certificate_details[certificate_symbol][:notes] << note else - @certificate_details[certificate_symbol] = { - name: certificate_symbol.to_s, - techniques: ['ESC13'], - dn: entry[:dn][0].to_s, - enrollment_sids: convert_sids_to_human_readable_name(allowed_sids), - ca_servers: {}, - notes: [note] - } + @certificate_details[certificate_symbol] = build_certificate_details(entry, allowed_sids, techniques: %w[ESC13], notes: [note]) end end end + def build_certificate_details(ldap_object, allowed_sids, techniques: [], notes: []) + { + name: ldap_object[:cn][0].to_s, + techniques: techniques, + dn: ldap_object[:dn][0].to_s, + enrollment_sids: convert_sids_to_human_readable_name(allowed_sids), + ca_servers: {}, + manager_approval: ([ldap_object[%s(mspki-enrollment-flag)].first.to_i].pack('l').unpack1('L') & Rex::Proto::MsCrtd::CT_FLAG_PEND_ALL_REQUESTS) != 0, + required_signatures: [ldap_object[%s(mspki-ra-signature)].first.to_i].pack('l').unpack1('L'), + notes: notes + } + end + def find_esc15_vuln_cert_templates esc_raw_filter = '(&'\ '(objectclass=pkicertificatetemplate)'\