Update some modules to print the SDDL

zeroSteiner · zeroSteiner · commit 16219ba8abb3 · 2025-02-13T16:46:31.000-05:00
diff --git a/lib/msf/core/exploit/remote/ldap/queries.rb b/lib/msf/core/exploit/remote/ldap/queries.rb
@@ -284,6 +284,14 @@ def normalize_entry(entry, attribute_properties)
             end
             normalized_attribute[0] = time_string
           when 66 # String (Nt Security Descriptor)
+            if attribute_property[:attributesyntax] == '2.5.5.15'
+              begin
+                sd = Rex::Proto::MsDtyp::MsDtypSecurityDescriptor.read(entry[attribute_name][0])
+                normalized_attribute[0] = sd.to_sddl_text(domain_sid: nil)
+              rescue StandardError => e
+                elog('failed to parse a binary security descriptor to SDDL', error: e)
+              end
+            end
           when 127 # Object
           else
             print_error("Unknown oMSyntax entry: #{attribute_property[:omsyntax]}")
diff --git a/modules/auxiliary/admin/ldap/ad_cs_cert_template.rb b/modules/auxiliary/admin/ldap/ad_cs_cert_template.rb
@@ -339,11 +339,21 @@ def action_read
     obj, stored = get_certificate_template
 
     print_status('Certificate Template:')
-    print_status("  distinguishedName: #{obj['distinguishedname'].first}")
-    print_status("  displayName:       #{obj['displayname'].first}") if obj['displayname'].present?
+    print_status("  distinguishedName:    #{obj['distinguishedname'].first}")
+    print_status("  displayName:          #{obj['displayname'].first}") if obj['displayname'].present?
     if obj['objectguid'].first.present?
       object_guid = Rex::Proto::MsDtyp::MsDtypGuid.read(obj['objectguid'].first)
-      print_status("  objectGUID:        #{object_guid}")
+      print_status("  objectGUID:           #{object_guid}")
+    end
+    if obj['ntsecuritydescriptor'].first.present?
+      begin
+        sd = Rex::Proto::MsDtyp::MsDtypSecurityDescriptor.read(obj['ntsecuritydescriptor'].first)
+        sddl_text = sd.to_sddl_text(domain_sid: get_domain_sid)
+      rescue StandardError => e
+        elog('failed to parse a binary security descriptor to SDDL', error: e)
+      else
+        print_status("  nTSecurityDescriptor: #{sddl_text}")
+      end
     end
 
     pki_flag = obj['flags']&.first
diff --git a/modules/auxiliary/admin/ldap/rbcd.rb b/modules/auxiliary/admin/ldap/rbcd.rb
@@ -167,12 +167,16 @@ def run
   def action_read(obj)
     security_descriptor = obj[ATTRIBUTE]
     if security_descriptor.nil?
-      print_status('The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty.')
+      print_status("The #{ATTRIBUTE} field is empty.")
       return
     end
 
+    if (sddl = sd_to_sddl(security_descriptor))
+      vprint_status("#{ATTRIBUTE}: #{sddl}")
+    end
+
     if security_descriptor.dacl.nil?
-      print_status('The msDS-AllowedToActOnBehalfOfOtherIdentity DACL field is empty.')
+      print_status("The #{ATTRIBUTE} DACL field is empty.")
       return
     end
 
@@ -211,22 +215,22 @@ def action_remove(obj)
     security_descriptor.dacl.acl_size.clear
 
     unless @ldap.replace_attribute(obj['dn'], ATTRIBUTE, security_descriptor.to_binary_s)
-      fail_with_ldap_error('Failed to update the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
+      fail_with_ldap_error("Failed to update the #{ATTRIBUTE} attribute.")
     end
-    print_good('Successfully updated the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
+    print_good("Successfully updated the #{ATTRIBUTE} attribute.")
   end
 
   def action_flush(obj)
     unless obj[ATTRIBUTE]
-      print_status('The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty. No changes are necessary.')
+      print_status("The #{ATTRIBUTE} field is empty. No changes are necessary.")
       return
     end
 
     unless @ldap.delete_attribute(obj['dn'], ATTRIBUTE)
-      fail_with_ldap_error('Failed to deleted the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
+      fail_with_ldap_error("Failed to deleted the #{ATTRIBUTE} attribute.")
     end
 
-    print_good('Successfully deleted the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
+    print_good("Successfully deleted the #{ATTRIBUTE} attribute.")
   end
 
   def action_write(obj)
@@ -239,26 +243,37 @@ def action_write(obj)
   end
 
   def _action_write_create(obj, delegate_from)
+    vprint_status("Creating new #{ATTRIBUTE}...")
     security_descriptor = Rex::Proto::MsDtyp::MsDtypSecurityDescriptor.new
     security_descriptor.owner_sid = Rex::Proto::MsDtyp::MsDtypSid.new('S-1-5-32-544')
     security_descriptor.dacl = Rex::Proto::MsDtyp::MsDtypAcl.new
     security_descriptor.dacl.acl_revision = Rex::Proto::MsDtyp::MsDtypAcl::ACL_REVISION_DS
     security_descriptor.dacl.aces << build_ace(delegate_from['ObjectSid'])
 
+    if (sddl = sd_to_sddl(security_descriptor))
+      vprint_status("New #{ATTRIBUTE}: #{sddl}")
+    end
+
     unless @ldap.add_attribute(obj['dn'], ATTRIBUTE, security_descriptor.to_binary_s)
-      fail_with_ldap_error('Failed to create the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
+      fail_with_ldap_error("Failed to create the #{ATTRIBUTE} attribute.")
     end
 
-    print_good('Successfully created the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
+    print_good("Successfully created the #{ATTRIBUTE} attribute.")
     print_status('Added account:')
     print_status("  #{delegate_from['ObjectSid']} (#{delegate_from['sAMAccountName']})")
   end
 
   def _action_write_update(obj, delegate_from)
+    vprint_status("Updating existing #{ATTRIBUTE}...")
     security_descriptor = obj[ATTRIBUTE]
+
+    if (sddl = sd_to_sddl(security_descriptor))
+      vprint_status("Old #{ATTRIBUTE}: #{sddl}")
+    end
+
     if security_descriptor.dacl
       if security_descriptor.dacl.aces.any? { |ace| ace.body[:sid].to_s == delegate_from['ObjectSid'].to_s }
-        print_status("Delegation from #{delegate_from['sAMAccountName']} to #{obj['sAMAccountName']} is already enabled.")
+        print_status("Delegation from #{delegate_from['sAMAccountName']} to #{obj['sAMAccountName']} is already configured.")
       end
       # clear these fields so they'll be calculated automatically after the update
       security_descriptor.dacl.acl_count.clear
@@ -271,10 +286,20 @@ def _action_write_update(obj, delegate_from)
 
     security_descriptor.dacl.aces << build_ace(delegate_from['ObjectSid'])
 
+    if (sddl = sd_to_sddl(security_descriptor))
+      vprint_status("New #{ATTRIBUTE}: #{sddl}")
+    end
+
     unless @ldap.replace_attribute(obj['dn'], ATTRIBUTE, security_descriptor.to_binary_s)
-      fail_with_ldap_error('Failed to update the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
+      fail_with_ldap_error("Failed to update the #{ATTRIBUTE} attribute.")
     end
 
-    print_good('Successfully updated the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
+    print_good("Successfully updated the #{ATTRIBUTE} attribute.")
+  end
+
+  def sd_to_sddl(sd)
+    sd.to_sddl_text
+  rescue StandardError => e
+    elog('failed to parse a binary security descriptor to SDDL', error: e)
   end
 end
