Expand on the matcher logic

zeroSteiner · zeroSteiner · commit 3a5b27587e8e · 2025-06-24T11:27:52.000-04:00
This is necessary to account for effects from multiple ACEs.
diff --git a/lib/msf/core/exploit/remote/ldap/active_directory.rb b/lib/msf/core/exploit/remote/ldap/active_directory.rb
@@ -8,6 +8,7 @@ module Exploit::Remote::LDAP
     module ActiveDirectory
       include Msf::Exploit::Remote::LDAP
       include Msf::Exploit::Remote::LDAP::EntryCache
+      include Msf::Exploit::Remote::LDAP::ActiveDirectory::SecurityDescriptorMatcher
 
       LDAP_CAP_ACTIVE_DIRECTORY_OID = '1.2.840.113556.1.4.800'.freeze
       LDAP_SERVER_SD_FLAGS_OID = '1.2.840.113556.1.4.801'.freeze
@@ -16,56 +17,6 @@ module ActiveDirectory
       DACL_SECURITY_INFORMATION = 0x4
       SACL_SECURITY_INFORMATION = 0x8
 
-      # Match an ACE when *any* of the specified permissions are allowed or *all* of the specified permissions are
-      # denied.
-      class ACEMatcherAllowAll
-        attr_reader :permissions
-
-        def initialize(permissions)
-          @permissions = Array.wrap(permissions)
-        end
-
-        def call(ace)
-          target_permissions = ace.body.access_mask.permissions
-
-          if target_permissions.empty?
-            return false
-          elsif Rex::Proto::MsDtyp::MsDtypAceType.allowed?(ace.header.ace_type)
-            return @permissions.all? { |perm| target_permissions.include?(perm) }
-          elsif Rex::Proto::MsDtyp::MsDtypAceType.denied?(ace.header.ace_type)
-            # if any target permission is denied, then all of them can't be allowed
-            return @permissions.any? { |perm| target_permissions.include?(perm) }
-          end
-
-          false
-        end
-      end
-
-      # Match an ACE when *all* of the specified permissions are allowed or *any* of the specified permissions are
-      # denied.
-      class ACEMatcherAllowAny
-        attr_reader :permissions
-
-        def initialize(permissions)
-          @permissions = Array.wrap(permissions)
-        end
-
-        def call(ace)
-          target_permissions = ace.body.access_mask.permissions
-
-          if target_permissions.empty?
-            return false
-          elsif Rex::Proto::MsDtyp::MsDtypAceType.allowed?(ace.header.ace_type)
-            return @permissions.any? { |perm| target_permissions.include?(perm) }
-          elsif Rex::Proto::MsDtyp::MsDtypAceType.denied?(ace.header.ace_type)
-            # if all target permissions are denied, then none of them can be allowed
-            return @permissions.all? { |perm| target_permissions.include?(perm) }
-          end
-
-          false
-        end
-      end
-
       # Query the remote server via the provided LDAP connection to determine if it's an Active Directory LDAP server.
       # More specifically, this ensures that it reports active directory capabilities and the whoami extension.
       #
@@ -298,7 +249,7 @@ def adds_get_domain_info(ldap)
       # @param [Net::LDAP::Connection] ldap The LDAP connection to use for querying.
       # @param [Rex::Proto::MsDtyp::MsDtypSecurityDescriptor] security_descriptor The security descriptor object to
       #   evaluate.
-      # @param [#call] matcher An object that will match ACEs that allow or deny the desired permissions.
+      # @param [SecurityDescriptorMatcher::Base] matcher An object that will match ACEs that allow or deny the desired permissions.
       # @param [Rex::Proto::MsDtyp::MsDtypSid] test_sid The SID to check for access.
       # @param [Rex::Proto::MsDtyp::MsDtypSid] self_sid The SID of the object who owns the security_descriptor. This is
       #   typically the objectSid LDAP attribute and is used when the security descriptor references the special 'SELF'
@@ -310,51 +261,45 @@ def adds_sd_grants_permissions?(ldap, security_descriptor, matcher, test_sid: ni
         end
 
         test_member_sids = nil
-        security_descriptor.dacl.aces.each do |ace|
-          # only processing simple allow and deny types right now
-          case ace.header.ace_type
-          when Rex::Proto::MsDtyp::MsDtypAceType::ACCESS_ALLOWED_ACE_TYPE
-            eval_result = true
-          when Rex::Proto::MsDtyp::MsDtypAceType::ACCESS_ALLOWED_OBJECT_ACE_TYPE
-            eval_result = true
-          when Rex::Proto::MsDtyp::MsDtypAceType::ACCESS_DENIED_ACE_TYPE
-            eval_result = false
-          when Rex::Proto::MsDtyp::MsDtypAceType::ACCESS_DENIED_OBJECT_ACE_TYPE
-            eval_result = false
-          else
-            next # skip ACEs that are neither allow or deny
-          end
 
-          next unless matcher.call(ace)
+        dacl_aces = []
+        # because deny entries take precedence, process them first
+        dacl_aces += security_descriptor.dacl.aces.select { |ace| Rex::Proto::MsDtyp::MsDtypAceType.deny?(ace.header.ace_type) }
+        dacl_aces += security_descriptor.dacl.aces.select { |ace| Rex::Proto::MsDtyp::MsDtypAceType.allow?(ace.header.ace_type) }
+
+        dacl_aces.each do |ace|
+          next if matcher.ignore_ace?(ace)
 
           case ace.body.sid
           when Rex::Proto::Secauthz::WellKnownSids::SECURITY_WORLD_SID
-            return eval_result
+            matcher.apply_ace!(ace)
           when Rex::Proto::Secauthz::WellKnownSids::SECURITY_PRINCIPAL_SELF_SID
-            return eval_result if self_sid == test_sid
+            matcher.apply_ace!(ace) if self_sid == test_sid
           when Rex::Proto::Secauthz::WellKnownSids::SECURITY_CREATOR_OWNER_SID
-            return eval_result if security_descriptor.owner_sid == test_sid
+            matcher.apply_ace!(ace) if security_descriptor.owner_sid == test_sid
           when Rex::Proto::Secauthz::WellKnownSids::SECURITY_CREATOR_GROUP_SID
-            return eval_result if security_descriptor.group_sid == test_sid
+            matcher.apply_ace!(ace) if security_descriptor.group_sid == test_sid
           when test_sid
-            return eval_result
+            matcher.apply_ace!(ace)
           else
             ldap_object = adds_get_object_by_sid(ldap, ace.body.sid)
             next unless ldap_object && ldap_object[:objectClass].include?('group')
 
-            member_sids = adds_query_group_members(ldap, ldap_object[:dN].first, inherited: false).map { |member| Rex::Proto::MsDtyp::MsDtypSid.read(member[:objectSid].first) }
-            return eval_result if member_sids.include?(test_sid)
+            member_sids = adds_query_group_members(ldap, ldap_object.dn, inherited: false).map { |member| Rex::Proto::MsDtyp::MsDtypSid.read(member[:objectSid].first) }
+            matcher.apply_ace!(ace) if member_sids.include?(test_sid)
 
             if test_member_sids.nil?
               test_obj = adds_get_object_by_sid(ldap, test_sid)
-              test_member_sids = adds_query_member_groups(ldap, test_obj[:dN].first, inherited: true).map { |member| Rex::Proto::MsDtyp::MsDtypSid.read(member[:objectSid].first) }
+              test_member_sids = adds_query_member_groups(ldap, test_obj.dn, inherited: true).map { |member| Rex::Proto::MsDtyp::MsDtypSid.read(member[:objectSid].first) }
             end
 
-            return eval_result if member_sids.any? { |member_sid| test_member_sids.include?(member_sid) }
+            matcher.apply_ace!(ace) if member_sids.any? { |member_sid| test_member_sids.include?(member_sid) }
           end
+
+          break if matcher.satisfied?
         end
 
-        false
+        matcher.matches?
       end
 
       # Determine if a security descriptor will grant the permissions identified by *matcher* to the
diff --git a/lib/msf/core/exploit/remote/ldap/active_directory/security_descriptor_matcher.rb b/lib/msf/core/exploit/remote/ldap/active_directory/security_descriptor_matcher.rb
@@ -0,0 +1,157 @@
+module Msf
+  ###
+  #
+  # This module exposes methods for querying a remote LDAP service
+  #
+  ###
+  module Exploit::Remote::LDAP::ActiveDirectory
+
+    module SecurityDescriptorMatcher
+      CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT = '0e10c968-78fb-11d2-90d4-00c04f79dc55'.freeze
+      CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT = 'a05b8cc2-17bc-4802-a710-e7c15ab866a2'.freeze
+
+      # This is a Base matcher class that can be used while analyzing security descriptors. It abstracts away the
+      # checking of the permissions but relies on an external source to identify when particular ACEs will be in effect
+      # based on a target principal SID.
+      class Base
+        # Check the ACE and determine if it should be ignored while processing. This allows processing to skip querying
+        # the LDAP server when it's known that the ACE is irrelevant.
+        #
+        # @param [Rex::Proto::MsDtyp::MsDtypAce] ace The ace to check.
+        def ignore_ace?(ace)
+          false
+        end
+
+        # Apply the specified ACE to the internal state of the matcher because it will be applied in the hypothetical
+        # access operation that is being analyzed.
+        #
+        # @param [Rex::Proto::MsDtyp::MsDtypAce] ace The ace to apply.
+        # @rtype Nil
+        def apply_ace!(ace)
+          nil
+        end
+
+        # The matcher is satisfied when it has all the information it needs from previous calls to #apply_ace! to make
+        # a determination with #matches?.
+        def satisfied?
+          false
+        end
+
+        # The matcher matches when it is satisfied and confident that the desired affect will be applied in the
+        # hypothetical access operation.
+        def matches?
+          false
+        end
+      end
+
+      # A general purpose Security Descriptor matcher for a single permission.
+      class Allow < Base
+        attr_reader :permissions
+
+        # @param [Symbol] permission The abbreviated permission name e.g. :WP.
+        # @param [String] object_id An optional object GUID to use when matching the permission.
+        def initialize(permission, object_id: nil)
+          @permission = permission
+          @object_id = object_id
+          @result = nil
+        end
+
+        def ignore_ace?(ace)
+          # ignore anything that's not an allow or deny ACE because those are the only two that will alter the outcome
+          return true unless Rex::Proto::MsDtyp::MsDtypAceType.allow?(ace.header.ace_type) || Rex::Proto::MsDtyp::MsDtypAceType.deny?(ace.header.ace_type)
+
+          if Rex::Proto::MsDtyp::MsDtypAceType.has_object?(ace.header.ace_type)
+            return true if ace.body.object_type != @object_id
+          else
+            return true if @object_id
+          end
+
+          !ace.body.access_mask.permissions.include?(@permission)
+        end
+
+        def apply_ace!(ace)
+          return if ignore_ace?(ace)
+
+          @result = ace.header.ace_type
+        end
+
+        def satisfied?
+          # A matcher is satisfied when there's nothing left for it to check.
+          !@result.nil?
+        end
+
+        def matches?
+          # This is named matches? instead of allow? so that other matchers can be made in the future
+          # to match on the desired outcome including audit and alarm events. We are affirming that the
+          # security descriptor will apply the desired affect which in this case is to allow access.
+          satisfied? && Rex::Proto::MsDtyp::MsDtypAceType.allow?(@result)
+        end
+
+        # Build a matcher that will check for any of the specified permissions.
+        #
+        # @param [Array<Symbol>] The permissions to check for in their 2 letter abbreviated format, e.g. WP.
+        # @param [String,Nil] An optional object ID that will be used for matching all the permissions.
+        # @rtype MultipleAny
+        def self.any(permissions, object_id: nil)
+          permissions = Array.wrap(permissions)
+          MultipleAll.new(permissions.map { |permission| new(permission, object_id: object_id) })
+        end
+
+        # Build a matcher that will check for all of the specified permissions.
+        #
+        # @param [Array<Symbol>] The permissions to check for in their 2 letter abbreviated format, e.g. WP.
+        # @param [String,Nil] An optional object ID that will be used for matching all the permissions.
+        # @rtype MultipleAll
+        def self.all(permissions, object_id: nil)
+          permissions = Array.wrap(permissions)
+          MultipleAll.new(permissions.map { |permission| new(permission, object_id: object_id) })
+        end
+
+        # Build a matcher that will check for a certificate's enrollment permission.
+        def self.certificate_enrollment
+          new(:CR, object_id: CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT)
+        end
+      end
+
+      # A compound matcher that will match when any of the sub-matchers match.
+      class MultipleAny < Base
+        attr_reader :matchers
+
+        def initialize(matchers)
+          @matchers = Array.wrap(matchers)
+        end
+
+        def ignore_ace?(ace)
+          @matchers.all? { |matcher| matcher.ignore_ace?(ace) }
+        end
+
+        def apply_ace!(ace)
+          @matchers.each do |matcher|
+            next if matcher.ignore_ace?(ace)
+
+            matcher.apply_ace!(ace)
+          end
+        end
+
+        def satisfied?
+          @matchers.any? { |matcher| matcher.satisfied? }
+        end
+
+        def matches?
+          @matchers.any? { |matcher| matcher.matches? }
+        end
+      end
+
+      # A compound matcher that will match when all of the sub-matchers match.
+      class MultipleAll < MultipleAny
+        def satisfied?
+          @matchers.all? { |matcher| matcher.satisfied? }
+        end
+
+        def matches?
+          @matchers.all? { |matcher| matcher.matches? }
+        end
+      end
+    end
+  end
+end
diff --git a/lib/rex/proto/ms_dtyp.rb b/lib/rex/proto/ms_dtyp.rb
@@ -340,7 +340,7 @@ def self.alarm?(type)
       ].include? type
     end
 
-    def self.allowed?(type)
+    def self.allow?(type)
       [
         ACCESS_ALLOWED_ACE_TYPE,
         ACCESS_ALLOWED_COMPOUND_ACE_TYPE,
@@ -359,14 +359,27 @@ def self.audit?(type)
       ].include? type
     end
 
-    def self.denied?(type)
+    def self.deny?(type)
       [
         ACCESS_DENIED_ACE_TYPE,
         ACCESS_DENIED_OBJECT_ACE_TYPE,
         ACCESS_DENIED_CALLBACK_ACE_TYPE,
         ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE,
       ].include? type
     end
+
+    def self.has_object?(type)
+      [
+        ACCESS_ALLOWED_OBJECT_ACE_TYPE,
+        ACCESS_DENIED_OBJECT_ACE_TYPE,
+        SYSTEM_AUDIT_OBJECT_ACE_TYPE,
+        SYSTEM_ALARM_OBJECT_ACE_TYPE,
+        ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE,
+        ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE,
+        SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE,
+        SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE
+      ].include? type
+    end
   end
 
   # [2.4.4.1 ACE_HEADER](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/628ebb1d-c509-4ea0-a10f-77ef97ca4586)
diff --git a/modules/auxiliary/admin/ldap/rbcd.rb b/modules/auxiliary/admin/ldap/rbcd.rb
@@ -115,7 +115,7 @@ def check
         return Exploit::CheckCode::Unknown('Failed to find the specified object.')
       end
 
-      unless adds_obj_grants_permissions?(@ldap, obj, ACEMatcherAllowAll.new(%i[RP WP]))
+      unless adds_obj_grants_permissions?(@ldap, obj, SecurityDescriptorMatcher::Allow.all(%i[RP WP]))
         return Exploit::CheckCode::Safe('The object can not be written to.')
       end
 
diff --git a/modules/auxiliary/admin/ldap/shadow_credentials.rb b/modules/auxiliary/admin/ldap/shadow_credentials.rb
