Expand on the matcher logic

This is necessary to account for effects from multiple ACEs.

Author: zeroSteiner

lib/msf/core/exploit/remote/ldap/active_directory.rb

@@ -8,6 +8,7 @@ module Exploit::Remote::LDAP
     module ActiveDirectory
       include Msf::Exploit::Remote::LDAP
       include Msf::Exploit::Remote::LDAP::EntryCache
+      include Msf::Exploit::Remote::LDAP::ActiveDirectory::SecurityDescriptorMatcher
 
       LDAP_CAP_ACTIVE_DIRECTORY_OID = '1.2.840.113556.1.4.800'.freeze
       LDAP_SERVER_SD_FLAGS_OID = '1.2.840.113556.1.4.801'.freeze
@@ -16,56 +17,6 @@ module ActiveDirectory
       DACL_SECURITY_INFORMATION = 0x4
       SACL_SECURITY_INFORMATION = 0x8
 
-      # Match an ACE when *any* of the specified permissions are allowed or *all* of the specified permissions are
-      # denied.
-      class ACEMatcherAllowAll
-        attr_reader :permissions
-
-        def initialize(permissions)
-          @permissions = Array.wrap(permissions)
-        end
-
-        def call(ace)
-          target_permissions = ace.body.access_mask.permissions
-
-          if target_permissions.empty?
-            return false
-          elsif Rex::Proto::MsDtyp::MsDtypAceType.allowed?(ace.header.ace_type)
-            return @permissions.all? { |perm| target_permissions.include?(perm) }
-          elsif Rex::Proto::MsDtyp::MsDtypAceType.denied?(ace.header.ace_type)
-            # if any target permission is denied, then all of them can't be allowed
-            return @permissions.any? { |perm| target_permissions.include?(perm) }
-          end
-
-          false
-        end
-      end
-
-      # Match an ACE when *all* of the specified permissions are allowed or *any* of the specified permissions are
-      # denied.
-      class ACEMatcherAllowAny
-        attr_reader :permissions
-
-        def initialize(permissions)
-          @permissions = Array.wrap(permissions)
-        end
-
-        def call(ace)
-          target_permissions = ace.body.access_mask.permissions
-
-          if target_permissions.empty?
-            return false
-          elsif Rex::Proto::MsDtyp::MsDtypAceType.allowed?(ace.header.ace_type)
-            return @permissions.any? { |perm| target_permissions.include?(perm) }
-          elsif Rex::Proto::MsDtyp::MsDtypAceType.denied?(ace.header.ace_type)
-            # if all target permissions are denied, then none of them can be allowed
-            return @permissions.all? { |perm| target_permissions.include?(perm) }
-          end
-
-          false
-        end
-      end
-
       # Query the remote server via the provided LDAP connection to determine if it's an Active Directory LDAP server.
       # More specifically, this ensures that it reports active directory capabilities and the whoami extension.
       #
@@ -310,51 +261,45 @@ def adds_sd_grants_permissions?(ldap, security_descriptor, matcher, test_sid: ni
         end
 
         test_member_sids = nil
-        security_descriptor.dacl.aces.each do |ace|
-          # only processing simple allow and deny types right now
-          case ace.header.ace_type
-          when Rex::Proto::MsDtyp::MsDtypAceType::ACCESS_ALLOWED_ACE_TYPE
-            eval_result = true
-          when Rex::Proto::MsDtyp::MsDtypAceType::ACCESS_ALLOWED_OBJECT_ACE_TYPE
-            eval_result = true
-          when Rex::Proto::MsDtyp::MsDtypAceType::ACCESS_DENIED_ACE_TYPE
-            eval_result = false
-          when Rex::Proto::MsDtyp::MsDtypAceType::ACCESS_DENIED_OBJECT_ACE_TYPE
-            eval_result = false
-          else
-            next # skip ACEs that are neither allow or deny
-          end
 
-          next unless matcher.call(ace)
+        dacl_aces = []
+        # because deny entries take precedence, process them first
+        dacl_aces += security_descriptor.dacl.aces.select { |ace| Rex::Proto::MsDtyp::MsDtypAceType.deny?(ace.header.ace_type) }
+        dacl_aces += security_descriptor.dacl.aces.select { |ace| Rex::Proto::MsDtyp::MsDtypAceType.allow?(ace.header.ace_type) }
+
+        dacl_aces.each do |ace|
+          next if matcher.ignore_ace?(ace)
 
           case ace.body.sid
           when Rex::Proto::Secauthz::WellKnownSids::SECURITY_WORLD_SID
-            return eval_result
+            matcher.apply_ace!(ace)
           when Rex::Proto::Secauthz::WellKnownSids::SECURITY_PRINCIPAL_SELF_SID
-            return eval_result if self_sid == test_sid
+            matcher.apply_ace!(ace) if self_sid == test_sid
           when Rex::Proto::Secauthz::WellKnownSids::SECURITY_CREATOR_OWNER_SID
-            return eval_result if security_descriptor.owner_sid == test_sid
+            matcher.apply_ace!(ace) if security_descriptor.owner_sid == test_sid
           when Rex::Proto::Secauthz::WellKnownSids::SECURITY_CREATOR_GROUP_SID
-            return eval_result if security_descriptor.group_sid == test_sid
+            matcher.apply_ace!(ace) if security_descriptor.group_sid == test_sid
           when test_sid
-            return eval_result
+            matcher.apply_ace!(ace)
           else
             ldap_object = adds_get_object_by_sid(ldap, ace.body.sid)
             next unless ldap_object && ldap_object[:objectClass].include?('group')
 
-            member_sids = adds_query_group_members(ldap, ldap_object[:dN].first, inherited: false).map { |member| Rex::Proto::MsDtyp::MsDtypSid.read(member[:objectSid].first) }
-            return eval_result if member_sids.include?(test_sid)
+            member_sids = adds_query_group_members(ldap, ldap_object.dn, inherited: false).map { |member| Rex::Proto::MsDtyp::MsDtypSid.read(member[:objectSid].first) }
+            matcher.apply_ace!(ace) if member_sids.include?(test_sid)
 
             if test_member_sids.nil?
               test_obj = adds_get_object_by_sid(ldap, test_sid)
-              test_member_sids = adds_query_member_groups(ldap, test_obj[:dN].first, inherited: true).map { |member| Rex::Proto::MsDtyp::MsDtypSid.read(member[:objectSid].first) }
+              test_member_sids = adds_query_member_groups(ldap, test_obj.dn, inherited: true).map { |member| Rex::Proto::MsDtyp::MsDtypSid.read(member[:objectSid].first) }
             end
 
-            return eval_result if member_sids.any? { |member_sid| test_member_sids.include?(member_sid) }
+            matcher.apply_ace!(ace) if member_sids.any? { |member_sid| test_member_sids.include?(member_sid) }
           end
+
+          break if matcher.satisfied?
         end
 
-        false
+        matcher.affirmative?
       end
 
       # Determine if a security descriptor will grant the permissions identified by *matcher* to the

lib/msf/core/exploit/remote/ldap/active_directory/security_descriptor_matcher.rb

@@ -0,0 +1,102 @@
+module Msf
+  ###
+  #
+  # This module exposes methods for querying a remote LDAP service
+  #
+  ###
+  module Exploit::Remote::LDAP::ActiveDirectory
+
+    module SecurityDescriptorMatcher
+      # Match an ACE when *any* of the specified permissions are allowed or *all* of the specified permissions are
+      # denied.
+      class Allow
+        attr_reader :permissions
+
+        def initialize(permission, object_id: nil)
+          @permission = permission
+          @object_id = object_id
+          @result = nil
+        end
+
+        def ignore_ace?(ace)
+          # ignore anything that's not an allow or deny ACE because those are the only two that will alter the outcome
+          return true unless Rex::Proto::MsDtyp::MsDtypAceType.allow?(ace.header.ace_type) || Rex::Proto::MsDtyp::MsDtypAceType.deny?(ace.header.ace_type)
+
+          if Rex::Proto::MsDtyp::MsDtypAceType.has_object?(ace.header.ace_type)
+            return true if ace.body.object_type != @object_id
+          else
+            return true if @object_id
+          end
+
+          !ace.body.access_mask.permissions.include?(@permission)
+        end
+
+        def apply_ace!(ace)
+          return if ignore_ace?(ace)
+
+          @result = ace.header.ace_type
+        end
+
+        def satisfied?
+          # A matcher is satisfied when there's nothing left for it to check.
+          !@result.nil?
+        end
+
+        def affirmative?
+          # This is named affirmative? instead of allow? so that other matchers can be made in the future
+          # to match on the desired outcome including audit and alarm events. We are affirming that the
+          # security descriptor will apply the desired affect which in this case is to allow access.
+          satisfied? && Rex::Proto::MsDtyp::MsDtypAceType.allow?(@result)
+        end
+
+        def self.any(permissions, object_id: nil)
+          permissions = Array.wrap(permissions)
+          MultipleAll.new(permissions.map { |permission| new(permission, object_id: object_id) })
+        end
+
+        def self.all(permissions, object_id: nil)
+          permissions = Array.wrap(permissions)
+          MultipleAll.new(permissions.map { |permission| new(permission, object_id: object_id) })
+        end
+      end
+
+      class MultipleAny
+        attr_reader :matchers
+
+        def initialize(matchers)
+          @matchers = Array.wrap(matchers)
+        end
+
+        def ignore_ace?(ace)
+          @matchers.all? { |matcher| matcher.ignore_ace?(ace) }
+        end
+
+        def apply_ace!(ace)
+          @matchers.each do |matcher|
+            next if matcher.ignore_ace?(ace)
+
+            matcher.apply_ace!(ace)
+          end
+        end
+
+        def satisfied?
+          @matchers.any? { |matcher| matcher.satisfied? }
+        end
+
+        def affirmative?
+          @matchers.any? { |matcher| matcher.affirmative? }
+        end
+      end
+
+      class MultipleAll < MultipleAny
+        def satisfied?
+          @matchers.all? { |matcher| matcher.satisfied? }
+        end
+
+        def affirmative?
+          @matchers.all? { |matcher| matcher.affirmative? }
+        end
+      end
+    end
+  end
+end

lib/rex/proto/ms_dtyp.rb

@@ -340,7 +340,7 @@ def self.alarm?(type)
       ].include? type
     end
 
-    def self.allowed?(type)
+    def self.allow?(type)
       [
         ACCESS_ALLOWED_ACE_TYPE,
         ACCESS_ALLOWED_COMPOUND_ACE_TYPE,
@@ -359,14 +359,27 @@ def self.audit?(type)
       ].include? type
     end
 
-    def self.denied?(type)
+    def self.deny?(type)
       [
         ACCESS_DENIED_ACE_TYPE,
         ACCESS_DENIED_OBJECT_ACE_TYPE,
         ACCESS_DENIED_CALLBACK_ACE_TYPE,
         ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE,
       ].include? type
     end
+
+    def self.has_object?(type)
+      [
+        ACCESS_ALLOWED_OBJECT_ACE_TYPE,
+        ACCESS_DENIED_OBJECT_ACE_TYPE,
+        SYSTEM_AUDIT_OBJECT_ACE_TYPE,
+        SYSTEM_ALARM_OBJECT_ACE_TYPE,
+        ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE,
+        ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE,
+        SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE,
+        SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE
+      ].include? type
+    end
   end
 
   # [2.4.4.1 ACE_HEADER](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/628ebb1d-c509-4ea0-a10f-77ef97ca4586)

modules/auxiliary/admin/ldap/rbcd.rb

@@ -115,7 +115,7 @@ def check
         return Exploit::CheckCode::Unknown('Failed to find the specified object.')
       end
 
-      unless adds_obj_grants_permissions?(@ldap, obj, ACEMatcherAllowAll.new(%i[RP WP]))
+      unless adds_obj_grants_permissions?(@ldap, obj, SecurityDescriptorMatcher::Allow.all(%i[RP WP]))
         return Exploit::CheckCode::Safe('The object can not be written to.')
       end