Update the ad_cs_cert_template module too

Author: zeroSteiner

lib/msf/core/exploit/remote/ldap/active_directory.rb

@@ -41,7 +41,7 @@ def is_active_directory?(ldap)
       # security descriptor's DACL without the need for elevated permissions.
       #
       # @rtype String
-      def adds_build_ldap_sd_control
+      def adds_build_ldap_sd_control(owner: true, group: true, dacl: true, sacl: false)
         # Set the value of LDAP_SERVER_SD_FLAGS_OID flag so everything but
         # the SACL flag is set, as we need administrative privileges to retrieve
         # the SACL from the ntSecurityDescriptor attribute on Windows AD LDAP servers.
@@ -55,8 +55,12 @@ def adds_build_ldap_sd_control
         # however in reality LDAP will cause that attribute to just be blanked out if a part of it
         # cannot be retrieved, so we just will get nothing for the ntSecurityDescriptor attribute
         # in these cases if the user doesn't have permissions to read the SACL.
-        all_but_sacl_flag = OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION
-        control_values = [all_but_sacl_flag].map(&:to_ber).to_ber_sequence.to_s.to_ber
+        flags = 0
+        flags |= OWNER_SECURITY_INFORMATION if owner
+        flags |= GROUP_SECURITY_INFORMATION if group
+        flags |= DACL_SECURITY_INFORMATION if dacl
+        flags |= SACL_SECURITY_INFORMATION if sacl
+        control_values = [flags].map(&:to_ber).to_ber_sequence.to_s.to_ber
         [LDAP_SERVER_SD_FLAGS_OID.to_ber, true.to_ber, control_values].to_ber_sequence
       end
 

lib/msf/core/exploit/remote/ldap/active_directory/security_descriptor_matcher.rb

@@ -44,14 +44,15 @@ def matches?
         end
       end
 
-      # A general purpose Security Descriptor matcher for a single permission.
+      # A general purpose Security Descriptor matcher for permissions in a single ACE. You typically want to use this to
+      # check for a single permission.
       class Allow < Base
         attr_reader :permissions
 
-        # @param [Symbol] permission The abbreviated permission name e.g. :WP.
+        # @param [Symbol, Array<Symbol>] permissions The abbreviated permission names e.g. :WP.
         # @param [String] object_id An optional object GUID to use when matching the permission.
-        def initialize(permission, object_id: nil)
-          @permission = permission
+        def initialize(permissions, object_id: nil)
+          @permissions = Array.wrap(permissions)
           @object_id = object_id
           @result = nil
         end
@@ -66,7 +67,8 @@ def ignore_ace?(ace)
             return true if @object_id
           end
 
-          !ace.body.access_mask.permissions.include?(@permission)
+          ace_permissions = ace.body.access_mask.permissions
+          !@permissions.all? { |perm| ace_permissions.include?(perm) }
         end
 
         def apply_ace!(ace)
@@ -107,9 +109,25 @@ def self.all(permissions, object_id: nil)
           MultipleAll.new(permissions.map { |permission| new(permission, object_id: object_id) })
         end
 
+        def self.full_control
+          # Full Control is special and shouldn't be split across multiple ACEs, so to check that we use #new instead of
+          # MultipleAll to ensure it's in 1 ACE.
+          new(%i[ CC DC LC SW RP WP DT LO CR SD RC WD WO ])
+        end
+
+        def self.certificate_autoenrollment
+          MultipleAny.new([
+            Allow.new(:CR, object_id: CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT),
+            full_control
+          ])
+        end
+
         # Build a matcher that will check for a certificate's enrollment permission.
         def self.certificate_enrollment
-          new(:CR, object_id: CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT)
+          MultipleAny.new([
+            Allow.new(:CR, object_id: CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT),
+            full_control
+          ])
         end
       end
 

modules/auxiliary/admin/ldap/ad_cs_cert_template.rb

@@ -5,7 +5,7 @@
 
 class MetasploitModule < Msf::Auxiliary
 
-  include Msf::Exploit::Remote::LDAP
+  include Msf::Exploit::Remote::LDAP::ActiveDirectory
   include Msf::OptionalSession::LDAP
   include Msf::Auxiliary::Report
 
@@ -30,13 +30,6 @@ class MetasploitModule < Msf::Auxiliary
     'msPKI-Template-Minor-Revision',
   ].freeze
 
-  # LDAP_SERVER_SD_FLAGS constant definition, taken from https://ldapwiki.com/wiki/LDAP_SERVER_SD_FLAGS_OID
-  LDAP_SERVER_SD_FLAGS_OID = '1.2.840.113556.1.4.801'.freeze
-  OWNER_SECURITY_INFORMATION = 0x1
-  GROUP_SECURITY_INFORMATION = 0x2
-  DACL_SECURITY_INFORMATION = 0x4
-  SACL_SECURITY_INFORMATION = 0x8
-
   def initialize(info = {})
     super(
       update_info(
@@ -88,20 +81,6 @@ def initialize(info = {})
     ])
   end
 
-  def ldap_get(filter, attributes: [], base: nil, controls: [])
-    base ||= @base_dn
-    raw_obj = @ldap.search(base: base, filter: filter, attributes: attributes, controls: controls).first
-    validate_query_result!(@ldap.get_operation_result.table)
-    return nil unless raw_obj
-
-    obj = {}
-    raw_obj.attribute_names.each do |attr|
-      obj[attr.to_s] = raw_obj[attr].map(&:to_s)
-    end
-
-    obj
-  end
-
   def run
     ldap_connect do |ldap|
       validate_bind_success!(ldap)
@@ -131,15 +110,20 @@ def run
     fail_with(Failure::Unknown, "#{e.class}: #{e.message}")
   end
 
+  def ms_security_descriptor_control(flags)
+    control_values = [flags].map(&:to_ber).to_ber_sequence.to_s.to_ber
+    [LDAP_SERVER_SD_FLAGS_OID.to_ber, control_values].to_ber_sequence
+  end
+
   def get_certificate_template
-    obj = ldap_get(
-      "(&(cn=#{datastore['CERT_TEMPLATE']})(objectClass=pKICertificateTemplate))",
+    obj = @ldap.search(
+      filter: "(&(cn=#{datastore['CERT_TEMPLATE']})(objectClass=pKICertificateTemplate))",
       base: "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,#{@base_dn}",
-      controls: [ms_security_descriptor_control(DACL_SECURITY_INFORMATION)]
-    )
+      controls: [ms_security_descriptor_control(4)]
+    )&.first
     fail_with(Failure::NotFound, 'The specified template was not found.') unless obj
 
-    print_good("Read certificate template data for: #{obj['dn'].first}")
+    print_good("Read certificate template data for: #{obj.dn}")
     stored = store_loot(
       'windows.ad.cs.template',
       'application/json',
@@ -152,15 +136,6 @@ def get_certificate_template
     [obj, stored]
   end
 
-  def get_domain_sid
-    return @domain_sid if @domain_sid.present?
-
-    obj = ldap_get('(objectClass=domain)', attributes: %w[name objectSID])
-    fail_with(Failure::NotFound, 'The domain SID was not found!') unless obj&.fetch('objectsid', nil)
-
-    Rex::Proto::MsDtyp::MsDtypSid.read(obj['objectsid'].first)
-  end
-
   def get_pki_oids
     return @pki_oids if @pki_oids.present?
 
@@ -231,9 +206,12 @@ def load_from_yaml(yaml)
 
         # if the string only contains printable characters, treat it as SDDL
         if value !~ /[^[:print:]]/
+          vprint_status("Parsing SDDL text: #{value}")
+          domain_info = adds_get_domain_info(@ldap)
+          fail_with(Failure::Unknown, 'Failed to obtain the domain SID.') unless domain_info
+
           begin
-            vprint_status("Parsing SDDL text: #{value}")
-            descriptor = Rex::Proto::MsDtyp::MsDtypSecurityDescriptor.from_sddl_text(value, domain_sid: get_domain_sid)
+            descriptor = Rex::Proto::MsDtyp::MsDtypSecurityDescriptor.from_sddl_text(value, domain_sid: domain_info[:sid])
           rescue RuntimeError => e
             fail_with(Failure::BadConfig, e.message)
           end
@@ -270,11 +248,6 @@ def load_local_template
     end
   end
 
-  def ms_security_descriptor_control(flags)
-    control_values = [flags].map(&:to_ber).to_ber_sequence.to_s.to_ber
-    [LDAP_SERVER_SD_FLAGS_OID.to_ber, control_values].to_ber_sequence
-  end
-
   def action_create
     dn = "CN=#{datastore['CERT_TEMPLATE']},"
     dn << 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,'
@@ -346,14 +319,24 @@ def action_read
       object_guid = Rex::Proto::MsDtyp::MsDtypGuid.read(obj['objectguid'].first)
       print_status("  objectGUID:           #{object_guid}")
     end
-    if obj['ntsecuritydescriptor'].first.present?
+
+    if obj[:nTSecurityDescriptor].first.present?
+      domain_info = adds_get_domain_info(@ldap)
+      fail_with(Failure::Unknown, 'Failed to obtain the domain SID.') unless domain_info
+
       begin
-        sd = Rex::Proto::MsDtyp::MsDtypSecurityDescriptor.read(obj['ntsecuritydescriptor'].first)
-        sddl_text = sd.to_sddl_text(domain_sid: get_domain_sid)
+        sd = Rex::Proto::MsDtyp::MsDtypSecurityDescriptor.read(obj[:nTSecurityDescriptor].first)
+        sddl_text = sd.to_sddl_text(domain_sid: domain_info[:sid])
       rescue StandardError => e
         elog('failed to parse a binary security descriptor to SDDL', error: e)
       else
         print_status("  nTSecurityDescriptor: #{sddl_text}")
+        permissions = [ 'READ' ] # if we have the object, we can assume we have read permissions
+        permissions << 'WRITE' if adds_obj_grants_permissions?(@ldap, obj, SecurityDescriptorMatcher::Allow.new(:WP))
+        permissions << 'ENROLL' if adds_obj_grants_permissions?(@ldap, obj, SecurityDescriptorMatcher::Allow.certificate_enrollment)
+        permissions << 'AUTOENROLL' if adds_obj_grants_permissions?(@ldap, obj, SecurityDescriptorMatcher::Allow.certificate_autoenrollment)
+        whoami = adds_get_current_user(@ldap)
+        print_status("    * Permissions applied for #{whoami[:userPrincipalName].first}: #{permissions.join(', ')}")
       end
     end
 
@@ -375,7 +358,7 @@ def action_read
         CT_FLAG_EXPORTABLE_KEY
       ].each do |flag_name|
         if pki_flag & Rex::Proto::MsCrtd.const_get(flag_name) != 0
-          print_status("     * #{flag_name}")
+          print_status("    * #{flag_name}")
         end
       end
     end
@@ -554,7 +537,7 @@ def action_update
       return true
     end
 
-    @ldap.modify(dn: obj['dn'].first, operations: operations, controls: [ms_security_descriptor_control(DACL_SECURITY_INFORMATION)])
+    @ldap.modify(dn: obj.dn, operations: operations, controls: [adds_build_ldap_sd_control(owner: false, group: false)])
     validate_query_result!(@ldap.get_operation_result.table)
     true
   end