Initial implementation of #adds_sd_grants_permissions?

zeroSteiner · zeroSteiner · commit be40c05a9f86 · 2025-06-11T17:20:06.000-04:00
diff --git a/lib/msf/core/exploit/remote/ldap/active_directory.rb b/lib/msf/core/exploit/remote/ldap/active_directory.rb
@@ -9,6 +9,11 @@ module ActiveDirectory
       include Msf::Exploit::Remote::LDAP
 
       LDAP_CAP_ACTIVE_DIRECTORY_OID = '1.2.840.113556.1.4.800'.freeze
+      LDAP_SERVER_SD_FLAGS_OID = '1.2.840.113556.1.4.801'.freeze
+      OWNER_SECURITY_INFORMATION = 0x1
+      GROUP_SECURITY_INFORMATION = 0x2
+      DACL_SECURITY_INFORMATION = 0x4
+      SACL_SECURITY_INFORMATION = 0x8
 
       # Query the remote server via the provided LDAP connection to determine if it's an Active Directory LDAP server.
       # More specifically, this ensures that it reports active directory capabilities and the whoami extension.
@@ -30,6 +35,25 @@ def is_active_directory?(ldap)
         true
       end
 
+      def adds_build_ldap_sd_control
+        # Set the value of LDAP_SERVER_SD_FLAGS_OID flag so everything but
+        # the SACL flag is set, as we need administrative privileges to retrieve
+        # the SACL from the ntSecurityDescriptor attribute on Windows AD LDAP servers.
+        #
+        # Note that without specifying the LDAP_SERVER_SD_FLAGS_OID control in this manner,
+        # the LDAP searchRequest will default to trying to grab all possible attributes of
+        # the ntSecurityDescriptor attribute, hence resulting in an attempt to retrieve the
+        # SACL even if the user is not an administrative user.
+        #
+        # Now one may think that we would just get the rest of the data without the SACL field,
+        # however in reality LDAP will cause that attribute to just be blanked out if a part of it
+        # cannot be retrieved, so we just will get nothing for the ntSecurityDescriptor attribute
+        # in these cases if the user doesn't have permissions to read the SACL.
+        all_but_sacl_flag = OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION
+        control_values = [all_but_sacl_flag].map(&:to_ber).to_ber_sequence.to_s.to_ber
+        [LDAP_SERVER_SD_FLAGS_OID.to_ber, true.to_ber, control_values].to_ber_sequence
+      end
+
       def adds_query_group_members(ldap, group_dn, base_dn: nil, inherited: true, object_class: nil)
         return enum_for(:adds_query_group_members, ldap, group_dn, base_dn: base_dn, inherited: inherited, object_class: object_class) unless block_given?
         results = 0
@@ -50,6 +74,7 @@ def adds_query_group_members(ldap, group_dn, base_dn: nil, inherited: true, obje
 
         ldap.search(
           base: base_dn || ldap.base_dn,
+          controls: [adds_build_ldap_sd_control],
           filter: "(&#{filters.map { "(#{_1})" }.join})",
           return_result: false # make sure we're streaming because this could be a lot of data
         ) do |ldap_entry|
@@ -85,6 +110,7 @@ def adds_query_member_groups(ldap, member_dn, base_dn: nil, inherited: true)
 
         ldap.search(
           base: base_dn || ldap.base_dn,
+          controls: [adds_build_ldap_sd_control],
           filter: "(&#{filters.map { "(#{_1})" }.join})",
           return_result: false
         ) do |ldap_entry|
@@ -104,26 +130,86 @@ def adds_get_object_by_dn(ldap, object_dn)
         object = @ldap_objects.find { |o| o[:dN]&.first == object_dn }
         return object if object
 
-        object = ldap.search(base: object_dn, scope: Net::LDAP::SearchScope_BaseObject)&.first
+        object = ldap.search(base: object_dn, controls: [adds_build_ldap_sd_control], scope: Net::LDAP::SearchScope_BaseObject)&.first
         validate_query_result!(ldap.get_operation_result.table)
 
         @ldap_objects << object if object
         object
       end
 
+      def adds_get_object_by_samaccountname(ldap, object_samaccountname)
+        @ldap_objects ||= []
+        object = @ldap_objects.find { |o| o[:sAMAccountName]&.first == object_samaccountname }
+        return object if object
+
+        filter = "(sAMAccountName=#{ldap_escape_filter(object_samaccountname)})"
+        object = ldap.search(base: ldap.base_dn, controls: [adds_build_ldap_sd_control], filter: filter)&.first
+        validate_query_result!(ldap.get_operation_result.table, filter)
+
+        @ldap_objects << object if object
+        object
+      end
+
       def adds_get_object_by_sid(ldap, object_sid)
         @ldap_objects ||= []
         object_sid = Rex::Proto::MsDtyp::MsDtypSid.new(object_sid)
         object = @ldap_objects.find { |o| o[:objectSid]&.first == object_sid.to_binary_s }
         return object if object
 
         filter = "(objectSID=#{ldap_escape_filter(object_sid.to_s)})"
-        object = ldap.search(base: ldap.base_dn, filter: filter)&.first
+        object = ldap.search(base: ldap.base_dn, controls: [adds_build_ldap_sd_control], filter: filter)&.first
         validate_query_result!(ldap.get_operation_result.table, filter)
 
         @ldap_objects << object if object
         object
       end
+
+      def adds_get_current_user(ldap)
+        our_domain, _, our_username = ldap.ldapwhoami.to_s.delete_prefix('u:').partition('\\')
+        # todo: this is probably going to have issues if our user is from a domain that the target server is not the
+        # authority of
+        adds_get_object_by_samaccountname(ldap, our_username)
+      end
+
+      def adds_sd_grants_permissions?(ldap, security_descriptor, matcher, test_sid: nil)
+        unless test_sid
+          current_user = adds_get_current_user(ldap)
+          test_sid = Rex::Proto::MsDtyp::MsDtypSid.read(current_user[:objectSid].first)
+        end
+
+        # todo: process special SIDs, e.g. SELF, Everyone
+
+        test_member_sids = nil
+        security_descriptor.dacl.aces.each do |ace|
+          # only processing simple allow and deny types right now
+          if ace.header.ace_type == Rex::Proto::MsDtyp::MsDtypAceType::ACCESS_ALLOWED_ACE_TYPE
+            eval_result = true
+          elsif ace.header.ace_type == Rex::Proto::MsDtyp::MsDtypAceType::ACCESS_DENIED_ACE_TYPE
+            eval_result = false
+          else
+            next # skip ACEs that are neither allow or deny
+          end
+
+          next unless matcher.call(ace)
+
+          return eval_result if ace.body.sid == test_sid
+
+          ldap_object = adds_get_object_by_sid(ldap, ace.body.sid)
+          next unless ldap_object && ldap_object[:objectClass].include?('group')
+
+          member_sids = adds_query_group_members(ldap, ldap_object[:dN].first, inherited: false).map { |member| Rex::Proto::MsDtyp::MsDtypSid.read(member[:objectSid].first) }
+          return eval_result if member_sids.include?(test_sid)
+
+          if test_member_sids.nil?
+            test_obj = adds_get_object_by_sid(ldap, test_sid)
+            test_member_sids = adds_query_member_groups(ldap, test_obj[:dN].first, inherited: true).map { |member| Rex::Proto::MsDtyp::MsDtypSid.read(member[:objectSid].first) }
+          end
+
+          return eval_result if member_sids.any? { |member_sid| test_member_sids.include?(member_sid) }
+        end
+
+        false
+      end
     end
   end
 end
