Add an ESC15 template

Author: zeroSteiner

data/auxiliary/admin/ldap/ad_cs_cert_template/esc15_template.yaml

@@ -0,0 +1,32 @@
+---
+# Creates a template that will be vulnerable to ESC15 (subject name supplied in
+# the request and schema version is 1). Fields are based on the SubCA template.
+# For field descriptions, see:
+# https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/b2df0c1c-8657-4684-bb5f-4f6b89c8d434
+showInAdvancedViewOnly: 'TRUE'
+# this security descriptor grants all permissions to all authenticated users
+nTSecurityDescriptor: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
+flags: 0
+pKIDefaultKeySpec: 2
+pKIKeyUsage: !binary |-
+  hgA=
+pKIMaxIssuingDepth: -1
+pKICriticalExtensions:
+- 2.5.29.19
+- 2.5.29.15
+pKIExtendedKeyUsage:
+# Server Authentication OID (alter the EKUs via ESC15)
+- 1.3.6.1.5.5.7.3.1
+pKIExpirationPeriod: !binary |-
+  AEAepOhl+v8=
+pKIOverlapPeriod: !binary |-
+  AICmCv/e//8=
+pKIDefaultCSPs: 1,Microsoft Enhanced Cryptographic Provider v1.0
+msPKI-RA-Signature: 0
+msPKI-Enrollment-Flag: 0
+# CT_FLAG_EXPORTABLE_KEY
+msPKI-Private-Key-Flag: 0x10
+# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
+msPKI-Certificate-Name-Flag: 1
+msPKI-Minimal-Key-Size: 2048
+msPKI-Template-Schema-Version: 1

modules/auxiliary/admin/ldap/ad_cs_cert_template.rb

@@ -26,7 +26,6 @@ class MetasploitModule < Msf::Auxiliary
     'displayName',
     'instanceType',
     'revision',
-    'msPKI-Template-Schema-Version',
     'msPKI-Template-Minor-Revision',
   ].freeze