adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions 9 Packages Projects Releases Wiki Activity

Merge pull request #19572 from cdelafuente-r7/fix/mod/ldap/ad_cs_cert_template

Browse Source 
Fix UPDATE certificate templates with `admin/ldap/ad_cs_cert_template`
This commit is contained in:
Spencer McIntyre
2024-10-22 15:03:31 -04:00
committed by GitHub
parent 9c0efc67fb ae213813b5
commit 05a149dadc
5 changed files with 11 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
data/auxiliary/admin/ldap/ad_cs_cert_template/esc15_template.yaml
-1
View File
@@ -29,4 +29,3 @@ msPKI-Private-Key-Flag: 0x10
# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
msPKI-Certificate-Name-Flag: 1
msPKI-Minimal-Key-Size: 2048
msPKI-Template-Schema-Version: 1
documentation/modules/auxiliary/admin/dcerpc/icpr_cert.md
+2 -2
View File
@@ -3,9 +3,9 @@ Request certificates via MS-ICPR (Active Directory Certificate Services). Depend
template's configuration the resulting certificate can be used for various operations such as authentication.
PFX certificate files that are saved are encrypted with a blank password.
This module is capable of exploiting ESC1, ESC2, ESC3 and ESC13.
This module is capable of exploiting ESC1, ESC2, ESC3, ESC13 and ESC15.
## Module usage
## Module usage
1. From msfconsole
2. Do: `use auxiliary/admin/dcerpc/icpr_cert`
documentation/modules/auxiliary/admin/ldap/ad_cs_cert_template.md
+1 -1
View File
@@ -5,7 +5,7 @@ This module can read, write, update, and delete AD CS certificate templates from
The READ, UPDATE, and DELETE actions will write a copy of the certificate template to disk that can be
restored using the CREATE or UPDATE actions. The CREATE and UPDATE actions require a certificate template data
file to be specified to define the attributes. Template data files are provided to create a template that is
vulnerable to ESC1, ESC2, and ESC3.
vulnerable to ESC1, ESC2, ESC3 and ESC15.
This module is capable of exploiting ESC4.
modules/auxiliary/admin/dcerpc/icpr_cert.rb
+1 -1
View File
@@ -22,7 +22,7 @@ class MetasploitModule < Msf::Auxiliary
template's configuration the resulting certificate can be used for various operations such as authentication.
PFX certificate files that are saved are encrypted with a blank password.
This module is capable of exploiting ESC1, ESC2, ESC3 and ESC13.
This module is capable of exploiting ESC1, ESC2, ESC3, ESC13 and ESC15.
},
'License' => MSF_LICENSE,
'Author' => [
modules/auxiliary/admin/ldap/ad_cs_cert_template.rb
+7 -1
View File
@@ -26,6 +26,7 @@ class MetasploitModule < Msf::Auxiliary
'displayName',
'instanceType',
'revision',
'msPKI-Template-Schema-Version',
'msPKI-Template-Minor-Revision',
].freeze
@@ -48,7 +49,7 @@ class MetasploitModule < Msf::Auxiliary
The READ, UPDATE, and DELETE actions will write a copy of the certificate template to disk that can be
restored using the CREATE or UPDATE actions. The CREATE and UPDATE actions require a certificate template data
file to be specified to define the attributes. Template data files are provided to create a template that is
vulnerable to ESC1, ESC2, and ESC3.
vulnerable to ESC1, ESC2, ESC3 and ESC15.
This module is capable of exploiting ESC4.
},
@@ -428,6 +429,11 @@ class MetasploitModule < Msf::Auxiliary
print_status(" msPKI-RA-Signature: 0x#{pki_flag.to_s(16).rjust(8, '0')}")
end
pki_flag = obj['mkpki-template-schema-version']&.first
if pki_flag.present?
print_status(" msPKI-Template-Schema-Version: #{pki_flag}")
end
if obj['mspki-certificate-policy'].present?
if obj['mspki-certificate-policy'].length == 1
if (oid_name = get_pki_oid_displayname(obj['mspki-certificate-policy'].first)).present?