Updates from code review

Christophe De La Fuente
2024-10-22 14:41:02 +02:00
parent 43f13c7e90
commit ae213813b5
8 changed files with 11 additions and 9 deletions
@@ -29,4 +29,3 @@ msPKI-Private-Key-Flag: 0x10
# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
msPKI-Certificate-Name-Flag: 1
msPKI-Minimal-Key-Size: 2048
msPKI-Template-Schema-Version: 1
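Review bot: If the line dropped from this file is `msPKI-Template-Schema-Version: 1`, note that this is the only one of the four template data files touched here that carries the value 1 (the other three carry 2), and the same commit adds 'msPKI-Template-Schema-Version' to an attribute list in the module. Please state, in the template file or in the module documentation, where the schema version of a created template now comes from, so that the difference between this file and the other three is not silently lost.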
@@ -25,4 +25,3 @@ msPKI-Private-Key-Flag: 0x10
# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
msPKI-Certificate-Name-Flag: 1
msPKI-Minimal-Key-Size: 2048
msPKI-Template-Schema-Version: 2
@@ -28,4 +28,3 @@ msPKI-Private-Key-Flag: 0x10
# CT_FLAG_SUBJECT_ALT_REQUIRE_UPN | CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH
msPKI-Certificate-Name-Flag: 0x82000000
msPKI-Minimal-Key-Size: 2048
msPKI-Template-Schema-Version: 2
@@ -28,4 +28,3 @@ msPKI-Private-Key-Flag: 0x10
# CT_FLAG_SUBJECT_ALT_REQUIRE_UPN | CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH
msPKI-Certificate-Name-Flag: 0x82000000
msPKI-Minimal-Key-Size: 2048
msPKI-Template-Schema-Version: 2
@@ -3,9 +3,9 @@ Request certificates via MS-ICPR (Active Directory Certificate Services). Depend
template's configuration the resulting certificate can be used for various operations such as authentication.
PFX certificate files that are saved are encrypted with a blank password.
This module is capable of exploiting ESC1, ESC2, ESC3 and ESC13.
This module is capable of exploiting ESC1, ESC2, ESC3, ESC13 and ESC15.
## Module usage
## Module usage
1. From msfconsole
2. Do: `use auxiliary/admin/dcerpc/icpr_cert`
@@ -5,7 +5,7 @@ This module can read, write, update, and delete AD CS certificate templates from
The READ, UPDATE, and DELETE actions will write a copy of the certificate template to disk that can be
restored using the CREATE or UPDATE actions. The CREATE and UPDATE actions require a certificate template data
file to be specified to define the attributes. Template data files are provided to create a template that is
vulnerable to ESC1, ESC2, and ESC3.
vulnerable to ESC1, ESC2, ESC3 and ESC15.
This module is capable of exploiting ESC4.
@@ -22,7 +22,7 @@ class MetasploitModule < Msf::Auxiliary
template's configuration the resulting certificate can be used for various operations such as authentication.
PFX certificate files that are saved are encrypted with a blank password.
This module is capable of exploiting ESC1, ESC2, ESC3 and ESC13.
This module is capable of exploiting ESC1, ESC2, ESC3, ESC13 and ESC15.
},
'License' => MSF_LICENSE,
'Author' => [
@@ -26,6 +26,7 @@ class MetasploitModule < Msf::Auxiliary
'displayName',
'instanceType',
'revision',
'msPKI-Template-Schema-Version',
'msPKI-Template-Minor-Revision',
].freeze
@@ -48,7 +49,7 @@ class MetasploitModule < Msf::Auxiliary
The READ, UPDATE, and DELETE actions will write a copy of the certificate template to disk that can be
restored using the CREATE or UPDATE actions. The CREATE and UPDATE actions require a certificate template data
file to be specified to define the attributes. Template data files are provided to create a template that is
vulnerable to ESC1, ESC2, and ESC3.
vulnerable to ESC1, ESC2, ESC3 and ESC15.
This module is capable of exploiting ESC4.
},
@@ -428,6 +429,11 @@ class MetasploitModule < Msf::Auxiliary
print_status(" msPKI-RA-Signature: 0x#{pki_flag.to_s(16).rjust(8, '0')}")
end
pki_flag = obj['mkpki-template-schema-version']&.first
if pki_flag.present?
print_status(" msPKI-Template-Schema-Version: #{pki_flag}")
end
if obj['mspki-certificate-policy'].present?
if obj['mspki-certificate-policy'].length == 1
if (oid_name = get_pki_oid_displayname(obj['mspki-certificate-policy'].first)).present?
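Review bot: The lookup key on the first added line, `obj['mkpki-template-schema-version']`, is spelled `mkpki`, while the neighbouring lookup a few lines below uses `obj['mspki-certificate-policy']`. As written the key does not match the attribute name, so the `msPKI-Template-Schema-Version` status line would not be printed; change it to `obj['mspki-template-schema-version']`. The value is also stored in `pki_flag`, although a schema version is not a flag, so a name such as `schema_version` would read better and avoid reusing the variable from the block above.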