Add additional clarity to some segments of the module

Grant Willcox
2023-05-08 16:43:26 -05:00
parent cdab415ffb
commit bc25907d1e
@@ -78,11 +78,15 @@ class MetasploitModule < Msf::Auxiliary
# To decode the ObjectType we need to do another query to CN=Configuration,DC=daforest,DC=com
# and look at either schemaIDGUID or rightsGUID fields to see if they match this value.
if (object_type = ace_body[:object_type]) && !(object_type == CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT || object_type == CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT)
# If an object type was specified, only process the rest if it is one of these two
# If an object type was specified, only process the rest if it is one of these two (note that objects with no
# object types will be processed to make sure we can detect vulnerable templates post exploiting ESC4).
next
end
next if (ace_body.access_mask.protocol & CONTROL_ACCESS) == 0
# Skip entry if it is not related to an extended access control right, where extended access control right is
# described as ADS_RIGHT_DS_CONTROL_ACCESS in the ObjectType field of ACCESS_ALLOWED_OBJECT_ACE. This is
# detailed further at https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-access_allowed_object_ace
next unless (ace_body.access_mask.protocol & CONTROL_ACCESS) == CONTROL_ACCESS
if ace_type_name.match(/ALLOWED/)
allowed_sids << ace_body[:sid].to_s