Christophe De La Fuente
3d22fbcad9
- Move all the logic from `modules/auxiliary/admin/dcerpc/icpr_cert.rb` to `lib/msf/core/exploit/remote/ms_icpr.rb` library - Move all the logic from `modules/auxiliary/admin/dcerpc/samr_computer.rb` to `lib/msf/core/exploit/remote/ms_samr.rb` library - Add `modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb` module - Update the SMB client to disable SSL by default - Add documentation - Kerbero client: pass `options` as argument to `send_request_as` - `calculate_shared_key` returns an EncryptionKey instead of the raw key - Update `pkinit_login` module to make it compatible - Add support to `additional_tickets` when requesting tickets - Add support to PAC CredentialInfo structures - Add impersonation to escalate privileges - Add ACTIONS - Use elevated TGS to delete the computer account - Update and add specs
84 lines
2.7 KiB
Ruby
84 lines
2.7 KiB
Ruby
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
require 'ruby_smb/dcerpc/client'
|
|
|
|
class MetasploitModule < Msf::Auxiliary
|
|
include Msf::Exploit::Remote::SMB::Client::Authenticated
|
|
include Msf::Exploit::Remote::DCERPC
|
|
include Msf::Auxiliary::Report
|
|
include Msf::Exploit::Remote::MsSamr
|
|
|
|
def initialize(info = {})
|
|
super(
|
|
update_info(
|
|
info,
|
|
'Name' => 'SAMR Computer Management',
|
|
'Description' => %q{
|
|
Add, lookup and delete computer accounts via MS-SAMR. By default
|
|
standard active directory users can add up to 10 new computers to the
|
|
domain. Administrative privileges however are required to delete the
|
|
created accounts.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' => [
|
|
'JaGoTu', # @jagotu Original Impacket code
|
|
'Spencer McIntyre',
|
|
],
|
|
'References' => [
|
|
['URL', 'https://github.com/SecureAuthCorp/impacket/blob/master/examples/addcomputer.py'],
|
|
],
|
|
'Notes' => {
|
|
'Reliability' => [],
|
|
'Stability' => [],
|
|
'SideEffects' => [ IOC_IN_LOGS ]
|
|
},
|
|
'Actions' => [
|
|
[ 'ADD_COMPUTER', { 'Description' => 'Add a computer account' } ],
|
|
[ 'DELETE_COMPUTER', { 'Description' => 'Delete a computer account' } ],
|
|
[ 'LOOKUP_COMPUTER', { 'Description' => 'Lookup a computer account' } ]
|
|
],
|
|
'DefaultAction' => 'ADD_COMPUTER'
|
|
)
|
|
)
|
|
|
|
register_options([
|
|
OptString.new('COMPUTER_PASSWORD', [ false, 'The password for the new computer' ], conditions: %w[ACTION == ADD_COMPUTER]),
|
|
Opt::RPORT(445)
|
|
])
|
|
end
|
|
|
|
def run
|
|
send("action_#{action.name.downcase}")
|
|
rescue MsSamrConnectionError => e
|
|
fail_with(Failure::Unreachable, e.message)
|
|
rescue MsSamrAuthenticationError => e
|
|
fail_with(Failure::NoAccess, e.message)
|
|
rescue MsSamrNotFoundError => e
|
|
fail_with(Failure::NotFound, e.message)
|
|
rescue MsSamrBadConfigError => e
|
|
fail_with(Failure::BadConfig, e.message)
|
|
rescue MsSamrUnexpectedReplyError => e
|
|
fail_with(Failure::UnexpectedReply, e.message)
|
|
rescue MsSamrUnknownError => e
|
|
fail_with(Failure::Unknown, e.message)
|
|
end
|
|
|
|
def action_add_computer
|
|
add_computer
|
|
end
|
|
|
|
def action_delete_computer
|
|
fail_with(Failure::BadConfig, 'This action requires COMPUTER_NAME to be specified.') if datastore['COMPUTER_NAME'].blank?
|
|
delete_computer
|
|
end
|
|
|
|
def action_lookup_computer
|
|
fail_with(Failure::BadConfig, 'This action requires COMPUTER_NAME to be specified.') if datastore['COMPUTER_NAME'].blank?
|
|
lookup_computer
|
|
end
|
|
|
|
end
|