Module: Msf::Exploit::Remote::MsIcpr

# File 'lib/msf/core/exploit/remote/ms_icpr.rb', line 80

def connect_icpr(tree)
  vprint_status('Connecting to ICertPassage (ICPR) Remote Protocol')
  icpr = tree.open_file(filename: 'cert', write: true, read: true)

  vprint_status('Binding to \\cert...')
  icpr.bind(
    endpoint: RubySMB::Dcerpc::Icpr,
    auth_level: RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
    auth_type: RubySMB::Dcerpc::RPC_C_AUTHN_WINNT
  )
  vprint_good('Bound to \\cert')

  report_icertpassage_service

  icpr
end

.do_request_cert(icpr, opts, csr, attributes) ⇒ `Object`

# File 'lib/msf/core/exploit/remote/ms_icpr.rb', line 97

def do_request_cert(icpr, opts, csr, attributes)
  response = icpr.cert_server_request(
    attributes: attributes,
    authority: datastore['CA'],
    csr: csr
  )
  case response[:status]
  when :issued
    print_good('The requested certificate was issued.')
  when :submitted
    print_warning('The requested certificate was submitted for review.')
  else
    print_error('There was an error while requesting the certificate.')
    print_error(response[:disposition_message].strip.to_s) unless response[:disposition_message].blank?
    hresult = ::WindowsError::HResult.find_by_retval(response[:disposition]).first

    if hresult
      print_error('Error details:')
      print_error("  Source:  #{hresult.facility}") if hresult.facility
      print_error("  HRESULT: #{hresult}")
    end

    case hresult
    when ::WindowsError::HResult::CERTSRV_E_ENROLL_DENIED
      raise MsIcprAuthorizationError.new(hresult.description)
    when ::WindowsError::HResult::CERTSRV_E_TEMPLATE_DENIED
      raise MsIcprAuthorizationError.new(hresult.description)
    when ::WindowsError::HResult::CERTSRV_E_UNSUPPORTED_CERT_TYPE
      raise MsIcprNotFoundError.new(hresult.description)
    else
      raise MsIcprUnknownError.new(hresult.description)
    end
  end

  response[:certificate]
end

.report_icertpassage_service ⇒ `Object`

# File 'lib/msf/core/exploit/remote/ms_icpr.rb', line 134

def report_icertpassage_service
  report_service({
    name: 'icertpassage',
    resource: { dcerpc: { pipe: 'cert' } },
    host: simple.peerhost,
    port: simple.peerport,
    proto: 'tcp',
    parents: report_dcerpc_service
   })
end

Instance Method Details

#icpr_request_certificate(opts = {}) ⇒ `Object`

# File 'lib/msf/core/exploit/remote/ms_icpr.rb', line 41

def icpr_request_certificate(opts = {})
  tree = opts[:tree] || connect_ipc

  begin
    icpr = connect_icpr(tree)
  rescue RubySMB::Error::UnexpectedStatusCode => e
    if e.status_code == ::WindowsError::NTStatus::STATUS_OBJECT_NAME_NOT_FOUND
      # STATUS_OBJECT_NAME_NOT_FOUND will be the status if Active Directory Certificate Service (AD CS) is not installed on the target
      raise MsIcprNotFoundError, 'Connection failed (AD CS was not found).'
    end

    elog(e.message, error: e)
    raise MsIcprUnexpectedReplyError, "Connection failed (unexpected status: #{e.status_name})"
  end

  opts = opts.dup # Don't alter the caller's instance
  # Calls to this come from different places with different imports  and different opts hash values, so we need this
  # here to make sure all the data we need is populated
  opts[:username] = opts.fetch(:username) { datastore['SMBUser'] }
  opts[:domain] = opts.fetch(:domain) { simple.client.default_domain }
  opts[:service] = report_icertpassage_service

  with_adcs_certificate_request(opts) do |csr, attributes|
    do_request_cert(icpr, opts, csr, attributes)
  end

rescue RubySMB::Dcerpc::Error::FaultError => e
  elog(e.message, error: e)
  raise MsIcprUnexpectedReplyError, "Operation failed (DCERPC fault: #{e.status_name})"
rescue RubySMB::Dcerpc::Error::DcerpcError => e
  elog(e.message, error: e)
  raise MsIcprUnexpectedReplyError, e.message
rescue RubySMB::Error::RubySMBError => e
  elog(e.message, error: e)
  raise MsIcprUnknownError, e.message
end

#initialize(info = {}) ⇒ `Object`

# File 'lib/msf/core/exploit/remote/ms_icpr.rb', line 31

def initialize(info = {})
  super

  register_options([
    OptString.new('CA', [ true, 'The target certificate authority' ]),
    Opt::RPORT(445)
  ], Msf::Exploit::Remote::MsIcpr)

end

Module: Msf::Exploit::Remote::MsIcpr

Defined Under Namespace

Constant Summary collapse

Constants included from DCERPC

Constants included from DCERPC_LSA

Constants included from DCERPC_MGMT

Constants included from SMB::Client

Instance Attribute Summary

Attributes included from DCERPC

Attributes included from Tcp

Attributes included from SMB::Client

Class Method Summary collapse

Instance Method Summary collapse

Methods included from LDAP::ActiveDirectory::AdCsOpts

Methods included from CertRequest

Methods included from DCERPC

Methods included from DCERPC_LSA

Methods included from DCERPC_MGMT

Methods included from DCERPC_EPM

Methods included from Tcp

Methods included from SMB::Client::Ipc

Methods included from Auxiliary::Report

Methods included from Metasploit::Framework::Require

Methods included from Kerberos::ServiceAuthenticator::Options

Methods included from Kerberos::Ticket::Storage

Methods included from SMB::Client

Class Method Details

.connect_icpr(tree) ⇒ Object

.do_request_cert(icpr, opts, csr, attributes) ⇒ Object

.report_icertpassage_service ⇒ Object

Instance Method Details

#icpr_request_certificate(opts = {}) ⇒ Object

#initialize(info = {}) ⇒ Object

.connect_icpr(tree) ⇒ `Object`

.do_request_cert(icpr, opts, csr, attributes) ⇒ `Object`

.report_icertpassage_service ⇒ `Object`

#icpr_request_certificate(opts = {}) ⇒ `Object`

#initialize(info = {}) ⇒ `Object`