Fix bug in writing UpnDnsInfo structure, and include in sapphire PAC
This commit is contained in:
parent
24490cbe1e
commit
9d873cb7ac
|
@ -59,6 +59,7 @@ module Msf
|
|||
ticket_checksum = opts[:ticket_checksum] || nil
|
||||
is_golden = opts.fetch(:is_golden) { true }
|
||||
base_vi = opts.fetch(:base_verification_info) { Rex::Proto::Kerberos::Pac::Krb5ValidationInfo.new }
|
||||
upn_dns_info_pac_element = opts[:upn_dns_info_pac_element]
|
||||
|
||||
validation_info = Rex::Proto::Kerberos::Pac::Krb5ValidationInfo.new(
|
||||
logon_time: auth_time,
|
||||
|
@ -118,6 +119,10 @@ module Msf
|
|||
client_info
|
||||
]
|
||||
|
||||
unless upn_dns_info_pac_element.nil?
|
||||
pac_elements.append(upn_dns_info_pac_element)
|
||||
end
|
||||
|
||||
if is_golden
|
||||
# These PAC elements are required for golden tickets in post-October 2022 systems
|
||||
pac_elements.append(
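Review bot: The nil guard added around `pac_elements.append(upn_dns_info_pac_element)` is the only place in this method that tests for nil explicitly; the idiomatic form, and the one that matches the `if is_golden` branch right below it, is `pac_elements.append(upn_dns_info_pac_element) if upn_dns_info_pac_element`. The element is appended verbatim, and the hunk at line 157 shows it is lifted from an existing ticket's PAC, so its own principal fields (the spec constructs it with `sam_name:` and `sid:`) are only consistent with the `validation_info` built earlier in this method when both describe the same account — worth a comment such as `# carried over from the source ticket; must agree with validation_info` at the append (inferred from this excerpt; the method's header and the caller are outside these hunks). The new `opts[:upn_dns_info_pac_element]` read in the hunk at line 59 should also be listed with the method's other documented options, if it has a YARD `@option` list.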
|
||||
|
|
|
@ -157,6 +157,8 @@ module Msf
|
|||
opts[:extra_sids].append(sid.sid.to_s)
|
||||
end
|
||||
end
|
||||
when Rex::Proto::Kerberos::Pac::Krb5PacElementType::USER_PRINCIPAL_NAME_AND_DNS_INFORMATION
|
||||
opts[:upn_dns_info_pac_element] = element
|
||||
when Rex::Proto::Kerberos::Pac::Krb5PacElementType::TICKET_CHECKSUM
|
||||
# We want to be stealthy and match whatever the KDC is doing, so we should do it too
|
||||
opts[:create_ticket_checksum] = true
|
||||
|
|
|
@ -743,6 +743,15 @@ module Rex::Proto::Kerberos::Pac
|
|||
ms_dtyp_sid
|
||||
end
|
||||
|
||||
def do_num_bytes
|
||||
if has_s_flag?
|
||||
result = sid_offset + sid_length
|
||||
else
|
||||
result = dns_domain_name_offset + dns_domain_name_length
|
||||
end
|
||||
result
|
||||
end
|
||||
|
||||
# def initialize_instance(*args)
|
||||
# super
|
||||
# set_offsets!
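Review bot: `do_num_bytes` derives the structure size from the trailing field's offset plus its length, so it is only correct once the offsets have been populated — the commented-out `initialize_instance` hook below it and the spec's explicit `element.set_offsets!` suggest that does not happen automatically, and with unset offsets the method would report only the last field's length. A comment on the method stating that, e.g. `# Size of the whole blob: assumes set_offsets! has run and the SID (S flag) or DNS domain name is the last field laid out`, would keep the next maintainer from calling it on a freshly built element. The assignment in both branches can also be written as a single expression, `has_s_flag? ? sid_offset + sid_length : dns_domain_name_offset + dns_domain_name_length`. The commented-out `initialize_instance` block is pre-existing, but either enabling it or deleting it would be cleaner than leaving dead code next to the method that depends on it.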
|
||||
|
|
|
@ -88,6 +88,18 @@ RSpec.describe Rex::Proto::Kerberos::Pac::Krb5Pac do
|
|||
)
|
||||
end
|
||||
|
||||
let(:upn_dns_info) do
|
||||
element = Rex::Proto::Kerberos::Pac::Krb5UpnDnsInfo.new(
|
||||
upn: 'juan@demo.local',
|
||||
dns_domain_name: 'DEMO.LOCAL',
|
||||
flags: 3,
|
||||
sam_name: 'juan',
|
||||
sid: 'S-1-5-21-1755879683-3641577184-3486455962-1038'
|
||||
)
|
||||
element.set_offsets!
|
||||
element
|
||||
end
|
||||
|
||||
let(:pac_elements) do
|
||||
[
|
||||
logon_info,
|
||||
|
@ -97,6 +109,16 @@ RSpec.describe Rex::Proto::Kerberos::Pac::Krb5Pac do
|
|||
]
|
||||
end
|
||||
|
||||
let(:pac_elements_with_upn) do
|
||||
[
|
||||
logon_info,
|
||||
client_info,
|
||||
upn_dns_info,
|
||||
server_checksum,
|
||||
priv_srv_checksum
|
||||
]
|
||||
end
|
||||
|
||||
|
||||
describe '#assign' do
|
||||
it 'creates a valid pac structure' do
|
||||
|
@ -112,6 +134,17 @@ RSpec.describe Rex::Proto::Kerberos::Pac::Krb5Pac do
|
|||
end
|
||||
end
|
||||
|
||||
describe '#write' do
|
||||
it 'writes then reads back to its original state' do
|
||||
pac.assign(pac_elements: pac_elements_with_upn)
|
||||
pac.sign!
|
||||
data = pac.to_binary_s
|
||||
print("data is #{data.inspect}\n")
|
||||
result = Rex::Proto::Kerberos::Pac::Krb5Pac.read(data)
|
||||
expect(result).to eq(pac)
|
||||
end
|
||||
end
|
||||
|
||||
describe '#read' do
|
||||
it 'correctly parses the binary data' do
|
||||
pac = described_class.read(sample)
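Review bot: The `print("data is #{data.inspect}\n")` line in the new '#write' example is a leftover debug statement that dumps the entire serialized PAC, signatures included, to stdout on every spec run; remove it, since `expect(result).to eq(pac)` already reports the diff on failure. The round-trip example otherwise exercises the new `Krb5UpnDnsInfo` path well; a second example that assigns `pac_elements` (without the UPN element) and round-trips it would confirm the optional element does not change the existing behaviour.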
|
||||
|
|