From 5084e9d80311fb4d89c451df9c2827744d04a23d Mon Sep 17 00:00:00 2001
From: Benjamin DELPY
Date: Thu, 16 Jul 2015 01:19:48 +0200
Subject: [PATCH] Thanks to @dfirfpi new samples, some cool adaptations!

---
 .../modules/dpapi/packages/kuhl_m_dpapi_creds.c | 6 ++++--
 modules/kull_m_cred.c | 17 ++++++++++++++---
 modules/kull_m_cred.h | 1 -
 3 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_creds.c b/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_creds.c
index 16efb82..e004581 100644
--- a/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_creds.c
+++ b/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_creds.c
@@ -77,7 +77,7 @@ NTSTATUS kuhl_m_dpapi_vault(int argc, wchar_t * argv[])
 if(attribute = vaultCredential->attributes[i])
 {
 kprintf(L" > Attribute %u : ", attribute->id);
- if(attribute->id < 100)
+ if(attribute->id && (attribute->id < 100))
 {
 if(len = (attribute->attributeElement.simpleAttribute.size >= 1) ? (attribute->attributeElement.simpleAttribute.size - 1) : 0)
 {
@@ -91,6 +91,7 @@ NTSTATUS kuhl_m_dpapi_vault(int argc, wchar_t * argv[])
 {
 kull_m_string_wprintf_hex(buffer, len, 0);
 }
+ else PRINT_ERROR_AUTO(L"CryptDecrypt");
 CryptDestroyKey(hKey);
 LocalFree(buffer);
 }
@@ -110,7 +111,7 @@ NTSTATUS kuhl_m_dpapi_vault(int argc, wchar_t * argv[])
 if(CryptDecrypt(hKey, 0, TRUE, 0, (PBYTE) buffer, &len))
 {
 kprintf(L"\n");
- if(attribute->id == 100)
+ if(!attribute->id || (attribute->id == 100))
 {
 if(clear = kull_m_cred_vault_clear_create(buffer))
 {
@@ -121,6 +122,7 @@ NTSTATUS kuhl_m_dpapi_vault(int argc, wchar_t * argv[])
 else kull_m_string_wprintf_hex(buffer, len, 1 | (16 << 16));
 kprintf(L"\n");
 }
+ else PRINT_ERROR_AUTO(L"CryptDecrypt");
 CryptDestroyKey(hKey);
 LocalFree(buffer);
 }
diff --git a/modules/kull_m_cred.c b/modules/kull_m_cred.c
index d5c51e9..af7504a 100644
--- a/modules/kull_m_cred.c
+++ b/modules/kull_m_cred.c
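Review bot: The new classification `attribute->id && (attribute->id < 100)` at the `if` in this hunk is now spelled out again at @@ -372 and @@ -419 in modules/kull_m_cred.c, with its mirror-image test `!attribute->id || (attribute->id == 100)` at @@ -110 of this file, so four sites have to be kept in step by hand the next time the vault format moves. A shared test in kull_m_cred.h would remove that risk, e.g. `#define KULL_M_CRED_VAULT_ATTRIBUTE_IS_SIMPLE(id) ((id) && ((id) < 100))`, with each site reading `if(KULL_M_CRED_VAULT_ATTRIBUTE_IS_SIMPLE(attribute->id))`. Nothing in the change says why id 0 is now handled like id 100; from the @@ -351 hunk in kull_m_cred.c it looks like the trailing attribute synthesized there is zero-filled by LocalAlloc(LPTR) and only has its complex part populated, so a comment at the first site such as `// id 0: trailing attribute synthesized in kull_m_cred_vault_credential_create, only its complex part is filled` would spare the next reader that hunt — the author should confirm that reading. The enclosing kuhl_m_dpapi_vault body starts and ends outside the hunk.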
@@ -329,7 +329,7 @@ PKULL_M_CRED_VAULT_CREDENTIAL kull_m_cred_vault_credential_create(PVOID data/*,
 kull_m_string_ptr_replace(&credential->attributesMap, credential->dwAttributesMapSize);
 credential->__cbElements = credential->dwAttributesMapSize / sizeof(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_MAP);
- if(credential->attributes = (PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE * ) LocalAlloc(LPTR, credential->__cbElements * sizeof(PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE)))
+ if(credential->attributes = (PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE * ) LocalAlloc(LPTR, (credential->__cbElements + ((credential->unk0 < 4) ? 1 : 0)) * sizeof(PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE)))
 {
 for(i = 0; i < credential->__cbElements; i++)
 {
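Review bot: The extra slot reserved by `((credential->unk0 < 4) ? 1 : 0)` in the LocalAlloc call is undocumented, and the same `unk0 < 4` test is repeated in the @@ -351 hunk that later fills that slot; a future edit that changes one test and not the other would turn the fill into a write one past the array. A single named test used at both sites, e.g. `#define KULL_M_CRED_VAULT_HAS_TRAILING_ATTRIBUTE(cred) ((cred)->unk0 < 4)`, plus a comment on this line along the lines of `// unk0 < 4: layout seen in newer samples carries one attribute past the map, reserve a slot for it` would pin the assumption down. I am inferring what unk0 means from the commit message and the fill code, so the wording needs the author's confirmation. kull_m_cred_vault_credential_create starts and ends outside the hunk.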
@@ -351,6 +351,17 @@ PKULL_M_CRED_VAULT_CREDENTIAL kull_m_cred_vault_credential_create(PVOID data/*,
 }
 }
 }
+
+ if(attribute && credential->unk0 < 4)
+ {
+ if(credential->attributes[i] = (PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE) LocalAlloc(LPTR, sizeof(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE)))
+ {
+ RtlCopyMemory(&credential->attributes[i]->attributeElement.complexAttribute.size, (PBYTE) attribute + FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE, attributeElement) + FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_SIMPLE, attributeData) + attribute->attributeElement.simpleAttribute.size + sizeof(USHORT), FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_COMPLEX, attributeData) - FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_COMPLEX, size));
+ credential->attributes[i]->attributeElement.complexAttribute.attributeData = (PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_DATA) ((PBYTE) attribute + FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE, attributeElement) + FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_SIMPLE, attributeData) + attribute->attributeElement.simpleAttribute.size + sizeof(USHORT) + (FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_COMPLEX, attributeData) - FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_COMPLEX, size)));
+ kull_m_string_ptr_replace(&credential->attributes[i]->attributeElement.complexAttribute.attributeData, credential->attributes[i]->attributeElement.complexAttribute.size);
+ credential->__cbElements++;
+ }
+ }
 }
 }
 return credential;
@@ -372,7 +383,7 @@ void kull_m_cred_vault_credential_delete(PKULL_M_CRED_VAULT_CREDENTIAL credentia
 {
 if(credential->attributes[i])
 {
- if(credential->attributes[i]->id < 100)
+ if(credential->attributes[i]->id && (credential->attributes[i]->id < 100))
 {
 if(credential->attributes[i]->attributeElement.simpleAttribute.attributeData)
 LocalFree(credential->attributes[i]->attributeElement.simpleAttribute.attributeData);
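Review bot: The trailing-attribute block reads `attribute->attributeElement.simpleAttribute.size` and then copies from `(PBYTE) attribute + ... + size + sizeof(USHORT)` without any check that those bytes lie inside the blob passed as `data`; the length parameter is commented out in the signature (`PVOID data/*, DWORD size*/`), so a truncated or malformed vault file makes the `RtlCopyMemory`, and the `kull_m_string_ptr_replace` that presumably copies `size` bytes from the same region, read past the input. Since this code parses on-disk data, reinstating the size argument and bounding each computed offset against it is the fix to ask for; at minimum the block should be skipped when the start of the complex header plus its length cannot be validated. The same long offset expression is written out twice (the RtlCopyMemory source and the attributeData assignment); computing it once, `PBYTE complexStart = (PBYTE) attribute + FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE, attributeElement) + FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_SIMPLE, attributeData) + attribute->attributeElement.simpleAttribute.size + sizeof(USHORT);`, and using it in both places keeps the two uses provably consistent and makes the layout readable. The block also depends on `attribute` and `i` keeping their values from the preceding loop, which is outside the hunk, and on `attributes[i]` existing only because the allocation at @@ -329 tests the same `unk0 < 4`; a comment such as `// attribute/i are left over from the loop above; the extra slot was reserved at allocation when unk0 < 4` would make that coupling visible. kull_m_cred_vault_credential_create continues outside the hunk on both sides.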
@@ -419,7 +430,7 @@ void kull_m_cred_vault_credential_attribute_descr(DWORD level, PKULL_M_CRED_VAUL
 {
 kprintf(L"%*s" L" id : %08x - %u\n", level << 1, L"", attribute->id, attribute->id);
 kprintf(L"%*s" L" unk0/1/2: %08x/%08x/%08x\n", level << 1, L"", attribute->unk0, attribute->unk1, attribute->unk2);
- if(attribute->id < 100)
+ if(attribute->id && (attribute->id < 100))
 {
 if((attribute->attributeElement.simpleAttribute.size >= 1) && attribute->attributeElement.simpleAttribute.attributeData)
 {
diff --git a/modules/kull_m_cred.h b/modules/kull_m_cred.h
index cbf5724..d8925f5 100644
--- a/modules/kull_m_cred.h
+++ b/modules/kull_m_cred.h
@@ -128,7 +128,6 @@ typedef struct _KULL_M_CRED_VAULT_CREDENTIAL {
 DWORD __cbElements;
 PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE *attributes;
-
 } KULL_M_CRED_VAULT_CREDENTIAL, *PKULL_M_CRED_VAULT_CREDENTIAL;
 typedef struct _KULL_M_CRED_VAULT_CLEAR_ENTRY {