[internal] using NDR type serialization for Kerberos PAC instead of the dirty home-made one
This commit is contained in:
parent
741d3f33fb
commit
dc78942618
@ -14,6 +14,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "inc", "inc", "{282B4B77-BFF
inc\DbgHelp.h = inc\DbgHelp.h
|
||||
inc\DsGetDC.h = inc\DsGetDC.h
|
||||
inc\globals.h = inc\globals.h
|
||||
inc\Midles.h = inc\Midles.h
|
||||
inc\NTSecPKG.h = inc\NTSecPKG.h
|
||||
inc\PshPack8.h = inc\PshPack8.h
|
||||
inc\schannel.h = inc\schannel.h
|
||||
@ -111,6 +111,7 @@
<ClCompile Include="..\modules\kull_m_rpc_drsr.c" />
|
||||
<ClCompile Include="..\modules\kull_m_rpc_ms-bkrp_c.c" />
|
||||
<ClCompile Include="..\modules\kull_m_rpc_ms-drsr_c.c" />
|
||||
<ClCompile Include="..\modules\kull_m_rpc_ms-pac.c" />
|
||||
<ClCompile Include="..\modules\kull_m_service.c" />
|
||||
<ClCompile Include="..\modules\kull_m_string.c" />
|
||||
<ClCompile Include="..\modules\kull_m_token.c" />
|
||||
@ -193,6 +194,7 @@
<ClInclude Include="..\modules\kull_m_rpc_ms-drsr.h" />
|
||||
<ClInclude Include="..\modules\kull_m_rpc_ms-dtyp.h" />
|
||||
<ClInclude Include="..\modules\kull_m_rpc_ms-bkrp.h" />
|
||||
<ClInclude Include="..\modules\kull_m_rpc_ms-pac.h" />
|
||||
<ClInclude Include="..\modules\kull_m_samlib.h" />
|
||||
<ClInclude Include="..\modules\kull_m_service.h" />
|
||||
<ClInclude Include="..\modules\kull_m_string.h" />
|
||||
@ -212,6 +212,9 @@
<ClCompile Include="modules\kuhl_m_iis.c">
|
||||
<Filter>local modules</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="..\modules\kull_m_rpc_ms-pac.c">
|
||||
<Filter>common modules</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="mimikatz.h" />
|
||||
@ -449,6 +452,9 @@
<ClInclude Include="modules\kuhl_m_iis.h">
|
||||
<Filter>local modules</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="..\modules\kull_m_rpc_ms-pac.h">
|
||||
<Filter>common modules</Filter>
|
||||
</ClInclude>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<Filter Include="local modules">
|
||||
@ -8,7 +8,7 @@
BOOL kuhl_m_pac_validationInfo_to_PAC(PKERB_VALIDATION_INFO validationInfo, DWORD SignatureType, PPACTYPE * pacType, DWORD * pacLength)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
PRPCE_KERB_VALIDATION_INFO pLogonInfo = NULL;
|
||||
PVOID pLogonInfo = NULL;
|
||||
DWORD szLogonInfo = 0, szLogonInfoAligned = 0;
|
||||
PPAC_CLIENT_INFO pClientInfo = NULL;
|
||||
DWORD szClientInfo = 0, szClientInfoAligned = 0;
|
||||
@ -65,7 +65,7 @@ BOOL kuhl_m_pac_validationInfo_to_PAC(PKERB_VALIDATION_INFO validationInfo, DWOR
(*pacType)->Buffers[3].ulType = PACINFO_TYPE_CHECKSUM_KDC;
|
||||
(*pacType)->Buffers[3].Offset = (*pacType)->Buffers[2].Offset + szSignatureAligned;
|
||||
RtlCopyMemory((PBYTE) *pacType + (*pacType)->Buffers[3].Offset, &signature, FIELD_OFFSET(PAC_SIGNATURE_DATA, Signature));
|
||||
|
||||
|
||||
status = TRUE;
|
||||
}
|
||||
}
|
||||
@ -123,198 +123,35 @@ NTSTATUS kuhl_m_pac_signature(PPACTYPE pacType, DWORD pacLenght, DWORD Signature
return status;
|
||||
}
|
||||
|
||||
BOOL kuhl_m_pac_marshall_unicodestring(PUNICODE_STRING pString, PMARSHALL_UNICODE_STRING pMarshall, RPCEID id, PVOID * current, DWORD * size)
|
||||
BOOL kuhl_m_pac_validationInfo_to_LOGON_INFO(PKERB_VALIDATION_INFO validationInfo, PVOID *rpceValidationInfo, DWORD *rpceValidationInfoLength)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
PVOID newbuffer;
|
||||
DWORD modulo, actualsize = sizeof(MARSHALLED_UNICODE_STRING) + pString->Length;
|
||||
RPC_STATUS rpcStatus;
|
||||
KULL_M_RPC_FCNSTRUCT UserState;
|
||||
handle_t pHandle;
|
||||
|
||||
if(modulo = actualsize % 4)
|
||||
actualsize += 4 - modulo;
|
||||
|
||||
if(newbuffer = LocalAlloc(LPTR, *size + actualsize))
|
||||
rpcStatus = MesEncodeIncrementalHandleCreate(&UserState, ReadFcn, WriteFcn, &pHandle);
|
||||
if(NT_SUCCESS(rpcStatus))
|
||||
{
|
||||
pMarshall->Length = pString->Length;
|
||||
pMarshall->MaximumLength = pString->MaximumLength;
|
||||
pMarshall->ElementId = id;
|
||||
|
||||
RtlCopyMemory(newbuffer, *current, *size);
|
||||
((PMARSHALLED_UNICODE_STRING) ((PBYTE) newbuffer + *size))->ReservedElements = pString->MaximumLength / sizeof(wchar_t);
|
||||
((PMARSHALLED_UNICODE_STRING) ((PBYTE) newbuffer + *size))->Elements = pString->Length / sizeof(wchar_t);
|
||||
RtlCopyMemory((PBYTE) newbuffer + *size + sizeof(MARSHALLED_UNICODE_STRING), pString->Buffer, pString->Length);
|
||||
|
||||
LocalFree(*current);
|
||||
*current = newbuffer;
|
||||
*size += actualsize;
|
||||
|
||||
status = TRUE;
|
||||
}
|
||||
return status;
|
||||
}
|
||||
|
||||
BOOL kuhl_m_pac_marshall_groups(PGROUP_MEMBERSHIP pGroups, DWORD nbGroups, PVOID * current, DWORD * size)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
PVOID newbuffer;
|
||||
DWORD i, actualsize = sizeof(ULONG32) + nbGroups * sizeof(GROUP_MEMBERSHIP);
|
||||
|
||||
if(newbuffer = LocalAlloc(LPTR, *size + actualsize))
|
||||
{
|
||||
RtlCopyMemory(newbuffer, *current, *size);
|
||||
(*(PULONG32) ((PBYTE) newbuffer + *size)) = nbGroups;
|
||||
for(i = 0 ; i < nbGroups; i++)
|
||||
((PGROUP_MEMBERSHIP) ((PBYTE) newbuffer + *size + sizeof(ULONG32)))[i] = pGroups[i];
|
||||
|
||||
LocalFree(*current);
|
||||
*current = newbuffer;
|
||||
*size += actualsize;
|
||||
|
||||
status = TRUE;
|
||||
}
|
||||
return status;
|
||||
}
|
||||
|
||||
BOOL kuhl_m_pac_marshall_sid(PISID pSid, PVOID * current, DWORD * size)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
PVOID newbuffer;
|
||||
DWORD sidSize, actualsize;
|
||||
sidSize = GetLengthSid(pSid);
|
||||
actualsize = sizeof(ULONG32) + sidSize;
|
||||
if(newbuffer = LocalAlloc(LPTR, *size + actualsize))
|
||||
{
|
||||
RtlCopyMemory(newbuffer, *current, *size);
|
||||
(*(PULONG32) ((PBYTE) newbuffer + *size)) = pSid->SubAuthorityCount;
|
||||
RtlCopyMemory((PBYTE) newbuffer + *size + sizeof(ULONG32), pSid, sidSize);
|
||||
|
||||
LocalFree(*current);
|
||||
*current = newbuffer;
|
||||
*size += actualsize;
|
||||
|
||||
status = TRUE;
|
||||
}
|
||||
return status;
|
||||
}
|
||||
|
||||
BOOL kuhl_m_pac_marshall_extrasids(PKERB_VALIDATION_INFO validationInfo, RPCEID base, PVOID * current, DWORD * size)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
PVOID newbuffer;
|
||||
PBYTE ptr;
|
||||
DWORD i, actualsize = sizeof(DWORD) + validationInfo->SidCount * (sizeof(RPCEID) + sizeof(DWORD));
|
||||
|
||||
if(newbuffer = LocalAlloc(LPTR, *size + actualsize))
|
||||
{
|
||||
RtlCopyMemory(newbuffer, *current, *size);
|
||||
ptr = (PBYTE) newbuffer + *size;
|
||||
*(PDWORD) ptr = validationInfo->SidCount;
|
||||
|
||||
for(
|
||||
i = 0, base += 4, ptr += sizeof(DWORD);
|
||||
i < validationInfo->SidCount;
|
||||
i++, base += 4, ptr += sizeof(RPCEID) + sizeof(DWORD)
|
||||
)
|
||||
*rpceValidationInfoLength = (DWORD) PKERB_VALIDATION_INFO_AlignSize(pHandle, &validationInfo);
|
||||
if(*rpceValidationInfo = LocalAlloc(LPTR, *rpceValidationInfoLength))
|
||||
{
|
||||
*(RPCEID *) ptr = base;
|
||||
*(PDWORD) (ptr + sizeof(RPCEID)) = validationInfo->ExtraSids[i].Attributes;
|
||||
rpcStatus = MesIncrementalHandleReset(pHandle, NULL, NULL, NULL, NULL, MES_ENCODE);
|
||||
if(NT_SUCCESS(rpcStatus))
|
||||
{
|
||||
UserState.addr = *rpceValidationInfo;
|
||||
UserState.size = *rpceValidationInfoLength;
|
||||
PKERB_VALIDATION_INFO_Encode(pHandle, &validationInfo);
|
||||
status = TRUE;
|
||||
}
|
||||
else PRINT_ERROR(L"MesIncrementalHandleReset: %08x\n", rpcStatus);
|
||||
|
||||
if(!status)
|
||||
*rpceValidationInfo = LocalFree(*rpceValidationInfo);
|
||||
}
|
||||
LocalFree(*current);
|
||||
*current = newbuffer;
|
||||
*size += actualsize;
|
||||
|
||||
status = TRUE;
|
||||
for(i = 0; (i < validationInfo->SidCount) && status; i++)
|
||||
status = kuhl_m_pac_marshall_sid(validationInfo->ExtraSids[i].Sid, current, size);
|
||||
MesHandleFree(pHandle);
|
||||
}
|
||||
return status;
|
||||
}
|
||||
|
||||
BOOL kuhl_m_pac_validationInfo_to_LOGON_INFO(PKERB_VALIDATION_INFO validationInfo, PRPCE_KERB_VALIDATION_INFO * rpceValidationInfo, DWORD *rpceValidationInfoLength)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
RPCE_KERB_VALIDATION_INFO rpce;
|
||||
PVOID buffer = NULL;
|
||||
DWORD szBuffer = 0;
|
||||
|
||||
rpce.typeHeader.Version = 0x01;
|
||||
rpce.typeHeader.Endianness = 0x10;
|
||||
rpce.typeHeader.CommonHeaderLength = 8;
|
||||
rpce.typeHeader.Filler = 0xcccccccc;
|
||||
rpce.privateHeader.Filler = 0x00000000;
|
||||
|
||||
rpce.RootElementId = PACINFO_ID_KERB_VALINFO;
|
||||
|
||||
rpce.infos.LogonTime = validationInfo->LogonTime;
|
||||
rpce.infos.LogoffTime = validationInfo->LogoffTime;
|
||||
rpce.infos.KickOffTime = validationInfo->KickOffTime;
|
||||
rpce.infos.PasswordLastSet = validationInfo->PasswordLastSet;
|
||||
rpce.infos.PasswordCanChange = validationInfo->PasswordCanChange;
|
||||
rpce.infos.PasswordMustChange = validationInfo->PasswordMustChange;
|
||||
|
||||
kuhl_m_pac_marshall_unicodestring(&validationInfo->EffectiveName, &rpce.infos.EffectiveName, PACINFO_ID_KERB_EFFECTIVENAME, &buffer, &szBuffer);
|
||||
kuhl_m_pac_marshall_unicodestring(&validationInfo->FullName, &rpce.infos.FullName, PACINFO_ID_KERB_FULLNAME, &buffer, &szBuffer);
|
||||
kuhl_m_pac_marshall_unicodestring(&validationInfo->LogonScript, &rpce.infos.LogonScript, PACINFO_ID_KERB_LOGONSCRIPT, &buffer, &szBuffer);
|
||||
kuhl_m_pac_marshall_unicodestring(&validationInfo->ProfilePath, &rpce.infos.ProfilePath, PACINFO_ID_KERB_PROFILEPATH, &buffer, &szBuffer);
|
||||
kuhl_m_pac_marshall_unicodestring(&validationInfo->HomeDirectory, &rpce.infos.HomeDirectory, PACINFO_ID_KERB_HOMEDIRECTORY, &buffer, &szBuffer);
|
||||
kuhl_m_pac_marshall_unicodestring(&validationInfo->HomeDirectoryDrive, &rpce.infos.HomeDirectoryDrive, PACINFO_ID_KERB_HOMEDIRECTORYDRIVE, &buffer, &szBuffer);
|
||||
|
||||
rpce.infos.LogonCount = validationInfo->LogonCount;
|
||||
rpce.infos.BadPasswordCount = validationInfo->BadPasswordCount;
|
||||
|
||||
rpce.infos.UserId = validationInfo->UserId;
|
||||
rpce.infos.PrimaryGroupId = validationInfo->PrimaryGroupId;
|
||||
|
||||
rpce.infos.GroupCount = validationInfo->GroupCount;
|
||||
rpce.infos.GroupIds = PACINFO_ID_KERB_GROUPIDS;
|
||||
kuhl_m_pac_marshall_groups(validationInfo->GroupIds, validationInfo->GroupCount, &buffer, &szBuffer);
|
||||
|
||||
rpce.infos.UserFlags = validationInfo->UserFlags;
|
||||
RtlCopyMemory(rpce.infos.UserSessionKey.data, validationInfo->UserSessionKey.data, 16);
|
||||
|
||||
kuhl_m_pac_marshall_unicodestring(&validationInfo->LogonServer, &rpce.infos.LogonServer, PACINFO_ID_KERB_LOGONSERVER, &buffer, &szBuffer);
|
||||
kuhl_m_pac_marshall_unicodestring(&validationInfo->LogonDomainName, &rpce.infos.LogonDomainName, PACINFO_ID_KERB_LOGONDOMAINNAME, &buffer, &szBuffer);
|
||||
|
||||
rpce.infos.LogonDomainId = PACINFO_ID_KERB_LOGONDOMAINID;
|
||||
kuhl_m_pac_marshall_sid(validationInfo->LogonDomainId, &buffer, &szBuffer);
|
||||
|
||||
rpce.infos.Reserved1[0] = validationInfo->Reserved1[0];
|
||||
rpce.infos.Reserved1[1] = validationInfo->Reserved1[1];
|
||||
|
||||
rpce.infos.UserAccountControl = validationInfo->UserAccountControl;
|
||||
rpce.infos.SubAuthStatus = validationInfo->SubAuthStatus;
|
||||
|
||||
rpce.infos.LastSuccessfulILogon = validationInfo->LastSuccessfulILogon;
|
||||
rpce.infos.LastFailedILogon = validationInfo->LastFailedILogon;
|
||||
rpce.infos.FailedILogonCount = validationInfo->FailedILogonCount;
|
||||
|
||||
rpce.infos.Reserved3 = validationInfo->Reserved3;
|
||||
|
||||
if(validationInfo->SidCount && validationInfo->ExtraSids)
|
||||
{
|
||||
rpce.infos.SidCount = validationInfo->SidCount;
|
||||
rpce.infos.ExtraSids = PACINFO_ID_KERB_EXTRASIDS;
|
||||
kuhl_m_pac_marshall_extrasids(validationInfo, PACINFO_ID_KERB_EXTRASIDS, &buffer, &szBuffer);
|
||||
}
|
||||
else
|
||||
{
|
||||
rpce.infos.SidCount = 0;
|
||||
rpce.infos.ExtraSids = 0;
|
||||
}
|
||||
rpce.infos.ResourceGroupDomainSid = 0; //lazy
|
||||
rpce.infos.ResourceGroupCount = 0; //validationInfo->ResourceGroupCount;
|
||||
rpce.infos.ResourceGroupIds = 0; // lazy
|
||||
|
||||
rpce.privateHeader.ObjectBufferLength = sizeof(MARSHALL_KERB_VALIDATION_INFO) + sizeof(ULONG) + szBuffer;
|
||||
*rpceValidationInfoLength = sizeof(RPCE_KERB_VALIDATION_INFO) + szBuffer;
|
||||
if(*rpceValidationInfo = (PRPCE_KERB_VALIDATION_INFO) LocalAlloc(LPTR, *rpceValidationInfoLength))
|
||||
{
|
||||
RtlCopyMemory(*rpceValidationInfo, &rpce, sizeof(RPCE_KERB_VALIDATION_INFO));
|
||||
RtlCopyMemory((PBYTE) *rpceValidationInfo + sizeof(RPCE_KERB_VALIDATION_INFO), buffer, szBuffer);
|
||||
status = TRUE;
|
||||
}
|
||||
if(buffer)
|
||||
LocalFree(buffer);
|
||||
|
||||
else PRINT_ERROR(L"MesEncodeIncrementalHandleCreate: %08x\n", rpcStatus);
|
||||
return status;
|
||||
}
|
||||
|
||||
|
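Review bot: `NT_SUCCESS(rpcStatus)` after `MesEncodeIncrementalHandleCreate` and again after `MesIncrementalHandleReset` in the rewritten kuhl_m_pac_validationInfo_to_LOGON_INFO tests an RPC_STATUS as if it were an NTSTATUS; RPC_STATUS failures are positive Win32 codes (RPC_S_OK is 0), so NT_SUCCESS reports every failure as success and the code goes on to call `PKERB_VALIDATION_INFO_AlignSize` with a `pHandle` that may never have been set, or to encode through a handle whose reset failed. Both checks should read `if(rpcStatus == RPC_S_OK)`. If the MIDL-generated `PKERB_VALIDATION_INFO_Encode` follows the usual stub convention of raising an RPC exception on failure rather than returning a status, the unconditional `status = TRUE` that follows it also needs an RpcTryExcept/RpcExcept around the encode, otherwise a failed encode hands back a partially written buffer as valid. The first hunk of this file only changes `pLogonInfo` to `PVOID`; the rest of kuhl_m_pac_validationInfo_to_PAC is outside the hunk.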
@ -8,7 +8,7 @@
#include "../modules/kull_m_file.h"
|
||||
#include "../modules/kull_m_crypto_system.h"
|
||||
#include "../modules/kull_m_rpce.h"
|
||||
#include "../modules/kull_m_samlib.h"
|
||||
#include "../modules/kull_m_rpc_ms-pac.h"
|
||||
|
||||
#define KERB_NON_KERB_SALT 16
|
||||
#define KERB_NON_KERB_CKSUM_SALT 17
|
||||
@ -18,69 +18,6 @@
#define PACINFO_TYPE_CHECKSUM_KDC 0x00000007
|
||||
#define PACINFO_TYPE_CNAME_TINFO 0x0000000a
|
||||
|
||||
#define PACINFO_ID_KERB_VALINFO 0x00020000
|
||||
#define PACINFO_ID_KERB_EFFECTIVENAME 0x00020004
|
||||
#define PACINFO_ID_KERB_FULLNAME 0x00020008
|
||||
#define PACINFO_ID_KERB_LOGONSCRIPT 0x0002000c
|
||||
#define PACINFO_ID_KERB_PROFILEPATH 0x00020010
|
||||
#define PACINFO_ID_KERB_HOMEDIRECTORY 0x00020014
|
||||
#define PACINFO_ID_KERB_HOMEDIRECTORYDRIVE 0x00020018
|
||||
#define PACINFO_ID_KERB_GROUPIDS 0x0002001c
|
||||
#define PACINFO_ID_KERB_LOGONSERVER 0x00020020
|
||||
#define PACINFO_ID_KERB_LOGONDOMAINNAME 0x00020024
|
||||
#define PACINFO_ID_KERB_LOGONDOMAINID 0x00020028
|
||||
#define PACINFO_ID_KERB_EXTRASIDS 0x0002002c
|
||||
#define PACINFO_ID_KERB_EXTRASID 0x00020030
|
||||
#define PACINFO_ID_KERB_RESGROUPDOMAINSID 0x00020034
|
||||
#define PACINFO_ID_KERB_RESGROUPIDS 0x00020038
|
||||
|
||||
typedef struct _USER_SESSION_KEY {
|
||||
UCHAR data[16];
|
||||
} USER_SESSION_KEY;
|
||||
|
||||
typedef struct _KERB_SID_AND_ATTRIBUTES {
|
||||
PISID Sid;
|
||||
DWORD Attributes;
|
||||
} KERB_SID_AND_ATTRIBUTES, *PKERB_SID_AND_ATTRIBUTES;
|
||||
|
||||
typedef struct _KERB_VALIDATION_INFO {
|
||||
FILETIME LogonTime;
|
||||
FILETIME LogoffTime;
|
||||
FILETIME KickOffTime;
|
||||
FILETIME PasswordLastSet;
|
||||
FILETIME PasswordCanChange;
|
||||
FILETIME PasswordMustChange;
|
||||
LSA_UNICODE_STRING EffectiveName;
|
||||
LSA_UNICODE_STRING FullName;
|
||||
LSA_UNICODE_STRING LogonScript;
|
||||
LSA_UNICODE_STRING ProfilePath;
|
||||
LSA_UNICODE_STRING HomeDirectory;
|
||||
LSA_UNICODE_STRING HomeDirectoryDrive;
|
||||
USHORT LogonCount;
|
||||
USHORT BadPasswordCount;
|
||||
DWORD UserId;
|
||||
DWORD PrimaryGroupId;
|
||||
DWORD GroupCount;
|
||||
PGROUP_MEMBERSHIP GroupIds;
|
||||
ULONG UserFlags;
|
||||
USER_SESSION_KEY UserSessionKey;
|
||||
LSA_UNICODE_STRING LogonServer;
|
||||
LSA_UNICODE_STRING LogonDomainName;
|
||||
PISID LogonDomainId;
|
||||
ULONG Reserved1[2];
|
||||
ULONG UserAccountControl;
|
||||
ULONG SubAuthStatus;
|
||||
FILETIME LastSuccessfulILogon;
|
||||
FILETIME LastFailedILogon;
|
||||
ULONG FailedILogonCount;
|
||||
ULONG Reserved3;
|
||||
ULONG SidCount;
|
||||
PKERB_SID_AND_ATTRIBUTES ExtraSids;
|
||||
PISID ResourceGroupDomainSid;
|
||||
ULONG ResourceGroupCount;
|
||||
PGROUP_MEMBERSHIP ResourceGroupIds;
|
||||
} KERB_VALIDATION_INFO, *PKERB_VALIDATION_INFO;
|
||||
|
||||
typedef struct _PAC_INFO_BUFFER {
|
||||
ULONG ulType;
|
||||
ULONG cbBufferSize;
|
||||
@ -100,67 +37,6 @@ typedef struct _PAC_SIGNATURE_DATA {
//USHORT RODCIdentifier;
|
||||
//USHORT Reserverd;
|
||||
} PAC_SIGNATURE_DATA, *PPAC_SIGNATURE_DATA;
|
||||
|
||||
typedef struct _MARSHALLED_UNICODE_STRING {
|
||||
ULONG64 ReservedElements;
|
||||
ULONG32 Elements;
|
||||
} MARSHALLED_UNICODE_STRING, *PMARSHALLED_UNICODE_STRING;
|
||||
|
||||
typedef struct _MARSHALL_UNICODE_STRING {
|
||||
USHORT Length;
|
||||
USHORT MaximumLength;
|
||||
RPCEID ElementId;
|
||||
} MARSHALL_UNICODE_STRING, *PMARSHALL_UNICODE_STRING;
|
||||
|
||||
typedef struct _MARSHALL_KERB_VALIDATION_INFO {
|
||||
FILETIME LogonTime;
|
||||
FILETIME LogoffTime;
|
||||
FILETIME KickOffTime;
|
||||
FILETIME PasswordLastSet;
|
||||
FILETIME PasswordCanChange;
|
||||
FILETIME PasswordMustChange;
|
||||
MARSHALL_UNICODE_STRING EffectiveName;
|
||||
MARSHALL_UNICODE_STRING FullName;
|
||||
MARSHALL_UNICODE_STRING LogonScript;
|
||||
MARSHALL_UNICODE_STRING ProfilePath;
|
||||
MARSHALL_UNICODE_STRING HomeDirectory;
|
||||
MARSHALL_UNICODE_STRING HomeDirectoryDrive;
|
||||
USHORT LogonCount;
|
||||
USHORT BadPasswordCount;
|
||||
ULONG UserId;
|
||||
ULONG PrimaryGroupId;
|
||||
ULONG GroupCount;
|
||||
RPCEID GroupIds;
|
||||
ULONG UserFlags;
|
||||
USER_SESSION_KEY UserSessionKey;
|
||||
MARSHALL_UNICODE_STRING LogonServer;
|
||||
MARSHALL_UNICODE_STRING LogonDomainName;
|
||||
RPCEID LogonDomainId;
|
||||
ULONG Reserved1[2];
|
||||
ULONG UserAccountControl;
|
||||
ULONG SubAuthStatus;
|
||||
FILETIME LastSuccessfulILogon;
|
||||
FILETIME LastFailedILogon;
|
||||
ULONG FailedILogonCount;
|
||||
ULONG Reserved3;
|
||||
ULONG SidCount;
|
||||
RPCEID ExtraSids;
|
||||
RPCEID ResourceGroupDomainSid;
|
||||
ULONG ResourceGroupCount;
|
||||
RPCEID ResourceGroupIds;
|
||||
} MARSHALL_KERB_VALIDATION_INFO, *PMARSHALL_KERB_VALIDATION_INFO;
|
||||
|
||||
typedef struct _RPCE_KERB_VALIDATION_INFO {
|
||||
RPCE_COMMON_TYPE_HEADER typeHeader;
|
||||
RPCE_PRIVATE_HEADER privateHeader;
|
||||
RPCEID RootElementId;
|
||||
MARSHALL_KERB_VALIDATION_INFO infos;
|
||||
} RPCE_KERB_VALIDATION_INFO, *PRPCE_KERB_VALIDATION_INFO;
|
||||
|
||||
typedef struct _RPCE_KERB_EXTRA_SID {
|
||||
RPCEID ExtraSid;
|
||||
DWORD Attributes;
|
||||
} RPCE_KERB_EXTRA_SID, *PRPCE_KERB_EXTRA_SID;
|
||||
#pragma pack(pop)
|
||||
|
||||
typedef struct _PAC_CLIENT_INFO {
|
||||
@ -169,9 +45,9 @@ typedef struct _PAC_CLIENT_INFO {
WCHAR Name[ANYSIZE_ARRAY];
|
||||
} PAC_CLIENT_INFO, *PPAC_CLIENT_INFO;
|
||||
|
||||
BOOL kuhl_m_pac_validationInfo_to_PAC(PKERB_VALIDATION_INFO validationInfo, DWORD SignatureType, PPACTYPE * pacType, DWORD * pacLength);
|
||||
BOOL kuhl_m_pac_validationInfo_to_LOGON_INFO(PKERB_VALIDATION_INFO validationInfo, PRPCE_KERB_VALIDATION_INFO * rpceValidationInfo, DWORD * rpceValidationInfoLength);
|
||||
BOOL kuhl_m_pac_validationInfo_to_CNAME_TINFO(PKERB_VALIDATION_INFO validationInfo, PPAC_CLIENT_INFO * pacClientInfo, DWORD * pacClientInfoLength);
|
||||
BOOL kuhl_m_pac_validationInfo_to_PAC(PKERB_VALIDATION_INFO validationInfo, DWORD SignatureType, PPACTYPE *pacType, DWORD *pacLength);
|
||||
BOOL kuhl_m_pac_validationInfo_to_LOGON_INFO(PKERB_VALIDATION_INFO validationInfo, PVOID *rpceValidationInfo, DWORD *rpceValidationInfoLength);
|
||||
BOOL kuhl_m_pac_validationInfo_to_CNAME_TINFO(PKERB_VALIDATION_INFO validationInfo, PPAC_CLIENT_INFO *pacClientInfo, DWORD *pacClientInfoLength);
|
||||
NTSTATUS kuhl_m_pac_signature(PPACTYPE pacType, DWORD pacLenght, DWORD SignatureType, LPCVOID key, DWORD keySize);
|
||||
|
||||
#ifdef KERBEROS_TOOLS
|
||||
|
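Review bot: The new `kuhl_m_pac_validationInfo_to_LOGON_INFO` prototype changes the out parameter from `PRPCE_KERB_VALIDATION_INFO *` to `PVOID *`, and with the `RPCE_KERB_VALIDATION_INFO` layout removed from this header nothing tells a caller what the buffer or the length now are. A comment on the declaration should state the contract, e.g. `// *rpceValidationInfo receives a LocalAlloc'd buffer holding the NDR (MES) encoding of *validationInfo, *rpceValidationInfoLength its byte length; caller releases it with LocalFree`. The LocalAlloc/LocalFree ownership is what the implementation in kuhl_m_kerberos_pac.c does, so the comment only needs to make it visible at the declaration.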
@ -1332,9 +1332,14 @@ NTSTATUS kuhl_m_lsadump_trust(int argc, wchar_t * argv[])
KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION iModule;
|
||||
KULL_M_MEMORY_ADDRESS aPatternMemory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aPatchMemory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
KULL_M_MEMORY_SEARCH sMemory;
|
||||
LPCWSTR szSystem = NULL;
|
||||
UNICODE_STRING uSystem;
|
||||
|
||||
static BOOL isPatching = FALSE;
|
||||
|
||||
if(kull_m_string_args_byName(argc, argv, L"system", &szSystem, NULL))
|
||||
RtlInitUnicodeString(&uSystem, szSystem);
|
||||
|
||||
if(!isPatching && kull_m_string_args_byName(argc, argv, L"patch", NULL, NULL))
|
||||
{
|
||||
if(currentReference = kull_m_patch_getGenericFromBuild(QueryInfoTrustedDomainReferences, ARRAYSIZE(QueryInfoTrustedDomainReferences), MIMIKATZ_NT_BUILD_NUMBER))
|
||||
@ -1359,7 +1364,7 @@ NTSTATUS kuhl_m_lsadump_trust(int argc, wchar_t * argv[])
}
|
||||
else
|
||||
{
|
||||
if(NT_SUCCESS(LsaOpenPolicy(NULL, &oaLsa, POLICY_VIEW_LOCAL_INFORMATION, &hLSA)))
|
||||
if(NT_SUCCESS(LsaOpenPolicy(szSystem ? &uSystem : NULL, &oaLsa, POLICY_VIEW_LOCAL_INFORMATION, &hLSA)))
|
||||
{
|
||||
status = LsaQueryInformationPolicy(hLSA, PolicyDnsDomainInformation, (PVOID *) &pDomainInfo);
|
||||
if(NT_SUCCESS(status))
|
||||
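Review bot: The new `system` argument to kuhl_m_lsadump_trust is not mentioned in the commit title or description, which only speak of the NDR PAC change, so it should at least get a line in the description and ideally a comment at the `kull_m_string_args_byName(argc, argv, L"system", ...)` line saying it names the remote policy target passed to `LsaOpenPolicy`. `UNICODE_STRING uSystem` stays uninitialized when the argument is absent and is only safe because the second hunk guards with `szSystem ? &uSystem : NULL`; the two hunks depend on each other for correctness, which is worth a comment at the declaration. kuhl_m_lsadump_trust begins and ends outside these hunks.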
@ -414,14 +414,6 @@ typedef enum _NETLOGON_SECURE_CHANNEL_TYPE{
CdcServerSecureChannel = 7
|
||||
} NETLOGON_SECURE_CHANNEL_TYPE;
|
||||
|
||||
typedef struct _CYPHER_BLOCK {
|
||||
CHAR data[8];
|
||||
} CYPHER_BLOCK, *PCYPHER_BLOCK;
|
||||
|
||||
typedef struct _NT_OWF_PASSWORD {
|
||||
CYPHER_BLOCK data[2];
|
||||
} NT_OWF_PASSWORD, *PNT_OWF_PASSWORD, ENCRYPTED_NT_OWF_PASSWORD, *PENCRYPTED_NT_OWF_PASSWORD;
|
||||
|
||||
#define SECRET_SET_VALUE 0x00000001L
|
||||
#define SECRET_QUERY_VALUE 0x00000002L
|
||||
|
||||
@ -72,4 +72,21 @@ void __RPC_FAR * __RPC_USER midl_user_allocate(size_t cBytes)
void __RPC_USER midl_user_free(void __RPC_FAR * p)
|
||||
{
|
||||
free(p);
|
||||
}
|
||||
|
||||
void __RPC_USER ReadFcn(void *State, char **pBuffer, unsigned int *pSize)
|
||||
{
|
||||
*pBuffer = (char *) ((PKULL_M_RPC_FCNSTRUCT) State)->addr;
|
||||
((PKULL_M_RPC_FCNSTRUCT) State)->addr = *pBuffer + *pSize;
|
||||
((PKULL_M_RPC_FCNSTRUCT) State)->size -= *pSize;
|
||||
}
|
||||
|
||||
void __RPC_USER WriteFcn(void *State, char *Buffer, unsigned int Size)
|
||||
{
|
||||
;
|
||||
}
|
||||
|
||||
void __RPC_USER AllocFcn (void *State, char **pBuffer, unsigned int *pSize)
|
||||
{
|
||||
; // ???
|
||||
}
|
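Review bot: `ReadFcn` never checks that the requested `*pSize` fits in the remaining `size` before doing `addr = *pBuffer + *pSize` and `size -= *pSize`, so a request larger than the remainder wraps the size_t, moves `addr` past the caller's buffer and lets the encoder write out of bounds instead of failing; a guard such as `if(*pSize > ((PKULL_M_RPC_FCNSTRUCT) State)->size) RpcRaiseException(RPC_S_OUT_OF_MEMORY);` before the arithmetic turns that into a clean failure (confirm RpcRaiseException is the accepted way to fail from an MES callback). The name is also misleading: its signature is the MIDL_ES_ALLOC shape and kuhl_m_kerberos_pac.c passes it to `MesEncodeIncrementalHandleCreate` in the allocation slot, so a comment like `// MIDL_ES_ALLOC callback: serves the next *pSize bytes of the pre-sized buffer described by State` (or a rename) would help. `AllocFcn` is an empty body with `; // ???` yet is exported from the header; an alloc callback that never sets `*pBuffer` leaves the caller with an indeterminate pointer, so either implement it or drop the declaration until it is used.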
@ -16,14 +16,23 @@
#error this stub requires an updated version of <rpcndr.h>
|
||||
#endif // __RPCNDR_H_VERSION__
|
||||
|
||||
#include "midles.h"
|
||||
#include <string.h>
|
||||
#include "kull_m_rpc_ms-dtyp.h"
|
||||
|
||||
BOOL kull_m_rpc_createBinding(LPCWSTR ProtSeq, LPCWSTR NetworkAddr, LPCWSTR Endpoint, LPCWSTR Service, DWORD ImpersonationType, RPC_BINDING_HANDLE *hBinding, void (RPC_ENTRY * RpcSecurityCallback)(void *));
|
||||
BOOL kull_m_rpc_deleteBinding(RPC_BINDING_HANDLE *hBinding);
|
||||
|
||||
typedef struct _KULL_M_RPC_FCNSTRUCT {
|
||||
PVOID addr;
|
||||
size_t size;
|
||||
} KULL_M_RPC_FCNSTRUCT, *PKULL_M_RPC_FCNSTRUCT;
|
||||
|
||||
void __RPC_FAR * __RPC_USER midl_user_allocate(size_t cBytes);
|
||||
void __RPC_USER midl_user_free(void __RPC_FAR * p);
|
||||
void __RPC_USER ReadFcn(void *State, char **pBuffer, unsigned int *pSize);
|
||||
void __RPC_USER WriteFcn(void *State, char *Buffer, unsigned int Size);
|
||||
void __RPC_USER AllocFcn (void *State, char **pBuffer, unsigned int *pSize);
|
||||
|
||||
#define RPC_EXCEPTION (RpcExceptionCode() != STATUS_ACCESS_VIOLATION) && \
|
||||
(RpcExceptionCode() != STATUS_DATATYPE_MISALIGNMENT) && \
|
||||
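Review bot: `KULL_M_RPC_FCNSTRUCT` is added without any comment on what `addr` and `size` mean, and the three callback prototypes below it do not say which MES role each plays. A comment on the struct such as `// cursor for the MES incremental-handle callbacks: addr is the next unused byte of the caller-provided buffer, size the bytes remaining after it` and one line per prototype naming the MIDL_ES_ALLOC/MIDL_ES_WRITE role it is passed as would let a reader pair them with `MesEncodeIncrementalHandleCreate` without opening the .c file.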
@ -1871,11 +1871,11 @@ typedef struct _ms2Ddrsr_MIDL_PROC_FORMAT_STRING
|
||||
extern const ms2Ddrsr_MIDL_TYPE_FORMAT_STRING ms2Ddrsr__MIDL_TypeFormatString;
|
||||
extern const ms2Ddrsr_MIDL_PROC_FORMAT_STRING ms2Ddrsr__MIDL_ProcFormatString;
|
||||
static const RPC_CLIENT_INTERFACE drsuapi___RpcClientInterface = {sizeof(RPC_CLIENT_INTERFACE), {{0xe3514235, 0x4b06, 0x11d1, {0xab, 0x04, 0x00, 0xc0, 0x4f, 0xc2, 0xdc, 0xd2}}, {4,0}}, {{0x8A885D04, 0x1CEB, 0x11C9, {0x9F, 0xE8, 0x08, 0x00, 0x2B, 0x10, 0x48, 0x60}}, {2, 0}}, 0, 0, 0, 0, 0, 0x00000000};
|
||||
static const RPC_CLIENT_INTERFACE drsuapi___RpcClientInterface = {sizeof(RPC_CLIENT_INTERFACE), {{0xe3514235, 0x4b06, 0x11d1, {0xab, 0x04, 0x00, 0xc0, 0x4f, 0xc2, 0xdc, 0xd2}}, {4, 0}}, {{0x8A885D04, 0x1CEB, 0x11C9, {0x9F, 0xE8, 0x08, 0x00, 0x2B, 0x10, 0x48, 0x60}}, {2, 0}}, 0, 0, 0, 0, 0, 0x00000000};
|
||||
static RPC_BINDING_HANDLE drsuapi__MIDL_AutoBindHandle;
|
||||
static const MIDL_STUB_DESC drsuapi_StubDesc = {(void *) &drsuapi___RpcClientInterface, MIDL_user_allocate, MIDL_user_free, &drsuapi__MIDL_AutoBindHandle, 0, 0, 0, 0, ms2Ddrsr__MIDL_TypeFormatString.Format, 1, 0x60000, 0, 0x8000253, 0, 0, 0, 0x1, 0, 0, 0};
|
||||
|
||||
#pragma optimize("", off )
|
||||
#pragma optimize("", off)
|
||||
ULONG IDL_DRSBind(handle_t rpc_handle, UUID *puuidClientDsa, DRS_EXTENSIONS *pextClient, DRS_EXTENSIONS **ppextServer, DRS_HANDLE *phDrs)
|
||||
{
|
||||
return NdrClientCall2((PMIDL_STUB_DESC) &drsuapi_StubDesc, (PFORMAT_STRING) &ms2Ddrsr__MIDL_ProcFormatString.Format[0], (unsigned char *) &rpc_handle).Simple;
|
||||
@ -1900,7 +1900,7 @@ ULONG IDL_DRSDomainControllerInfo(DRS_HANDLE hDrs, DWORD dwInVersion, DRS_MSG_DC
{
|
||||
return NdrClientCall2((PMIDL_STUB_DESC) &drsuapi_StubDesc, (PFORMAT_STRING) &ms2Ddrsr__MIDL_ProcFormatString.Format[232], (unsigned char *) &hDrs).Simple;
|
||||
}
|
||||
#pragma optimize("", on )
|
||||
#pragma optimize("", on)
|
||||
|
||||
#if !defined(__RPC_WIN32__)
|
||||
#error Invalid build platform for this stub.
|
||||
@ -5,6 +5,7 @@
*/
|
||||
#pragma once
|
||||
#include "globals.h"
|
||||
#include "kull_m_rpc.h"
|
||||
|
||||
typedef struct _RPCE_COMMON_TYPE_HEADER {
|
||||
UCHAR Version;
|
||||