Land #3600 - GPP Junk Padding Fix
sinn3r
commit
7044dabea1
|
|
@ -129,14 +129,40 @@ class GPP
|
||||||
# Decrypts passwords using Microsoft's published key:
|
# Decrypts passwords using Microsoft's published key:
|
||||||
# http://msdn.microsoft.com/en-us/library/cc422924.aspx
|
# http://msdn.microsoft.com/en-us/library/cc422924.aspx
|
||||||
def self.decrypt(encrypted_data)
|
def self.decrypt(encrypted_data)
|
||||||
unless encrypted_data
|
password = ""
|
||||||
return ""
|
return password unless encrypted_data
|
||||||
end
|
|
||||||
|
|
||||||
password = ""
|
password = ""
|
||||||
padding = "=" * (4 - (encrypted_data.length % 4))
|
retries = 0
|
||||||
epassword = "#{encrypted_data}#{padding}"
|
original_data = encrypted_data.dup
|
||||||
decoded = Rex::Text.decode_base64(epassword)
|
|
||||||
|
begin
|
||||||
|
mod = encrypted_data.length % 4
|
||||||
|
|
||||||
|
# PowerSploit code strips the last character, unsure why...
|
||||||
|
case mod
|
||||||
|
when 1
|
||||||
|
encrypted_data = encrypted_data[0..-2]
|
||||||
|
when 2, 3
|
||||||
|
padding = '=' * (4 - mod)
|
||||||
|
encrypted_data = "#{encrypted_data}#{padding}"
|
||||||
|
end
|
||||||
|
|
||||||
|
# Strict base64 decoding used here
|
||||||
|
decoded = encrypted_data.unpack('m0').first
|
||||||
|
rescue ::ArgumentError => e
|
||||||
|
# Appears to be some junk UTF-8 Padding appended at times in
|
||||||
|
# Win2k8 (not in Win2k8R2)
|
||||||
|
# Lets try stripping junk and see if we can decrypt
|
||||||
|
if retries < 8
|
||||||
|
retries += 1
|
||||||
|
original_data = original_data[0..-2]
|
||||||
|
encrypted_data = original_data
|
||||||
|
retry
|
||||||
|
else
|
||||||
|
return password
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
key = "\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b"
|
key = "\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b"
|
||||||
aes = OpenSSL::Cipher::Cipher.new("AES-256-CBC")
|
aes = OpenSSL::Cipher::Cipher.new("AES-256-CBC")
|
||||||
|
|
|
||||||
|
|
@ -1,3 +1,4 @@
|
||||||
|
# encoding: binary
|
||||||
require 'rex/parser/group_policy_preferences'
|
require 'rex/parser/group_policy_preferences'
|
||||||
|
|
||||||
xml_group = '
|
xml_group = '
|
||||||
|
|
@ -76,6 +77,13 @@ xml_ms = '
|
||||||
</Groups>
|
</Groups>
|
||||||
'
|
'
|
||||||
|
|
||||||
|
# Win2k8 appears to append some junk padding in some cases
|
||||||
|
cpassword_win2k8 = []
|
||||||
|
# Win2k8R2 - EqWFlA4kn2T6PHvGi09M7seHuqCYK/slkJWIl7mK+wEMON8tIIslS6707RU1F7Bh
|
||||||
|
cpassword_win2k8 << ['EqWFlA4kn2T6PHvGi09M7seHuqCYK/slkJWIl7mK+wEMON8tIIslS6707RU1F7BhTµkp', 'N3v3rGunnaG!veYo']
|
||||||
|
cpassword_win2k8 << ['EqWFlA4kn2T6PHvGi09M7seHuqCYK/slkJWIl7mK+wGSwOI7Be//GJdxd5YYXUQHTµkp', 'N3v3rGunnaG!veYou']
|
||||||
|
# Win2k8R2 - EqWFlA4kn2T6PHvGi09M7seHuqCYK/slkJWIl7mK+wFSuDccBEp/4l5EuKnwF0WS
|
||||||
|
cpassword_win2k8 << ['EqWFlA4kn2T6PHvGi09M7seHuqCYK/slkJWIl7mK+wFSuDccBEp/4l5EuKnwF0WS»YÂVAA', 'N3v3rGunnaG!veYouUp']
|
||||||
cpassword_normal = "j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"
|
cpassword_normal = "j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"
|
||||||
cpassword_bad = "blah"
|
cpassword_bad = "blah"
|
||||||
|
|
||||||
|
|
@ -100,6 +108,13 @@ describe Rex::Parser::GPP do
|
||||||
result.should eq("")
|
result.should eq("")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it 'Decrypts a cpassword containing junk padding' do
|
||||||
|
cpassword_win2k8.each do |encrypted, expected|
|
||||||
|
result = GPP.decrypt(encrypted)
|
||||||
|
result.should eq(expected)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
##
|
##
|
||||||
# Parse
|
# Parse
|
||||||
##
|
##
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue