diff --git a/examples/badsuccessor.py b/examples/badsuccessor.py
index 7feff0190b..d0ec0b8269 100644
--- a/examples/badsuccessor.py
+++ b/examples/badsuccessor.py
@@ -32,7 +32,7 @@ from impacket.examples import logger
 from impacket.examples.utils import parse_identity, parse_target, init_ldap_session
 from impacket.ldap import ldaptypes
-
+import uuid #needed for proper GUID conversion
 class BADSUCCESSOR:
 def __init__(self, username, password, domain, lmhash, nthash, cmdLineOptions):
@@ -281,8 +281,12 @@ def search_ous(self, ldapConnection):
 dacl = sd['Dacl']
 if dacl and hasattr(dacl, 'aces') and dacl.aces:
 for ace in dacl.aces:
- # Only process ALLOW ACEs
- if ace['AceType'] != ldaptypes.ACCESS_ALLOWED_ACE.ACE_TYPE:
+ #Fix 1, Ensure we parse and process standard ACE and Object Specific ACE
+ allowed_types = [
+ ldaptypes.ACCESS_ALLOWED_ACE.ACE_TYPE,
+ ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ACE_TYPE
+ ]
+ if ace['AceType'] not in allowed_types:
 continue
 # Check if ACE has relevant rights
@@ -290,11 +294,13 @@ def search_ous(self, ldapConnection):
 has_relevant_right = any(mask & right_value for right_value in relevant_rights.values())
 if not has_relevant_right:
 continue
+ #Fix two: The guid conversion was wrong and one actually reads the bytes correctly and converts them to real GUIDs for processing later
+ ace_data = ace['Ace']
+ object_type = ace_data['ObjectType'] if ace['AceType'] == ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ACE_TYPE else None
- # Check object type (must match relevant object types)
- object_type = getattr(ace['Ace'], 'ObjectType', None)
 if object_type:
- object_guid = str(object_type).lower()
+ object_guid = str(uuid.UUID(bytes_le=object_type)).lower()
+ logging.debug(object_guid)
 if object_guid not in relevant_object_types:
 continue
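Review bot: In the second hunk of `search_ous`, `allowed_types` is rebuilt as a list on every pass through `for ace in dacl.aces:`, and its comment (`#Fix 1, ...`) describes the commit rather than the code. Build it once before the loop as a tuple, `allowed_ace_types = (ldaptypes.ACCESS_ALLOWED_ACE.ACE_TYPE, ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ACE_TYPE)`, and test `if ace['AceType'] not in allowed_ace_types:`. A comment such as `# Allow ACEs come in two forms: plain and object-specific (scoped by an ObjectType GUID)` would still make sense once the commit history is out of view. The loop body starts and ends outside this hunk, so the right place for the hoisted tuple has to be chosen against the full function.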
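Review bot: In the third hunk, `uuid.UUID(bytes_le=object_type)` raises `ValueError` for any value that is not exactly 16 bytes, and nothing visible in the hunk catches it, so a single unexpected ACE could abort the whole OU scan. Checking the length first and logging the skipped ACE would keep the enumeration going, for example `if object_type and len(object_type) != 16:` followed by a warning and `continue`. The bare `logging.debug(object_guid)` gives no context in the log; `logging.debug('Object ACE ObjectType GUID: %s', object_guid)` is easier to search for. The membership test only matches if `relevant_object_types`, defined outside this hunk, holds lowercase hyphenated GUID strings, which is worth confirming. The `#Fix two: ...` comment would read better as a statement of fact, e.g. `# ObjectType is a 16-byte little-endian GUID; convert it to canonical string form`.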