Add Exploit Support for ESC9, ESC10 & ESC16 #20189


Open: jheysel-r7 wants to merge 24 commits into master from feat/mod/esc9-esc10-exploit

Conversation

jheysel-r7 (Contributor) commented May 15, 2025

This adds support to exploit ESC9, ESC10 and ESC16

ESC9, ESC10 and ESC16 scenario 1 can all be exploited using the new module esc_update_ldap_object. This new module focuses on exploiting ESC techniques that involve connecting to the domain controller via LDAP to update the specific attributes of a user prior to requesting a certificate on their behalf. We chose to keep this LDAP updating functionality separate from the existing icpr_cert module and so it got its own module.

Also new in this PR is a module ldap_update_attribute (which, surprise, gets called by esc_update_ldap_object). This new module provides 4 actions to create, read, update and delete LDAP object attributes.

ESC16 scenario 2 is pretty much when the CA has globally disabled security protections to allow ESC6 to be exploited again. This does not require LDAP objects to be updated and so can be exploited using the icpr_cert module.

This also updates the Attacking-AD-CS-ESC-Vulnerabilities.md which should be referenced for all verification steps.

@jheysel-r7 jheysel-r7 force-pushed the feat/mod/esc9-esc10-exploit branch from 139306f to 0e8329c May 15, 2025 07:17
@jheysel-r7 jheysel-r7 force-pushed the feat/mod/esc9-esc10-exploit branch from ee4a98e to 50fe418 May 15, 2025 07:20
@jheysel-r7 jheysel-r7 linked an issue May 21, 2025 that may be closed by this pull request
@jheysel-r7 jheysel-r7 marked this pull request as ready for review May 27, 2025 17:16
@smcintyre-r7 smcintyre-r7 self-assigned this May 27, 2025
@smcintyre-r7 smcintyre-r7 added labels module, docs, rn-modules (release notes for new or majorly enhanced modules) May 27, 2025
@smcintyre-r7 smcintyre-r7 moved this from Todo to In Progress in Metasploit Kanban May 27, 2025

If the AD CS server is configured to allow "weak certificate mappings" when a user is requesting a certificate, the
server will check the `userPrincipalName` or the `dNSHostName` of the requesting identity and then issue a certificate
based on that value. Therefore if we can update user2's UPN to Administrator and then request a certificate on
Contributor

I'd quote the username here for consistency with others.

Suggested change
based on that value. Therefore if we can update user2's UPN to Administrator and then request a certificate on
based on that value. Therefore if we can update user2's UPN to "Administrator" and then request a certificate on
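The sequence the PR description and the quoted doc passage describe (rewrite a user's UPN over LDAP, request a certificate as that user, then typically restore the UPN) leaves a recognisable pattern in directory and CA audit data. As an added example that is not part of this PR or of Metasploit, the Python below correlates constructed, simplified records of UPN writes and certificate requests and reports requesters whose UPN was set to a value that is not their own shortly before they requested a certificate. The record layout, account names and time window are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed, simplified audit records (an assumption for illustration, not
# real Windows event text): UPN writes on user objects and CA certificate requests.
EVENTS = [
    {"t": "2025-05-15T07:00:00", "kind": "upn_change", "user": "user2",
     "old": "user2@example.test", "new": "Administrator"},
    {"t": "2025-05-15T07:01:30", "kind": "cert_request", "requester": "user2"},
    {"t": "2025-05-15T07:02:10", "kind": "upn_change", "user": "user2",
     "old": "Administrator", "new": "user2@example.test"},
    # Benign: the account keeps its own name and only moves to a new suffix.
    {"t": "2025-05-15T09:00:00", "kind": "upn_change", "user": "user3",
     "old": "user3@example.test", "new": "user3@corp.example.test"},
    {"t": "2025-05-15T09:00:40", "kind": "cert_request", "requester": "user3"},
]

def upn_belongs_to(upn: str, sam_account_name: str) -> bool:
    """A UPN is the account's own when its local part equals the account name.
    A bare value such as 'Administrator' (no '@') is compared as a whole."""
    return upn.split("@", 1)[0].lower() == sam_account_name.lower()

def find_upn_hijack_chains(events, window=timedelta(minutes=10)):
    """One finding per certificate request preceded, within `window`, by a UPN
    write on the requester that set a value not belonging to that account.
    A later revert is recorded but not required: the certificate is already issued."""
    ordered = sorted(events, key=lambda e: e["t"])
    findings = []
    for req in (e for e in ordered if e["kind"] == "cert_request"):
        t_req = datetime.fromisoformat(req["t"])
        for chg in ordered:
            if chg["kind"] != "upn_change" or chg["user"] != req["requester"]:
                continue
            t_chg = datetime.fromisoformat(chg["t"])
            if not (t_chg <= t_req and t_req - t_chg <= window):
                continue
            if upn_belongs_to(chg["new"], chg["user"]):
                continue
            reverted = any(
                e["kind"] == "upn_change" and e["user"] == chg["user"]
                and e["t"] > req["t"] and e["new"] == chg["old"]
                for e in ordered)
            findings.append({"requester": req["requester"],
                             "spoofed_upn": chg["new"],
                             "request_time": req["t"], "reverted": reverted})
    return findings
```

Run over the constructed records, the function reports only user2, whose UPN was set to "Administrator" 90 seconds before the request and restored afterwards.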

@github-project-automation github-project-automation bot moved this from In Progress to Waiting on Contributor in Metasploit Kanban May 27, 2025
Contributor

The top of this doc has a list of all the ESC flaws that Metasploit supports and a flow chart. ESC9 and ESC10 should be added to that chart and the full list of ESC vulnerabilities with links to their exploit sections.

Contributor Author

@jheysel-r7 jheysel-r7 left a comment

Thank you for the detailed review. I believe I've addressed all the comments.

I haven't updated the module output in the scenarios listed in Attacking-AD-CS-ESC-Vulnerabilities.md just yet, in case the output changes.

@smcintyre-r7 smcintyre-r7 moved this from Waiting on Contributor to In Progress in Metasploit Kanban May 30, 2025
@github-project-automation github-project-automation bot moved this from In Progress to Waiting on Contributor in Metasploit Kanban May 30, 2025
@jheysel-r7 jheysel-r7 changed the title Add Support for ESC9 & ESC10 Add Exploit Support for ESC9, ESC10 & ESC16 Jun 5, 2025
@jheysel-r7 jheysel-r7 force-pushed the feat/mod/esc9-esc10-exploit branch from 3a5d01f to b7b7d7d June 9, 2025 16:10
Labels: docs, module, rn-modules (release notes for new or majorly enhanced modules)
Project status: Waiting on Contributor
Linked issue that may be closed by this pull request: Add Support for ESC9 & ESC10
2 participants