Merge pull request #19624 from cdelafuente-r7/fix/mod/ms_icpr

Fix a crash when generating CSRs with OpenSSL 3.4.0

documentation/modules/auxiliary/server/relay/esc8.md

@@ -10,7 +10,7 @@ on a given template.
     * See https://docs.metasploit.com/docs/pentesting/active-directory/ad-certificates/overview.html#setting-up-a-esc8-vulnerable-host
 2. Start `msfconsole`
 2. Do: `use auxiliary/server/relay/esc8`
-3. Set the `RANDOMIZE_TARGETS` option to the AD CS Web Enrollment server
+3. Set the `RELAY_TARGETS` option to the AD CS Web Enrollment server
 4. Run the module and wait for a request to be relayed
 
 ## Options

lib/msf/core/exploit/remote/ms_icpr.rb

@@ -5,7 +5,8 @@
 #
 # -*- coding: binary -*-
 
-require 'windows_error/h_result'
+require 'windows_error'
+require 'rex/proto/x509/request'
 
 module Msf
 
@@ -255,48 +256,40 @@ def do_request_cert(icpr, opts)
   # @param [Array<String>] application_policies OIDs to add as application policies.
   # @return [OpenSSL::X509::Request] The request object.
   def build_csr(cn:, private_key:, dns: nil, msext_sid: nil, msext_upn: nil, algorithm: 'SHA256', application_policies: [])
-    request = OpenSSL::X509::Request.new
-    request.version = 1
-    request.subject = OpenSSL::X509::Name.new([
-      ['CN', cn, OpenSSL::ASN1::UTF8STRING]
-    ])
-    request.public_key = private_key.public_key
-
-    extensions = []
-
-    subject_alt_names = []
-    subject_alt_names << "DNS:#{dns}" if dns
-    subject_alt_names << "otherName:#{OID_NT_PRINCIPAL_NAME};UTF8:#{msext_upn}" if msext_upn
-    unless subject_alt_names.empty?
-      extensions << OpenSSL::X509::ExtensionFactory.new.create_extension('subjectAltName', subject_alt_names.join(','), false)
-    end
-
-    if msext_sid
-      ntds_ca_security_ext = Rex::Proto::CryptoAsn1::NtdsCaSecurityExt.new(OtherName: {
-        type_id: OID_NTDS_OBJECTSID,
-        value: msext_sid
-      })
-      extensions << OpenSSL::X509::Extension.new(OID_NTDS_CA_SECURITY_EXT, ntds_ca_security_ext.to_der, false)
-    end
+    Rex::Proto::X509::Request.create_csr(private_key, cn, algorithm) do |request|
+      extensions = []
+
+      subject_alt_names = []
+      subject_alt_names << "DNS:#{dns}" if dns
+      subject_alt_names << "otherName:#{OID_NT_PRINCIPAL_NAME};UTF8:#{msext_upn}" if msext_upn
+      unless subject_alt_names.empty?
+        extensions << OpenSSL::X509::ExtensionFactory.new.create_extension('subjectAltName', subject_alt_names.join(','), false)
+      end
 
-    unless application_policies.blank?
-      application_cert_policies = Rex::Proto::CryptoAsn1::X509::CertificatePolicies.new(
-        certificatePolicies: application_policies.map { |policy_oid| Rex::Proto::CryptoAsn1::X509::PolicyInformation.new(policyIdentifier: policy_oid) }
-      )
-      extensions << OpenSSL::X509::Extension.new(OID_APPLICATION_CERT_POLICIES, application_cert_policies.to_der, false)
-    end
+      if msext_sid
+        ntds_ca_security_ext = Rex::Proto::CryptoAsn1::NtdsCaSecurityExt.new(OtherName: {
+          type_id: OID_NTDS_OBJECTSID,
+          value: msext_sid
+        })
+        extensions << OpenSSL::X509::Extension.new(OID_NTDS_CA_SECURITY_EXT, ntds_ca_security_ext.to_der, false)
+      end
 
-    unless extensions.empty?
-      request.add_attribute(OpenSSL::X509::Attribute.new(
-        'extReq',
-        OpenSSL::ASN1::Set.new(
-          [OpenSSL::ASN1::Sequence.new(extensions)]
+      unless application_policies.blank?
+        application_cert_policies = Rex::Proto::CryptoAsn1::X509::CertificatePolicies.new(
+          certificatePolicies: application_policies.map { |policy_oid| Rex::Proto::CryptoAsn1::X509::PolicyInformation.new(policyIdentifier: policy_oid) }
         )
-      ))
-    end
+        extensions << OpenSSL::X509::Extension.new(OID_APPLICATION_CERT_POLICIES, application_cert_policies.to_der, false)
+      end
 
-    request.sign(private_key, OpenSSL::Digest.new(algorithm))
-    request
+      unless extensions.empty?
+        request.add_attribute(OpenSSL::X509::Attribute.new(
+          'extReq',
+          OpenSSL::ASN1::Set.new(
+            [OpenSSL::ASN1::Sequence.new(extensions)]
+          )
+        ))
+      end
+    end
   end
 
   # Make a certificate request on behalf of another user.

lib/msf/core/exploit/remote/smb/relay_server.rb

@@ -21,11 +21,11 @@ def initialize(info = {})
       end
 
       def smb_logger
-        if datastore['VERBOSE']
-          log_device = Msf::Exploit::Remote::SMB::LogAdapter::LogDevice::Module.new(self)
-        else
-          Msf::Exploit::Remote::SMB::LogAdapter::LogDevice::Framework.new(framework)
-        end
+        log_device = if datastore['VERBOSE']
+                       Msf::Exploit::Remote::SMB::LogAdapter::LogDevice::Module.new(self)
+                     else
+                       Msf::Exploit::Remote::SMB::LogAdapter::LogDevice::Framework.new(framework)
+                     end
 
         Msf::Exploit::Remote::SMB::LogAdapter::Logger.new(self, log_device)
       end

lib/rex/proto/x509/request.rb

@@ -0,0 +1,18 @@
+module Rex::Proto::X509
+
+  class Request
+    def self.create_csr(private_key, cn, algorithm = 'SHA256')
+      request = OpenSSL::X509::Request.new
+      request.subject = OpenSSL::X509::Name.new([
+        ['CN', cn, OpenSSL::ASN1::UTF8STRING]
+      ])
+      request.public_key = private_key.public_key
+
+      yield request if block_given?
+
+      request.sign(private_key, OpenSSL::Digest.new(algorithm))
+      request
+    end
+  end
+
+end

modules/auxiliary/server/relay/esc8.rb

@@ -128,13 +128,7 @@ def on_relay_success(relay_connection:, relay_identity:)
 
   def create_csr(private_key, cert_template)
     vprint_status('Generating CSR...')
-    request = OpenSSL::X509::Request.new
-    request.version = 1
-    request.subject = OpenSSL::X509::Name.new([
-      ['CN', cert_template, OpenSSL::ASN1::UTF8STRING]
-    ])
-    request.public_key = private_key.public_key
-    request.sign(private_key, OpenSSL::Digest.new('SHA256'))
+    request = Rex::Proto::X509::Request.create_csr(private_key, cert_template)
     vprint_status('CSR Generated')
     request
   end

spec/lib/msf/core/exploit/remote/ms_icpr_spec.rb

@@ -90,19 +90,19 @@
   let(:x509_csr) do
     OpenSSL::X509::Request.new(<<~REQUEST)
       -----BEGIN CERTIFICATE REQUEST-----
-      MIICVzCCAT8CAQEwEjEQMA4GA1UEAwwHYWxpZGRsZTCCASIwDQYJKoZIhvcNAQEB
+      MIICVzCCAT8CAQAwEjEQMA4GA1UEAwwHYWxpZGRsZTCCASIwDQYJKoZIhvcNAQEB
       BQADggEPADCCAQoCggEBAOM9IWt1689iwxky54DCtKqnJhssaW9dED2PbHsP+BRV
       kjs7TWPoKkxZne9vGS0v/r1jdVEjZYa7+8tpogm2a12PIlIwItl5t+Doqm87U7tT
       mAApjDKTT69vwo3KlTNhP9v7IhyubKIWOfgjDBTYEOT51YusnWtuDSWXUY7rCinU
       DMx7SBvvIydHgvirQTZNp3yECQvquGbAlmBuqfUDh7LL7hcF4iDfpIOMhkF3fgIT
       uqC3+9/iZ+l4q3dUmYQi2GdfkAQzznR83qdvBWAli3POljosQahTc3GJ1GEHMbuL
       BCbk+gdzoEM3K2fAGxIVarYWWWaTuxLqNn4gHvB0HecCAwEAAaAAMA0GCSqGSIb3
-      DQEBCwUAA4IBAQBDi5bcG7sRB5rZFM7xdcM2xMVPMLW4nXaOovnDll3w439zOGdv
-      oesl2VxdJD0K1VcjDbS40/usV9+Pt3BJmJjePS/Mj8pBk+GpW2HiZ7VAhvxTb9rx
-      AiZjNMAzmgl3y4w4gaxV/CuNvKyfdBxGFvqEWqcDfESlttkwDm1ufVgx6T2SGrgc
-      91W+/dmaSC+DCm8VCREzzJkD3APE5GRQCLUHiZOTJHEG6s3Gb25SOSVXIpEhWSEA
-      k5gUxxekO0L6th8aGqwGMtHqKU6AG1PfjgqRb/7dfv+0SoV1CXb7xUuPpDVW5i1F
-      pVvzc/YjfJ1N/B30y1zAKopstzerGN0fyIdg
+      DQEBCwUAA4IBAQAyU7goEqpmHfulRkaMAtna+7mpVdUsuGXidsP2AFyDmiBOUtR/
+      gQoXeTwWQ62vKSmD0+gSnxDbokq4T8hif/cR8WZ1jZQXE0JR9FPI/qGs/6D5e56S
+      b7W3buC6UuON58pJmtrX7PtNUGg0FOn6jGB1jwEHtc+4sel24j7VMfzt3nuY/KTD
+      abGLQioi9iaVEbJ6pKmBaHGcEswFiqGBGWI1zrSVIYyNy67SK3/P3RWyHHNJeS2a
+      x7RMqHkWOXXjxqbM68i6tCL+2NstTzXI6mQkXWkOXU8d39wn/MqLyPdY0ZM7Lv/y
+      i506vK8iofDDYoHxz8YwaPU1DOCfu+T83nPg
       -----END CERTIFICATE REQUEST-----
     REQUEST
   end
@@ -113,7 +113,7 @@
       "\x62\x30\x82\x0b\x5e\x02\x01\x03\x31\x0d\x30\x0b\x06\x09\x60\x86\x48\x01" \
       "\x65\x03\x04\x02\x01\x30\x82\x02\x6c\x06\x07\x2b\x06\x01\x05\x02\x03\x01" \
       "\xa0\x82\x02\x5f\x04\x82\x02\x5b\x30\x82\x02\x57\x30\x82\x01\x3f\x02\x01" \
-      "\x01\x30\x12\x31\x10\x30\x0e\x06\x03\x55\x04\x03\x0c\x07\x61\x6c\x69\x64" \
+      "\x00\x30\x12\x31\x10\x30\x0e\x06\x03\x55\x04\x03\x0c\x07\x61\x6c\x69\x64" \
       "\x64\x6c\x65\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01" \
       "\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00" \
       "\xe3\x3d\x21\x6b\x75\xeb\xcf\x62\xc3\x19\x32\xe7\x80\xc2\xb4\xaa\xa7\x26" \
@@ -131,21 +131,21 @@
       "\x71\x89\xd4\x61\x07\x31\xbb\x8b\x04\x26\xe4\xfa\x07\x73\xa0\x43\x37\x2b" \
       "\x67\xc0\x1b\x12\x15\x6a\xb6\x16\x59\x66\x93\xbb\x12\xea\x36\x7e\x20\x1e" \
       "\xf0\x74\x1d\xe7\x02\x03\x01\x00\x01\xa0\x00\x30\x0d\x06\x09\x2a\x86\x48" \
-      "\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x43\x8b\x96\xdc\x1b" \
-      "\xbb\x11\x07\x9a\xd9\x14\xce\xf1\x75\xc3\x36\xc4\xc5\x4f\x30\xb5\xb8\x9d" \
-      "\x76\x8e\xa2\xf9\xc3\x96\x5d\xf0\xe3\x7f\x73\x38\x67\x6f\xa1\xeb\x25\xd9" \
-      "\x5c\x5d\x24\x3d\x0a\xd5\x57\x23\x0d\xb4\xb8\xd3\xfb\xac\x57\xdf\x8f\xb7" \
-      "\x70\x49\x98\x98\xde\x3d\x2f\xcc\x8f\xca\x41\x93\xe1\xa9\x5b\x61\xe2\x67" \
-      "\xb5\x40\x86\xfc\x53\x6f\xda\xf1\x02\x26\x63\x34\xc0\x33\x9a\x09\x77\xcb" \
-      "\x8c\x38\x81\xac\x55\xfc\x2b\x8d\xbc\xac\x9f\x74\x1c\x46\x16\xfa\x84\x5a" \
-      "\xa7\x03\x7c\x44\xa5\xb6\xd9\x30\x0e\x6d\x6e\x7d\x58\x31\xe9\x3d\x92\x1a" \
-      "\xb8\x1c\xf7\x55\xbe\xfd\xd9\x9a\x48\x2f\x83\x0a\x6f\x15\x09\x11\x33\xcc" \
-      "\x99\x03\xdc\x03\xc4\xe4\x64\x50\x08\xb5\x07\x89\x93\x93\x24\x71\x06\xea" \
-      "\xcd\xc6\x6f\x6e\x52\x39\x25\x57\x22\x91\x21\x59\x21\x00\x93\x98\x14\xc7" \
-      "\x17\xa4\x3b\x42\xfa\xb6\x1f\x1a\x1a\xac\x06\x32\xd1\xea\x29\x4e\x80\x1b" \
-      "\x53\xdf\x8e\x0a\x91\x6f\xfe\xdd\x7e\xff\xb4\x4a\x85\x75\x09\x76\xfb\xc5" \
-      "\x4b\x8f\xa4\x35\x56\xe6\x2d\x45\xa5\x5b\xf3\x73\xf6\x23\x7c\x9d\x4d\xfc" \
-      "\x1d\xf4\xcb\x5c\xc0\x2a\x8a\x6c\xb7\x37\xab\x18\xdd\x1f\xc8\x87\x60\xa0" \
+      "\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x32\x53\xb8\x28\x12" \
+      "\xaa\x66\x1d\xfb\xa5\x46\x46\x8c\x02\xd9\xda\xfb\xb9\xa9\x55\xd5\x2c\xb8" \
+      "\x65\xe2\x76\xc3\xf6\x00\x5c\x83\x9a\x20\x4e\x52\xd4\x7f\x81\x0a\x17\x79" \
+      "\x3c\x16\x43\xad\xaf\x29\x29\x83\xd3\xe8\x12\x9f\x10\xdb\xa2\x4a\xb8\x4f" \
+      "\xc8\x62\x7f\xf7\x11\xf1\x66\x75\x8d\x94\x17\x13\x42\x51\xf4\x53\xc8\xfe" \
+      "\xa1\xac\xff\xa0\xf9\x7b\x9e\x92\x6f\xb5\xb7\x6e\xe0\xba\x52\xe3\x8d\xe7" \
+      "\xca\x49\x9a\xda\xd7\xec\xfb\x4d\x50\x68\x34\x14\xe9\xfa\x8c\x60\x75\x8f" \
+      "\x01\x07\xb5\xcf\xb8\xb1\xe9\x76\xe2\x3e\xd5\x31\xfc\xed\xde\x7b\x98\xfc" \
+      "\xa4\xc3\x69\xb1\x8b\x42\x2a\x22\xf6\x26\x95\x11\xb2\x7a\xa4\xa9\x81\x68" \
+      "\x71\x9c\x12\xcc\x05\x8a\xa1\x81\x19\x62\x35\xce\xb4\x95\x21\x8c\x8d\xcb" \
+      "\xae\xd2\x2b\x7f\xcf\xdd\x15\xb2\x1c\x73\x49\x79\x2d\x9a\xc7\xb4\x4c\xa8" \
+      "\x79\x16\x39\x75\xe3\xc6\xa6\xcc\xeb\xc8\xba\xb4\x22\xfe\xd8\xdb\x2d\x4f" \
+      "\x35\xc8\xea\x64\x24\x5d\x69\x0e\x5d\x4f\x1d\xdf\xdc\x27\xfc\xca\x8b\xc8" \
+      "\xf7\x58\xd1\x93\x3b\x2e\xff\xf2\x8b\x9d\x3a\xbc\xaf\x22\xa1\xf0\xc3\x62" \
+      "\x81\xf1\xcf\xc6\x30\x68\xf5\x35\x0c\xe0\x9f\xbb\xe4\xfc\xde\x73\xe0\xa0" \
       "\x82\x06\xcc\x30\x82\x06\xc8\x30\x82\x05\xb0\xa0\x03\x02\x01\x02\x02\x13" \
       "\x10\x00\x00\x00\x43\x92\xab\x33\x25\xbd\xb1\xc3\x32\x00\x00\x00\x00\x00" \
       "\x43\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00\x30\x46" \
@@ -255,23 +255,23 @@
       "\x6d\x00\x65\x1e\x20\x00\x4d\x00\x53\x00\x46\x00\x4c\x00\x41\x00\x42\x00" \
       "\x5c\x00\x73\x00\x6d\x00\x63\x00\x69\x00\x6e\x00\x74\x00\x79\x00\x72\x00" \
       "\x65\x30\x2f\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x09\x04\x31\x22\x04\x20" \
-      "\xef\xf1\x08\x75\x09\x03\xad\x18\x44\x47\x2e\x2c\xbd\x14\x15\x3f\xd1\xe3" \
-      "\x3e\xee\x28\x0f\x42\x8d\xe4\x4b\xc6\x08\xc3\x95\x71\xa3\x30\x0b\x06\x09" \
-      "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x04\x82\x01\x00\x46\x06\xd6\x18\x92" \
-      "\x5b\xb3\x89\xa4\x19\x44\x55\x1f\xcf\x55\x2e\xb7\xfe\x28\xf4\x6f\xfd\x97" \
-      "\xd2\x01\xac\xcd\x15\x8d\x1a\x8f\xac\x26\x5c\xa3\xd3\x7d\xb0\xc3\x36\x47" \
-      "\xff\x4d\x5a\x98\x4f\x17\x43\x70\x60\xf1\x69\x44\xfa\x27\x61\x71\x2a\xe5" \
-      "\xa8\x8a\x98\x0d\x34\x4d\x22\x23\x10\xde\x43\x60\xf5\x3f\x7b\x3a\x72\xe4" \
-      "\xf7\x69\x29\xe0\xaa\x9e\xff\x28\x18\x8c\x61\xb2\xe1\x41\x7a\x69\x92\x47" \
-      "\xac\x2e\xe7\x92\x26\xd8\x54\x91\xae\x54\xaa\x8e\xc0\x06\x0d\x4b\x51\xfe" \
-      "\xbe\x92\x40\x07\x11\x6e\x2b\xe0\xb8\xc0\xab\xfe\x52\x90\x3a\x28\xec\xa9" \
-      "\xb1\x9a\xf2\xce\x43\x04\xf8\xea\x14\x2d\x54\xe4\x21\x23\x2e\x2a\xf0\x13" \
-      "\xcd\xd7\x3c\xf5\xba\x76\x3c\x1a\xf4\x7c\xc7\x22\x34\xff\x84\x79\xb0\x32" \
-      "\xe9\x04\xb7\x22\x92\x3f\x3a\x3d\x12\x47\xce\xe3\x9e\x4f\xd4\x5b\x83\xd9" \
-      "\xc1\x20\x20\x04\x22\xed\xb5\x59\x43\x1c\xa9\xab\x0f\xb1\xb0\x9f\x05\x1c" \
-      "\x88\x88\x98\xb9\x97\x53\x1e\xa4\xe3\xfd\x58\x92\x09\xe7\xcc\x83\xbf\x5f" \
-      "\xc2\xb3\x08\x33\x96\x41\x75\x46\x35\x55\x0a\x34\x2e\xd8\x0b\x76\x2f\xf2" \
-      "\xba\xf0\x21\x25\xc3\x73\x52\x5b\x8b\x51\xe8\x03\xb3\x78\x70\xc5\xf5"
+      "\x3f\x40\x73\xc1\x9c\x54\xeb\xbd\x4d\x4f\xab\x27\xfb\x8b\x65\x1a\x2c\x51" \
+      "\x24\xf9\x97\x05\x91\x04\xaa\xf7\xbc\x6d\xfd\x07\x4d\x70\x30\x0b\x06\x09" \
+      "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x04\x82\x01\x00\x78\x74\xf7\xee\xef" \
+      "\x89\x2f\x02\x77\xb9\xde\x87\x07\x3a\x58\x1d\x2d\xc0\xb0\x55\x33\x40\xf1" \
+      "\x6f\xb6\x28\xd6\x44\xf1\xfa\x4f\xf6\x99\xe1\xdc\xb2\x2e\x49\x5b\x36\xa7" \
+      "\xee\x6f\x82\x67\x27\x43\xd5\x99\x57\xc2\x83\x09\x29\xd2\xb3\x86\x9e\x6f" \
+      "\x75\x78\xdb\xe3\xeb\x33\x65\xce\x7c\xd4\x8f\x65\x73\xa7\x82\xe4\x5e\x50" \
+      "\xd3\xe8\x76\xd2\x43\x96\xeb\xe5\x3a\xd1\x03\x2e\xa0\x61\xd7\xf2\x6b\x9e" \
+      "\x0b\x24\x11\x2a\x25\x4d\x68\x5e\x86\x9c\x9b\xe4\xaa\x6c\x5c\x5c\xfe\x54" \
+      "\x26\x85\xd8\xcc\x0f\xdd\x69\x0f\xf6\xc3\x0b\x7c\xca\x23\xeb\x99\x8c\xc1" \
+      "\x69\x80\x69\xd2\x14\x1b\x1b\x99\xde\x25\x59\x12\x8d\xb4\xc0\x01\x56\x32" \
+      "\x91\x76\x8f\x8b\xd4\x29\x2f\x74\x3e\xca\xe0\xd1\xe8\x68\xde\x9d\x1e\x15" \
+      "\xd9\x07\x41\x82\x14\x2a\xe9\x5c\x03\x81\x80\x04\xf1\x5b\xa5\xea\x21\x72" \
+      "\x9d\x98\xa0\x23\x46\x25\xb7\x68\x7d\xc2\x58\x80\xfb\x1c\xbb\x76\xba\x76" \
+      "\x3a\xba\x1c\xd8\x0f\xbf\x21\x36\xce\x03\x94\x8c\x13\xbd\xc7\x87\x42\x06" \
+      "\x1c\x2b\xc8\x53\xd1\xa7\xba\xea\xfa\xbc\xba\x8e\xd8\x6f\x1c\x34\x28\x8b" \
+      "\x87\x0d\xbf\x30\x87\xc1\x6e\xcc\x15\xb5\xd7\x2d\xe4\xe6\xa6\xaa\xe6"
     )
   end