8000 Setting ClearNewPassword field as a general fixed array · fortra/impacket@b867b21 · GitHub

Commit b867b21

committed
Setting ClearNewPassword field as a general fixed array
- So you can encrypt the NL_TRUST_PASSWORD struct yourself and put the result in there. - Related to #951
1 parent 64ce465 commit b867b21


2 files changed

+21
-7
lines changed

2 files changed

+21
-7
lines changed

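--- a/impacket/dcerpc/v5/nrpc.py
+++ b/impacket/dcerpc/v5/nrpc.py
@@ -337,6 +337,13 @@ class PNETLOGON_WORKSTATION_INFO(NDRPOINTER):
 )
 
 # 2.2.1.3.7 NL_TRUST_PASSWORD
+class NL_TRUST_PASSWORD_FIXED_ARRAY(NDRUniFixedArray):
+def getDataLen(self, data, offset=0):
+return 512+4
+
+def getAlignment(self):
+return 1
+
 class WCHAR_ARRAY(NDRUniFixedArray):
 def getDataLen(self, data, offset=0):
 return 512
@@ -2098,7 +2105,8 @@ class NetrServerPasswordSet2(NDRCALL):
 ('SecureChannelType',NETLOGON_SECURE_CHANNEL_TYPE),
 ('ComputerName',WSTR),
 ('Authenticator',NETLOGON_AUTHENTICATOR),
-('ClearNewPassword',NL_TRUST_PASSWORD),
+#('ClearNewPassword',NL_TRUST_PASSWORD),
+('ClearNewPassword',NL_TRUST_PASSWORD_FIXED_ARRAY),
 )
 
 class NetrServerPasswordSet2Response(NDRCALL):
@@ -2786,14 +2794,14 @@ def hNetrServerTrustPasswordsGet(dce, trustedDcName, accountName, secureChannelT
 request['Authenticator'] = authenticator
 return dce.request(request)
 
-def hNetrServerPasswordSet2(dce, primaryName, accountName, secureChannelType, computerName, authenticator, clearNewPassword):
+def hNetrServerPasswordSet2(dce, primaryName, accountName, secureChannelType, computerName, authenticator, clearNewPasswordBlob):
 request = NetrServerPasswordSet2()
 request['PrimaryName'] = checkNullString(primaryName)
 request['AccountName'] = checkNullString(accountName)
 request['SecureChannelType'] = secureChannelType
 request['ComputerName'] = checkNullString(computerName)
 request['Authenticator'] = authenticator
-request['ClearNewPassword'] = clearNewPassword
+request['ClearNewPassword'] = clearNewPasswordBlob
 return dce.request(request)
 
 def hNetrLogonGetDomainInfo(dce, serverName, computerName, authenticator, returnAuthenticator=0, level=1):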
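Review bot: In hNetrServerPasswordSet2 the new `clearNewPasswordBlob` argument is assigned to the request unchecked, and nothing visible in this section verifies that it is the 516 bytes (`512+4`) that NL_TRUST_PASSWORD_FIXED_ARRAY.getDataLen declares, so a wrong-sized blob would presumably be serialized into a malformed request instead of failing early. A guard before the assignment such as `if len(clearNewPasswordBlob) != 516: raise ValueError('ClearNewPassword must be a 516-byte encrypted NL_TRUST_PASSWORD')`, together with a docstring stating that the caller is now responsible for encrypting the structure, would make the new contract explicit. The rename from `clearNewPassword` also breaks any caller that passes this argument by keyword. The commented-out `#('ClearNewPassword',NL_TRUST_PASSWORD),` in NetrServerPasswordSet2 is better deleted than kept, and a comment on `return 512+4` saying it is the 512-byte Buffer plus the 4-byte Length would explain the constant.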

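--- a/tests/SMB_RPC/test_nrpc.py
+++ b/tests/SMB_RPC/test_nrpc.py
@@ -520,11 +520,17 @@ def test_NetrServerPasswordSet2(self):
 request['SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel
 request['ComputerName'] = self.serverName + '\x00'
 request['Authenticator'] = self.update_authenticator()
-request['ClearNewPassword'] = nrpc.NL_TRUST_PASSWORD()
-request['ClearNewPassword']['Buffer'] = b'\x00' *512
-request['ClearNewPassword']['Length'] = 0x8
+cnp = nrpc.NL_TRUST_PASSWORD()
+cnp['Buffer'] = b'\x00'*512
+cnp['Length'] = 0x8
+
+request['ClearNewPassword'] = cnp.getData()
+#request['ClearNewPassword'] = nrpc.NL_TRUST_PASSWORD()
+#request['ClearNewPassword']['Buffer'] = b'\x00' *512
+#request['ClearNewPassword']['Length'] = 0x8
 
 try:
+request.dump()
 resp = dce.request(request)
 resp.dump()
 except Exception as e:
@@ -541,7 +547,7 @@ def test_hNetrServerPasswordSet2(self):
 try:
 resp = nrpc.hNetrServerPasswordSet2(dce, NULL, self.machineUser,
 nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel,
-self.serverName, self.update_authenticator(), cnp)
+self.serverName, self.update_authenticator(), cnp.getData())
 resp.dump()
 except Exception as e:
 if str(e).find('STATUS_ACCESS_DENIED') < 0: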
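Review bot: Both tests now pass `cnp.getData()`, the plain serialization of an all-zero NL_TRUST_PASSWORD, so the encrypt-then-send use described in the commit message is never exercised, and the one except branch visible here tolerates STATUS_ACCESS_DENIED. At minimum the size the new field type expects should be pinned, for example `self.assertEqual(len(cnp.getData()), 516)` (assuming a unittest-style test class), so that a layout change in NL_TRUST_PASSWORD is caught by the test rather than by the server. The three commented-out `#request['ClearNewPassword'] ...` lines and the added `request.dump()` in test_NetrServerPasswordSet2 look like debugging leftovers and could be dropped. Both test bodies start and end outside the hunks shown.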
