Dec0ne / KrbRelayUp

KrbRelayUp - a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced (the default setting).

COMException during relay #9

Open marlin771 opened 2 years ago

marlin771 commented 2 years ago

Hello!

Unable to complete relay (sensitive data removed)

Exception thrown at 0x00007FFBB21D8BED (clr.dll) in KrbRelayUp.exe: 0xC0000005: Access violation reading location 0x0000000000000010.

KrbRelayUp - Relaying you to SYSTEM

[+] Computer account "eval299$" added with password "P@ssf3st!123"
[+] Rewriting function table
[+] Rewriting PEB
[+] Init COM server
[+] Register COM server
[+] Forcing SYSTEM authentication
[+] Got Krb Auth from NT/SYSTEM. Relying to LDAP now...
System.Runtime.InteropServices.COMException (0x800706C0): A remote procedure call (RPC) protocol error occurred.
A remote procedure call (RPC) protocol error occurred.
   at KrbRelayUp.Relay.Ole32.CoGetInstanceFromIStorage(COSERVERINFO pServerInfo, Guid& pclsid, Object pUnkOuter, CLSCTX dwClsCtx, IStorage pstg, UInt32 cmq, MULTI_QI[] rgmqResults)
   at KrbRelayUp.Relay.Relay.Run(String aDomain, String aDomainController, String aComputerSid, String aPort) in C:\root\KrbRelayUp-main\KrbRelayUp-main\KrbRelayUp\Relay\Relay.cs:line 183

Further debugging via Visual Studio:

Exception thrown at 0x00007FFBB21D8BED (clr.dll) in KrbRelayUp.exe: 0xC0000005: Access violation reading location 0x0000000000000010.
vysecurity commented 2 years ago

Having same problem too.

tothi commented 2 years ago

I also have a config where this issue came up. The same happens if using the original KrbRelay (to LDAP) before getting a successful LDAP relay. Perhaps a mitigation setting other than LDAP signature enforcement / channel binding?

Dec0ne commented 2 years ago

Does it work after logout->login? Or if you use: Rubeus.exe asktgt /user:lowprivuser /password:something /ptt? Just checking something, let me know.

vysecurity commented 2 years ago

I actually run it using Execute Assembly.

On Tue, 10 May 2022 at 12:53, Mor Davidovich wrote:
> Does it work after logout->login? Or if you use: Rubeus.exe asktgt /user:lowprivuser /password:something /ptt? Just checking something, let me know.

dstyvsky commented 2 years ago

asktgt works normally for me, and I am having the same error stated above with KrbRelayUp.

dev-2null commented 2 years ago

I'm getting the same error in a corp env; the COM server does not return apRep1 back to the client. In Wireshark the Auth Info Kerberos SSP is missing in the "bind_ack" packet.
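The symptom described in the comment above (a bind_ack that carries no Kerberos auth trailer, so the client never receives an AP-REP and the relay stalls) can be checked directly on the DCERPC bytes rather than by eye in Wireshark. The following Python is an added example written for this page; it is not code from KrbRelayUp or from anyone in the thread. It parses the 16-byte DCERPC common header and the 8-byte sec_trailer as laid out in C706 / MS-RPCE and reports whether a bind_ack PDU carries an auth trailer and of which auth_type. Both sample PDUs are constructed in the block: the bind_ack body is abbreviated to the fixed leading fields, and the "AP-REP" token is a placeholder blob, not a real Kerberos message.

```python
import struct

# DCERPC packet types (C706 section 12.6.3 / MS-RPCE 2.2.6.1)
PTYPE_BIND = 11
PTYPE_BIND_ACK = 12
PTYPE_BIND_NAK = 13

# sec_trailer auth_type values (MS-RPCE 2.2.1.1.7)
AUTH_TYPES = {0: "NONE", 9: "GSS_NEGOTIATE", 10: "NTLM", 16: "GSS_KERBEROS"}
# sec_trailer auth_level values (MS-RPCE 2.2.1.1.8)
AUTH_LEVELS = {1: "DEFAULT", 2: "CONNECT", 3: "CALL", 4: "PKT",
               5: "PKT_INTEGRITY", 6: "PKT_PRIVACY"}


def parse_dcerpc_pdu(pdu: bytes) -> dict:
    """Parse the common header and, when auth_length != 0, the sec_trailer."""
    if len(pdu) < 16:
        raise ValueError("PDU shorter than the 16-byte common header")
    rpc_vers, rpc_vers_minor, ptype, pfc_flags = struct.unpack_from("<BBBB", pdu, 0)
    if rpc_vers != 5:
        raise ValueError(f"unsupported rpc_vers {rpc_vers}")
    # drep[0] high nibble: 1 = little-endian integers, 0 = big-endian
    endian = "<" if (pdu[4] & 0xF0) == 0x10 else ">"
    frag_length, auth_length, call_id = struct.unpack_from(endian + "HHI", pdu, 8)
    if frag_length != len(pdu):
        raise ValueError(f"frag_length {frag_length} != PDU size {len(pdu)}")
    info = {
        "ptype": ptype, "pfc_flags": pfc_flags, "call_id": call_id,
        "auth_length": auth_length, "has_auth_trailer": auth_length != 0,
        "auth_type": None, "auth_level": None, "auth_value": b"",
    }
    if auth_length:
        # The 8-byte sec_trailer immediately precedes the auth_value at the PDU end.
        trailer_off = frag_length - auth_length - 8
        if trailer_off < 16:
            raise ValueError("sec_trailer overlaps the common header")
        auth_type, auth_level, auth_pad_length, _reserved, auth_context_id = \
            struct.unpack_from(endian + "BBBBI", pdu, trailer_off)
        info.update(auth_type=auth_type, auth_level=auth_level,
                    auth_pad_length=auth_pad_length,
                    auth_context_id=auth_context_id,
                    auth_value=pdu[trailer_off + 8:])
    return info


def bind_ack_has_kerberos_auth(pdu: bytes) -> bool:
    """True when the PDU is a bind_ack carrying a non-empty Kerberos/SPNEGO token."""
    info = parse_dcerpc_pdu(pdu)
    return (info["ptype"] == PTYPE_BIND_ACK
            and info["has_auth_trailer"]
            and info["auth_type"] in (9, 16)
            and len(info["auth_value"]) > 0)


def diagnose_bind_ack(pdu: bytes) -> str:
    info = parse_dcerpc_pdu(pdu)
    if info["ptype"] != PTYPE_BIND_ACK:
        return f"not a bind_ack (ptype {info['ptype']})"
    if not info["has_auth_trailer"]:
        return "bind_ack has no auth trailer: no AP-REP came back, relay cannot continue"
    return (f"bind_ack carries {AUTH_TYPES.get(info['auth_type'], info['auth_type'])} "
            f"auth at level {AUTH_LEVELS.get(info['auth_level'], info['auth_level'])}, "
            f"{len(info['auth_value'])}-byte token")


def build_pdu(ptype, body, auth_type=None, auth_level=6, auth_value=b"", call_id=1):
    """Assemble a PDU; used here only to construct the sample inputs below."""
    pad = (-len(body)) % 4
    body += b"\x00" * pad
    trailer = b""
    if auth_type is not None:
        trailer = struct.pack("<BBBBI", auth_type, auth_level, pad, 0, 0) + auth_value
    frag_length = 16 + len(body) + len(trailer)
    header = (struct.pack("<BBBB", 5, 0, ptype, 0x03)        # pfc: first + last frag
              + b"\x10\x00\x00\x00"                            # drep: LE, ASCII, IEEE
              + struct.pack("<HHI", frag_length, len(auth_value), call_id))
    return header + body + trailer


# Constructed sample data (not a real capture): an abbreviated bind_ack body
# (max_xmit_frag, max_recv_frag, assoc_group_id, sec_addr) and a placeholder
# blob standing in for the Kerberos AP-REP token.
SAMPLE_BIND_ACK_BODY = struct.pack("<HHIH", 4280, 4280, 0x1234, 6) + b"12345\x00"
PLACEHOLDER_AP_REP = b"\x6f\x81\x10" + bytes(16)

BIND_ACK_WITH_KRB = build_pdu(PTYPE_BIND_ACK, SAMPLE_BIND_ACK_BODY,
                              auth_type=16, auth_value=PLACEHOLDER_AP_REP)
BIND_ACK_NO_AUTH = build_pdu(PTYPE_BIND_ACK, SAMPLE_BIND_ACK_BODY)

if __name__ == "__main__":
    for name, pdu in (("healthy", BIND_ACK_WITH_KRB), ("broken", BIND_ACK_NO_AUTH)):
        print(f"{name}: {diagnose_bind_ack(pdu)}")
```

To apply this to a real trace, export the DCERPC layer of the bind_ack from Wireshark as raw bytes (the PDU begins at the 0x05 0x00 version bytes) and pass it to diagnose_bind_ack; a result of "no auth trailer" matches the failure mode reported in the thread, while a healthy exchange shows an auth_type of 16 (Kerberos) or 9 (SPNEGO) with a non-empty token.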

konghv commented 1 year ago

I get the same problem. Did anyone resolve this issue?