Bad record decoding in ese.py

avonar / impacket

Automatically exported from code.google.com/p/impacket

Other

0 stars 0 forks source link

Bad record decoding in ese.py #48

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago

Hi,

In the __tagToRecord method defined in ese.py line 962, record's columns are 
decoded using an encoding retrieved with 
"StringCodePages[columnRecord['CodePage']]" line 960.

However, the "StringCodePages" dict does not properly convert internal code 
page to a "intelligible" Python encoding when the code page is 1252:

# Code pages
CODEPAGE_UNICODE = 1200
CODEPAGE_ASCII   = 20127
CODEPAGE_WESTERN = 1252

StringCodePages = { 
    CODEPAGE_UNICODE : 'utf-16le', 
    CODEPAGE_ASCII   : 'ascii',
    CODEPAGE_WESTERN : 'ascii',
}

Code page 1252 must be converted to "cp1252" instead of "ascii":

    CODEPAGE_WESTERN : 'cp1252'

Otherwise, you will sometimes experiment some decoding issues like this one:

UnicodeDecodeError: 'ascii' codec can't decode byte 0xac in position 0: ordinal 
not in range(128)

Original issue reported on code.google.com by renaud.d...@synacktiv.com on 26 Aug 2014 at 4:32

GoogleCodeExporter commented 9 years ago

Hey Renaud:

So you dare to get deeper into __tagToRecord.. hats off man! ;)

I have no problem changing the CODEPAGE_WESTERN but, do you have a repro step?

thanks!
beto

Original comment by bet...@gmail.com on 26 Aug 2014 at 4:42

Added labels: ****
Removed labels: ****

GoogleCodeExporter commented 9 years ago

Yeah, on second thought, I'm probably a crazy one.... :)

Actually, it's pretty hard to reproduce. I pinpointed the issue during a 
security audit while extracting hashes from a NTDS.dit and I can't send it to 
you for some reasons :)). 

However, this kind of record columns (encoded using cp1252) seems to appear in 
pretty old active directory and seems to be a legacy stuff (but maybe I'm 
wrong...)

Original comment by renaud.d...@synacktiv.com on 26 Aug 2014 at 5:26

Added labels: ****
Removed labels: ****

GoogleCodeExporter commented 9 years ago

You definitely are :P..

Oh come on. cannot you give me those hashes?.. those ain't the passwords! :P

All right.. just committed the change in ese.py.. thanks man!.. 

I'm assuming you were using ese.py through secretsdump.py correct?... Hope it's 
working well there..

BTW.. if you haven't ... check the wmiexec.py script.. might be useful for you 
pentests.

Original comment by bet...@gmail.com on 26 Aug 2014 at 5:39

Changed state: Fixed
Added labels: ****
Removed labels: ****