fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com

TStool.py with low priv user on DC crashes #1816

Open Dfte opened 2 months ago

Dfte commented 2 months ago

Configuration

impacket version: v0.13.0.dev0
Python version: python 3.10.12
Target OS: Windows Server 2019 domain controller

Debug Output With Command String

tstool.py WHITEFLAG/lowuser:"Defte@WF"@dc.whiteflag.local tasklist

Impacket v0.13.0.dev0+20240916.171021.65b774de - Copyright Fortra, LLC and its affiliated companies 

[-] unpack_from requires a buffer of at least 385176 bytes for unpacking 4 bytes at offset 385172 (actual buffer size is 15472)
[-] Error unpacking field 'ActualCount | <L=len(Data) | b'''
[-] unpack_from requires a buffer of at least 385176 bytes for unpacking 4 bytes at offset 385172 (actual buffer size is 15472)
[-] Error unpacking field 'pSid | <class 'impacket.dcerpc.v5.tsts.SID'> | b'''
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/EGG-INFO/scripts/tstool.py", line 658, in <module>
    tsHandler.run(remoteName, options.target_ip)
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/EGG-INFO/scripts/tstool.py", line 85, in run
    getattr(self,'do_'+self.__action)()
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/EGG-INFO/scripts/tstool.py", line 309, in do_tasklist
    r = legacy.hRpcWinStationGetAllProcesses(handle)
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/impacket/dcerpc/v5/tsts.py", line 3585, in hRpcWinStationGetAllProcesses
    procInfo.fromString(data)
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/impacket/dcerpc/v5/ndr.py", line 1164, in fromString
    offset += self.unpack(fieldName, fieldTypeOrClass, data, offset)
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/impacket/dcerpc/v5/ndr.py", line 304, in unpack
    return self.fields[fieldName].fromString(data, offset)
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/impacket/dcerpc/v5/ndr.py", line 1164, in fromString
    offset += self.unpack(fieldName, fieldTypeOrClass, data, offset)
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/impacket/dcerpc/v5/ndr.py", line 309, in unpack
    return self.unpack(fieldName, two[0], data, offset)
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/impacket/dcerpc/v5/ndr.py", line 321, in unpack
    self.fields[fieldName] = unpack_from(fieldTypeOrClass, data, offset)[0]
struct.error: unpack_from requires a buffer of at least 385176 bytes for unpacking 4 bytes at offset 385172 (actual buffer size is 15472)
[-] unpack_from requires a buffer of at least 385176 bytes for unpacking 4 bytes at offset 385172 (actual buffer size is 15472)

This bug only occurs when using the tool as a low priv user against a DC. Otherwise it works perfectly.
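The crash in the traceback above is a struct.error raised from deep inside NDR field unpacking, once a declared count has moved the read offset (385172) far past the end of the 15472-byte response. As an added illustration, not impacket's own code, the parser below reads an NDR conformant-varying array header (MaximumCount, Offset, ActualCount) and checks the declared ActualCount against the real buffer length before unpacking any element, so a truncated or mismatched response fails with a clear diagnostic instead of a bare struct.error; the class and function names and the sample buffers are my own constructions.

```python
import struct


class TruncatedBuffer(Exception):
    """Raised when a declared length would read past the end of the buffer."""


def checked_unpack_from(fmt, data, offset):
    """Like struct.unpack_from, but the failure names the field size, the offset
    and the real buffer length (the three numbers that appear in the crash)."""
    size = struct.calcsize(fmt)
    if offset + size > len(data):
        raise TruncatedBuffer(
            f"need {offset + size} bytes to unpack {size} at offset {offset}, "
            f"buffer is {len(data)} bytes")
    return struct.unpack_from(fmt, data, offset)


def parse_conformant_varying_array(data, offset, elem_fmt):
    """Parse an NDR conformant-varying array: three little-endian uint32 header
    fields (MaximumCount, Offset, ActualCount) followed by ActualCount elements
    of elem_fmt (a single-item format). Returns (elements, new_offset). The
    counts are validated against the buffer before any element is unpacked."""
    max_count, first, actual = checked_unpack_from('<LLL', data, offset)
    offset += 12
    if first != 0 or actual > max_count:
        raise ValueError(
            f"inconsistent array header: max={max_count} offset={first} actual={actual}")
    elem_size = struct.calcsize(elem_fmt)
    if offset + actual * elem_size > len(data):
        raise TruncatedBuffer(
            f"header declares {actual} elements of {elem_size} bytes "
            f"({actual * elem_size} bytes) but only {len(data) - offset} remain")
    elems = [checked_unpack_from(elem_fmt, data, offset + i * elem_size)[0]
             for i in range(actual)]
    return elems, offset + actual * elem_size


def build_array(values, elem_fmt='<L'):
    """Constructed helper: encode values as a conformant-varying array of elem_fmt."""
    body = b''.join(struct.pack(elem_fmt, v) for v in values)
    return struct.pack('<LLL', len(values), 0, len(values)) + body


# Constructed samples: a well-formed array, and the same bytes cut short so the
# declared ActualCount no longer fits, which is the shape of the failure reported.
GOOD = build_array([1, 2, 3, 4])
TRUNCATED = GOOD[:-6]


def demo():
    """Return (elements parsed from GOOD, diagnostic string for TRUNCATED)."""
    ok, _ = parse_conformant_varying_array(GOOD, 0, '<L')
    try:
        parse_conformant_varying_array(TRUNCATED, 0, '<L')
        bad = None
    except TruncatedBuffer as e:
        bad = str(e)
    return ok, bad
```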

NtAlexio2 commented 2 months ago

Could you explain more about the low priv user, please? I tested with a normal domain user and that's working.

Dfte commented 2 months ago

Hey! So I took a look at the user "lowuser", who is a standard domain user. The only difference is that he is a member of the "Remote Desktop user" group, which crashes impacket:


So if you add a user to the remote desktop group, you should get the same stack trace I got :)

Let me know if I can help further!!