Closed zeroSteiner closed 1 year ago
Thanks @zeroSteiner for fixing this. I could not replicate the issue using the MSF icpr_cert
module but these changes look good to me. I tested with both icpr_cert
and windows_secrets_dump
modules and verify they're still working normally. I'll go ahead and land it.
This makes two changes.
The first fixes an error where when encryption is used, only the first fragment of a fragmented response would be decrypted. This means the rest of the data would be corrupt which leads to weird parsing errors. Those weird parsing errors are what I was debugging and I originally thought the issue was in the BinData definitions, so while digging into that I added tracing to all of the direct IO read operations in
dcerpc/ndr.rb
which is the second change. Now if the user enables bindata read tracing to do what I was doing, they'll get additional information like what the ref ID, and max_count files are being set to.The tracing output was pretty helpful because it made it obvious that the size field was incorrect, it just wasn't BinData's fault in my case.
Example Tracing Output