sigsegv while dumping GAL
phonexicum opened this issue · comments
Command
./ruler-exch --domain XX --username XXXX --email XXXX@YYY.ZZZ -k --verbose check
works okay:
...
[*] Got Context, Doing ROPLogin
[*] And we are authenticated
[*] Openning the Inbox
[+] Looks like we are good to go!
[*] And disconnecting from server
The command for dumping GAL:
./ruler-exch --domain XX --username XXXX -k --email XXXX@YYY.ZZZ --verbose abk dump --output ~/exch-dump.txt
breaks with SIGSEGV:
[*] Got Context, Doing ROPLogin
[*] And we are authenticated
[*] Openning the Inbox
[*] Let's Dump the addressbook
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x50 pc=0x77247e]
goroutine 1 [running]:
main.abkDump(0xc0000f0b00, 0x0, 0x0)
/home/mr.smith/_tools_/ruler-exch/ruler.go:644 +0x1ce
main.main.func10(0xc0000f0b00, 0xc000089100, 0xc0000f0b00)
/home/mr.smith/_tools_/ruler-exch/ruler.go:1517 +0x13d
github.com/urfave/cli.HandleAction(0x7c6be0, 0x862830, 0xc0000f0b00, 0x0, 0xc000097320)
/home/mr.smith/.golang/src/github.com/urfave/cli/app.go:502 +0xbe
github.com/urfave/cli.Command.Run(0x846322, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x859974, 0x32, 0x0, ...)
/home/mr.smith/.golang/src/github.com/urfave/cli/command.go:165 +0x459
github.com/urfave/cli.(*App).RunAsSubcommand(0xc000120380, 0xc0000f0840, 0x0, 0x0)
/home/mr.smith/.golang/src/github.com/urfave/cli/app.go:383 +0x827
github.com/urfave/cli.Command.startApp(0x845f1b, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x854a6b, 0x25, 0x0, ...)
/home/mr.smith/.golang/src/github.com/urfave/cli/command.go:377 +0x808
github.com/urfave/cli.Command.Run(0x845f1b, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x854a6b, 0x25, 0x0, ...)
/home/mr.smith/.golang/src/github.com/urfave/cli/command.go:103 +0x80f
github.com/urfave/cli.(*App).Run(0xc0001201c0, 0xc00008a270, 0xd, 0xd, 0x0, 0x0)
/home/mr.smith/.golang/src/github.com/urfave/cli/app.go:259 +0x6bb
main.main()
/home/mr.smith/_tools_/ruler-exch/ruler.go:1774 +0x2fb2
hi @phonexicum
Thanks for the report. Looks like there is an error being returned from the method but not being handled. The next line then tries to parse a non-existing field.
I've added an error check which should report what went wrong. This is in the branch fix-abk-segv: f126b9e
Hello,
I tried to track down the source of the problem and figured out that it is because the check headers.Get("X-ResponseCode") != "0" in the function readResponse fails.
I added some debug output and found out that ruler generates a POST request to the URL https://mail.XXX.YYY/mapi/nspi/?MailboxId=xxxxxxxx-...-xxxxxxxxxxxxx@XXX.YYY
which is sent with headers:
Identity: [mr.smith@XXX.YYY]
X-Requestid: [{xxx-xxx}:6]
X-Clientinfo: [{yyy-yyy}]
X-Clientapplication: [Outlook/15.0.4815.1002]
Authorization: [Basic BASE64-AUTH]
Content-Type: [application/mapi-http]
X-Requesttype: [QueryRows]
and data as a body: 00000000ff0000000000000000000000000000000000000000ff000000e404000009040000090800000000000064000000ff020000001f0001301f00fe3900000000
(bytes in hex)
The answer is 200 and contains the following headers:
Cache-Control: [no-cache, no-store]
Pragma: [no-cache]
Server: [Microsoft-IIS/8.5]
X-Frame-Options: [SAMEORIGIN]
X-Aspnet-Version: [4.0.30319]
Strict-Transport-Security: [max-age=157680000]
Content-Type: [text/html; charset=utf-8]
Expires: [-1]
Request-Id: [xxx-xxx]
X-Powered-By: [ASP.NET]
Date: [Sat, 22 Jun 2019 18:21:29 GMT]
Content-Length: [57165]
(obviously these headers fail the check for the X-ResponseCode header in the code)
The body is an HTML OWA web page, stating the following (a fragment of the big HTML page):
<div class="signInExpl">Please enable cookies for this Web site.<br><br>Cookies are currently disabled by your browser. Outlook requires that cookies be enabled. <br><br>For information about how to enable cookies, see the Help for your Web browser.<br><br><br></div>
As far as I know, I am dealing with this Exchange version:
WA-MinimumSupportedOWSVersion: V2_6
X-OWA-OWSVersion: V2017_08_18
X-OWA-Version: 15.1.1713.6
Your tool is awesome and dumping GAL via outlook is a useful step during penetration testing.
I don't really understand the source of the problem and why OWA answers me with an HTML page instead of the expected data. I tried to provide the debug information I found helpful, hoping it would help you to understand why the situation happens.
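The maintainer's diagnosis (an unhandled error followed by a dereference) and the follow-up finding (readResponse rejecting a 200 OK that carries an OWA HTML page instead of MAPI data with an X-ResponseCode header) point at the same fix: validate the response before parsing it. The following is an added example, not ruler's own code; readMAPIResponse, owaHint and newResponse are hypothetical names, and the HTML body in the test is constructed from the fragment quoted above.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

// readMAPIResponse is a hypothetical version of the readResponse check from the
// thread: it validates HTTP status, Content-Type and X-ResponseCode before
// returning the body, so callers get an error instead of a nil parse result.
func readMAPIResponse(resp *http.Response) ([]byte, error) {
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, fmt.Errorf("reading body: %w", err)
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected HTTP status %d", resp.StatusCode)
	}
	if strings.HasPrefix(resp.Header.Get("Content-Type"), "text/html") {
		return nil, fmt.Errorf("server returned HTML instead of MAPI data: %s", owaHint(body))
	}
	if code := resp.Header.Get("X-ResponseCode"); code != "0" {
		return nil, fmt.Errorf("X-ResponseCode %q, expected \"0\"", code)
	}
	return body, nil
}

// owaHint pulls the explanation text out of an OWA sign-in page (the signInExpl
// div quoted in the report) so the error message says why MAPI was refused.
func owaHint(body []byte) string {
	const marker = `class="signInExpl">`
	_, after, found := strings.Cut(string(body), marker)
	if !found {
		return "no signInExpl text in page"
	}
	text, _, _ := strings.Cut(after, "<")
	return text
}

// newResponse builds a constructed *http.Response for offline testing.
func newResponse(status int, hdr map[string]string, body string) *http.Response {
	r := &http.Response{StatusCode: status, Header: http.Header{},
		Body: io.NopCloser(strings.NewReader(body))}
	for k, v := range hdr {
		r.Header.Set(k, v)
	}
	return r
}
```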