sensepost / ruler

A tool to abuse Exchange services


sigsegv while dumping GAL

phonexicum opened this issue · comments

Command

./ruler-exch --domain XX --username XXXX --email XXXX@YYY.ZZZ -k --verbose check

works okay:

...
[*] Got Context, Doing ROPLogin
[*] And we are authenticated
[*] Openning the Inbox
[+] Looks like we are good to go!
[*] And disconnecting from server

The command for dumping GAL:

./ruler-exch --domain XX --username XXXX -k --email XXXX@YYY.ZZZ --verbose abk dump --output ~/exch-dump.txt

break with sigsegv:

[*] Got Context, Doing ROPLogin
[*] And we are authenticated
[*] Openning the Inbox
[*] Let's Dump the addressbook
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x50 pc=0x77247e]

goroutine 1 [running]:
main.abkDump(0xc0000f0b00, 0x0, 0x0)
        /home/mr.smith/_tools_/ruler-exch/ruler.go:644 +0x1ce
main.main.func10(0xc0000f0b00, 0xc000089100, 0xc0000f0b00)
        /home/mr.smith/_tools_/ruler-exch/ruler.go:1517 +0x13d
github.com/urfave/cli.HandleAction(0x7c6be0, 0x862830, 0xc0000f0b00, 0x0, 0xc000097320)
        /home/mr.smith/.golang/src/github.com/urfave/cli/app.go:502 +0xbe
github.com/urfave/cli.Command.Run(0x846322, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x859974, 0x32, 0x0, ...)
        /home/mr.smith/.golang/src/github.com/urfave/cli/command.go:165 +0x459
github.com/urfave/cli.(*App).RunAsSubcommand(0xc000120380, 0xc0000f0840, 0x0, 0x0)
        /home/mr.smith/.golang/src/github.com/urfave/cli/app.go:383 +0x827
github.com/urfave/cli.Command.startApp(0x845f1b, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x854a6b, 0x25, 0x0, ...)
        /home/mr.smith/.golang/src/github.com/urfave/cli/command.go:377 +0x808
github.com/urfave/cli.Command.Run(0x845f1b, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x854a6b, 0x25, 0x0, ...)
        /home/mr.smith/.golang/src/github.com/urfave/cli/command.go:103 +0x80f
github.com/urfave/cli.(*App).Run(0xc0001201c0, 0xc00008a270, 0xd, 0xd, 0x0, 0x0)
        /home/mr.smith/.golang/src/github.com/urfave/cli/app.go:259 +0x6bb
main.main()
        /home/mr.smith/_tools_/ruler-exch/ruler.go:1774 +0x2fb2

hi @phonexicum

Thanks for the report. Looks like there is an error being returned from the method but not being handled. The next line then tries to parse a non-existing field.

I've added an error check which should report what went wrong. This is in the branch fix-abk-segv: f126b9e

Hello,
I tried to track down the source of the problem and figured out that it is caused by the check headers.Get("X-ResponseCode") != "0" in function readResponse, which fails.

I added some debug output and found out that ruler generates a POST request to the URL https://mail.XXX.YYY/mapi/nspi/?MailboxId=xxxxxxxx-...-xxxxxxxxxxxxx@XXX.YYY which is sent with these headers:

Identity: [mr.smith@XXX.YYY]
X-Requestid: [{xxx-xxx}:6]
X-Clientinfo: [{yyy-yyy}]
X-Clientapplication: [Outlook/15.0.4815.1002]
Authorization: [Basic BASE64-AUTH]
Content-Type: [application/mapi-http]
X-Requesttype: [QueryRows]

and this data as the body (bytes in hex): 00000000ff0000000000000000000000000000000000000000ff000000e404000009040000090800000000000064000000ff020000001f0001301f00fe3900000000

The answer is 200 and contains the following headers:

Cache-Control: [no-cache, no-store]
Pragma: [no-cache]
Server: [Microsoft-IIS/8.5]
X-Frame-Options: [SAMEORIGIN]
X-Aspnet-Version: [4.0.30319]
Strict-Transport-Security: [max-age=157680000]
Content-Type: [text/html; charset=utf-8]
Expires: [-1]
Request-Id: [xxx-xxx]
X-Powered-By: [ASP.NET]
Date: [Sat, 22 Jun 2019 18:21:29 GMT]
Content-Length: [57165]

(obviously these headers fail the check for the X-ResponseCode header in the code)
The body is an HTML OWA web page, stating the following (a fragment of the big HTML page):

<div class="signInExpl">Please enable cookies for this Web site.<br><br>Cookies are currently disabled by your browser. Outlook requires that cookies be enabled. <br><br>For information about how to enable cookies, see the Help for your Web browser.<br><br><br></div>

As far as I know, I am dealing with this Exchange version:

WA-MinimumSupportedOWSVersion: V2_6
X-OWA-OWSVersion: V2017_08_18
X-OWA-Version: 15.1.1713.6

Your tool is awesome, and dumping the GAL via Outlook is a useful step during penetration testing.
I don't really understand the source of the problem and why OWA answers me with an HTML page instead of the expected data. I tried to provide the debug information I found helpful, hoping it would help you understand why this happens.
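The failure the maintainer describes (an unhandled error followed by parsing a field that is not there) and the reply the reporter captured (HTTP 200, Content-Type text/html, no X-ResponseCode) both come down to validating the response before touching the body. As an added example, not ruler's code and not the fix in f126b9e, here is a Go check with the hypothetical names checkMapiResponse and fromReport; the headers in fromReport are reconstructed from the report above.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// mapiContentType is the media type a MAPI/HTTP endpoint answers with.
const mapiContentType = "application/mapi-http"

// checkMapiResponse (hypothetical name) validates a MAPI/HTTP reply before the
// caller parses the body: the body must be MAPI data rather than an OWA web
// page, and X-ResponseCode must be present and "0".
func checkMapiResponse(resp *http.Response) error {
	if resp == nil {
		return errors.New("nil response")
	}
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("unexpected HTTP status %d", resp.StatusCode)
	}
	ct := resp.Header.Get("Content-Type")
	if !strings.HasPrefix(ct, mapiContentType) {
		// A 200 with text/html is the cookie/sign-in page from the report,
		// not NSPI data; report that instead of dereferencing missing fields.
		return fmt.Errorf("expected %s, got %q (server returned a web page, likely an OWA sign-in/cookie page)", mapiContentType, ct)
	}
	code := resp.Header.Get("X-ResponseCode")
	if code == "" {
		return errors.New("X-ResponseCode header missing")
	}
	if code != "0" {
		return fmt.Errorf("server returned X-ResponseCode %s", code)
	}
	return nil
}

// fromReport (constructed) rebuilds the response headers captured in the issue.
func fromReport() *http.Response {
	h := http.Header{}
	h.Set("Content-Type", "text/html; charset=utf-8")
	h.Set("Server", "Microsoft-IIS/8.5")
	return &http.Response{StatusCode: 200, Header: h}
}

func main() {
	fmt.Println(checkMapiResponse(fromReport()))
}
```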