Unhandled Exception: Asn1.AsnException: integer overflow (positive)

Open CaledoniaProject opened this issue 6 years ago • 5 comments

Interesting issue ...

[*] Sending S4U2self request
[*] Connecting to 172.16.177.130:88
[*] Sent 1452 bytes
[*] Received 1432 bytes
[+] S4U2self success!
[*] Building S4U2proxy request for service: 'CIFS/WEB01'
[*] Sending S4U2proxy request
[*] Connecting to 172.16.177.130:88
[*] Sent 2487 bytes
[*] Received 120 bytes

Unhandled Exception: Asn1.AsnException: integer overflow (positive)
   at Asn1.AsnElt.GetInteger()
   at Rubeus.KRB_ERROR..ctor(AsnElt body)
   at Rubeus.S4U.Execute(KRB_CRED kirbi, String targetUser, String targetSPN, Boolean ptt, String domainController, String altService)
   at Rubeus.Commands.S4u.Execute(Dictionary`2 arguments)
   at Rubeus.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
   at Rubeus.Program.Main(String[] args)

CaledoniaProject, Dec 23 '18 16:12

It happens when I choose "Use Kerberos only"; the other options work.

CaledoniaProject, Dec 23 '18 16:12

Okay, reproduced on another AD environment. Just need an invalid /msdsspn parameter to trigger the overflow issue.

CaledoniaProject, Dec 24 '18 05:12

This seems to be similar to https://github.com/GhostPack/Rubeus/issues/19 - it looks like some value in KRB_ERROR is being miscast, but without being able to recreate I don't know the best way to trace which value it is. Will continue testing.

HarmJ0y, Feb 05 '19 22:02
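
An added example, not part of the thread and not Rubeus code: one way to trace which KRB_ERROR value fails to decode is to walk a captured reply by context tag, using the KRB-ERROR layout in RFC 4120 section 5.9.1, and report any integer field that is not an INTEGER or is wider than Int32. The function names and the sample bytes are constructed for illustration.

```python
# Added example: audit the integer fields of a DER-encoded KRB-ERROR (RFC 4120, 5.9.1).
INT_FIELDS = {0: "pvno", 1: "msg-type", 3: "cusec", 5: "susec", 6: "error-code"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits count length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, pos, pos + length

def audit_krb_error(buf):
    """Map each integer field present to its value, or to a description of the problem."""
    tag, start, _ = read_tlv(buf, 0)
    if tag != 0x7E:                         # [APPLICATION 30], constructed
        raise ValueError("not a KRB-ERROR")
    tag, pos, end = read_tlv(buf, start)
    if tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    report = {}
    while pos < end:
        ctag, cstart, cend = read_tlv(buf, pos)
        pos = cend
        name = INT_FIELDS.get(ctag & 0x1F) if (ctag & 0xE0) == 0xA0 else None
        if name is None:
            continue                        # time, realm, name, e-text, e-data
        itag, istart, iend = read_tlv(buf, cstart)
        if itag != 0x02:
            report[name] = f"not an INTEGER (tag 0x{itag:02x})"
        elif iend - istart > 4:
            report[name] = f"{iend - istart}-byte INTEGER, too wide for Int32"
        else:
            report[name] = int.from_bytes(buf[istart:iend], "big", signed=True)
    return report

def der(tag, body):                         # sample builder, short-form lengths only
    return bytes([tag, len(body)]) + body

def sample(code):                           # constructed, trimmed KRB-ERROR (no sname)
    fields = [(0xA0, 0x02, b"\x05"), (0xA1, 0x02, b"\x1e"),
              (0xA4, 0x18, b"20181223161200Z"), (0xA5, 0x02, b"\x01\xe2\x40"),
              (0xA6, 0x02, code), (0xA9, 0x1B, b"EXAMPLE.LOCAL")]
    return der(0x7E, der(0x30, b"".join(der(c, der(u, v)) for c, u, v in fields)))

print(audit_krb_error(sample(b"\x0d")), audit_krb_error(sample(b"\x01" + b"\x00" * 8)), sep="\n")
```

Because fields are matched by context tag rather than by position, an absent OPTIONAL field such as ctime or cusec cannot shift a later element into an integer slot.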

I tried to recreate this scenario but wasn't able to. If I have "Use Kerberos only" as the account's delegation option, I get a [X] KRB-ERROR (13) : KDC_ERR_BADOPTION error, but if I use a /msdsspn that doesn't exist, I get a [X] KRB-ERROR (7) : KDC_ERR_S_PRINCIPAL_UNKNOWN error and no unhandled exception.

HarmJ0y, Feb 11 '19 02:02

To use "any authentication protocol" and overcome the [X] KRB-ERROR (13) : KDC_ERR_BADOPTION error, I recompiled Rubeus with the RBCD flag set to false. Line 94 in S4U.cs: PA_DATA pac_options = new PA_DATA(false, false, false, false); (It makes sense to use the RBCD flag when the msDS-AllowedToActOnBehalfOfOtherIdentity property is set on a target computer object.)

talmaor, Apr 04 '19 11:04