TStool.py with low priv user on DC crashes
Configuration
impacket version: v0.13.0.dev0
Python version: python 3.10.12
Target OS: Windows Server 2019 domain controller
Debug Output With Command String
tstool.py WHITEFLAG/lowuser:"Defte@WF"@dc.whiteflag.local tasklist
Impacket v0.13.0.dev0+20240916.171021.65b774de - Copyright Fortra, LLC and its affiliated companies
[-] unpack_from requires a buffer of at least 385176 bytes for unpacking 4 bytes at offset 385172 (actual buffer size is 15472)
[-] Error unpacking field 'ActualCount | <L=len(Data) | b'''
[-] unpack_from requires a buffer of at least 385176 bytes for unpacking 4 bytes at offset 385172 (actual buffer size is 15472)
[-] Error unpacking field 'pSid | <class 'impacket.dcerpc.v5.tsts.SID'> | b'''
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/EGG-INFO/scripts/tstool.py", line 658, in <module>
    tsHandler.run(remoteName, options.target_ip)
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/EGG-INFO/scripts/tstool.py", line 85, in run
    getattr(self,'do_'+self.__action)()
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/EGG-INFO/scripts/tstool.py", line 309, in do_tasklist
    r = legacy.hRpcWinStationGetAllProcesses(handle)
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/impacket/dcerpc/v5/tsts.py", line 3585, in hRpcWinStationGetAllProcesses
    procInfo.fromString(data)
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/impacket/dcerpc/v5/ndr.py", line 1164, in fromString
    offset += self.unpack(fieldName, fieldTypeOrClass, data, offset)
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/impacket/dcerpc/v5/ndr.py", line 304, in unpack
    return self.fields[fieldName].fromString(data, offset)
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/impacket/dcerpc/v5/ndr.py", line 1164, in fromString
    offset += self.unpack(fieldName, fieldTypeOrClass, data, offset)
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/impacket/dcerpc/v5/ndr.py", line 309, in unpack
    return self.unpack(fieldName, two[0], data, offset)
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/impacket/dcerpc/v5/ndr.py", line 321, in unpack
    self.fields[fieldName] = unpack_from(fieldTypeOrClass, data, offset)[0]
struct.error: unpack_from requires a buffer of at least 385176 bytes for unpacking 4 bytes at offset 385172 (actual buffer size is 15472)
[-] unpack_from requires a buffer of at least 385176 bytes for unpacking 4 bytes at offset 385172 (actual buffer size is 15472)
This bug only occurs when using the tool as a low priv user against a DC. Otherwise it works perfectly.
Could you explain more about low priv user please? I tested with a normal domain user and that's working.
Hey! So I took a look at the user "lowuser", who is a standard domain user. The only difference it has is that he is a member of the "Remote Desktop user" group, which crashes impacket.
So if you add a user to the remote desktop group, you should get the same stack trace I got :)
Let me know if I can help further!!