ruler
ruler copied to clipboard
sensepost
This is an amazing tool, but I found a little bug in your code!
The bug happens when your mother tongue is not English.
When I send the mapi.RopQueryRowsRequest request to the Exchange server with property tags mapi.PidTagDisplayName and mapi.PidTagFolderID.
setColumns.PropertyTags = make([]mapi.PropertyTag, 2)
setColumns.PropertyTags[0] = mapi.PidTagDisplayName
setColumns.PropertyTags[1] = mapi.PidTagFolderID
The response looks like this.
The response data itself looks correct with folderID and folderName, but when ruler tries to read these tags with mapi.UnmarshalRops, bug happens.
If the language setting of the current user is not English, the end of the folderName will be 0x00 0x00, bug if the language setting of the current user is English, the end of the folderName will be 0x00 0x00 0x00.
So the code should be like this, otherwise a NULL byte will be eaten.
//ReadUnicodeString read and return a unicode string
func ReadUnicodeString(pos int, buff []byte) ([]byte, int) {
//stupid hack as using bufio and ReadString(byte) would terminate too early
//would terminate on 0x00 instead of 0x0000
index := bytes.Index(buff[pos:], []byte{0x00, 0x00})
if buff[pos+index+2] == 0x00 {
index++ //unicode string end with 0x00 0x00 0x00
}
if index == -1 {
return nil, 0
}
str := buff[pos : pos+index]
return []byte(str), pos + index + 2
}
Also, When I send the mapi.RopQueryRowsRequest request to the Exchange Server 2016. I found that there is only one flag in the response.
So the code in the function (queryRows *RopQueryRowsResponse) Unmarshal(resp []byte, properties []PropertyTag) (int, error) should be like this
flag, pos = utils.ReadByte(pos, resp)
for k := 0; k < int(queryRows.RowCount); k++ {
trow := PropertyRow{}
//check if has flag (is flaggedpropertyrow)
for _, property := range properties {
if flag == 0x01 {
trow.Flag, pos = utils.ReadByte(pos, resp)
}
if trow.Flag != 0x00 {
[...]
} else if property.PropertyType == PtypString {
trow.ValueArray, pos = utils.ReadUnicodeString(pos, resp)
rows[k] = append(rows[k], trow)
} else if property.PropertyType == PtypBinary {
Thanks for trying it out and the kind words @l0kihardt!
It seems like the ReadUnicodeString bug might be playing a role in this bug report as well: https://github.com/sensepost/ruler/issues/121#issuecomment-633351036
I'll have a look at these asap, but your suggestions make sense 😃
Thanks again 🙏
Reading through this it looks like the flag bug was likely because of the ReadUnicodeString bug
} else if property.PropertyType == PtypString {
trow.ValueArray, pos = utils.ReadUnicodeString(pos, resp)
rows[k] = append(rows[k], trow)
- if len(trow.ValueArray) > 0 { //empty string means no extra null byte.
- pos++
- }
The flag needs to be set in the loop as it should be part of the PropertyRow (page 70): https://interoperability.blob.core.windows.net/files/MS-OXCDATA/%5BMS-OXCDATA%5D-080627.pdf I worked off of the RopQueryRows Response documented here: https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxcrops/45a36946-5db6-4342-9403-80958fbe537c
Yeah, I think you are correct. I found that the response of the form display request has different formats...
Some of the delimiters are 0x00 0x00 0x00 0x00, and others are 0x00 0x00 0x00 0x01
But as the picture I uploaded before shows, there is only two NULL byte as the delimiters.
Then if you use the same parse program, there will be some bug.