sigsegv while dumping GAL #98

Open
phonexicum opened this issue Jun 21, 2019 · 2 comments
@phonexicum

Command

./ruler-exch --domain XX --username XXXX --email [email protected] -k --verbose check

works okay:

...
[*] Got Context, Doing ROPLogin
[*] And we are authenticated
[*] Openning the Inbox
[+] Looks like we are good to go!
[*] And disconnecting from server

The command for dumping GAL:

./ruler-exch --domain XX --username XXXX -k --email [email protected] --verbose abk dump --output ~/exch-dump.txt

breaks with sigsegv:

[*] Got Context, Doing ROPLogin
[*] And we are authenticated
[*] Openning the Inbox
[*] Let's Dump the addressbook
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x50 pc=0x77247e]

goroutine 1 [running]:
main.abkDump(0xc0000f0b00, 0x0, 0x0)
        /home/mr.smith/_tools_/ruler-exch/ruler.go:644 +0x1ce
main.main.func10(0xc0000f0b00, 0xc000089100, 0xc0000f0b00)
        /home/mr.smith/_tools_/ruler-exch/ruler.go:1517 +0x13d
github.com/urfave/cli.HandleAction(0x7c6be0, 0x862830, 0xc0000f0b00, 0x0, 0xc000097320)
        /home/mr.smith/.golang/src/github.com/urfave/cli/app.go:502 +0xbe
github.com/urfave/cli.Command.Run(0x846322, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x859974, 0x32, 0x0, ...)
        /home/mr.smith/.golang/src/github.com/urfave/cli/command.go:165 +0x459
github.com/urfave/cli.(*App).RunAsSubcommand(0xc000120380, 0xc0000f0840, 0x0, 0x0)
        /home/mr.smith/.golang/src/github.com/urfave/cli/app.go:383 +0x827
github.com/urfave/cli.Command.startApp(0x845f1b, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x854a6b, 0x25, 0x0, ...)
        /home/mr.smith/.golang/src/github.com/urfave/cli/command.go:377 +0x808
github.com/urfave/cli.Command.Run(0x845f1b, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x854a6b, 0x25, 0x0, ...)
        /home/mr.smith/.golang/src/github.com/urfave/cli/command.go:103 +0x80f
github.com/urfave/cli.(*App).Run(0xc0001201c0, 0xc00008a270, 0xd, 0xd, 0x0, 0x0)
        /home/mr.smith/.golang/src/github.com/urfave/cli/app.go:259 +0x6bb
main.main()
        /home/mr.smith/_tools_/ruler-exch/ruler.go:1774 +0x2fb2

@staaldraad
Collaborator

Hi @phonexicum

Thanks for the report. Looks like there is an error being returned from the method but not being handled. The next line then tries to parse a non-existing field.

I've added an error check which should report what went wrong. This is in the branch fix-abk-segv: f126b9e

@phonexicum
Author

Hello,
I tried to track down the source of the problem and figured out that it is because of the check headers.Get("X-ResponseCode") != "0" in the function readResponse, which fails.

I added some debug output and found out that ruler generates a POST request to the URL https://mail.XXX.YYY/mapi/nspi/[email protected] which is sent with these headers:

Identity: [[email protected]]
X-Requestid: [{xxx-xxx}:6]
X-Clientinfo: [{yyy-yyy}]
X-Clientapplication: [Outlook/15.0.4815.1002]
Authorization: [Basic BASE64-AUTH]
Content-Type: [application/mapi-http]
X-Requesttype: [QueryRows]

and this data as the body: 00000000ff0000000000000000000000000000000000000000ff000000e404000009040000090800000000000064000000ff020000001f0001301f00fe3900000000 (bytes in hex)

The answer is 200 and contains the following headers:

Cache-Control: [no-cache, no-store]
Pragma: [no-cache]
Server: [Microsoft-IIS/8.5]
X-Frame-Options: [SAMEORIGIN]
X-Aspnet-Version: [4.0.30319]
Strict-Transport-Security: [max-age=157680000]
Content-Type: [text/html; charset=utf-8]
Expires: [-1]
Request-Id: [xxx-xxx]
X-Powered-By: [ASP.NET]
Date: [Sat, 22 Jun 2019 18:21:29 GMT]
Content-Length: [57165]

(obviously these headers fail the check for the X-ResponseCode header in the code)
The body is an HTML OWA web page, stating the following information (a fragment of the big HTML page):

<div class="signInExpl">Please enable cookies for this Web site.<br><br>Cookies are currently disabled by your browser. Outlook requires that cookies be enabled. <br><br>For information about how to enable cookies, see the Help for your Web browser.<br><br><br></div>

As far as I know, I am dealing with this Exchange version:

WA-MinimumSupportedOWSVersion: V2_6
X-OWA-OWSVersion: V2017_08_18
X-OWA-Version: 15.1.1713.6

Your tool is awesome and dumping GAL via Outlook is a useful step during penetration testing.
I don't really understand the source of the problem and why OWA answers me with an HTML page instead of the expected data. I tried to provide the debug information I found helpful, hoping it would help you to understand why the situation happens.
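
Added example, not ruler's code and not the fix in f126b9e: a minimal Go sketch of the failure mode discussed in this thread, where a 200 reply carrying an HTML sign-in page instead of MAPI data is rejected with a descriptive error before anything dereferences the result. The names `rows`, `checkMapiResponse` and `dumpRows` are hypothetical, and the expectation that a valid reply has Content-Type application/mapi-http is an assumption taken from the request headers shown above.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
)

// rows is a hypothetical stand-in for a parsed QueryRows result.
type rows struct{ raw []byte }

// checkMapiResponse validates the HTTP envelope before any body parsing.
func checkMapiResponse(status int, h http.Header, body []byte) (*rows, error) {
	if status != http.StatusOK {
		return nil, fmt.Errorf("unexpected HTTP status %d", status)
	}
	// Assumption: a real MAPI/HTTP reply uses the request's content type.
	ct, _, err := mime.ParseMediaType(h.Get("Content-Type"))
	if err != nil || ct != "application/mapi-http" {
		return nil, fmt.Errorf("not a MAPI/HTTP reply: Content-Type %q, %d-byte body",
			h.Get("Content-Type"), len(body))
	}
	if rc := h.Get("X-ResponseCode"); rc != "0" {
		return nil, fmt.Errorf("X-ResponseCode is %q, want \"0\"", rc)
	}
	return &rows{raw: body}, nil
}

// dumpRows shows the caller side: return on error before touching the result.
func dumpRows(status int, h http.Header, body []byte) (int, error) {
	r, err := checkMapiResponse(status, h, body)
	if err != nil {
		return 0, fmt.Errorf("QueryRows failed: %w", err)
	}
	return len(r.raw), nil
}

func main() {
	// Constructed reply modelled on the headers quoted in the issue.
	html := http.Header{}
	html.Set("Content-Type", "text/html; charset=utf-8")
	_, err := dumpRows(200, html, []byte("<html>sign-in page</html>"))
	fmt.Println(err)
}
```

Checking the content type before X-ResponseCode makes the error name the actual cause (a web page came back) rather than only reporting a missing header.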
