Setting ClearNewPassword field as a general fixed array

- So you can encrypt the NL_TRUST_PASSWORD struct yourself and put the result in there. - Related to #951
fortra · Sep 14, 2020 · b867b21 · b867b21
1 parent 64ce465
commit b867b21
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 7 deletions.
diff --git a/impacket/dcerpc/v5/nrpc.py b/impacket/dcerpc/v5/nrpc.py
@@ -337,6 +337,13 @@ class PNETLOGON_WORKSTATION_INFO(NDRPOINTER):
     )
 
 # 2.2.1.3.7 NL_TRUST_PASSWORD
+class NL_TRUST_PASSWORD_FIXED_ARRAY(NDRUniFixedArray):
+    def getDataLen(self, data, offset=0):
+        return 512+4
+
+    def getAlignment(self):
+        return 1
+
 class WCHAR_ARRAY(NDRUniFixedArray):
     def getDataLen(self, data, offset=0):
         return 512
@@ -2098,7 +2105,8 @@ class NetrServerPasswordSet2(NDRCALL):
        ('SecureChannelType',NETLOGON_SECURE_CHANNEL_TYPE),
        ('ComputerName',WSTR),
        ('Authenticator',NETLOGON_AUTHENTICATOR),
-       ('ClearNewPassword',NL_TRUST_PASSWORD),
+       #('ClearNewPassword',NL_TRUST_PASSWORD),
+       ('ClearNewPassword',NL_TRUST_PASSWORD_FIXED_ARRAY),
     )
 
 class NetrServerPasswordSet2Response(NDRCALL):
@@ -2786,14 +2794,14 @@ def hNetrServerTrustPasswordsGet(dce, trustedDcName, accountName, secureChannelT
     request['Authenticator'] = authenticator
     return dce.request(request)
 
-def hNetrServerPasswordSet2(dce, primaryName, accountName, secureChannelType, computerName, authenticator, clearNewPassword):
+def hNetrServerPasswordSet2(dce, primaryName, accountName, secureChannelType, computerName, authenticator, clearNewPasswordBlob):
     request = NetrServerPasswordSet2()
     request['PrimaryName'] = checkNullString(primaryName)
     request['AccountName'] = checkNullString(accountName)
     request['SecureChannelType'] = secureChannelType
     request['ComputerName'] = checkNullString(computerName)
     request['Authenticator'] = authenticator
-    request['ClearNewPassword'] = clearNewPassword
+    request['ClearNewPassword'] = clearNewPasswordBlob
     return dce.request(request)
 
 def hNetrLogonGetDomainInfo(dce, serverName, computerName, authenticator, returnAuthenticator=0, level=1):

diff --git a/tests/SMB_RPC/test_nrpc.py b/tests/SMB_RPC/test_nrpc.py
@@ -520,11 +520,17 @@ def test_NetrServerPasswordSet2(self):
         request['SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel
         request['ComputerName'] = self.serverName + '\x00'
         request['Authenticator'] = self.update_authenticator()
-        request['ClearNewPassword'] = nrpc.NL_TRUST_PASSWORD()
-        request['ClearNewPassword']['Buffer'] = b'\x00' *512
-        request['ClearNewPassword']['Length'] = 0x8
+        cnp = nrpc.NL_TRUST_PASSWORD()
+        cnp['Buffer'] = b'\x00'*512
+        cnp['Length'] = 0x8
+
+        request['ClearNewPassword'] = cnp.getData()
+        #request['ClearNewPassword'] = nrpc.NL_TRUST_PASSWORD()
+        #request['ClearNewPassword']['Buffer'] = b'\x00' *512
+        #request['ClearNewPassword']['Length'] = 0x8
 
         try:
+            request.dump()
             resp = dce.request(request)
             resp.dump()
         except Exception as e:
@@ -541,7 +547,7 @@ def test_hNetrServerPasswordSet2(self):
         try:
             resp = nrpc.hNetrServerPasswordSet2(dce, NULL, self.machineUser,
                                                  nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel,
-                                                 self.serverName, self.update_authenticator(), cnp)
+                                                 self.serverName, self.update_authenticator(), cnp.getData())
             resp.dump()
         except Exception as e:
             if str(e).find('STATUS_ACCESS_DENIED') < 0: