Client#get_key_security_descriptor not working as expected #289

@joaoalber

Description

Hello everyone,

I'm having trouble with the #get_key_security_descriptor method; I'm not able to fetch the information properly for a given registry key.

The issue seems to be the way the server's response is being read/parsed.

3.4.2 :003 > byte_stream
 => "\x01\x00\x04\x94\x8C\x00\x00\x00\x9C\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x02\x00x\x00\x05\x00\x00\x00\x00\x02\x18\x00\x19\x00\x02\x00\x01\x02\x00\x00\x00\x00\x00\x05 \x00\x00\x00!\x02\x00\x00\x00\x02\x18\x00?\x00\x0F\x00\x01\x02\x00\x00\x00\x00\x00\x05 \x00\x00\x00 \x02\x00\x00\x00\n\x14\x00?\x00\x0F\x00\x01\x01\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x02\x18\x00\x19\x00\x02\x00\x01\x02\x00\x00\x00\x00\x00\x0F\x02\x00\x00\x00\x01\x00\x00\x00\x00\x02\x14\x00?\x00\x0F\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00\x01\x02\x00\x00\x00\x00\x00\x05 \x00\x00\x00 \x02\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00"

3.4.2 :008 > RubySMB::Field::SecurityDescriptor.read(byte_stream)
 => 
{revision: 1,
 sbz1: 0,
 control:
  {dacl_computed_inheritance: 0, sacl_computed_inheritance: 0, dacl_auto_inherited: 0, sacl_auto_inherited: 0, dacl_protected: 0, sacl_protected: 1, rm_control_valid: 0, self_relative: 0, owner_defaulted: 1, group_defaulted: 0, dacl_present: 0, dacl_defaulted: 1, sacl_present: 0, sacl_defaulted: 1, server_security: 0, dacl_trusted: 0},
 offset_owner: 140,
 offset_group: 156,
 offset_sacl: 0,
 offset_dacl: 20,
 owner_sid: "",
 group_sid: "",
 sacl: "",
 dacl: ""}

Above you can see that things like offsets are set, but there's no information about the DACLs (and DACL_PRESENT is false).

PS: Using the same user I can authenticate to the target machine and see the registry key permissions, but when it comes to using WinReg (DCE/RPC), this response appears to be malformed. (It doesn't seem to be a server-side issue.)

PS2: The same happens when querying security descriptor info for files: I get a response.buffer which is a byte stream, and when I read it using the SecurityDescriptor field, it returns a broken structure similar to the one above.
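As an added cross-check that is not part of the issue or of RubySMB's own code: the 168-byte stream quoted above, parsed by a stand-alone self-relative SECURITY_DESCRIPTOR parser written to MS-DTYP (every multi-byte integer little-endian except the 48-bit SID IdentifierAuthority). The function and constant names (parse_security_descriptor, parse_sid, parse_acl, control_words, ISSUE_BYTES) are chosen for this example. The control word in the stream is the bytes 04 94, i.e. 0x9404 when read little-endian as the spec requires, which is SE_SELF_RELATIVE | SE_DACL_PROTECTED | SE_DACL_AUTO_INHERITED | SE_DACL_PRESENT; the DACL at offset 20 holds five ACCESS_ALLOWED ACEs, and owner/group at offsets 140 and 156 are S-1-5-32-544 and S-1-5-18. Read big-endian the same two bytes give 0x0494, and that bit pattern, taken MSB-first across the sixteen control fields in the order the posted output lists them, lands on exactly the four fields the output reports as 1 (sacl_protected, owner_defaulted, dacl_defaulted, sacl_defaulted), so the byte order of the control word is the first thing worth comparing against an independent parse.

```ruby
# Added example: minimal MS-DTYP self-relative SECURITY_DESCRIPTOR parser.
# Not RubySMB code; written to cross-check the byte stream quoted in the issue.

# SECURITY_DESCRIPTOR_CONTROL bit values (MS-DTYP 2.4.6, SE_* constants).
CONTROL_FLAGS = {
  0x0001 => :owner_defaulted,       0x0002 => :group_defaulted,
  0x0004 => :dacl_present,          0x0008 => :dacl_defaulted,
  0x0010 => :sacl_present,          0x0020 => :sacl_defaulted,
  0x0040 => :dacl_untrusted,        0x0080 => :server_security,
  0x0100 => :dacl_auto_inherit_req, 0x0200 => :sacl_auto_inherit_req,
  0x0400 => :dacl_auto_inherited,   0x0800 => :sacl_auto_inherited,
  0x1000 => :dacl_protected,        0x2000 => :sacl_protected,
  0x4000 => :rm_control_valid,      0x8000 => :self_relative
}.freeze

# Only the three basic ACE types carry Mask(4) + SID right after the header.
ACE_TYPES = { 0 => :access_allowed, 1 => :access_denied, 2 => :system_audit }.freeze

# The byte stream from the issue, transcribed to hex (168 bytes), one row per structure.
ISSUE_HEX = <<~HEX
  01 00 04 94 8c 00 00 00 9c 00 00 00 00 00 00 00 14 00 00 00
  02 00 78 00 05 00 00 00
  00 02 18 00 19 00 02 00 01 02 00 00 00 00 00 05 20 00 00 00 21 02 00 00
  00 02 18 00 3f 00 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00
  00 0a 14 00 3f 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00
  00 02 18 00 19 00 02 00 01 02 00 00 00 00 00 0f 02 00 00 00 01 00 00 00
  00 02 14 00 3f 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00
  01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00
  01 01 00 00 00 00 00 05 12 00 00 00
HEX
ISSUE_BYTES = [ISSUE_HEX.delete(" \n")].pack('H*')

# SID = Revision(1) SubAuthorityCount(1) IdentifierAuthority(6, big-endian)
#       SubAuthority[count](4 each, little-endian). Returns [string form, byte length].
def parse_sid(buf, off)
  rev, count = buf[off, 2].to_s.unpack('CC')
  raise "bad SID revision #{rev.inspect} at offset #{off}" unless rev == 1
  authority = ("\x00\x00".b + buf[off + 2, 6]).unpack1('Q>')
  subs = buf[off + 8, 4 * count].to_s.unpack("V#{count}")
  raise "truncated SID at offset #{off}" if subs.size != count || subs.include?(nil)
  ["S-1-#{authority}-#{subs.join('-')}", 8 + 4 * count]
end

# ACL = AclRevision(1) Sbz1(1) AclSize(2) AceCount(2) Sbz2(2), then AceCount ACEs.
# ACE = AceType(1) AceFlags(1) AceSize(2) [Mask(4) SID]. AceSize drives the walk,
# and every ACE must stay inside AclSize so a hostile count cannot run off the buffer.
def parse_acl(buf, off)
  rev, _sbz1, size, count, _sbz2 = buf[off, 8].to_s.unpack('CCvvv')
  raise "truncated ACL header at offset #{off}" if count.nil?
  raise "ACL overruns buffer" if off + size > buf.bytesize
  aces = []
  pos = off + 8
  count.times do
    type, flags, ace_size = buf[pos, 4].to_s.unpack('CCv')
    raise "ACE overruns ACL at offset #{pos}" if ace_size.nil? || pos + ace_size > off + size
    ace = { type: ACE_TYPES.fetch(type, type), flags: flags, size: ace_size }
    if ACE_TYPES.key?(type)
      ace[:mask] = buf[pos + 4, 4].unpack1('V')
      ace[:sid] = parse_sid(buf, pos + 8).first
    end
    aces << ace
    pos += ace_size
  end
  { revision: rev, size: size, aces: aces }
end

# Header = Revision(1) Sbz1(1) Control(2, LE) OffsetOwner(4) OffsetGroup(4) OffsetSacl(4) OffsetDacl(4).
def parse_security_descriptor(raw)
  buf = raw.b
  rev, _sbz1, control, off_owner, off_group, off_sacl, off_dacl = buf[0, 20].to_s.unpack('CCvVVVV')
  raise "unsupported SD revision #{rev.inspect}" unless rev == 1
  flags = CONTROL_FLAGS.select { |bit, _| (control & bit) != 0 }.values
  raise "absolute SD: offsets would be pointers, not buffer offsets" unless flags.include?(:self_relative)
  {
    revision: rev, control: control, flags: flags,
    owner: off_owner.zero? ? nil : parse_sid(buf, off_owner).first,
    group: off_group.zero? ? nil : parse_sid(buf, off_group).first,
    # *_PRESENT set with a zero offset is a NULL ACL (no restrictions at all);
    # that is a different thing from the flag being clear, so return nil only then.
    dacl: flags.include?(:dacl_present) && off_dacl != 0 ? parse_acl(buf, off_dacl) : nil,
    sacl: flags.include?(:sacl_present) && off_sacl != 0 ? parse_acl(buf, off_sacl) : nil
  }
end

# The control word read little-endian (correct) and big-endian, for comparison.
def control_words(raw)
  word = raw.b[2, 2]
  [word.unpack1('v'), word.unpack1('n')]
end

if $PROGRAM_NAME == __FILE__
  sd = parse_security_descriptor(ISSUE_BYTES)
  printf("control=0x%04x [%s]\nowner=%s group=%s\n", sd[:control], sd[:flags].join(', '), sd[:owner], sd[:group])
  sd[:dacl][:aces].each { |a| printf("  %-15s flags=0x%02x mask=0x%08x %s\n", a[:type], a[:flags], a[:mask], a[:sid]) }
end
```

In the parsed DACL, mask 0x00020019 is KEY_READ and 0x000F003F is KEY_ALL_ACCESS; ACE flags 0x02 is CONTAINER_INHERIT_ACE and 0x0A adds INHERIT_ONLY_ACE (the CREATOR OWNER entry applies to subkeys only). The parser deliberately refuses absolute descriptors and bounds every ACE by AclSize, because a security descriptor returned over RPC or SMB is attacker-influenced input to whatever tool consumes it.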
