TStool.py with low priv user on DC crashes #1816

@Dfte

Configuration

impacket version: v0.13.0.dev0
Python version: python 3.10.12
Target OS: Windows Server 2019 domain controller

Debug Output With Command String

tstool.py WHITEFLAG/lowuser:"Defte@WF"@dc.whiteflag.local tasklist

Impacket v0.13.0.dev0+20240916.171021.65b774de - Copyright Fortra, LLC and its affiliated companies 

[-] unpack_from requires a buffer of at least 385176 bytes for unpacking 4 bytes at offset 385172 (actual buffer size is 15472)
[-] Error unpacking field 'ActualCount | <L=len(Data) | b'''
[-] unpack_from requires a buffer of at least 385176 bytes for unpacking 4 bytes at offset 385172 (actual buffer size is 15472)
[-] Error unpacking field 'pSid | <class 'impacket.dcerpc.v5.tsts.SID'> | b'''
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/EGG-INFO/scripts/tstool.py", line 658, in <module>
    tsHandler.run(remoteName, options.target_ip)
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/EGG-INFO/scripts/tstool.py", line 85, in run
    getattr(self,'do_'+self.__action)()
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/EGG-INFO/scripts/tstool.py", line 309, in do_tasklist
    r = legacy.hRpcWinStationGetAllProcesses(handle)
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/impacket/dcerpc/v5/tsts.py", line 3585, in hRpcWinStationGetAllProcesses
    procInfo.fromString(data)
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/impacket/dcerpc/v5/ndr.py", line 1164, in fromString
    offset += self.unpack(fieldName, fieldTypeOrClass, data, offset)
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/impacket/dcerpc/v5/ndr.py", line 304, in unpack
    return self.fields[fieldName].fromString(data, offset)
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/impacket/dcerpc/v5/ndr.py", line 1164, in fromString
    offset += self.unpack(fieldName, fieldTypeOrClass, data, offset)
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/impacket/dcerpc/v5/ndr.py", line 309, in unpack
    return self.unpack(fieldName, two[0], data, offset)
  File "/usr/local/lib/python3.10/dist-packages/impacket-0.13.0.dev0+20240916.171021.65b774de-py3.10.egg/impacket/dcerpc/v5/ndr.py", line 321, in unpack
    self.fields[fieldName] = unpack_from(fieldTypeOrClass, data, offset)[0]
struct.error: unpack_from requires a buffer of at least 385176 bytes for unpacking 4 bytes at offset 385172 (actual buffer size is 15472)
[-] unpack_from requires a buffer of at least 385176 bytes for unpacking 4 bytes at offset 385172 (actual buffer size is 15472)

This bug only occurs when using the tool as a low priv user against a DC. Otherwise it works perfectly.

Labels: bug (Unexpected problem or unintended behavior), medium (Medium priority item)
