Fix Kerberoast BOF crash on wildcard filters and output truncation #6
Open
chryzsh wants to merge 2 commits into outflanknl:main from
Conversation
- Reset bResult/bRoast flags each loop iteration to prevent stale state from causing NULL pointer dereference when a user without SPNs follows one with SPNs (root cause of beacon crash on svc_* filters)
- Add NULL guard in BeaconOutputStreamW to prevent dereferencing released stream pointer
- Replace BeaconPrintf with BeaconOutput for stream flush to avoid internal format buffer size limits that caused output truncation
- Fix bitwise OR to logical OR in LargeInteger attribute comparison

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
BeaconOutput sends raw bytes which breaks with UTF-16 wide-char data (embedded null bytes kill output). Instead, keep BeaconPrintf but flush the stream in 4096-char chunks to stay within its internal format buffer limits. Also bump allocation to cbSize + sizeof(WCHAR) to safely null-terminate the last chunk boundary.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary

The Kerberoast BOF crashes the beacon when using wildcard filters that match multiple accounts (e.g. kerberoast roast svc_* against ~28 results). Even when it didn't crash, output was silently truncated for large result sets.

Root Cause

- Crash — stale loop state (primary bug): The bResult and bRoast flags were only initialized once before the row iteration loop. When iterating LDAP results, if a user with SPNs was followed by a user without SPNs, bRoast remained TRUE from the previous iteration. This caused the code to attempt Kerberoasting a user whose SPN data was never populated, leading to a NULL pointer dereference and beacon crash.
- Crash — NULL stream dereference: BeaconOutputStreamW() could be called after the stream was already released, dereferencing a dangling/invalid pointer. A guard was added to bail out if lpStream is NULL or an invalid sentinel value.
- Output truncation: BeaconPrintf has an internal format buffer size limit. When the accumulated IStream content exceeded this limit (common with many tickets), output was silently truncated. This was not immediately obvious because the BOF appeared to succeed.

Changes

- Reset bResult/bRoast at the top of each row iteration (Kerberoast.c:304-305) — prevents stale state from a previous row from triggering Kerberoast logic on a user with no SPN data.
- Add NULL/sentinel guard in BeaconOutputStreamW() (Kerberoast.c:54-56) — prevents dereference of released or invalid stream pointers.
- Chunk the stream flush through BeaconPrintf in 4096-char blocks (Kerberoast.c:66-80) — works around the internal format buffer limit that caused truncation, while keeping BeaconPrintf (which handles wide-char %ls correctly, unlike BeaconOutput which chokes on embedded null bytes in UTF-16).
- Fix allocation size: cbSize + sizeof(WCHAR) instead of cbSize + 1 (Kerberoast.c:60) — ensures proper space for a wide-char null terminator rather than a single byte.
- Fix bitwise OR | to logical OR || (Kerberoast.c:397) — in the accountExpires attribute comparison. The bitwise OR worked by accident but was a latent bug.

Test Plan

- kerberoast roast svc_* against a domain with ~28 matching service accounts — previously crashed the beacon, now returns all tickets successfully with no truncation
- kerberoast list still works correctly
- kerberoast roast (single target) still works
- /excludeAES)

🤖 Generated with Claude Code
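The chunked flush described under Changes, as an added illustration in C that is not code from this PR or the repository: a callback stands in for the assumed BeaconPrintf(CALLBACK_OUTPUT, "%ls", chunk) call, wchar_t stands in for WCHAR (16-bit on Windows, wider on other platforms, so cbSize is derived from sizeof(wchar_t) here), and flush_wide_chunked, collect and demo_roundtrip are names chosen for this example. It shows why the buffer needs cbSize + sizeof(WCHAR) bytes and how each 4096-char chunk is terminated and restored so no character is lost at a boundary.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

#define CHUNK_CHARS 4096  /* keep each %ls argument inside the format buffer limit */
/* Sink standing in for BeaconPrintf(CALLBACK_OUTPUT, "%ls", chunk); hypothetical. */
typedef void (*chunk_sink_t)(const wchar_t *chunk, void *ctx);

/* Emit a wide-char buffer of cbSize bytes as CHUNK_CHARS-sized, null-terminated
 * pieces. buf must have room for cbSize + sizeof(wchar_t) bytes (the PR's
 * allocation fix). Returns the number of chunks emitted, 0 on bad input. */
size_t flush_wide_chunked(wchar_t *buf, size_t cbSize, chunk_sink_t sink, void *ctx) {
    if (buf == NULL || sink == NULL) return 0;
    size_t total = cbSize / sizeof(wchar_t), chunks = 0;
    buf[total] = L'\0';                 /* terminate the final chunk */
    for (size_t off = 0; off < total; off += CHUNK_CHARS) {
        size_t n = total - off < CHUNK_CHARS ? total - off : CHUNK_CHARS;
        wchar_t saved = buf[off + n];   /* cut the string at the chunk boundary... */
        buf[off + n] = L'\0';
        sink(buf + off, ctx);           /* ...so %ls prints exactly this chunk */
        buf[off + n] = saved;           /* ...then restore it for the next chunk */
        chunks++;
    }
    return chunks;
}

/* Test sink: reassemble the chunks so the round trip can be verified. */
typedef struct { wchar_t *out; size_t len; } collector_t;
static void collect(const wchar_t *chunk, void *ctx) {
    collector_t *c = (collector_t *)ctx;
    size_t n = wcslen(chunk);
    memcpy(c->out + c->len, chunk, n * sizeof(wchar_t));
    c->len += n;
    c->out[c->len] = L'\0';
}

/* Constructed input: 10000 characters, i.e. more than two full chunks.
 * Returns the chunk count when the reassembled output equals the input, else -1. */
int demo_roundtrip(void) {
    const size_t total = 10000, cbSize = total * sizeof(wchar_t);
    wchar_t *buf = malloc(cbSize + sizeof(wchar_t));  /* + sizeof(WCHAR), not + 1 */
    wchar_t *copy = malloc(cbSize + sizeof(wchar_t));
    collector_t c = { malloc(cbSize + sizeof(wchar_t)), 0 };
    for (size_t i = 0; i < total; i++) buf[i] = copy[i] = L'A' + (wchar_t)(i % 26);
    copy[total] = L'\0';
    size_t chunks = flush_wide_chunked(buf, cbSize, collect, &c);
    int ok = c.len == total && wcscmp(c.out, copy) == 0;
    free(buf); free(copy); free(c.out);
    return ok ? (int)chunks : -1;
}
```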