Allow toggling the SACL in queries

zeroSteiner · zeroSteiner · commit 4507a9f501c4 · 2025-11-26T16:13:51.000-05:00
diff --git a/lib/msf/core/exploit/remote/ldap/queries.rb b/lib/msf/core/exploit/remote/ldap/queries.rb
@@ -81,7 +81,7 @@ def perform_ldap_query(ldap, filter, attributes, base, schema_dn, scope: nil)
         results
       end
 
-      def perform_ldap_query_streaming(ldap, filter, attributes, base, schema_dn, scope: nil)
+      def perform_ldap_query_streaming(ldap, filter, attributes, base, schema_dn, scope: nil, controls: nil)
         if attributes.nil? || schema_dn.nil?
           attribute_properties = {}
         else
@@ -96,7 +96,7 @@ def perform_ldap_query_streaming(ldap, filter, attributes, base, schema_dn, scop
 
         scope ||= Net::LDAP::SearchScope_WholeSubtree
         result_count = 0
-        ldap.search(base: base, filter: filter, attributes: attributes, scope: scope, return_result: false) do |result|
+        ldap.search(base: base, filter: filter, attributes: attributes, scope: scope, controls: controls, return_result: false) do |result|
           result_count += 1
           yield result, attribute_properties if block_given?
         end
diff --git a/modules/auxiliary/gather/ldap_query.rb b/modules/auxiliary/gather/ldap_query.rb
@@ -6,6 +6,7 @@
 class MetasploitModule < Msf::Auxiliary
 
   include Msf::Exploit::Remote::LDAP
+  include Msf::Exploit::Remote::LDAP::ActiveDirectory
   include Msf::Exploit::Remote::LDAP::Queries
   include Msf::OptionalSession::LDAP
   require 'json'
@@ -66,6 +67,10 @@ def initialize(info = {})
       OptString.new('QUERY_FILTER', [false, 'Filter to send to the target LDAP server to perform the query'], conditions: %w[ACTION == RUN_SINGLE_QUERY]),
       OptString.new('QUERY_ATTRIBUTES', [false, 'Comma separated list of attributes to retrieve from the server'], conditions: %w[ACTION == RUN_SINGLE_QUERY])
     ])
+
+    register_advanced_options([
+      OptBool.new('LDAP::QuerySacl', [true, 'Query the SACL field from security descriptors (requires privileges)', true])
+    ])
   end
 
   def initialize_actions
@@ -185,7 +190,13 @@ def run
         fail_with(Failure::BadConfig, "Could not compile the filter #{filter_string}. Error was #{e}")
       end
 
-      result_count = perform_ldap_query_streaming(ldap, filter, attributes, query_base, schema_dn) do |result, attribute_properties|
+      controls = []
+      unless datastore['LDAP::QuerySacl']
+        # omit the control entirely if querying the SACL because that's the default behavior
+        controls = [adds_build_ldap_sd_control(sacl: false)]
+      end
+
+      result_count = perform_ldap_query_streaming(ldap, filter, attributes, query_base, schema_dn, controls: controls) do |result, attribute_properties|
         show_output(normalize_entry(result, attribute_properties), datastore['OUTPUT_FORMAT'])
       end
 
