Add Updates to LDAP ESC Vulnerable Cert Finder

docs/metasploit-framework.wiki/ad-certificates/Attacking-AD-CS-ESC-Vulnerabilities.md

@@ -1580,7 +1580,7 @@ msf6 auxiliary(admin/kerberos/get_ticket) > get_hash rhost=172.16.199.200 cert_f
 [*] Auxiliary module execution completed
 ```
 
-#### ESC16 Scenario 2
+## ESC16 Scenario 2
 If domain controllers are in Full Enforcement mode (`StrongCertificateBindingEnforcement` == 2), ESC16 alone would normally
 prevent authentication using certificates that lack the required SID extension. However, if the CA is also vulnerable
 to ESC6, which is defined as: `EDITF_ATTRIBUTESUBJECTALTNAME2` flag is set under it's `EditFlags` registry key, located here:

lib/msf/core/exploit/remote/ms_icpr.rb

@@ -420,14 +420,39 @@ def build_on_behalf_of(csr:, on_behalf_of:, cert:, key:, algorithm: 'SHA256')
   # @param [OpenSSL::X509::Certificate] cert
   # @return [Array<Rex::Proto::CryptoAsn1::ObjectId>] The policy OIDs if any were found.
   def get_cert_policy_oids(cert)
-    ext = cert.extensions.find { |e| e.oid == 'ms-app-policies' }
-    return [] unless ext
+    all_oids = []
 
-    cert_policies = Rex::Proto::CryptoAsn1::X509::CertificatePolicies.parse(ext.value_der)
-    cert_policies.value.map do |policy_info|
-      oid_string = policy_info[:policyIdentifier].value
-      Rex::Proto::CryptoAsn1::OIDs.value(oid_string) || Rex::Proto::CryptoAsn1::ObjectId.new(oid_string)
+    # ms-app-policies (CertificatePolicies) - existing handling
+    if (ext = cert.extensions.find { |e| e.oid == 'ms-app-policies' })
+      begin
+        cert_policies = Rex::Proto::CryptoAsn1::X509::CertificatePolicies.parse(ext.value_der)
+        cert_policies.value.each do |policy_info|
+          oid_string = policy_info[:policyIdentifier].value
+          all_oids << (Rex::Proto::CryptoAsn1::OIDs.value(oid_string) || Rex::Proto::CryptoAsn1::ObjectId.new(oid_string))
+        end
+      rescue StandardError => e
+        vprint_error("Failed to parse ms-app-policies from certificate with subject:\"#{cert.subject.to_s}\" and issuer:\"#{cert.issuer.to_s}\". #{e.class}: #{e.message}")
+      end
     end
+
+    # extendedKeyUsage - SEQUENCE OF OBJECT IDENTIFIER
+    if (eku_ext = cert.extensions.find { |e| e.oid == 'extendedKeyUsage' })
+      begin
+        asn1 = OpenSSL::ASN1.decode(eku_ext.value_der)
+        # asn1 should be a Sequence whose children are OBJECT IDENTIFIER nodes
+        if asn1.is_a?(OpenSSL::ASN1::Sequence)
+          asn1.value.each do |node|
+            next unless node.is_a?(OpenSSL::ASN1::ObjectId)
+            oid_string = node.value
+            all_oids << (Rex::Proto::CryptoAsn1::OIDs.value(oid_string) || Rex::Proto::CryptoAsn1::ObjectId.new(oid_string))
+          end
+        end
+      rescue StandardError => e
+        vprint_error("Failed to parse extendedKeyUsage from certificate with subject:\"#{cert.subject.to_s}\" and issuer:\"#{cert.issuer.to_s}\". #{e.class}: #{e.message}")
+      end
+    end
+
+    all_oids
   end