From 38af96a7ba77b3e122b969c263c4209ae3a32b76 Mon Sep 17 00:00:00 2001
From: Philip Woolford
Date: Sun, 5 Jan 2020 16:54:58 +1030
Subject: [PATCH 1/2] Prevent constraint violation on objects with restrictive permissions

Restrict access to ADSI object so they're only writting to the ACL. This fixes an issue writting an ACL when you exclusively have `WriteDACL` permission on a object.
---
 Recon/PowerView.ps1 | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1
index d35a9f02..b51863c4 100755
--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
@@ -3629,7 +3629,14 @@ function Add-ObjectAcl {
 # add all the new ACEs to the specified object
 ForEach ($ACE in $ACEs) {
 Write-Verbose "Granting principal $ResolvedPrincipalSID '$($ACE.ObjectType)' rights on $($_.Properties.distinguishedname)"
+ # resolve the object
 $Object = [adsi]($_.path)
+
+ # restrict object changes to ACL only
+ [System.DirectoryServices.DirectoryEntryConfiguration]$SecOptions = $Object.get_Options()
+ $SecOptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]’Dacl’
+
+ # add ACE
 $Object.PsBase.ObjectSecurity.AddAccessRule($ACE)
 $Object.PsBase.commitchanges()
 }

From 5ca7ba08fe86dc3f28e07b4316a6b1710b134eff Mon Sep 17 00:00:00 2001
From: Philip Woolford
Date: Mon, 20 Jan 2020 23:58:24 +1030
Subject: [PATCH 2/2] Fix smart quotes

Smart quotes in the previous patch caused issue importing the script.
---
 Recon/PowerView.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1
index b51863c4..81a5e2a7 100755
--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
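Review bot: The two added lines `[System.DirectoryServices.DirectoryEntryConfiguration]$SecOptions = $Object.get_Options()` and `$SecOptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Dacl'` can be the single idiomatic statement `$Object.PsBase.Options.SecurityMasks = 'Dacl'`; the explicit type accelerator and the `get_` accessor add nothing, and the intermediate `$SecOptions` is never used again. The comment `# restrict object changes to ACL only` should state why the mask matters, since that is the entire fix; I would write `# write back only the DACL of nTSecurityDescriptor; the default mask presumably also rewrites owner/group, which fails with a constraint violation when the caller holds WriteDACL but not WriteOwner` (the cause is inferred from the commit message, so confirm before wording it as fact). As far as I know the mask has to be in place before `ObjectSecurity` is first read and committed, which the current ordering satisfies, so keep the new statement above the `AddAccessRule` call if it is moved. Note that the bind, the mask and `commitchanges()` all still run once per `$ACE` inside the loop, so granting several rights produces one LDAP modify per ACE; hoisting the bind and mask above `ForEach ($ACE in $ACEs)` and committing once after it would be cheaper, at the cost of coarser failure granularity. `Add-ObjectAcl` and the enclosing pipeline scope that supplies `$_` both begin outside this hunk.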
@@ -3634,7 +3634,7 @@ function Add-ObjectAcl {
 # restrict object changes to ACL only
 [System.DirectoryServices.DirectoryEntryConfiguration]$SecOptions = $Object.get_Options()
- $SecOptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]’Dacl’
+ $SecOptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Dacl'

 # add ACE
 $Object.PsBase.ObjectSecurity.AddAccessRule($ACE)