Land #592, Fix #584: Close memory and handle leaks

2025-03-18 15:14:10 +01:00 · 2022-11-10 16:10:23 -06:00 · 2022-11-10 16:10:23 -06:00 · 3d8b02f17b
commit 3d8b02f17b
parent c2bc9b2b4a f5bae3b63c
1 changed files with 151 additions and 128 deletions
--- a/c/meterpreter/source/extensions/incognito/list_tokens.c
+++ b/c/meterpreter/source/extensions/incognito/list_tokens.c
@ -189,12 +189,13 @@ SavedToken *get_token_list(DWORD *num_tokens_enum, TOKEN_PRIVS *token_privs)
 				{
 					hObject = NULL;
-					if (DuplicateHandle(process, (HANDLE)(DWORD_PTR)((i + 1) * 4),
+					if (DuplicateHandle(process, (HANDLE)(DWORD_PTR)((i + 1) * 4), GetCurrentProcess(), &hObject, MAXIMUM_ALLOWED, FALSE, 0x02))
 						GetCurrentProcess(), &hObject, MAXIMUM_ALLOWED, FALSE, 0x02) != FALSE)
 					{
 						LPWSTR lpwsType = NULL;
 						lpwsType = GetObjectInfo(hObject, ObjectTypeInformation);
-						if ((lpwsType != NULL) && !wcscmp(lpwsType, L"Token") && ImpersonateLoggedOnUser(hObject) != 0)
+						if (lpwsType)
 						{
 							if (wcscmp(lpwsType, L"Token") && (ImpersonateLoggedOnUser(hObject)))
 							{
 								// ImpersonateLoggedOnUser() always returns true. Need to check whether impersonated token kept impersonate status - failure degrades to identification
 								// also revert to self after getting new token context
@ -207,9 +208,12 @@ SavedToken *get_token_list(DWORD *num_tokens_enum, TOKEN_PRIVS *token_privs)
 									if (*num_tokens_enum >= token_list_size)
 									{
 										token_list_size *= 2;
-									token_list = (SavedToken*)realloc(token_list, token_list_size*sizeof(SavedToken));
+										token_list = (SavedToken*)realloc(token_list, token_list_size * sizeof(SavedToken));
 										if (!token_list)
 										{
 											CloseHandle(hObject2);
 											CloseHandle(hObject);
 											CloseHandle(process);
 											goto cleanup;
 										}
 									}
@ -271,10 +275,17 @@ SavedToken *get_token_list(DWORD *num_tokens_enum, TOKEN_PRIVS *token_privs)
 									(*num_tokens_enum)++;
 								}
 								else {
 									CloseHandle(hObject);
 								}
 								CloseHandle(hObject2);
 							}
-						else
+							else {
-						{
+								CloseHandle(hObject);
 							}
 							free(lpwsType);
 						}
 						else {
 							CloseHandle(hObject);
 						}
 					}
@ -282,8 +293,9 @@ SavedToken *get_token_list(DWORD *num_tokens_enum, TOKEN_PRIVS *token_privs)
 				// Also process primary
 				// if has impersonate privs, only needs read access
-				if (OpenProcessToken(process, MAXIMUM_ALLOWED, &hObject) && ImpersonateLoggedOnUser(hObject))
+				if (OpenProcessToken(process, MAXIMUM_ALLOWED, &hObject))
 				{
 					if (ImpersonateLoggedOnUser(hObject)) {
 						// ImpersonateLoggedOnUser() always returns true. Need to check whether impersonated token kept impersonate status - failure degrades to identification
 						// also revert to self after getting new token context
 						// only process if it was impersonation or higher
@ -345,14 +357,25 @@ SavedToken *get_token_list(DWORD *num_tokens_enum, TOKEN_PRIVS *token_privs)
 									}
 								}
 							}
-
+							else {
 								CloseHandle(hObject);
 							}
 							CloseHandle(hObject2);
 						}
 						else {
 							CloseHandle(hObject);
 						}
 					}
 					else {
 						dprintf("[INCOGNITO] Failed next level impersonation, ImpersonateLoggedOnUser failed with %u (%x)", GetLastError(), GetLastError());
 						CloseHandle(hObject);
 					}
 				}
 				else
 				{
-					dprintf("[INCOGNITO] Failed next level impersonation with %u (%x)", GetLastError(), GetLastError());
+					dprintf("[INCOGNITO] Failed next level impersonation, OpenProcessToken failed with %u (%x)", GetLastError(), GetLastError());
 				}
 				CloseHandle(process);
 			}
 			dprintf("[INCOGNITO] Moving to next process from %p", pProcessInfo);