Land #592, Fix #584: Close memory and handle leaks

2025-02-22 03:19:04 +01:00 · 2022-11-10 16:10:23 -06:00 · 2022-11-10 16:10:23 -06:00 · 3d8b02f17b
commit 3d8b02f17b
parent c2bc9b2b4a f5bae3b63c
1 changed files with 151 additions and 128 deletions
--- a/c/meterpreter/source/extensions/incognito/list_tokens.c
+++ b/c/meterpreter/source/extensions/incognito/list_tokens.c
@ -189,12 +189,13 @@ SavedToken *get_token_list(DWORD *num_tokens_enum, TOKEN_PRIVS *token_privs)
 				{
 					hObject = NULL;

-					if (DuplicateHandle(process, (HANDLE)(DWORD_PTR)((i + 1) * 4),
-						GetCurrentProcess(), &hObject, MAXIMUM_ALLOWED, FALSE, 0x02) != FALSE)
+					if (DuplicateHandle(process, (HANDLE)(DWORD_PTR)((i + 1) * 4), GetCurrentProcess(), &hObject, MAXIMUM_ALLOWED, FALSE, 0x02))
 					{
 						LPWSTR lpwsType = NULL;
 						lpwsType = GetObjectInfo(hObject, ObjectTypeInformation);
-						if ((lpwsType != NULL) && !wcscmp(lpwsType, L"Token") && ImpersonateLoggedOnUser(hObject) != 0)
+						if (lpwsType)
+						{
+							if (wcscmp(lpwsType, L"Token") && (ImpersonateLoggedOnUser(hObject)))
 							{
 								// ImpersonateLoggedOnUser() always returns true. Need to check whether impersonated token kept impersonate status - failure degrades to identification
 								// also revert to self after getting new token context
@ -210,6 +211,9 @@ SavedToken *get_token_list(DWORD *num_tokens_enum, TOKEN_PRIVS *token_privs)
 										token_list = (SavedToken*)realloc(token_list, token_list_size * sizeof(SavedToken));
 										if (!token_list)
 										{
+											CloseHandle(hObject2);
+											CloseHandle(hObject);
+											CloseHandle(process);
 											goto cleanup;
 										}
 									}
@ -271,10 +275,17 @@ SavedToken *get_token_list(DWORD *num_tokens_enum, TOKEN_PRIVS *token_privs)

 									(*num_tokens_enum)++;
 								}
+								else {
+									CloseHandle(hObject);
+								}
 								CloseHandle(hObject2);
 							}
-						else
-						{
+							else {
+								CloseHandle(hObject);
+							}
+							free(lpwsType);
+						}
+						else {
 							CloseHandle(hObject);
 						}
 					}
@ -282,8 +293,9 @@ SavedToken *get_token_list(DWORD *num_tokens_enum, TOKEN_PRIVS *token_privs)

 				// Also process primary
 				// if has impersonate privs, only needs read access
-				if (OpenProcessToken(process, MAXIMUM_ALLOWED, &hObject) && ImpersonateLoggedOnUser(hObject))
+				if (OpenProcessToken(process, MAXIMUM_ALLOWED, &hObject))
 				{
+					if (ImpersonateLoggedOnUser(hObject)) {
 						// ImpersonateLoggedOnUser() always returns true. Need to check whether impersonated token kept impersonate status - failure degrades to identification
 						// also revert to self after getting new token context
 						// only process if it was impersonation or higher
@ -345,14 +357,25 @@ SavedToken *get_token_list(DWORD *num_tokens_enum, TOKEN_PRIVS *token_privs)
 									}
 								}
 							}
-
+							else {
+								CloseHandle(hObject);
+							}
 							CloseHandle(hObject2);
 						}
+						else {
+							CloseHandle(hObject);
+						}
+					}
+					else {
+						dprintf("[INCOGNITO] Failed next level impersonation, ImpersonateLoggedOnUser failed with %u (%x)", GetLastError(), GetLastError());
+						CloseHandle(hObject);
+					}
 				}
 				else
 				{
-					dprintf("[INCOGNITO] Failed next level impersonation with %u (%x)", GetLastError(), GetLastError());
+					dprintf("[INCOGNITO] Failed next level impersonation, OpenProcessToken failed with %u (%x)", GetLastError(), GetLastError());
 				}
+				CloseHandle(process);
 			}

 			dprintf("[INCOGNITO] Moving to next process from %p", pProcessInfo);