
Close the handle when it wasn't copied

Close the hObject handle when it wasn't copied into token_list.
This commit is contained in:
Spencer McIntyre 2022-11-10 15:34:18 -05:00
parent d0ab25e521
commit 80e8b721ef

@ -189,8 +189,7 @@ SavedToken *get_token_list(DWORD *num_tokens_enum, TOKEN_PRIVS *token_privs)
{ {
hObject = NULL; hObject = NULL;
if (DuplicateHandle(process, (HANDLE)(DWORD_PTR)((i + 1) * 4), if (DuplicateHandle(process, (HANDLE)(DWORD_PTR)((i + 1) * 4), GetCurrentProcess(), &hObject, MAXIMUM_ALLOWED, FALSE, 0x02))
GetCurrentProcess(), &hObject, MAXIMUM_ALLOWED, FALSE, 0x02) != FALSE)
{ {
LPWSTR lpwsType = NULL; LPWSTR lpwsType = NULL;
lpwsType = GetObjectInfo(hObject, ObjectTypeInformation); lpwsType = GetObjectInfo(hObject, ObjectTypeInformation);
@ -273,8 +272,14 @@ SavedToken *get_token_list(DWORD *num_tokens_enum, TOKEN_PRIVS *token_privs)
(*num_tokens_enum)++; (*num_tokens_enum)++;
} }
else {
CloseHandle(hObject);
}
CloseHandle(hObject2); CloseHandle(hObject2);
} }
else {
CloseHandle(hObject);
}
free(lpwsType); free(lpwsType);
} }
else { else {
@ -285,8 +290,9 @@ SavedToken *get_token_list(DWORD *num_tokens_enum, TOKEN_PRIVS *token_privs)
// Also process primary // Also process primary
// if has impersonate privs, only needs read access // if has impersonate privs, only needs read access
if (OpenProcessToken(process, MAXIMUM_ALLOWED, &hObject) && ImpersonateLoggedOnUser(hObject)) if (OpenProcessToken(process, MAXIMUM_ALLOWED, &hObject))
{ {
if (ImpersonateLoggedOnUser(hObject)) {
// ImpersonateLoggedOnUser() always returns true. Need to check whether impersonated token kept impersonate status - failure degrades to identification // ImpersonateLoggedOnUser() always returns true. Need to check whether impersonated token kept impersonate status - failure degrades to identification
// also revert to self after getting new token context // also revert to self after getting new token context
// only process if it was impersonation or higher // only process if it was impersonation or higher
@ -348,13 +354,23 @@ SavedToken *get_token_list(DWORD *num_tokens_enum, TOKEN_PRIVS *token_privs)
} }
} }
} }
else {
CloseHandle(hObject);
}
CloseHandle(hObject2); CloseHandle(hObject2);
} }
else {
CloseHandle(hObject);
}
}
else {
dprintf("[INCOGNITO] Failed next level impersonation, ImpersonateLoggedOnUser failed with %u (%x)", GetLastError(), GetLastError());
CloseHandle(hObject);
}
} }
else else
{ {
dprintf("[INCOGNITO] Failed next level impersonation with %u (%x)", GetLastError(), GetLastError()); dprintf("[INCOGNITO] Failed next level impersonation, OpenProcessToken failed with %u (%x)", GetLastError(), GetLastError());
} }
CloseHandle(process); CloseHandle(process);
} }
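Review bot: The new `else` branch that logs `ImpersonateLoggedOnUser failed` and closes `hObject` is now contradicted by the unchanged comment in the preceding hunk, `// ImpersonateLoggedOnUser() always returns true. ...`, which the new `if (ImpersonateLoggedOnUser(hObject))` test relies on being false; the comment should be reworded to something like `// ImpersonateLoggedOnUser() can succeed without granting impersonation: check the resulting token's impersonation level (failure degrades to identification) and revert to self afterwards`. The two `else { CloseHandle(hObject); }` branches added at the top of this hunk close the token handle on paths where ImpersonateLoggedOnUser() had already succeeded, so the thread is presumably still impersonating there unless a RevertToSelf() sits in the lines not shown — worth confirming against the full function, since a leaked impersonation context would carry into the next iteration's OpenProcess/DuplicateHandle calls. The same `GetLastError()` double-evaluation pattern as the pre-existing log line is used in the new dprintf; it is harmless here but capturing `DWORD err = GetLastError();` once would be cleaner. get_token_list() starts and ends outside this hunk.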