C4ssandre
4bfd9e4b2a
Fixing a little error.
2020-12-10 05:15:37 -05:00
C4ssandre
4883050f7f
Adding new options to the module. Now it is possible to choose which process to launch as SYSTEM, as well as the port the exploit will listen on (because on some Windows configurations, WinRM should listen on port 47001).
2020-12-10 03:53:06 -05:00
C4ssandre
61f76b77b9
Removing a useless batch of token verification code.
2020-12-08 13:43:32 -05:00
C4ssandre
d997b07ded
Fixing inconsistency in flags for spnego token processes.
2020-12-08 13:35:40 -05:00
C4ssandre
bda377cb7e
Passing "notepad.exe" to const.
2020-12-08 13:19:56 -05:00
C4ssandre
43b49672d3
Removing old commented code.
2020-12-08 13:16:10 -05:00
C4ssandre
b903595443
Improving the function in charge of isolating the B64 negotiate token from the NTLM1 request.
2020-12-08 13:14:45 -05:00
C4ssandre
58997efe9d
Complete change of the IsTokenSystem function. Now the function uses the Windows built-in API to check if the token is SYSTEM instead of checking the username wstring. I did that because I noticed that in foreign languages, the SYSTEM account can be called differently, such as "système" in French. Moreover, the original function was buggy and the exploit only succeeded because the tested account was called "système", and the function checked that the account was different from "SYSTEM".
2020-12-08 10:39:45 -05:00
C4ssandre
b39eb0658a
Reorganizing code in order to free allocated memory space.
2020-12-08 00:11:49 -05:00
C4ssandre
6821e52095
Adding a calloc check.
2020-12-07 23:45:12 -05:00
C4ssandre
669e668b65
Fixing potential buffer overflow.
2020-12-07 23:42:04 -05:00
C4ssandre
c7d9d02490
Initializing service to zero.
2020-12-07 23:26:36 -05:00
C4ssandre
e58c14add7
Removing old and weird commented code.
2020-12-07 23:25:59 -05:00
C4ssandre
60638160a7
Replacing all manual zero initializations with one ZeroMemory at the start of the constructor.
2020-12-07 23:24:54 -05:00
C4ssandre
6bdbdd7f62
Removing a useless call to WTSGetActiveConsoleSessionId
2020-12-07 21:39:07 -05:00
C4ssandre
ff8981c4ee
Various little corrections.
2020-12-07 21:38:55 -05:00
C4ssandre
8a3790f265
Adding process information to hide notepad.exe when launching.
2020-12-07 21:38:30 -05:00
C4ssandre
46f59a76f0
Removing the PowerShell payload serving method and replacing it with just writing and executing in the remote SYSTEM process.
2020-12-07 21:37:35 -05:00
C4ssandre
b935842cc5
Updating an outdated comment.
2020-12-07 21:37:24 -05:00
C4ssandre
d05bffdab3
Adding more detailed debug messages.
2020-12-07 21:36:34 -05:00
C4ssandre
c7f832526d
Fixing unfreed allocated memory space.
2020-11-30 14:54:19 +00:00
C4ssandre
381d371e8e
Adding a check after memory allocation for localNegotiator object.
2020-11-30 14:47:20 +00:00
C4ssandre
08a744c1a6
Fixing a bad return code (ERROR_HEAP_ALLOC_FAILURE -> ERROR_NOT_ENOUGH_PRIVILEGES).
2020-11-30 14:44:20 +00:00
C4ssandre
0ce9d585cb
Adding a line of dprintf for debugging.
2020-11-30 14:42:22 +00:00
C4ssandre
9d298c4059
Changing a code line to improve readability.
2020-11-30 14:39:10 +00:00
C4ssandre
49dbff8c27
Correction of a slightly wrong error code in a return value.
2020-10-28 16:05:51 +00:00
C4ssandre
53d358dd33
Update of a comment.
2020-10-28 16:00:28 +00:00
C4ssandre
f9b0aecc8f
Changing the debug system. Now, dprintf prints readable and filterable output logs. The debug boolean defined in the entry point was removed.
2020-10-28 15:52:18 +00:00
C4ssandre
7ec20cfb0e
Integration of the PowerShell module into the exploit. Now, Metasploit is in charge of creating the PowerShell payload and transmitting it to the running exploit (instead of raw shellcode transformed into PowerShell, as previously).
2020-10-25 19:50:45 +00:00
C4ssandre
d93c2d03fb
Fixing a bug preventing very large PowerShell payloads from being served.
2020-10-25 19:00:39 +00:00
C4ssandre
64cbd7de49
Fixing typos in comments.
2020-10-25 18:57:56 +00:00
C4ssandre
868f406c2d
Improvement by setting all buffers explicitly to 0 at initialization.
2020-10-25 18:52:12 +00:00
C4ssandre
567367c0ac
Fixing a bug caused by base64 functions writing a long in an area expecting a short.
2020-10-25 18:41:11 +00:00
C4ssandre
8d9a0c1926
Removing extra ";"
2020-10-25 18:30:13 +00:00
C4ssandre
03b7c00fce
Replacing a malloc with a calloc for more reliability.
2020-09-29 00:07:37 +00:00
C4ssandre
cbb07ec208
Replacing the old "homemade" base64 encoding and decoding functions with wincrypt.h functions (CryptBinaryToStringA and CryptStringToBinaryA). Adding some small adjustments to the calling functions of the elevator server.
2020-09-29 00:05:49 +00:00
C4ssandre
de5390a4a7
Fixing typo. Not important.
2020-09-28 23:41:45 +00:00
C4ssandre
695e541682
Fixing the unused result of the DuplicateTokenEx() function. Now, the returned error code is used for monitoring the calling function's process.
2020-09-28 23:41:19 +00:00
C4ssandre
d4c1f65e99
Fixing typo in description comments of function IsTokenSystem().
2020-09-28 23:25:08 +00:00
C4ssandre
e533626aa0
Fixing the non-use of error codes in the IsTokenSystem() function. Now error codes are controlled, and if the token does not belong to SYSTEM, RunRogueWinRM returns the proper error code.
2020-09-28 23:23:49 +00:00
C4ssandre
a2ef556cd8
Fixing redundant ZeroMemory instruction.
2020-09-28 23:17:06 +00:00
C4ssandre
234ddd2c1c
Fixing typo in HEAP_ALLOC_FAILURE constant name.
2020-09-28 23:13:47 +00:00
C4ssandre
494e3d113e
Adding new and more granular error codes.
2020-09-28 23:10:46 +00:00
C4ssandre
1b68a41c9a
Formatting code by removing whitespaces.
2020-08-28 17:34:49 +02:00
C4ssandre
995d6a7fc9
Changing all printf and wprintf calls to the dprintf macro, defined in pch.h.
2020-08-28 15:27:23 +02:00
C4ssandre
3336040f2d
Adding a new privilege escalation exploit for Windows.
...
New files and folders:
- metasploit-framework/modules/exploits/windows/local/bits_ntlm_token_impersonation.rb
- metasploit-framework/data/exploits/drunkpotato/
- metasploit-framework/external/source/exploits/drunkpotato/
2020-08-25 14:27:41 +02:00