Commit Graph

29 Commits

Author SHA1 Message Date
C4ssandre 4883050f7f Adding new options to module. Now it is possible to choose which process to launch as SYSTEM, as well as the port the exploit will listen on (because on some Windows configurations, WinRM should listen on port 47001). 2020-12-10 03:53:06 -05:00
C4ssandre 61f76b77b9 Removing useless token verification batch of code. 2020-12-08 13:43:32 -05:00
C4ssandre bda377cb7e Passing "notepad.exe" to const. 2020-12-08 13:19:56 -05:00
C4ssandre 58997efe9d Complete change of IsTokenSystem function. Now the function uses the Windows built-in API to check if the token is SYSTEM instead of checking the username wstring. I did that because I noticed that in foreign languages, the SYSTEM account can be called differently, such as "système" in French. Moreover, the original function was buggy and the exploit only succeeded because the tested account was called "système", and the function checked that the account is different from "SYSTEM". 2020-12-08 10:39:45 -05:00
C4ssandre 6bdbdd7f62 Removing a useless call to WTSGetActiveConsoleSessionId 2020-12-07 21:39:07 -05:00
C4ssandre ff8981c4ee Various little corrections. 2020-12-07 21:38:55 -05:00
C4ssandre 8a3790f265 Adding process information to hide notepad.exe when launching. 2020-12-07 21:38:30 -05:00
C4ssandre 46f59a76f0 Removing powershell payload serving method, and replacing it with just writing and executing in the remote SYSTEM process. 2020-12-07 21:37:35 -05:00
C4ssandre b935842cc5 Updating an outdated comment. 2020-12-07 21:37:24 -05:00
C4ssandre d05bffdab3 Adding more detailed debug messages. 2020-12-07 21:36:34 -05:00
C4ssandre 381d371e8e Adding a check after memory allocation for the localNegotiator object. 2020-11-30 14:47:20 +00:00
C4ssandre 08a744c1a6 Fixing a bad return code (ERROR_HEAP_ALLOC_FAILURE -> ERROR_NOT_ENOUGH_PRIVILEGES). 2020-11-30 14:44:20 +00:00
C4ssandre 0ce9d585cb Adding a line of dprintf for debugging. 2020-11-30 14:42:22 +00:00
C4ssandre 9d298c4059 Change code line for improving readability. 2020-11-30 14:39:10 +00:00
C4ssandre 49dbff8c27 Correction of a little wrong error code in return value. 2020-10-28 16:05:51 +00:00
C4ssandre 53d358dd33 Update of a comment. 2020-10-28 16:00:28 +00:00
C4ssandre f9b0aecc8f Changing debug system. Now, dprintf prints readable and filterable output logs. Debug boolean defined in entry point was removed. 2020-10-28 15:52:18 +00:00
C4ssandre 7ec20cfb0e Integration of powershell module into exploit. Now, metasploit is in charge of creating the powershell payload and transmitting it to the running exploit (instead of raw shellcode transformed into powershell previously). 2020-10-25 19:50:45 +00:00
C4ssandre 64cbd7de49 Fixing typos in comments. 2020-10-25 18:57:56 +00:00
C4ssandre de5390a4a7 Fixing typo. Not important. 2020-09-28 23:41:45 +00:00
C4ssandre 695e541682 Fixing unused result of DuplicateTokenEx() function. Now, the returned error code is used for monitoring the calling function process. 2020-09-28 23:41:19 +00:00
C4ssandre d4c1f65e99 Fixing typo in description comments of function IsTokenSystem(). 2020-09-28 23:25:08 +00:00
C4ssandre e533626aa0 Fixing non-use of error codes in function IsTokenSystem(). Now error codes are controlled and if token does not belong to SYSTEM, RunRogueWinRM returns the proper error code. 2020-09-28 23:23:49 +00:00
C4ssandre a2ef556cd8 Fixing redundant ZeroMemory instruction. 2020-09-28 23:17:06 +00:00
C4ssandre 234ddd2c1c Fixing typo in HEAP_ALLOC_FAILURE constant name. 2020-09-28 23:13:47 +00:00
C4ssandre 494e3d113e Adding new and more granular error codes. 2020-09-28 23:10:46 +00:00
C4ssandre 1b68a41c9a Formatting code by removing whitespaces. 2020-08-28 17:34:49 +02:00
C4ssandre 995d6a7fc9 Changing all printf and wprintf to dprintf macro, defined in pch.h 2020-08-28 15:27:23 +02:00
C4ssandre 3336040f2d Adding a new privilege escalation exploit for Windows.
New files and folders:

- metasploit-framework/modules/exploits/windows/local/bits_ntlm_token_impersonation.rb

- metasploit-framework/data/exploits/drunkpotato/

- metasploit-framework/external/source/exploits/drunkpotato/
2020-08-25 14:27:41 +02:00