Metasploit: Re: Using AdjustTokenPrivileges via Meterpreter Railgun

Metasploit mailing list archives

Re: Using AdjustTokenPrivileges via Meterpreter Railgun

From: Rob Fuller <mubix () room362 com>
Date: Thu, 10 Jan 2013 15:34:44 -0500

The only way I know to make structs is to create them in ruby, byte for
bytes, get a size and write them to memory, then point what needs the
struct at that memory space (keeping in mind endianess)

Chao-mu was working on an automated way to do this but I don't think he
finished it. I do believe others have done this in other modules too. Look
for any write memory stuff in the post modules section.


--
Rob Fuller | Mubix
Certified Checkbox Unchecker
Room362.com | Hak5.org


On Mon, Jan 7, 2013 at 3:45 PM, Spencer, Shelby C
<Shelby_C_Spencer () rl gov>wrote:

Hi,****

** **

I’m trying to add a couple token privilege to the current process
Meterpreter is running under like so:****

** **

hcurrent = client.railgun.kernel32.GetCurrentProcess****

hcurrentToken =
client.railgun.advapi32.OpenProcessToken(hcurrent["return"], 40, 4) ****

SeIncreaseQuotaPrivilege =
client.railgun.advapi32.LookupPrivilegeValueW(nil,
"SeIncreaseQuotaPrivilege", 4)****

SeAssignPrimaryTokenPrivilege =
client.railgun.advapi32.LookupPrivilegeValueW(nil,
"SeAssignPrimaryTokenPrivilege", 4)****

client.railgun.advapi32.AdjustTokenPrivileges(hcurrentToken["TokenHandle"],
false, <PTOKEN_PRIVILEGES Struct Here>, 0, nil, nil)****

** **

According to the MSDN documentation on AdjustTokenPrivileges (
http://msdn.microsoft.com/en-us/library/windows/desktop/aa375202%28v=vs.85%29.aspx),
the PTOKEN_PRIVILEGES struct should look something like this:****

privileges = {"PrivilegeCount" => 2, "Privileges" => [{"Luid" =>
SeIncreaseQuotaPrivilege["lpLuid"], "Attributes" => 2}, {"Luid" =>
SeIncreaseQuotaPrivilege["lpLuid"], "Attributes" => 2}]} #Ruby syntax****

** **

Obviously this complicated struct needs to be packed somehow using Ruby’s
“pack” command, but the problem is that I have no idea how to begin.  I
can’t find any documentation or any other modules which do anything
similarly complex.****

The closest code I found was in Metasm source:
https://github.com/rapid7/metasploit-framework/blob/master/lib/metasm/metasm/os/windows.rb
****

I couldn’t seem to figure out how to translate this to my method using
Railgun, or call the Metasm module and methods in that file directly.****

** **

I’m sure this is probably pretty simple, I just need a little guidance.***
*

** **

Thanks in advance,****

shellster****

** **

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

By Date By Thread

Current thread:

Using AdjustTokenPrivileges via Meterpreter Railgun Spencer, Shelby C (Jan 07)
- Re: Using AdjustTokenPrivileges via Meterpreter Railgun Rob Fuller (Jan 10)
- <Possible follow-ups>
- Re: Using AdjustTokenPrivileges via Meterpreter Railgun Spencer, Shelby C (Jan 14)
  - Re: Using AdjustTokenPrivileges via Meterpreter Railgun devin bjelland (Jan 16)
    - Re: Using AdjustTokenPrivileges via Meterpreter Railgun Rob Fuller (Jan 16)
    - Re: Using AdjustTokenPrivileges via Meterpreter Railgun Spencer, Shelby C (Jan 16)