search

rapid7 / metasploit-payloads

Unified repository for different Metasploit Framework payloads
Other
1.72k stars 668 forks source link

get_user_token fails if thread is holding an impersonation token #699

Open upsidedwn opened 8 months ago

upsidedwn commented 8 months ago

Currently, get_user_token fails if the current thread is holding an impersonation token.

meterpreter > getsid
[-] stdapi_sys_config_getsid: Operation failed: Access is denied.

Here, we see that OpenAsSelf is set to FALSE. https://github.com/rapid7/metasploit-payloads/blob/7ff8ee535f2d29c39c8d176d2d5a7baad1889c06/c/meterpreter/source/extensions/stdapi/server/sys/config/config.c#L137-L143

From MSDN, we see that the call will fail.

The OpenAsSelf parameter allows the caller of this function to open the access token of a specified thread when the caller is impersonating a token at SecurityIdentification level. Without this parameter, the calling thread cannot open the access token on the specified thread because it is impossible to open executive-level objects by using the SecurityIdentification impersonation level.

Would suggest we try again if with OpenAsSelf set to TRUE, if the existing two tries fail. If this is acceptable, I can create a PR.

 if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, FALSE, &hToken)) 
 { 
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) 
    { 
            if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &hToken)) 
            {
                BREAK_ON_ERROR("[TOKEN] Failed to get a valid token for thread/process."); 
            }
    } 
 }
smcintyre-r7 commented 6 months ago

I think that sounds like a reasonable solution.