Re: Using AdjustTokenPrivileges via Meterpreter Railgun

["Spencer, Shelby C" <Shelby_C_Spencer () rl gov>]

Thanks Mubix for your response.  I understand that I need to construct the Struct as a byte sequence, but I don't know 
what that should look like.  Is there a guide on this?  Does it follow some predefined standard (of which I am not 
aware)?


Date: Thu, 10 Jan 2013 15:34:44 -0500
From: Rob Fuller <mubix () room362 com>
To: "Spencer, Shelby C" <Shelby_C_Spencer () rl gov>
Cc: "framework () spool metasploit com" <framework () spool metasploit com>
Subject: Re: [framework] Using AdjustTokenPrivileges via Meterpreter
        Railgun
Message-ID:
        <CAP-=ew18BsdmPJHRgrXXd==hubNSrakdhtXyKG2SA+wAzFrWOw () mail gmail com>
Content-Type: text/plain; charset="windows-1252"

The only way I know to make structs is to create them in ruby, byte for bytes, get a size and write them to memory, 
then point what needs the struct at that memory space (keeping in mind endianess)

Chao-mu was working on an automated way to do this but I don't think he finished it. I do believe others have done this 
in other modules too. Look for any write memory stuff in the post modules section.


--
Rob Fuller | Mubix
Certified Checkbox Unchecker
Room362.com | Hak5.org


On Mon, Jan 7, 2013 at 3:45 PM, Spencer, Shelby C
<Shelby_C_Spencer () rl gov>wrote:

> Hi,****
>
> ** **
>
> I?m trying to add a couple token privilege to the current process 
> Meterpreter is running under like so:****
>
> ** **
>
> hcurrent = client.railgun.kernel32.GetCurrentProcess****
>
> hcurrentToken =
> client.railgun.advapi32.OpenProcessToken(hcurrent["return"], 40, 4) 
> ****
>
> SeIncreaseQuotaPrivilege =
> client.railgun.advapi32.LookupPrivilegeValueW(nil,
> "SeIncreaseQuotaPrivilege", 4)****
>
> SeAssignPrimaryTokenPrivilege =
> client.railgun.advapi32.LookupPrivilegeValueW(nil,
> "SeAssignPrimaryTokenPrivilege", 4)****
>
> client.railgun.advapi32.AdjustTokenPrivileges(hcurrentToken["TokenHand
> le"], false, <PTOKEN_PRIVILEGES Struct Here>, 0, nil, nil)****
>
> ** **
>
> According to the MSDN documentation on AdjustTokenPrivileges ( 
> http://msdn.microsoft.com/en-us/library/windows/desktop/aa375202%28v=v
> s.85%29.aspx), the PTOKEN_PRIVILEGES struct should look something like 
> this:****
>
> privileges = {"PrivilegeCount" => 2, "Privileges" => [{"Luid" => 
> SeIncreaseQuotaPrivilege["lpLuid"], "Attributes" => 2}, {"Luid" => 
> SeIncreaseQuotaPrivilege["lpLuid"], "Attributes" => 2}]} #Ruby 
> syntax****
>
> ** **
>
> Obviously this complicated struct needs to be packed somehow using 
> Ruby?s ?pack? command, but the problem is that I have no idea how to 
> begin.  I can?t find any documentation or any other modules which do 
> anything similarly complex.****
>
> The closest code I found was in Metasm source:
> https://github.com/rapid7/metasploit-framework/blob/master/lib/metasm/
> metasm/os/windows.rb
> ****
>
> I couldn?t seem to figure out how to translate this to my method using 
> Railgun, or call the Metasm module and methods in that file 
> directly.****
>
> ** **
>
> I?m sure this is probably pretty simple, I just need a little 
> guidance.***
> *
>
> ** **
>
> Thanks in advance,****
>
> shellster****
>
> ** **
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20130110/70ae17f6/attachment-0001.html>

------------------------------

_______________________________________________
framework mailing list
framework () spool metasploit com
https://mail.metasploit.com/mailman/listinfo/framework


End of framework Digest, Vol 60, Issue 5
****************************************
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework