Metasploit mailing list archives
Re: Using AdjustTokenPrivileges via Meterpreter Railgun
From: "Spencer, Shelby C" <Shelby_C_Spencer () rl gov>
Date: Mon, 14 Jan 2013 06:10:09 -0800
Thanks Mubix for your response. I understand that I need to construct the Struct as a byte sequence, but I don't know what that should look like. Is there a guide on this? Does it follow some predefined standard (of which I am not aware)?

Date: Thu, 10 Jan 2013 15:34:44 -0500
From: Rob Fuller <mubix () room362 com>
To: "Spencer, Shelby C" <Shelby_C_Spencer () rl gov>
Cc: "framework () spool metasploit com" <framework () spool metasploit com>
Subject: Re: [framework] Using AdjustTokenPrivileges via Meterpreter Railgun
Message-ID: <CAP-=ew18BsdmPJHRgrXXd==hubNSrakdhtXyKG2SA+wAzFrWOw () mail gmail com>
Content-Type: text/plain; charset="windows-1252"

The only way I know to make structs is to create them in ruby, byte for byte, get a size and write them to memory, then point what needs the struct at that memory space (keeping in mind endianness). Chao-mu was working on an automated way to do this but I don't think he finished it. I do believe others have done this in other modules too. Look for any write memory stuff in the post modules section.

--
Rob Fuller | Mubix
Certified Checkbox Unchecker
Room362.com | Hak5.org

On Mon, Jan 7, 2013 at 3:45 PM, Spencer, Shelby C <Shelby_C_Spencer () rl gov> wrote:
Hi,

I'm trying to add a couple of token privileges to the current process Meterpreter is running under like so:

    hcurrent = client.railgun.kernel32.GetCurrentProcess
    # 40 == TOKEN_ADJUST_PRIVILEGES (0x20) | TOKEN_QUERY (0x08); the trailing 4 is the size of
    # the out-parameter buffer Railgun allocates for the returned token handle (a DWORD).
    hcurrentToken = client.railgun.advapi32.OpenProcessToken(hcurrent["return"], 40, 4)
    # A LUID is 8 bytes (DWORD LowPart + LONG HighPart), so the out buffer must be 8, not 4.
    SeIncreaseQuotaPrivilege = client.railgun.advapi32.LookupPrivilegeValueW(nil, "SeIncreaseQuotaPrivilege", 8)
    SeAssignPrimaryTokenPrivilege = client.railgun.advapi32.LookupPrivilegeValueW(nil, "SeAssignPrimaryTokenPrivilege", 8)
    client.railgun.advapi32.AdjustTokenPrivileges(hcurrentToken["TokenHandle"], false, <PTOKEN_PRIVILEGES Struct Here>, 0, nil, nil)

According to the MSDN documentation on AdjustTokenPrivileges (http://msdn.microsoft.com/en-us/library/windows/desktop/aa375202%28v=vs.85%29.aspx), the PTOKEN_PRIVILEGES struct should look something like this:

    privileges = {"PrivilegeCount" => 2, "Privileges" => [{"Luid" => SeIncreaseQuotaPrivilege["lpLuid"], "Attributes" => 2},
                  {"Luid" => SeAssignPrimaryTokenPrivilege["lpLuid"], "Attributes" => 2}]} # Ruby syntax; Attributes 2 == SE_PRIVILEGE_ENABLED

Obviously this complicated struct needs to be packed somehow using Ruby's 'pack' command, but the problem is that I have no idea how to begin. I can't find any documentation or any other modules which do anything similarly complex.

The closest code I found was in Metasm source: https://github.com/rapid7/metasploit-framework/blob/master/lib/metasm/metasm/os/windows.rb

I couldn't seem to figure out how to translate this to my method using Railgun, or call the Metasm module and methods in that file directly.

I'm sure this is probably pretty simple, I just need a little guidance.

Thanks in advance,
shellster

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
End of framework Digest, Vol 60, Issue 5
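The byte sequence Mubix describes, worked out for TOKEN_PRIVILEGES, as an added example that is not code from this thread and not Metasploit's own: the struct is packed field by field with Ruby's pack (little-endian 32-bit fields, no padding on x86 or x64), a matching unpacker lets you read back what the call returns, and a last function shows how the buffer would be handed to AdjustTokenPrivileges from a session. That last function is an assumption about Railgun's shipped advapi32 definitions (OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges with NewState declared as an input PBLOB, and out-parameters given as buffer sizes); it needs a live Meterpreter session and is not run here. The sample LUID values in the usage lines are constructed; real ones come back from LookupPrivilegeValue.

```ruby
# Added example (not from the thread or from Metasploit). Packs a TOKEN_PRIVILEGES
# struct by hand so it can be passed to AdjustTokenPrivileges through Railgun.
#
# Layout from winnt.h (all 32-bit little-endian fields, no padding on x86 or x64):
#   typedef struct _LUID { DWORD LowPart; LONG HighPart; } LUID;                    // 8 bytes
#   typedef struct _LUID_AND_ATTRIBUTES { LUID Luid; DWORD Attributes; };           // 12 bytes
#   typedef struct _TOKEN_PRIVILEGES {
#     DWORD PrivilegeCount;
#     LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY];
#   } TOKEN_PRIVILEGES;                                                             // 4 + 12*n bytes

SE_PRIVILEGE_ENABLED     = 0x00000002
SE_PRIVILEGE_REMOVED     = 0x00000004
TOKEN_ADJUST_PRIVILEGES  = 0x0020
TOKEN_QUERY              = 0x0008
ERROR_NOT_ALL_ASSIGNED   = 1300
LUID_SIZE                = 8
LUID_AND_ATTRIBUTES_SIZE = 12

# Builds an 8-byte LUID the way Windows lays it out (used here for constructed sample values).
def pack_luid(low, high = 0)
  [low, high].pack('Vl<')
end

# entries: array of [luid_bytes, attributes]. luid_bytes is the 8-byte string Railgun
# returns as the "lpLuid" out-parameter of LookupPrivilegeValue; it is already in
# memory order, so it is copied through untouched.
def pack_token_privileges(entries)
  raise ArgumentError, 'at least one privilege is required' if entries.empty?
  buf = [entries.length].pack('V')                      # DWORD PrivilegeCount
  entries.each do |luid, attrs|
    luid = luid.b
    unless luid.bytesize == LUID_SIZE
      raise ArgumentError, "LUID must be #{LUID_SIZE} bytes, got #{luid.bytesize}"
    end
    buf << luid << [attrs].pack('V')                    # LUID + DWORD Attributes
  end
  buf
end

# Inverse of the above, e.g. for reading the PreviousState buffer AdjustTokenPrivileges fills in.
def unpack_token_privileges(buf)
  buf = buf.b
  count = buf.unpack1('V')
  count.times.map do |i|
    off = 4 + i * LUID_AND_ATTRIBUTES_SIZE
    low, high, attrs = buf[off, LUID_AND_ATTRIBUTES_SIZE].unpack('Vl<V')
    { luid: { low: low, high: high }, attributes: attrs }
  end
end

# ASSUMPTION: uses Railgun's advapi32/kernel32 definitions as named below, with
# NewState an "in" PBLOB (a Ruby byte string is passed directly, no separate
# memory write needed) and every "out" parameter given as its buffer size.
# Requires a live session; not exercised stand-alone.
def enable_privileges(client, names)
  k32 = client.railgun.kernel32
  adv = client.railgun.advapi32

  hproc = k32.GetCurrentProcess()['return']
  tok = adv.OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, 4)
  raise "OpenProcessToken failed, GetLastError=#{tok['GetLastError']}" unless tok['return']

  entries = names.map do |name|
    r = adv.LookupPrivilegeValueA(nil, name, LUID_SIZE)   # 8-byte out buffer for the LUID
    raise "LookupPrivilegeValue(#{name}) failed, GetLastError=#{r['GetLastError']}" unless r['return']
    [r['lpLuid'], SE_PRIVILEGE_ENABLED]
  end

  new_state = pack_token_privileges(entries)
  r = adv.AdjustTokenPrivileges(tok['TokenHandle'], false, new_state, new_state.bytesize,
                                new_state.bytesize, 4)   # PreviousState / ReturnLength out sizes
  k32.CloseHandle(tok['TokenHandle'])

  # AdjustTokenPrivileges returns TRUE even when some privileges were not
  # assigned; the real verdict is GetLastError == ERROR_NOT_ALL_ASSIGNED.
  raise "AdjustTokenPrivileges failed, GetLastError=#{r['GetLastError']}" unless r['return']
  r['GetLastError'] != ERROR_NOT_ALL_ASSIGNED
end

# Usage with constructed LUIDs (real ones come from LookupPrivilegeValue):
blob = pack_token_privileges([[pack_luid(5), SE_PRIVILEGE_ENABLED],
                              [pack_luid(3), SE_PRIVILEGE_ENABLED]])
blob.bytesize               # 28 == 4 + 2 * 12
unpack_token_privileges(blob)
```

The point of the unpacker is the check a practitioner wants after the call: if AdjustTokenPrivileges reports ERROR_NOT_ALL_ASSIGNED, the privilege was not in the token to begin with (a privilege can only be enabled, not granted, this way), and the PreviousState buffer shows which ones actually changed.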
Current thread:
- Using AdjustTokenPrivileges via Meterpreter Railgun Spencer, Shelby C (Jan 07)
- Re: Using AdjustTokenPrivileges via Meterpreter Railgun Rob Fuller (Jan 10)
- <Possible follow-ups>
- Re: Using AdjustTokenPrivileges via Meterpreter Railgun Spencer, Shelby C (Jan 14)
- Re: Using AdjustTokenPrivileges via Meterpreter Railgun devin bjelland (Jan 15)
- Re: Using AdjustTokenPrivileges via Meterpreter Railgun Rob Fuller (Jan 15)
- Re: Using AdjustTokenPrivileges via Meterpreter Railgun Spencer, Shelby C (Jan 16)
- Re: Using AdjustTokenPrivileges via Meterpreter Railgun devin bjelland (Jan 15)