authorclymb3r <bialek.joseph@gmail.com>2014-02-12 13:52:41 -0800
committerclymb3r <bialek.joseph@gmail.com>2014-02-12 13:52:41 -0800
commitb684da050ad6a9b91ae1afc6caaf3faf54c38f72 (patch)
tree35f16b278fb424575fe845f935335a3e4f06fdf1 /Exfiltration/LogonUser
parentbb41ab98ca19ab0ed661b5e403d5f603b08dcacb (diff)
Inject-LogonCredentials has been renamed to Invoke-CredentialInjection.
Added a check to ensure the script isn't being run from Session0 with the "NewWinLogon" flag. This flag does not work in Session0 because winlogon.exe tries to load stuff from user32.dll, which requires that a desktop be present. This is not possible in Session0 because there is no desktop/GUI, so it causes winlogon to load and then immediately close with error code c0000142, indicating that a DLL failed to initialize. There is no way to fix this that I know of; if you need to run the script from Session0, use the "ExistingWinLogon" flag.
Diffstat (limited to 'Exfiltration/LogonUser')
-rw-r--r--Exfiltration/LogonUser/LogonUser/logon/logon.cpp12
-rw-r--r--Exfiltration/LogonUser/LogonUser/logon/logon.vcxproj10
2 files changed, 13 insertions, 9 deletions
diff --git a/Exfiltration/LogonUser/LogonUser/logon/logon.cpp b/Exfiltration/LogonUser/LogonUser/logon/logon.cpp
index 8011ed8..a06da47 100644
--- a/Exfiltration/LogonUser/LogonUser/logon/logon.cpp
+++ b/Exfiltration/LogonUser/LogonUser/logon/logon.cpp
@@ -32,26 +32,29 @@ extern "C" __declspec( dllexport ) void VoidFunc()
wchar_t* password = new wchar_t[strSize];
DWORD bytesRead = 0;
- BOOL success = ReadFile(pipe, domain, strSize, &bytesRead, NULL);
+ BOOL success = ReadFile(pipe, domain, bytesToRead, &bytesRead, NULL);
if (!success)
{
return;
}
domain[bytesRead/2] = '\0';
+ bytesRead = 0;
- success = ReadFile(pipe, username, strSize-2, &bytesRead, NULL);
+ success = ReadFile(pipe, username, bytesToRead, &bytesRead, NULL);
if (!success)
{
return;
}
username[bytesRead/2] = '\0';
+ bytesRead = 0;
- success = ReadFile(pipe, password, strSize-2, &bytesRead, NULL);
+ success = ReadFile(pipe, password, bytesToRead, &bytesRead, NULL);
if (!success)
{
return;
}
password[bytesRead/2] = '\0';
+ bytesRead = 0;
//Get the logon type from the pipe
USHORT logonType = 10;
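Review bot: The terminator writes `domain[bytesRead/2] = '\0'`, `username[bytesRead/2] = '\0'` and `password[bytesRead/2] = '\0'` index by whatever the pipe delivered, and nothing in the hunk ties that index to the `strSize` elements the buffers are allocated with (only `password`'s allocation is visible here). `bytesToRead` is defined outside the hunk; if it can reach `strSize * sizeof(wchar_t)`, a full read puts the terminator one element past the end, so either cap the request at `(strSize - 1) * sizeof(wchar_t)` or add `if (bytesRead / sizeof(wchar_t) >= strSize) return;` before each write. The early `return` paths also leave the `new wchar_t[strSize]` buffers allocated, and a password that was already read stays in memory un-wiped; a single cleanup path that calls `SecureZeroMemory` and then `delete[]` would cover both. VoidFunc's body starts and ends outside the hunk.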
@@ -60,6 +63,7 @@ extern "C" __declspec( dllexport ) void VoidFunc()
{
return;
}
+ bytesRead = 0;
//Get the authentication package to use. 1 = Msv1_0, 2 = Kerberos
USHORT authPackageToUse = 0;
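Review bot: Resetting `bytesRead` after the read does not validate it. A read that succeeds with fewer than `sizeof(USHORT)` bytes would leave `logonType` at its default of 10, and in the next hunk `authPackageToUse` at 0, which is neither of the documented package values (1 = Msv1_0, 2 = Kerberos). The ReadFile calls sit outside both hunks, so this is inferred from the `{ return; }` tails and the pattern in the first hunk; if they only test `success`, add `if (bytesRead != sizeof(logonType)) return;` (and the same for `authPackageToUse`) before the reset. ReadFile already zeroes the count before doing any work, so the `bytesRead = 0;` lines themselves are redundant.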
@@ -68,7 +72,7 @@ extern "C" __declspec( dllexport ) void VoidFunc()
{
return;
}
-
+ bytesRead = 0;
/////////////
//Build the parameters to call LsaLogonUser with
diff --git a/Exfiltration/LogonUser/LogonUser/logon/logon.vcxproj b/Exfiltration/LogonUser/LogonUser/logon/logon.vcxproj
index 7fb078b..dcba5a8 100644
--- a/Exfiltration/LogonUser/LogonUser/logon/logon.vcxproj
+++ b/Exfiltration/LogonUser/LogonUser/logon/logon.vcxproj
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
@@ -27,26 +27,26 @@
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
- <PlatformToolset>v110</PlatformToolset>
+ <PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
- <PlatformToolset>v110</PlatformToolset>
+ <PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
- <PlatformToolset>v110</PlatformToolset>
+ <PlatformToolset>v120</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
- <PlatformToolset>v110</PlatformToolset>
+ <PlatformToolset>v120</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>