From b684da050ad6a9b91ae1afc6caaf3faf54c38f72 Mon Sep 17 00:00:00 2001 From: clymb3r Date: Wed, 12 Feb 2014 13:52:41 -0800 Subject: Inject-LogonCredentials has been renamed to Invoke-CredentialInjection. Added a check to ensure the script isn't being run from Session0 with the "NewWinLogon" flag. This flag does not work in Session0 because winlogon.exe tries to load stuff from user32.dll which requires a desktop is present. This is not possible in Session0 because there is no desktop/GUI, so it causes winlogon to load and then immediately close with error code c0000142 indicating a DLL failed to initialize. There is no way to fix this that I know of, if you need to run the script from Session0 use the "ExistingWinLogon" flag.
---
Exfiltration/LogonUser/LogonUser/logon/logon.cpp | 12 ++++++++---- Exfiltration/LogonUser/LogonUser/logon/logon.vcxproj | 10 +++++----- 2 files changed, 13 insertions(+), 9 deletions(-) (limited to 'Exfiltration/LogonUser')
diff --git a/Exfiltration/LogonUser/LogonUser/logon/logon.cpp b/Exfiltration/LogonUser/LogonUser/logon/logon.cpp
index 8011ed8..a06da47 100644
--- a/Exfiltration/LogonUser/LogonUser/logon/logon.cpp
+++ b/Exfiltration/LogonUser/LogonUser/logon/logon.cpp
@@ -32,26 +32,29 @@ extern "C" __declspec( dllexport ) void VoidFunc() wchar_t* password = new wchar_t[strSize]; DWORD bytesRead = 0; - BOOL success = ReadFile(pipe, domain, strSize, &bytesRead, NULL); + BOOL success = ReadFile(pipe, domain, bytesToRead, &bytesRead, NULL); if (!success) { return; } domain[bytesRead/2] = '\0'; + bytesRead = 0; - success = ReadFile(pipe, username, strSize-2, &bytesRead, NULL); + success = ReadFile(pipe, username, bytesToRead, &bytesRead, NULL); if (!success) { return; } username[bytesRead/2] = '\0'; + bytesRead = 0; - success = ReadFile(pipe, password, strSize-2, &bytesRead, NULL); + success = ReadFile(pipe, password, bytesToRead, &bytesRead, NULL); if (!success) { return; } password[bytesRead/2] = '\0'; + bytesRead = 0; //Get the logon type from the pipe USHORT logonType = 10;
@@ -60,6 +63,7 @@ extern "C" __declspec( dllexport ) void VoidFunc() { return; } + bytesRead = 0; //Get the authentication package to use. 1 = Msv1_0, 2 = Kerberos USHORT authPackageToUse = 0;
@@ -68,7 +72,7 @@ extern "C" __declspec( dllexport ) void VoidFunc() { return; } - + bytesRead = 0; ///////////// //Build the parameters to call LsaLogonUser with
diff --git a/Exfiltration/LogonUser/LogonUser/logon/logon.vcxproj b/Exfiltration/LogonUser/LogonUser/logon/logon.vcxproj
index 7fb078b..dcba5a8 100644
--- a/Exfiltration/LogonUser/LogonUser/logon/logon.vcxproj
+++ b/Exfiltration/LogonUser/LogonUser/logon/logon.vcxproj
@@ -1,5 +1,5 @@  - + Debug
@@ -27,26 +27,26 @@ DynamicLibrary true - v110 + v120 Unicode DynamicLibrary true - v110 + v120 Unicode DynamicLibrary false - v110 + v120 true Unicode DynamicLibrary false - v110 + v120 true Unicode -- cgit v1.2.3
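Review bot: The three new `ReadFile(pipe, ..., bytesToRead, &bytesRead, NULL)` calls let the pipe peer decide how many bytes land in the buffers, and the unchanged `domain[bytesRead/2] = '\0'` (and the username/password equivalents) then index with that count; the buffers are `strSize` wide characters (visible at least for `password = new wchar_t[strSize]`), so unless `bytesToRead` is bounded to `(strSize - 1) * sizeof(wchar_t)` — its definition is outside the hunk — a full-length read writes the terminator one element past the end. A check in front of each terminator, `if (bytesRead / sizeof(wchar_t) >= strSize) { return; }`, keeps the write in bounds regardless of how `bytesToRead` is derived. Since the same `bytesToRead` now replaces both the old `strSize` and `strSize-2` sizes, a comment tying the three reads to one invariant would help, e.g. `// bytesToRead must stay <= (strSize - 1) * sizeof(wchar_t) so the terminator below is in bounds`. The `bytesRead = 0;` resets added here and in the two following hunks are harmless but not required, as ReadFile sets the count on success; `VoidFunc` begins and ends outside the hunk.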