Land #16676, Add 6th getsystem technique

smcintyre-r7 · smcintyre-r7 · commit fb3d3499693a · 2022-06-23T15:14:52.000-04:00
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -30,7 +30,7 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 2.0.93)
+      metasploit-payloads (= 2.0.94)
       metasploit_data_models
       metasploit_payloads-mettle (= 1.0.18)
       mqtt
@@ -247,7 +247,7 @@ GEM
       activemodel (~> 6.0)
       activesupport (~> 6.0)
       railties (~> 6.0)
-    metasploit-payloads (2.0.93)
+    metasploit-payloads (2.0.94)
     metasploit_data_models (5.0.5)
       activerecord (~> 6.0)
       activesupport (~> 6.0)
diff --git a/lib/rex/post/meterpreter/extensions/priv/priv.rb b/lib/rex/post/meterpreter/extensions/priv/priv.rb
@@ -30,7 +30,8 @@ def self.extension_id
     named_pipe_2: 2,
     token_dup: 3,
     named_pipe_rpcss: 4,
-    named_pipe_print_spooler: 5
+    named_pipe_print_spooler: 5,
+    named_pipe_efs: 6
   }.freeze
 
   #
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb
@@ -24,6 +24,7 @@ class Console::CommandDispatcher::Priv::Elevate
   ELEVATE_TECHNIQUE_SERVICE_TOKENDUP        = 3
   ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE_RPCSS = 4
   ELEVATE_TECHNIQUE_NAMEDPIPE_PRINTSPOOLER  = 5
+  ELEVATE_TECHNIQUE_NAMEDPIPE_EFS           = 6
 
   ELEVATE_TECHNIQUE_DESCRIPTION =
     [
@@ -32,7 +33,8 @@ class Console::CommandDispatcher::Priv::Elevate
       'Named Pipe Impersonation (Dropper/Admin)',
       'Token Duplication (In Memory/Admin)',
       'Named Pipe Impersonation (RPCSS variant)',
-      'Named Pipe Impersonation (PrintSpooler variant)'
+      'Named Pipe Impersonation (PrintSpooler variant)',
+      'Named Pipe Impersonation (EFSRPC variant - AKA EfsPotato)'
     ]
 
   #
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
@@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model'
   # Needed for Meterpreter
-  spec.add_runtime_dependency 'metasploit-payloads', '2.0.93'
+  spec.add_runtime_dependency 'metasploit-payloads', '2.0.94'
   # Needed for the next-generation POSIX Meterpreter
   spec.add_runtime_dependency 'metasploit_payloads-mettle', '1.0.18'
   # Needed by msfgui and other rpc components
diff --git a/modules/post/windows/escalate/getsystem.rb b/modules/post/windows/escalate/getsystem.rb
@@ -28,12 +28,22 @@ def initialize(info = {})
               priv_elevate_getsystem
             ]
           }
+        },
+        'Notes' => {
+          'AKA' => [
+            'Named Pipe Impersonation',
+            'Token Duplication',
+            'RPCSS',
+            'PrintSpooler',
+            'EFSRPC',
+            'EfsPotato'
+          ]
         }
       )
     )
 
     register_options([
-      OptInt.new('TECHNIQUE', [false, "Specify a particular technique to use (1-5), otherwise try them all", 0])
+      OptInt.new('TECHNIQUE', [false, "Specify a particular technique to use (1-6), otherwise try them all", 0])
     ])
   end
 

Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,8 @@ def self.extension_id`
`30`	`30`	`named_pipe_2: 2,`
`31`	`31`	`token_dup: 3,`
`32`	`32`	`named_pipe_rpcss: 4,`
`33`		`- named_pipe_print_spooler: 5`
	`33`	`+ named_pipe_print_spooler: 5,`
	`34`	`+ named_pipe_efs: 6`
`34`	`35`	`}.freeze`
`35`	`36`
`36`	`37`	`#`
Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@ class Console::CommandDispatcher::Priv::Elevate`
`24`	`24`	`ELEVATE_TECHNIQUE_SERVICE_TOKENDUP = 3`
`25`	`25`	`ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE_RPCSS = 4`
`26`	`26`	`ELEVATE_TECHNIQUE_NAMEDPIPE_PRINTSPOOLER = 5`
	`27`	`+ ELEVATE_TECHNIQUE_NAMEDPIPE_EFS = 6`
`27`	`28`
`28`	`29`	`ELEVATE_TECHNIQUE_DESCRIPTION =`
`29`	`30`	`[`
`@@ -32,7 +33,8 @@ class Console::CommandDispatcher::Priv::Elevate`
`32`	`33`	`'Named Pipe Impersonation (Dropper/Admin)',`
`33`	`34`	`'Token Duplication (In Memory/Admin)',`
`34`	`35`	`'Named Pipe Impersonation (RPCSS variant)',`
`35`		`- 'Named Pipe Impersonation (PrintSpooler variant)'`
	`36`	`+ 'Named Pipe Impersonation (PrintSpooler variant)',`
	`37`	`+ 'Named Pipe Impersonation (EFSRPC variant - AKA EfsPotato)'`
`36`	`38`	`]`
`37`	`39`
`38`	`40`	`#`
Original file line number	Diff line number	Diff line change
`@@ -28,12 +28,22 @@ def initialize(info = {})`
`28`	`28`	`priv_elevate_getsystem`
`29`	`29`	`]`
`30`	`30`	`}`
	`31`	`+ },`
	`32`	`+ 'Notes' => {`
	`33`	`+ 'AKA' => [`
	`34`	`+ 'Named Pipe Impersonation',`
	`35`	`+ 'Token Duplication',`
	`36`	`+ 'RPCSS',`
	`37`	`+ 'PrintSpooler',`
	`38`	`+ 'EFSRPC',`
	`39`	`+ 'EfsPotato'`
	`40`	`+ ]`
`31`	`41`	`}`
`32`	`42`	`)`
`33`	`43`	`)`
`34`	`44`
`35`	`45`	`register_options([`
`36`		`- OptInt.new('TECHNIQUE', [false, "Specify a particular technique to use (1-5), otherwise try them all", 0])`
	`46`	`+ OptInt.new('TECHNIQUE', [false, "Specify a particular technique to use (1-6), otherwise try them all", 0])`
`37`	`47`	`])`
`38`	`48`	`end`
`39`	`49`