Merge pull request #986 from BishopFox/feature/runas-password

Revamped `runas` command
BishopFox · Nov 3, 2022 · 5a7ee43 · 5a7ee43
2 parents 8b7a66a + f8ae372
commit 5a7ee43
Show file tree

Hide file tree

Showing 8 changed files with 1,003 additions and 859 deletions.
diff --git a/client/command/commands.go b/client/command/commands.go
@@ -2046,9 +2046,14 @@ func BindCommands(con *console.SliverConsoleClient) {
 		Help:     "Run a new process in the context of the designated user (Windows Only)",
 		LongHelp: help.GetHelpFor([]string{consts.RunAsStr}),
 		Flags: func(f *grumble.Flags) {
-			f.String("u", "username", "NT AUTHORITY\\SYSTEM", "user to impersonate")
+			f.String("u", "username", "", "user to impersonate")
 			f.String("p", "process", "", "process to start")
 			f.String("a", "args", "", "arguments for the process")
+			f.String("d", "domain", "", "domain of the user")
+			f.String("P", "password", "", "password of the user")
+			f.Bool("s", "show-window", false, `
+			Log on, but use the specified credentials on the network only. The new process uses the same token as the caller, but the system creates a new logon session within LSA, and the process uses the specified credentials as the default credentials.`)
+			f.Bool("n", "net-only", false, "use ")
 			f.Int("t", "timeout", 30, "command timeout in seconds")
 		},
 		Run: func(ctx *grumble.Context) error {

diff --git a/client/command/privilege/runas.go b/client/command/privilege/runas.go
@@ -36,8 +36,12 @@ func RunAsCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 	}
 
 	username := ctx.Flags.String("username")
+	password := ctx.Flags.String("password")
+	domain := ctx.Flags.String("domain")
+	showWindow := ctx.Flags.Bool("show-window")
 	process := ctx.Flags.String("process")
 	arguments := ctx.Flags.String("args")
+	netonly := ctx.Flags.Bool("net-only")
 
 	if username == "" {
 		con.PrintErrorf("Please specify a username\n")
@@ -54,6 +58,10 @@ func RunAsCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 		Username:    username,
 		ProcessName: process,
 		Args:        arguments,
+		Domain:      domain,
+		Password:    password,
+		HideWindow:  !showWindow,
+		NetOnly:     netonly,
 	})
 	if err != nil {
 		con.PrintErrorf("%s", err)

diff --git a/implant/sliver/handlers/handlers_windows.go b/implant/sliver/handlers/handlers_windows.go
@@ -152,10 +152,12 @@ func runAsHandler(data []byte, resp RPCResponse) {
 		// {{end}}
 		return
 	}
-	out, err := priv.RunProcessAsUser(runAsReq.Username, runAsReq.ProcessName, runAsReq.Args)
-	runAs := &sliverpb.RunAs{
-		Output: out,
+	show := 10
+	if runAsReq.HideWindow {
+		show = 0
 	}
+	err = priv.RunAs(runAsReq.Username, runAsReq.Domain, runAsReq.Password, runAsReq.ProcessName, runAsReq.Args, show, runAsReq.NetOnly)
+	runAs := &sliverpb.RunAs{}
 	if err != nil {
 		runAs.Response = &commonpb.Response{Err: err.Error()}
 	}

diff --git a/implant/sliver/priv/priv_windows.go b/implant/sliver/priv/priv_windows.go
@@ -279,6 +279,82 @@ func deleteRegistryKey(keyPath, keyName string) (err error) {
 	return
 }
 
+func RunAs(username string, domain string, password string, program string, args string, show int, netonly bool) (err error) {
+	// call CreateProcessWithLogonW to create a new process with the specified credentials
+	// https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithlogonw
+	// convert username, domain, password, program, args, env, dir to *uint16
+	u, err := windows.UTF16PtrFromString(username)
+	if err != nil {
+		// {{if .Config.Debug}}
+		log.Printf("Invalid username\n")
+		// {{end}}
+		return
+	}
+	d, err := windows.UTF16PtrFromString(domain)
+	if err != nil {
+		// {{if .Config.Debug}}
+		log.Printf("Invalid domain\n")
+		// {{end}}
+		return
+	}
+	p, err := windows.UTF16PtrFromString(password)
+	if err != nil {
+		// {{if .Config.Debug}}
+		log.Printf("Invalid password\n")
+		// {{end}}
+		return
+	}
+	prog, err := windows.UTF16PtrFromString(program)
+	if err != nil {
+		// {{if .Config.Debug}}
+		log.Printf("Invalid program\n")
+		// {{end}}
+		return
+	}
+	var cmd *uint16
+	if len(args) > 0 {
+		cmd, err = windows.UTF16PtrFromString(fmt.Sprintf("%s %s", program, args))
+		if err != nil {
+			// {{if .Config.Debug}}
+			log.Printf("Invalid prog args\n")
+			// {{end}}
+			return
+		}
+	}
+	var e *uint16
+	// env := os.Environ()
+	// e, err = windows.UTF16PtrFromString(strings.Join(env, "\x00"))
+	// if err != nil {
+	// 	// {{if .Config.Debug}}
+	// 	log.Printf("Invalid env\n")
+	// 	// {{end}}
+	// 	return
+	// }
+	var di *uint16
+
+	// create a new startup info struct
+	si := &syscalls.StartupInfoEx{
+		StartupInfo: windows.StartupInfo{
+			Flags:      windows.STARTF_USESHOWWINDOW,
+			ShowWindow: uint16(show),
+		},
+	}
+	// create a new process info struct
+	pi := &windows.ProcessInformation{}
+	// call CreateProcessWithLogonW
+	var logonFlags uint32 = 0
+	if netonly {
+		logonFlags = 2 // LOGON_NETCREDENTIALS_ONLY
+	}
+	err = syscalls.CreateProcessWithLogonW(u, d, p, logonFlags, prog, cmd, 0, e, di, si, pi)
+	if err != nil {
+		// {{if .Config.Debug}}
+		log.Printf("CreateProcessWithLogonW failed: %v\n", err)
+		// {{end}}
+	}
+	return
+}
+
 // RunProcessAsUser - Retrieve a primary token belonging to username
 // and starts a new process using that token.
 func RunProcessAsUser(username, command, args string) (out string, err error) {

diff --git a/implant/sliver/syscalls/syscalls_windows.go b/implant/sliver/syscalls/syscalls_windows.go
@@ -9,6 +9,7 @@ package syscalls
 //sys HeapSize(hHeap windows.Handle, dwFlags uint32, lpMem uintptr) (res uint32, err error) = kernel32.HeapSize
 //sys UpdateProcThreadAttribute(lpAttributeList *PROC_THREAD_ATTRIBUTE_LIST, dwFlags uint32, attribute uintptr, lpValue *uintptr, cbSize uintptr, lpPreviousValue uintptr, lpReturnSize *uintptr) (err error) = kernel32.UpdateProcThreadAttribute
 //sys CreateProcess(appName *uint16, commandLine *uint16, procSecurity *windows.SecurityAttributes, threadSecurity *windows.SecurityAttributes, inheritHandles bool, creationFlags uint32, env *uint16, currentDir *uint16, startupInfo *StartupInfoEx, outProcInfo *windows.ProcessInformation) (err error) = kernel32.CreateProcessW
+//sys CreateProcessWithLogonW(username *uint16, domain *uint16, password *uint16, logonFlags uint32, appName *uint16, commandLine *uint16, creationFlags uint32, env *uint16, currentDir *uint16, startupInfo *StartupInfoEx, outProcInfo *windows.ProcessInformation) (err error) = advapi32.CreateProcessWithLogonW
 //sys VirtualAllocEx(hProcess windows.Handle, lpAddress uintptr, dwSize uintptr, flAllocationType uint32, flProtect uint32) (addr uintptr, err error) = kernel32.VirtualAllocEx
 //sys WriteProcessMemory(hProcess windows.Handle, lpBaseAddress uintptr, lpBuffer *byte, nSize uintptr, lpNumberOfBytesWritten *uintptr) (err error) = kernel32.WriteProcessMemory
 //sys VirtualProtectEx(hProcess windows.Handle, lpAddress uintptr, dwSize uintptr, flNewProtect uint32, lpflOldProtect *uint32) (err error) = kernel32.VirtualProtectEx

diff --git a/implant/sliver/syscalls/zsyscalls_windows.go b/implant/sliver/syscalls/zsyscalls_windows.go