Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Removed GetThreadId and replaced with optional CLIENTID argument #713

Merged
merged 2 commits into from
Sep 20, 2024
Merged

Removed GetThreadId and replaced with optional CLIENTID argument #713

merged 2 commits into from
Sep 20, 2024
+4 −3

Conversation

wolfcod
Copy link
Contributor

@wolfcod wolfcod commented Aug 27, 2024

As reported in the pull request #712 GetThreadId api, used in create_remote_thread function is available only from Windows Vista or Windows Server 2003.
The API function is available in platform sdk, but it doesn't reflect Windows XP SP3.

GetThreadId needs an HANDLE to retrieve the UniqueThread value, and the same information is available calling RtlCreateUserThread with the optional argument CLIENTID.

@dledda-r7 dledda-r7 self-assigned this Aug 30, 2024
@dledda-r7 dledda-r7 mentioned this pull request Sep 16, 2024
Merged
dledda-r7
dledda-r7 approved these changes Sep 20, 2024
View reviewed changes
Copy link
Contributor

@dledda-r7 dledda-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good.

DebugString: "[39ac] [MIGRATE] Migrate context: 0x[000001574E6E013D](x64dbg://localhost/address64#000001574E6E013D) -> 388 bytes"
DebugString: "[39ac] [MIGRATE] Migrate payload: 0x[000001574E6E02C1](x64dbg://localhost/address64#000001574E6E02C1) -> 279040 bytes"
DebugString: "[39ac] [MIGRATE] Configuration: 0x[000001574E7244C1](x64dbg://localhost/address64#000001574E7244C1) -> 1614 bytes"
DebugString: "[39ac] [REMOTETHREAD] CreateRemoteThread seems to lack permissions, trying alternative options"
DebugString: "[39ac] [REMOTETHREAD] RtlCreateUserThread found at [00007FF9311CC1F0](x64dbg://localhost/address64#00007FF9311CC1F0), using for backup remote thread creation"
DebugString: "[39ac] [REMOTETHREAD] Attempting thread creation with RtlCreateUserThread"
DebugString: "[39ac] [INJECT] inject_via_remotethread: succeeded"
DebugString: "[39ac] [INJECT] inject_via_remotethread: Sending a migrate response..."
DebugString: "[39ac] [TRANSMIT] Sending packet to the server"
DebugString: "[39ac] [PKT FIND] Looking for type 65538"
DebugString: "[39ac] [PKT FIND] TLV header length: 12"
DebugString: "[39ac] [PKT FIND] TLV header type: 131073"
DebugString: "[39ac] [PKT FIND] Types don't match, skipping."
DebugString: "[39ac] [PKT FIND] TLV header length: 41"
DebugString: "[39ac] [PKT FIND] TLV header type: 65538"

meterpreter > ps |grep "Notepad"
Filtering on 'Notepad'

Process List
============

 PID    PPID  Name         Arch  Session  User          Path
 ---    ----  ----         ----  -------  ----          ----
 8760   2604  Notepad.exe  x64   2        winvm01\User  C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2407.9.0_x64__8wekyb3d8bbwe\Notepad\Notep
                                                        ad.exe
 10072  8760  Notepad.exe  x64   2        winvm01\User  C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2407.9.0_x64__8wekyb3d8bbwe\Notepad\Notep
                                                        ad.exe

meterpreter > migrate 8760
[*] Migrating from 12036 to 8760...
WARNING: Local file /home/kali/Documents/github/metasploit-framework/data/meterpreter/metsrv.x64.debug.dll is being used
[*] Migration completed successfully.
meterpreter >

@dledda-r7 dledda-r7 merged commit a6da6dd into rapid7:master Sep 20, 2024
15 of 18 checks passed
zeroSteiner added a commit to zeroSteiner/metasploit-framework that referenced this pull request Oct 10, 2024
@zeroSteiner
Update metasploit-payloads gem to 2.0.175
0309f51 
Includes changes from:
* rapid7/metasploit-payloads#719
* rapid7/metasploit-payloads#718
* rapid7/metasploit-payloads#715
* rapid7/metasploit-payloads#713
* rapid7/metasploit-payloads#712
* rapid7/metasploit-payloads#709
* rapid7/metasploit-payloads#708
* rapid7/metasploit-payloads#705
* rapid7/metasploit-payloads#704
* rapid7/metasploit-payloads#703
@zeroSteiner zeroSteiner mentioned this pull request Oct 10, 2024
Merged
zeroSteiner added a commit to zeroSteiner/metasploit-framework that referenced this pull request Oct 10, 2024
@zeroSteiner
Update metasploit-payloads gem to 2.0.176
af43bd5 
Includes changes from:
* rapid7/metasploit-payloads#716
* rapid7/metasploit-payloads#719
* rapid7/metasploit-payloads#718
* rapid7/metasploit-payloads#715
* rapid7/metasploit-payloads#713
* rapid7/metasploit-payloads#712
* rapid7/metasploit-payloads#709
* rapid7/metasploit-payloads#708
* rapid7/metasploit-payloads#705
* rapid7/metasploit-payloads#704
* rapid7/metasploit-payloads#703
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dledda-r7 dledda-r7 dledda-r7 approved these changes

Assignees

@dledda-r7 dledda-r7

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@wolfcod @dledda-r7