
Syscall BOF to arbitrarily add/detract process token privilege rights.


Toggle_Token_Privileges_BOF

What is this?

  • An (almost) syscall-only BOF file intended to either add or remove token privileges within the context of your current process.

Who wrote it?

  • Justin Lucas (@the_bit_diddler)
  • Brad Campbell (@hackersoup)

What problem are you trying to solve?

  • There are many boilerplate options to enable a specific subset of privileges; traditionally, this has been almost entirely centered around SE_DEBUG
    • Why not let you, the operator, have the power of choice? Pick what to add or remove from an à la carte help menu.

How do I build this?

git clone https://github.com/EspressoCake/Toggle_Token_Privileges_BOF.git
cd Toggle_Token_Privileges_BOF/src
make

How do I use this?

  • Load the Aggressor .cna file from the dist directory, after building
  • Determine whatever relative privilege number (see the help menu) you wish to apply to your current process token
  • From a given Beacon:
    # Getting general help
    syscall_enable_priv
    
    # Adding a privilege (SE_DEBUG)
    syscall_enable_priv 20
    
    # Removing a privilege (SE_DEBUG)
    syscall_disable_priv 20
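Privilege adjustments on a process token are audited as Windows Security event 4703 ("A token right was adjusted") when the "Audit Token Right Adjusted" subcategory is enabled, so the add/remove pattern above leaves a paired enable/disable trail. The following Python triage routine is an added example, not code from this repository: it runs over constructed 4703 records, and the sensitive-privilege set and the Windows-directory allowlist are assumptions to tune for your environment.

```python
# Added example (not part of this BOF): flag Security event 4703 records that
# enable or disable sensitive token privileges from unexpected process images.
# Event records below are constructed; field names follow the 4703 event schema.
import re

# Assumption: privileges whose toggling outside system images merits a look.
SENSITIVE_PRIVILEGES = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeImpersonatePrivilege",
    "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege",
    "SeRestorePrivilege", "SeBackupPrivilege",
}

# Constructed sample of event records (one dict per event; values are illustrative).
SAMPLE_EVENTS = [
    {"EventID": 4703, "ProcessName": "C:\\Windows\\System32\\svchost.exe",
     "EnabledPrivilegeList": "SeImpersonatePrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "ProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "ProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "EnabledPrivilegeList": "-", "DisabledPrivilegeList": "SeDebugPrivilege"},
    {"EventID": 4688, "ProcessName": "C:\\Windows\\System32\\cmd.exe"},
]

def parse_privilege_list(field):
    """Split a 4703 privilege list field (whitespace/comma separated); '-' means empty."""
    if not field or field.strip() == "-":
        return []
    return [p for p in re.split(r"[\s,]+", field.strip()) if p]

def is_expected_process(path):
    """Assumed crude allowlist: images under the Windows directory are treated as expected."""
    return path.lower().startswith("c:\\windows\\")

def find_suspicious_privilege_changes(events):
    """Return (process, privilege, action) tuples for sensitive enable/disable
    events from non-allowlisted images. Disables are reported as well, since an
    enable followed by a disable from the same image is the toggling pattern."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4703:
            continue
        proc = ev.get("ProcessName", "")
        if is_expected_process(proc):
            continue
        for priv in parse_privilege_list(ev.get("EnabledPrivilegeList")):
            if priv in SENSITIVE_PRIVILEGES:
                hits.append((proc, priv, "enabled"))
        for priv in parse_privilege_list(ev.get("DisabledPrivilegeList")):
            if priv in SENSITIVE_PRIVILEGES:
                hits.append((proc, priv, "disabled"))
    return hits
```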

I tend to touch the stove carelessly, how are you taking care of the injury-prone?

  • Currently, the Aggressor script has safeguards:
    • The current Beacon is checked to ensure that it is running with administrative rights and is an x64 process

What does the output look like?

Adding/Revoking Current Process Token Privileges