Metasploit mailing list archives

Re: rev2self vs drop_token?


From: Matt Weeks <scriptjunkie () scriptjunkie us>
Date: Wed, 1 Apr 2015 08:06:50 -0500

1. Meterpreter can hold a token that it will use when spawning off any new
threads or processes using Meterpreter functionality. drop_token tells
meterpreter to release that token and go back to the Windows token.

Windows itself natively handles various tokens as well; say you had
exploited a process that runs as SYSTEM serving a named pipe that had
called ImpersonateNamedPipeClient; you would be running as the impersonated
user, which may not be privileged. So you need to drop the Windows token by
calling the RevertToSelf Windows function call. So the meterpreter
RevertToSelf not only drops the meterpreter token, it also calls
RevertToSelf() to drop any temporary Windows tokens.

2. steal_token steals a token from the process specified by ID;
impersonate_token looks for a token specified by user name to steal from
the entire system.

3. Yes


-- 

http://www.scriptjunkie.us/
_______________________________________________
https://dev.metasploit.com/mailman/listinfo/framework
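The Windows-level mechanism described in point 1 of the reply above, as an added example that is not code from the original post or from the Metasploit project. A named-pipe server impersonates its client (ImpersonateNamedPipeClient) and then reverts (RevertToSelf); .NET's NamedPipeServerStream.RunAsClient wraps exactly that pair of calls, so the thread identity can be inspected before, during and after. The client lives in the same process here, so the user name stays the same and the change shows up in the ImpersonationLevel; in the SYSTEM-service case from the reply the name itself would change to the (possibly unprivileged) client. It assumes Windows PowerShell 5.1 or later on Windows; the pipe name is an arbitrary choice for the demo.

```powershell
# Added example, not code from the original post or from Metasploit.
# Shows a named-pipe server impersonating its client and dropping the resulting
# thread token again, which is what the Windows half of rev2self (RevertToSelf) undoes.
# Assumes Windows PowerShell 5.1+ on Windows. The pipe name is an assumption for the demo.
$pipeName = "tokendemo-" + [guid]::NewGuid().ToString("N")

$server = [System.IO.Pipes.NamedPipeServerStream]::new(
    $pipeName, [System.IO.Pipes.PipeDirection]::InOut, 1)

# Client in the same process, connecting at Impersonation level so the server is
# allowed to impersonate it (Identification level would only allow querying it).
$client = [System.IO.Pipes.NamedPipeClientStream]::new(
    ".", $pipeName, [System.IO.Pipes.PipeDirection]::InOut,
    [System.IO.Pipes.PipeOptions]::None,
    [System.Security.Principal.TokenImpersonationLevel]::Impersonation)
$client.Connect(5000)
$server.WaitForConnection()

# ImpersonateNamedPipeClient impersonates the security context of the last message
# read from the pipe, so the client writes and the server reads before impersonating.
$msg = [System.Text.Encoding]::ASCII.GetBytes("hello")
$client.Write($msg, 0, $msg.Length)
$client.Flush()
$buf = New-Object byte[] 16
$null = $server.Read($buf, 0, $buf.Length)

function Get-ThreadIdentity {
    # GetCurrent() reports the thread token while impersonating, otherwise the process token.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    "{0} (ImpersonationLevel={1})" -f $id.Name, $id.ImpersonationLevel
}

Write-Host ("Before impersonation : " + (Get-ThreadIdentity))
Write-Host ("Pipe client is       : " + $server.GetImpersonationUserName())

# RunAsClient = ImpersonateNamedPipeClient, run the delegate, RevertToSelf.
$server.RunAsClient([System.IO.Pipes.PipeStreamImpersonationWorker]{
    Write-Host ("During impersonation : " + (Get-ThreadIdentity))
})

# Back on the process token. This is the state rev2self restores; drop_token alone
# would only clear Meterpreter's stored token and leave a Windows thread token in place.
Write-Host ("After RevertToSelf   : " + (Get-ThreadIdentity))

$client.Dispose()
$server.Dispose()
```

Run it from any interactive session; the ImpersonationLevel moves from None to Impersonation inside the callback and back to None afterwards. To see the process/thread split the reply is talking about, the same server code would be hosted in a SYSTEM service with a low-privileged client connecting, and the name printed during impersonation would be the client's, not SYSTEM.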