
get_user_token fails if thread is holding an impersonation token #699

@upsidedwn


Currently, get_user_token fails if the current thread is holding an impersonation token.

meterpreter > getsid
[-] stdapi_sys_config_getsid: Operation failed: Access is denied.

Here, we see that OpenAsSelf is set to FALSE.

/* Existing lookup: thread token first (OpenAsSelf = FALSE), then the process token. */
if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, FALSE, &hToken))
{
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
    {
        BREAK_ON_ERROR("[TOKEN] Failed to get a valid token for thread/process.");
    }
}

From MSDN, we see that the call will fail.

The OpenAsSelf parameter allows the caller of this function to open the access token of a specified thread when the caller is impersonating a token at SecurityIdentification level. Without this parameter, the calling thread cannot open the access token on the specified thread because it is impossible to open executive-level objects by using the SecurityIdentification impersonation level.

Would suggest we try again with OpenAsSelf set to TRUE if the existing two tries fail. If this is acceptable, I can create a PR.

/* Proposed lookup: a third attempt with OpenAsSelf = TRUE after the two existing tries. */
if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, FALSE, &hToken))
{
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
    {
        if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &hToken))
        {
            BREAK_ON_ERROR("[TOKEN] Failed to get a valid token for thread/process.");
        }
    }
}
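The three-attempt lookup proposed above, written out as an added example that is not meterpreter's own code. On Windows it calls the real Win32 functions; on any other platform a constructed stand-in for OpenThreadToken/OpenProcessToken (the sim_* pieces, which encode my reading of the MSDN text quoted above: at SecurityIdentification the access check run under the impersonation token fails for both calls, and OpenAsSelf = TRUE makes it run under the process token instead) lets the fallback order be exercised and compared with the current two-attempt code. The function names open_query_token, open_query_token_legacy and sim_tier are mine, not names from the project.

```c
/*
 * Added example (not meterpreter code): open a TOKEN_QUERY handle to the
 * caller's effective token, with a third attempt using OpenAsSelf = TRUE so
 * that a thread impersonating at SecurityIdentification level still succeeds.
 */
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Constructed stand-ins for the Win32 pieces this example touches. They model
 * the behaviour described in the MSDN note quoted in the issue (an assumption
 * for illustration, not the real implementation). */
typedef void *HANDLE;
typedef int BOOL;
typedef unsigned long DWORD;
#define TRUE 1
#define FALSE 0
#define TOKEN_QUERY 0x0008
#define ERROR_NO_TOKEN 1008L
#define ERROR_ACCESS_DENIED 5L
#define SIM_THREAD_TOKEN ((HANDLE)0x1001)
#define SIM_PROCESS_TOKEN ((HANDLE)0x2002)

/* Simulated caller state: 0 = not impersonating, 1 = impersonating at
 * SecurityImpersonation, 2 = impersonating at SecurityIdentification. */
static int g_sim_state = 0;
static DWORD g_last_error = 0;
static void sim_set_state(int state) { g_sim_state = state; g_last_error = 0; }

static HANDLE GetCurrentThread(void) { return (HANDLE)0xfffffffe; }
static HANDLE GetCurrentProcess(void) { return (HANDLE)0xffffffff; }
static DWORD GetLastError(void) { return g_last_error; }
static BOOL CloseHandle(HANDLE h) { (void)h; return TRUE; }

static BOOL OpenThreadToken(HANDLE thread, DWORD access, BOOL openAsSelf, HANDLE *out)
{
    (void)thread; (void)access;
    if (g_sim_state == 0) { g_last_error = ERROR_NO_TOKEN; return FALSE; }
    /* Identification-level token: the check done under that token fails;
     * OpenAsSelf = TRUE performs it under the process token and succeeds. */
    if (g_sim_state == 2 && !openAsSelf) { g_last_error = ERROR_ACCESS_DENIED; return FALSE; }
    *out = SIM_THREAD_TOKEN;
    return TRUE;
}

static BOOL OpenProcessToken(HANDLE process, DWORD access, HANDLE *out)
{
    (void)process; (void)access;
    /* Opening the process token object is also an executive-object open,
     * so it fails under an identification-level impersonation token. */
    if (g_sim_state == 2) { g_last_error = ERROR_ACCESS_DENIED; return FALSE; }
    *out = SIM_PROCESS_TOKEN;
    return TRUE;
}
#endif

/* Current two-attempt logic. Returns the attempt that succeeded (1 or 2), 0 on failure. */
static int open_query_token_legacy(HANDLE *out)
{
    *out = NULL;
    if (OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, FALSE, out)) return 1;
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out)) return 2;
    return 0;
}

/* Proposed three-attempt logic. Returns the attempt that succeeded (1..3), 0 on failure;
 * on success *out must be released with CloseHandle. */
static int open_query_token(HANDLE *out)
{
    *out = NULL;
    if (OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, FALSE, out)) return 1;
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out)) return 2;
    /* Both failed: a SecurityIdentification-level token cannot open executive
     * objects, so redo the thread-token open with the process token's rights. */
    if (OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, out)) return 3;
    return 0;
}

#ifndef _WIN32
/* Run one of the two lookups in a given simulated state and report which attempt won. */
static int sim_tier(int state, int legacy)
{
    HANDLE h = NULL;
    sim_set_state(state);
    int tier = legacy ? open_query_token_legacy(&h) : open_query_token(&h);
    if (h) CloseHandle(h);
    return tier;
}
#endif

int main(void)
{
#ifndef _WIN32
    static const char *names[] = { "not impersonating", "SecurityImpersonation", "SecurityIdentification" };
    for (int s = 0; s < 3; s++)
        printf("%-23s legacy attempt=%d proposed attempt=%d\n", names[s], sim_tier(s, 1), sim_tier(s, 0));
#else
    HANDLE h = NULL;
    int tier = open_query_token(&h);
    if (tier) { printf("token opened on attempt %d\n", tier); CloseHandle(h); }
    else printf("all attempts failed, GetLastError()=%lu\n", (unsigned long)GetLastError());
#endif
    return 0;
}
```

In the simulated SecurityIdentification state the legacy lookup returns 0, which is the "Access is denied" seen from getsid, while the proposed lookup succeeds on the third attempt. When the thread is not impersonating at all, the first call fails with ERROR_NO_TOKEN rather than ERROR_ACCESS_DENIED and the process token is returned on the second attempt, so the added third attempt never changes behaviour for that case.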
