Vuln Dev
Named Pipe Impersonation -> CreateProcessAsUser(); Jul 14 2003 07:45PM
wirepair (wirepair roguemail net) (1 replies)
Hello, I'm attempting to finish up my exploit for the
@stake advisory. I've hit quite a snag when I found out
that calling a new process does not inherit the privileges
of the named pipe. (I must have been thinking of fork() or
something, heh.) So I can impersonate SYSTEM, but I cannot
create a new process with these nice privileges. Here is
where I am at:
ConnectNamedPipe() <-- yada yada wait for connection

// impersonate the pipe so we now are SYSTEM.
if (!ImpersonateNamedPipeClient (hPipe))
{
    printf ("Failed to impersonate the named pipe.\n");
    return 5;
}

// found this on msdn, I'm trying to get a token with full
// access, then call CreateProcessAsUser();
if (!OpenThreadToken(GetCurrentThread(),
    printf("damn: %u\n", GetLastError());

// this I'm kinda shady on, looks like I'm just mapping the id to the
// SYSTEM name? when I call GetUserName I get garble after
// the OpenThreadToken unless I call MapGenericMask...
MapGenericMask( &dwAccessDesired, pGeneric );

CreateProcessAsUser(hToken, "cmd.exe",

Now I call CreateProcessAsUser(), using the token from
OpenThreadToken(). In the debugger, it tries to execute cmd,
but I get nothing back... If anyone wants to see my
code it's at
Thanks, this is starting to bug me :),
Re: Named Pipe Impersonation -> CreateProcessAsUser(); Jul 14 2003 08:13PM
Blue Boar (BlueBoar thievco com)

Copyright 2010, SecurityFocus