Tool - RunAsUser v0.5 released

---

• From: inode <inode@xxxxxxxxxxxxxxxx>
• Date: Thu, 14 Feb 2008 21:42:10 +0100

---

What is RunAsUser?
----------------------------------------------------------
RunAsUser is able to run a command as another user. You need the local administrator privileges and the user must have a running process on the system.

How does it work?
----------------------------------------------------------
RunAsUser uses dll injection techniques to gain SYSTEM privileges. With SYSTEM privileges the dll is able to open the target process, duplicate the access token and run a program with the user privileges.

What I can do with RunAsUser?
----------------------------------------------------------
RunAsUser can be used in a lot of situations, the most interesting usage is the privilege escalation that can be done on a Microsoft domain. If the user has local administrator rights and a domain admin is logged on the system you can get domain administrator privileges.

Command line arguments
----------------------------------------------------------
-p <pid>
Pid of the target process
-c <command>
Command to be executed with user privileges
-s <session ID> Target session ID
Session where the new process is spawned. To get your current session id run taskmgr.exe, go to "View" -> "Select columns" and select "Session ID" and search one of your current processes.
-l <lsass pid> (optional)
RunAsUser looks for the lsass.exe process. If this process fails, try using this option specifying the lsass pid.


You can download source and binary at:
http://lab.mediaservice.net/code.php#runasuser

inode

--
Agazzini Maurizio @ Mediaservice.net S.R.L.
0xF574450C - 09C5 E9A5 E481 D70A 708E DC3B 690D 1A36 F574 450C

"C programmers never die. They are just cast into void."

http://mediaservice.net/disclaimer

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

---

• Prev by Date: Re: Security/Pen-testing Courses?
• Next by Date: Re: Volatile Worm
• Previous by thread: cracking sniffed hashs issue
• Next by thread: Certified Security Analyst / LPT - LIVE Class
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: PPPD, TCPIP Services and incomplete negotiations ... Are you sure you have privileges to create a detached process, and the privileges to change attributes ... The trace I showed here was the result of logging in to a unprivileged user on TTA0: and issuing te PPPD CONNECT command which turns the current terminal into the ASN device. ... (comp.os.vms) IBM DB2 Remote Command Execution Privilege Upgrade (#NISR09032004) ... IBM DB2 Remote Command Execution Privilege Upgrade ... allow attackers to gain administrative privileges on the server running DB2. ... (NT-Bugtraq) IBM DB2 Remote Command Execution Privilege Upgrade (#NISR09032004) ... IBM DB2 Remote Command Execution Privilege Upgrade ... allow attackers to gain administrative privileges on the server running DB2. ... (Bugtraq) [VulnWatch] IBM DB2 Remote Command Execution Privilege Upgrade (#NISR09032004) ... IBM DB2 Remote Command Execution Privilege Upgrade ... allow attackers to gain administrative privileges on the server running DB2. ... (VulnWatch) Re: Commands to do this... [NOOB] ... David Douthitt wrote: ... and 2) finding where a command is actually located. ... Something else the OP needs to understand is that unlike UN*X, VMS ... only those privileges authorized for you will actually be turned on. ... (comp.os.vms)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > pen-test  > 2008-02