CreateprocessAsUserA Using LogonUserA


// Question snippet (Win32, <windows.h>). Review comments mark the defects the answers below address.
LPCSTR  lpszUsername = "admin user";
LPCSTR  lpszDomain =  "DESKTOP-H60GO83";
LPCSTR  lpszPassword = "password";   // plaintext credential compiled into the executable
DWORD   dwLogonType = LOGON32_LOGON_INTERACTIVE;
DWORD   dwLogonProvider = LOGON32_PROVIDER_WINNT40;
PHANDLE hToken;   // BUG: an uninitialized pointer-to-HANDLE; LogonUserA needs the address of a real HANDLE to fill in

LogonUserA(       // BOOL return value is not checked; GetLastError() would be the only diagnostic
    lpszUsername,
    lpszDomain,
    lpszPassword,
    dwLogonType,
    dwLogonProvider,
    hToken);      // BUG: the token is written through an indeterminate pointer (undefined behavior)

memset(&sui, 0, sizeof(sui));   // sui is not declared in this snippet; presumably a STARTUPINFO

sui.cb = sizeof(sui);

LPTSTR lpApplicationName = "C:\\Windows\\System32\\cmd.exe ";   // trailing space inside the literal is probably unintended; the A API takes LPCSTR

CreateProcessAsUserA(   // return value not checked; hToken, pi.hProcess and pi.hThread are never closed
    hToken,             // BUG: passes the PHANDLE where the function expects the HANDLE value itself
    lpApplicationName,
    NULL,
    NULL,
    NULL,
    TRUE,               // bInheritHandles: every inheritable handle of the caller is copied into the new process
    NULL,
    NULL,
    NULL,
    &sui,
    &pi                 // pi is not declared in this snippet; presumably a PROCESS_INFORMATION
);

That's my code. What am I doing wrong? The process exits immediately once the console loads.

I need this to add to my reverse shell.

I used CreateProcess() and it worked. I'm using CreateProcessAsUserA() to give my shell admin privileges.

CodePudding user response:

You are not using the hToken variable correctly.

You have declared an uninitialized pointer to a HANDLE, but are not pointing it at a valid HANDLE. You are then passing that bad pointer to LogonUserA(), which is undefined behavior. And then you are passing that bad pointer to CreateProcessAsUserA(), which doesn't even want a pointer to a HANDLE to begin with; it wants the actual HANDLE instead.

You are also not checking for errors from the API calls.

Try this instead:

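// Log a user on with explicit credentials and start cmd.exe under the resulting token.
// Win32 only (LogonUserA / CreateProcessAsUserA from <windows.h>).
//
// Things to know before copying this:
//  - LogonUserA with LOGON32_LOGON_INTERACTIVE returns a primary token, which is exactly
//    what CreateProcessAsUserA needs; no DuplicateTokenEx step is required.
//  - The calling process normally needs SE_INCREASE_QUOTA_NAME and, unless the token is a
//    restricted version of its own primary token, SE_ASSIGNPRIMARYTOKEN_NAME; without them
//    CreateProcessAsUserA fails with ERROR_PRIVILEGE_NOT_HELD.
//  - lpDesktop is not set, so the new process is placed on the caller's window station and
//    desktop. If the logged-on account has no access to them, cmd.exe may start and exit at
//    once, which looks like the symptom in the question (not verifiable from here).
//  - The credentials are plaintext in the binary; anyone who can read the executable has them.
LPCSTR  lpszUsername = "admin user";
LPCSTR  lpszDomain   = "DESKTOP-H60GO83";
LPCSTR  lpszPassword = "password";
DWORD   dwLogonType     = LOGON32_LOGON_INTERACTIVE;
DWORD   dwLogonProvider = LOGON32_PROVIDER_WINNT40;  // forces the NTLM provider; LOGON32_PROVIDER_DEFAULT is the documented choice unless NTLM is required
HANDLE  hToken = NULL;   // a HANDLE, not a PHANDLE: LogonUserA receives its address and fills it in

if (!LogonUserA(
    lpszUsername,
    lpszDomain,
    lpszPassword,
    dwLogonType,
    dwLogonProvider,
    &hToken))            // out-parameter: the address of the HANDLE
{
    DWORD err = GetLastError();  // ERROR_LOGON_FAILURE = bad credentials, ERROR_LOGON_TYPE_NOT_GRANTED = logon type not allowed for this account
    // error handling... (return/bail here; the code below assumes hToken is valid)
}

STARTUPINFOA sui = {};      // A-suffixed struct matches CreateProcessAsUserA whether or not UNICODE is defined
sui.cb = sizeof(sui);       // required: tells the API which version of the struct it got

PROCESS_INFORMATION pi = {};

LPCSTR lpApplicationName = "C:\\Windows\\System32\\cmd.exe";   // string literals are const; the A API takes LPCSTR

if (!CreateProcessAsUserA(
    hToken,               // the HANDLE value itself, not its address
    lpApplicationName,
    NULL,                 // lpCommandLine: cmd.exe with no arguments
    NULL,                 // lpProcessAttributes
    NULL,                 // lpThreadAttributes
    FALSE,                // bInheritHandles: nothing here needs inheriting, so the caller's inheritable handles are not handed to a process running as another account
    0,                    // dwCreationFlags
    NULL,                 // lpEnvironment: the new process uses the caller's environment, not the target user's (see CreateEnvironmentBlock for that)
    NULL,                 // lpCurrentDirectory
    &sui,
    &pi))
{
    DWORD err = GetLastError();
    // error handling ...
}
else
{
    // ... use the process; both handles in pi are owned by this code ...
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
}

CloseHandle(hToken);      // the logon token is a kernel handle too; the original leaked it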

CodePudding user response:

/*
author: @......MARSHA4CODING
*/
#include <iostream>
#include <windows.h>

using namespace std;  // file-scope using-directive; the program only needs std::cout from <iostream>

// File-scope STARTUPINFO / PROCESS_INFORMATION. main() declares locals with the same
// names that shadow these two, so they are never used.
STARTUPINFO sui;
PROCESS_INFORMATION pi;

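// Logs a user on with explicit credentials, duplicates the token into a primary token and
// starts cmd.exe under it. Win32 only (<windows.h>).
//
// Returns 0 on success, otherwise the Win32 error code of the call that failed.
// Every kernel handle obtained here (logon token, duplicate token, process, thread) is
// closed before returning; the original leaked all of them on at least one path.
int main() {
    // Credentials and logon parameters. They are plaintext in the executable.
    // The original domain literal started with a stray space, which would make the logon
    // fail; it is removed here.
    LPCSTR lpszUsername = "ADMIN";
    LPCSTR lpszDomain   = "DESKTOP-H60GO73";
    LPCSTR lpszPassword = "PASSWORD";
    DWORD  dwLogonType     = LOGON32_LOGON_INTERACTIVE;
    DWORD  dwLogonProvider = LOGON32_PROVIDER_DEFAULT;

    // LogonUserA writes the new token through the address of a HANDLE (not a PHANDLE).
    HANDLE hToken = NULL;
    if (!LogonUserA(lpszUsername, lpszDomain, lpszPassword, dwLogonType, dwLogonProvider, &hToken)) {
        DWORD err = GetLastError();
        std::cerr << "LogonUserA failed: " << err << '\n';
        return static_cast<int>(err);
    }

    // LogonUserA with LOGON32_LOGON_INTERACTIVE already returns a primary token, so this
    // duplication is optional; it is kept because the question is about how to call it.
    // The original passed an uninitialized HANDLE by value and referenced two variables
    // (lpTokenAttributes, ImpersonationLevel) that were commented out, so it did not compile.
    HANDLE hPrimaryToken = NULL;
    if (!DuplicateTokenEx(
            hToken,
            0,                      // dwDesiredAccess: 0 requests the same access rights as the source token
            NULL,                   // lpTokenAttributes: default security descriptor, handle not inheritable
            SecurityImpersonation,  // SECURITY_IMPERSONATION_LEVEL recorded on the new token
            TokenPrimary,           // TOKEN_TYPE; the original's literal 1 is this enumerator
            &hPrimaryToken)) {      // out-parameter: address of the receiving HANDLE
        DWORD err = GetLastError();
        std::cerr << "DuplicateTokenEx failed: " << err << '\n';
        CloseHandle(hToken);
        return static_cast<int>(err);
    }

    // Zero-initialised STARTUPINFOA; cb must hold the structure size. The A-suffixed struct
    // matches CreateProcessAsUserA whether or not UNICODE is defined. These locals shadow the
    // file-scope sui/pi, which stay unused.
    STARTUPINFOA sui = {};
    sui.cb = sizeof(sui);
    PROCESS_INFORMATION pi = {};

    LPCSTR lpApplicationName = "C:\\Windows\\System32\\cmd.exe";

    // Use the duplicated primary token (the original duplicated it and then passed hToken anyway).
    // bInheritHandles is FALSE: nothing here needs inheriting, so the caller's inheritable
    // handles are not copied into a process running as another account.
    // lpDesktop is not set, so the process is placed on the caller's window station/desktop;
    // the target account needs access to them or cmd.exe may exit immediately.
    // The caller usually needs SE_INCREASE_QUOTA_NAME and SE_ASSIGNPRIMARYTOKEN_NAME here;
    // ERROR_PRIVILEGE_NOT_HELD from GetLastError() means they are missing.
    BOOL created = CreateProcessAsUserA(
        hPrimaryToken,
        lpApplicationName,
        NULL,    // lpCommandLine
        NULL,    // lpProcessAttributes
        NULL,    // lpThreadAttributes
        FALSE,   // bInheritHandles
        0,       // dwCreationFlags
        NULL,    // lpEnvironment: the caller's environment block
        NULL,    // lpCurrentDirectory
        &sui,
        &pi);
    DWORD err = created ? ERROR_SUCCESS : GetLastError();

    if (created) {
        // Both handles in pi are owned by this code; nothing waits on the child here.
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    } else {
        std::cerr << "CreateProcessAsUserA failed: " << err << '\n';
    }

    CloseHandle(hPrimaryToken);
    CloseHandle(hToken);
    return static_cast<int>(err);
}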

I think the issue is with the DuplicateTokenEx() function, because the token I get from LogonUserA() is supposed to be used to generate either a primary or an impersonation token with DuplicateTokenEx(). So my challenge right now is with the TokenAttributes and ImpersonationLevel parameters of DuplicateTokenEx(): I don't know what to write there. Pardon my silly questions.
