// NOTE(review): credentials hard-coded in source are a security defect outside a throwaway test.
LPCSTR lpszUsername = "admin user";
LPCSTR lpszDomain = "DESKTOP-H60GO83";
LPCSTR lpszPassword = "password";
DWORD dwLogonType = LOGON32_LOGON_INTERACTIVE;
DWORD dwLogonProvider = LOGON32_PROVIDER_WINNT40;
// BUG: an uninitialized pointer-to-HANDLE. LogonUserA needs the address of a real HANDLE
// (declare `HANDLE hToken` and pass `&hToken`).
PHANDLE hToken;
// BUG: the return value is never checked, so on failure execution continues with a garbage token.
LogonUserA(
lpszUsername,
lpszDomain,
lpszPassword,
dwLogonType,
dwLogonProvider,
hToken); // writes through an uninitialized pointer: undefined behaviour
// 'sui' (and 'pi' below) are not declared in this snippet; presumably STARTUPINFO / PROCESS_INFORMATION elsewhere.
memset(&sui, 0, sizeof(sui));
sui.cb = sizeof(sui);
// BUG: stray trailing space in the path. Also, a string literal should be bound to LPCSTR, not the
// non-const LPTSTR (which becomes wchar_t* in UNICODE builds).
LPTSTR lpApplicationName = "C:\\Windows\\System32\\cmd.exe ";
// BUG: the return value is never checked, so a failing call yields no error code to diagnose.
CreateProcessAsUserA(
hToken, // BUG: this parameter is a HANDLE, but hToken is a PHANDLE (and an invalid one)
lpApplicationName,
NULL,
NULL,
NULL,
TRUE, // NOTE(review): hands every inheritable handle of this process to a process under another account
NULL,
NULL,
NULL,
&sui,
&pi
);
That's my code. What am I doing wrong? The process exits immediately when the console loads.
I need this to add to my reverse shell.
I used CreateProcess() and it worked. I'm now using CreateProcessAsUserA() to give my shell admin privileges.
CodePudding user response:
You are not using the `hToken` variable correctly.
You have declared an uninitialized pointer to a `HANDLE`, but are not pointing it at a valid `HANDLE`. You are then passing that bad pointer to `LogonUserA()`, which is undefined behavior. And then you are passing that bad pointer to `CreateProcessAsUserA()`, which doesn't even want a pointer to a `HANDLE` to begin with — it wants the actual `HANDLE` instead.
You are also not checking for errors from the API calls.
Try this instead:
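// Log on as the target account, then start cmd.exe under that account's token.
// NOTE(review): credentials embedded in source are a security defect outside a throwaway test;
// obtain them at runtime instead.
LPCSTR lpszUsername = "admin user";
LPCSTR lpszDomain = "DESKTOP-H60GO83";
LPCSTR lpszPassword = "password";
DWORD dwLogonType = LOGON32_LOGON_INTERACTIVE;   // the account needs the "log on locally" right
DWORD dwLogonProvider = LOGON32_PROVIDER_WINNT40;
HANDLE hToken = NULL; // <-- a HANDLE, not a PHANDLE; LogonUserA fills it in through &hToken
if (!LogonUserA(
    lpszUsername,
    lpszDomain,
    lpszPassword,
    dwLogonType,
    dwLogonProvider,
    &hToken)) // <-- address of the HANDLE
{
    // error handling... GetLastError() holds the reason.
    // Nothing below may run with hToken == NULL, hence the else branch.
}
else
{
    // The A-suffixed API takes STARTUPINFOA; plain STARTUPINFO is STARTUPINFOW in UNICODE builds.
    STARTUPINFOA sui;
    memset(&sui, 0, sizeof(sui));
    sui.cb = sizeof(sui);
    PROCESS_INFORMATION pi;
    memset(&pi, 0, sizeof(pi));
    // The parameter is LPCSTR; binding a literal to a non-const LPTSTR is ill-formed C++.
    LPCSTR lpApplicationName = "C:\\Windows\\System32\\cmd.exe";
    // bInheritHandles is FALSE: no handle was made inheritable here, and TRUE would hand every
    // inheritable handle of this process to a process running as another account.
    // NOTE(review): CreateProcessAsUser is documented to need SE_INCREASE_QUOTA_NAME (and possibly
    // SE_ASSIGNPRIMARYTOKEN_NAME); when it fails with ERROR_PRIVILEGE_NOT_HELD the documented
    // alternative is CreateProcessWithLogonW.
    if (!CreateProcessAsUserA(
        hToken,
        lpApplicationName,
        NULL,
        NULL,
        NULL,
        FALSE,
        0,
        NULL,
        NULL,
        &sui,
        &pi))
    {
        // error handling ... GetLastError() holds the reason.
    }
    else
    {
        // ... wait on / use the child here ...
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
    CloseHandle(hToken); // the logon token is a kernel object and must be released too
}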
CodePudding user response:
/*
author: @......MARSHA4CODING
*/
#include <iostream>
#include <windows.h>
using namespace std;        // NOTE(review): file-scope using-directive; only cout is used below
STARTUPINFO sui;            // shadowed by the local 'sui' declared inside main(); unused here
PROCESS_INFORMATION pi;     // shadowed by the local 'pi' declared inside main(); unused here
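int main(){
    // Credentials for the target account.
    // NOTE(review): hard-coded credentials in source are a security defect outside a local
    // experiment — obtain them at runtime instead.
    LPCSTR lpszUsername = "ADMIN";
    // NOTE(review): the leading space in the domain string looks unintended — confirm.
    LPCSTR lpszDomain = " DESKTOP-H60GO73";
    LPCSTR lpszPassword = "PASSWORD";
    // An interactive logon needs the "log on locally" right for the account.
    DWORD dwLogonType = LOGON32_LOGON_INTERACTIVE;
    DWORD dwLogonProvider = LOGON32_PROVIDER_DEFAULT;

    // LogonUserA wants the ADDRESS of a HANDLE it fills in, hence HANDLE plus '&'.
    HANDLE hToken = NULL;
    if (!LogonUserA(lpszUsername, lpszDomain, lpszPassword, dwLogonType, dwLogonProvider, &hToken))
    {
        DWORD rx2 = GetLastError();
        return static_cast<int>(rx2);
    }

    // Duplicate the logon token as a PRIMARY token. The parameters the question asked about:
    //   dwDesiredAccess    0                      -> same access rights as the source token
    //   lpTokenAttributes  NULL                   -> default security descriptor, not inheritable
    //   ImpersonationLevel SecurityImpersonation  -> a valid enum value (matters for impersonation tokens)
    //   TokenType          TokenPrimary           -> the named enum instead of the magic 1
    //   phNewToken         &hPrimaryToken         -> the ADDRESS of the receiving HANDLE
    // NOTE(review): for LOGON32_LOGON_INTERACTIVE, LogonUser is documented to already return a
    // primary token, so this step is likely redundant here; it is kept because it is harmless.
    HANDLE hPrimaryToken = NULL;
    if (!DuplicateTokenEx(hToken, 0, NULL, SecurityImpersonation, TokenPrimary, &hPrimaryToken))
    {
        DWORD rx2 = GetLastError();
        cout<<"Duplication Error";
        CloseHandle(hToken);
        return static_cast<int>(rx2); // previously execution continued with an unset handle
    }

    // Locals shadow the file-scope sui/pi; the A-suffixed API takes STARTUPINFOA
    // (plain STARTUPINFO is STARTUPINFOW in UNICODE builds).
    STARTUPINFOA sui;
    memset(&sui, 0, sizeof(sui));
    sui.cb = sizeof(sui);
    PROCESS_INFORMATION pi;
    memset(&pi, 0, sizeof(pi));
    // lpApplicationName is LPCSTR for the A function; a string literal must not be bound to a
    // non-const LPTSTR (which is wchar_t* in UNICODE builds).
    LPCSTR lpApplicationName = "C:\\Windows\\System32\\cmd.exe";

    // Use the duplicated primary token, not the raw logon token.
    // bInheritHandles is FALSE: nothing here was made inheritable, and TRUE would hand every
    // inheritable handle of this process to a process running under another account.
    // NOTE(review): CreateProcessAsUser is documented to require SE_INCREASE_QUOTA_NAME and may
    // require SE_ASSIGNPRIMARYTOKEN_NAME; an ordinary interactive process usually lacks these, and
    // the documented alternative when it fails with ERROR_PRIVILEGE_NOT_HELD is CreateProcessWithLogonW.
    if (!CreateProcessAsUserA(hPrimaryToken, lpApplicationName, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &sui, &pi))
    {
        DWORD rx2 = GetLastError();
        CloseHandle(hPrimaryToken);
        CloseHandle(hToken);
        return static_cast<int>(rx2);
    }

    // Release every kernel object we own; the child keeps running on its own.
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    CloseHandle(hPrimaryToken);
    CloseHandle(hToken);
    return 0;
}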
I think the issue is with the DuplicateTokenEx() function: the token I get from LogonUserA() is supposed to be used to generate either a primary or an impersonation token with DuplicateTokenEx(). So my challenge right now is with the TokenAttributes and ImpersonationLevel parameters of DuplicateTokenEx() — I don't know what to pass there. Pardon my silly questions.