CreateprocessAsUserA Using LogonUserA-CodePudding

LPCSTR  lpszUsername = "admin user";
LPCSTR  lpszDomain =  "DESKTOP-H60GO83";
LPCSTR  lpszPassword = "password";
DWORD   dwLogonType = LOGON32_LOGON_INTERACTIVE;
DWORD   dwLogonProvider = LOGON32_PROVIDER_WINNT40;
PHANDLE hToken;

LogonUserA(
    lpszUsername,
    lpszDomain,
    lpszPassword,
    dwLogonType,
    dwLogonProvider,
    hToken);
      
memset(&sui, 0, sizeof(sui));
  
sui.cb = sizeof(sui);
     
LPTSTR lpApplicationName = "C:\\Windows\\System32\\cmd.exe ";
      
CreateProcessAsUserA(
    hToken,
    lpApplicationName,
    NULL,
    NULL,
    NULL,
    TRUE,
    NULL,
    NULL,
    NULL,
    &sui,
    &pi
);

That's my code. What am I doing wrong? Process exits immediately when the console loads.

I need this to add to my reverse shell.

I used CreateProcess() and it worked. I'm using CreateProcessAsUserA() to give my shell admin privileges.

CodePudding user response：

You are not using the hToken variable correctly.

You have declared an uninitialized pointer to a HANDLE, but are not pointing it at a valid HANDLE. You are then passing that bad pointer to LogonUserA(), which is undefined behavior. And then you are passing that bad pointer to CreateProcessAsUserA(), which doesn't even want a pointer to a HANDLE to begin with, it wants the actual HANDLE instead.

You are also not checking for errors from the API calls.

Try this instead:

LPCSTR  lpszUsername = "admin user";
LPCSTR  lpszDomain =  "DESKTOP-H60GO83";
LPCSTR  lpszPassword = "password";
DWORD   dwLogonType = LOGON32_LOGON_INTERACTIVE;
DWORD   dwLogonProvider = LOGON32_PROVIDER_WINNT40;
HANDLE hToken = NULL; // <-- no P !

if (!LogonUserA(
    lpszUsername,
    lpszDomain,
    lpszPassword,
    dwLogonType,
    dwLogonProvider,
    &hToken)) // <-- add & !
{
    // error handling...
}
      
STARTUPINFO sui;
memset(&sui, 0, sizeof(sui));
sui.cb = sizeof(sui);
     
PROCESS_INFORMATION pi;

LPTSTR lpApplicationName = "C:\\Windows\\System32\\cmd.exe";
      
if (!CreateProcessAsUserA(
    hToken,
    lpApplicationName,
    NULL,
    NULL,
    NULL,
    TRUE,
    NULL,
    NULL,
    NULL,
    &sui,
    &pi
))
{
    // error handling ...
}

...

CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);

CodePudding user response：

/*
author: @......MARSHA4CODING
*/
#include <iostream>
#include <windows.h>

using namespace std;

STARTUPINFO sui;
PROCESS_INFORMATION pi;

int main(){



LPCSTR  lpszUsername = "ADMIN";
LPCSTR  lpszDomain =  " DESKTOP- 
H60GO73";
LPCSTR  lpszPassword = "PASSWORD" ;
DWORD   dwLogonType = 
LOGON32_LOGON_INTERACTIVE;
DWORD   dwLogonProvider =  
LOGON32_PROVIDER_DEFAULT ;
HANDLE hToken = NULL; // <-- no P !

if (!LogonUserA(
lpszUsername,
lpszDomain,
lpszPassword,
dwLogonType,
dwLogonProvider,
&hToken)) // <-- add & !
{
DWORD rx2 =   GetLastError();
return rx2;
}
  
STARTUPINFO sui;
memset(&sui, 0, sizeof(sui));
sui.cb = sizeof(sui);
 
PROCESS_INFORMATION pi;

LPTSTR lpApplicationName = 
"C:\\Windows\\System32\\cmd.exe";

HANDLE phNewToken; // stores either the 
Primary or Impersonation token gotten 
from DuplicateTokenEx

//LPSECURITY_ATTRIBUTES        
lpTokenAttributes
//SECURITY_IMPERSONATION_LEVEL 
ImpersonationLevel
if(!DuplicateTokenEx(hToken,
0,lpTokenAttributes,
ImpersonationLevel,1,phNewToken)){
cout<<"Duplication Error";
}
  
if (!CreateProcessAsUserA(
hToken,
lpApplicationName,
NULL,
NULL,
NULL,
TRUE,
NULL,
NULL,
NULL,
&sui,
&pi
))
{
 DWORD rx2 =   GetLastError();
 return rx2;
 }



 CloseHandle(pi.hThread);
 CloseHandle(pi.hProcess);

 return 0; 


 }

I think the issue is with the DuplicateTokenEx(); function because the token I'm supposed to get from the LogonUserA(); Will be used to generate either a Primary or Impersonation Token with DuplicateTokenEx(); function So my challenge right now is with the TokenAttributes and Impersonationlevel when using DuplicateTokenEx(): function I don't know what to write there, Pardon my silly Questions.