mailing list archives
Problem with getprivs/Railgun call from SYSTEM
From: faberk () comcast net
Date: Mon, 25 Apr 2011 17:51:30 +0000 (UTC)
I am working on a meterpreter script that takes a username, password, and command as input and runs in the context of
that user (loading their profile). I'm using it to access and decrypt the browser for users that are not currently
logged in; I'm sure someone would be curious as to why.
Anyway, I use a Railgun call to CreateProcessWithLogonW to generate the process. This works fine as a local admin,
but not as SYSTEM. From Microsoft, here is why:
You cannot call CreateProcessWithLogonW
from a process that is running under the LocalSystem account, because
the function uses the logon SID in the caller token, and the token for
the LocalSystem account does not contain this SID. As an alternative,
use the CreateProcessAsUser and LogonUser functions.
When I try to do a call to LogonUser and CreateProcessAsUser I get: ERROR_PRIVILEGE_NOT_HELD (1314) from CPUA().
Researching it, I have found I need the SE_INCREASE_QUOTA_NAME and SE_ASSIGNPRIMARYTOKEN_NAME privs enabled. The SYSTEM
account has both of those assigned by default, but not enabled. I have used the getprivs command and it enables
SE_INCREASE_QUOTA_NAME but not SE_ASSIGNPRIMARYTOKEN_NAME. I looked through the source and it does try to enable it;
I'm just not sure why it was never enabled. The even weirder piece of this is that the CPUA() function is supposed to
enable these temporarily when it runs if the privs are present. This makes me think that somehow the SYSTEM account in
Vista does not have the priv assigned by default... Any ideas? This one has me stumped.
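The distinction the post turns on is whether SE_ASSIGNPRIMARYTOKEN_NAME is assigned-but-disabled in the token (AdjustTokenPrivileges can enable it) or absent from the token altogether (nothing short of granting it to the account will help). The following is an added example, not code from the poster or from Metasploit: it parses the output of `whoami /priv` (assumed to be the English-language format) and reports which of the two privileges CreateProcessAsUser needs fall into which case, using a constructed sample of that output.

```python
"""Classify the two privileges CreateProcessAsUser needs from `whoami /priv` output."""
import re
import subprocess

# Win32 constant names from the post mapped to the privilege names whoami prints.
REQUIRED = {
    "SE_ASSIGNPRIMARYTOKEN_NAME": "SeAssignPrimaryTokenPrivilege",
    "SE_INCREASE_QUOTA_NAME": "SeIncreaseQuotaPrivilege",
}

# One data row of `whoami /priv`: name, free-text description, then the State column.
LINE_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")

# Constructed sample output, mirroring the situation described in the post.
SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process   Enabled
SeAssignPrimaryTokenPrivilege Replace a process level token        Disabled
SeDebugPrivilege              Debug programs                       Enabled
"""


def parse_whoami_priv(text):
    """Return {privilege_name: True if Enabled, False if Disabled} for each data row."""
    privs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2) == "Enabled"
    return privs


def classify_required(privs):
    """Map each required privilege to 'enabled', 'disabled' (assigned, can be turned on)
    or 'missing' (not in the token, so AdjustTokenPrivileges cannot add it)."""
    result = {}
    for const, name in REQUIRED.items():
        if name not in privs:
            result[const] = "missing"
        else:
            result[const] = "enabled" if privs[name] else "disabled"
    return result


def diagnose_current_token():
    """Windows only: run `whoami /priv` for the current token and classify it."""
    out = subprocess.run(["whoami", "/priv"], capture_output=True, text=True, check=True).stdout
    return classify_required(parse_whoami_priv(out))
```

Running `diagnose_current_token()` inside the SYSTEM session would show directly whether the Vista token lacks the privilege or merely has it disabled.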