Home page logo

metasploit logo Metasploit mailing list archives

Problem with getprivs/Railgun call from SYSTEM
From: faberk () comcast net
Date: Mon, 25 Apr 2011 17:51:30 +0000 (UTC)

I am working on a meterpreter script that takes a username, password, and command as input and runs in the context of 
that user (loading their profile). I'm using it to access and decrypt the browser for users that are not currently 
logged in, I'm sure someone would be curious as to why. 

Anyways I use a railgun call to CreateProcessWithLogonW to generate the process....this works fine as a local admin, 
but not as system. From Microsoft here is why:
 You cannot call CreateProcessWithLogonW
 from a process that is running under the LocalSystem account, because 
the function uses the logon SID in the caller token, and the token for 
the LocalSystem account does not contain this SID. As an alternative, 
use the CreateProcessAsUser and LogonUser functions.

When I try to do a call to LogonUser and CreateProcessAsUser I get: ERROR_PRIVILEGE_NOT_HELD (1314) from CPUA(). 
Researching it i have found I need the SE_INCREASE_QUOTA_NAME and SE_ASSIGNPRIMARYTOKEN_NAME privs enabled. The system 
account has both of those assigned by default, but not enabled. I have used the getprivs command and it enables 
SE_INCREASE_QUOTA_NAME but not SE_ASSIGNPRIMARYTOKEN_NAME. I looked through the source and it does try to enable it, 
just not sure why it was never enabled. The even weirder piece of this is that the CPUA() function is supposed to 
enable these temporarily when it runs if the privs are present. This makes me think that somehow the SYSTEM account in 
vista does not have the priv assigned by default.....Any ideas? This one has me stumped.

  By Date           By Thread  

Current thread:
  • Problem with getprivs/Railgun call from SYSTEM faberk (Apr 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]