
Metasploit mailing list archives

Re: Using AdjustTokenPrivileges via Meterpreter Railgun
From: Rob Fuller <mubix () room362 com>
Date: Tue, 15 Jan 2013 23:49:03 -0500

Another thing is to just build it out based on the spec if you can.
DWORD, DWORD, DWORD, DWORD == 4 + 4 + 4 + 4, right? So if you wanted to set
each to 1 you could do this in Ruby:

1.9.3-p194 :008 > bob =
"\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01"
 =>
"\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001"

1.9.3-p194 :010 > bob.unpack("C*")
 => [0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1]

1.9.3-p194 :013 > bob.unpack("N*")
 => [1, 1, 1, 1]

Then write that into memory. (VirtualAlloc first, then writemem)



--
Rob Fuller | Mubix
Certified Checkbox Unchecker
Room362.com | Hak5.org


On Tue, Jan 15, 2013 at 10:03 PM, devin bjelland <devinbjelland () gmail com> wrote:

Try writing the structure in c++, compiling for the target architecture,
and then looking at the structure in memory with a debugger.

On Tue, Jan 15, 2013 at 12:40 AM, Spencer, Shelby C <Shelby_C_Spencer () rl gov> wrote:

Thanks Mubix for your response. I understand that I need to construct
the Struct as a byte sequence, but I don't know what that should look like.
Is there a guide on this? Does it follow some predefined standard (of
which I am not aware)?
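Added example (mine, not from Rob's mail, the quoted replies, or the Metasploit project): laying out TOKEN_PRIVILEGES, the struct AdjustTokenPrivileges takes, from its Win32 definition in Ruby, the way Rob suggests building it from the spec. It gives the byte string to write, the size to VirtualAlloc, and a checked unpack for reading the struct back. The LUID values in the sample are constructed; real ones come from LookupPrivilegeValue. It packs with 'V' and 'l<' because a DWORD in an x86/x64 Windows process is little-endian, so "\x01\x00\x00\x00" is the value 1 in memory and 'N' gives the reversed order.

```ruby
# Added example, not from the original thread: building the TOKEN_PRIVILEGES
# structure that AdjustTokenPrivileges expects as a byte string, straight from
# the Win32 layout, so it can be written into memory for a Railgun call.
#
# Layout (from the Win32 headers):
#   TOKEN_PRIVILEGES    { DWORD PrivilegeCount; LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY]; }
#   LUID_AND_ATTRIBUTES { LUID Luid; DWORD Attributes; }    -- 12 bytes
#   LUID                { DWORD LowPart; LONG HighPart; }   --  8 bytes
#
# DWORDs in an x86/x64 Windows process are little-endian, so the pack
# directives are 'V' (32-bit LE unsigned) and 'l<' (32-bit LE signed), not 'N'.

SE_PRIVILEGE_ENABLED = 0x00000002   # real Win32 constant (winnt.h)

LUID_AND_ATTRIBUTES_SIZE = 12       # 4 (LowPart) + 4 (HighPart) + 4 (Attributes)

# Show the byte-order difference for a single DWORD: 'V' is what the target
# process reads, 'N' is the big-endian order that looks "natural" in a dump.
def dword_hex(value, little_endian: true)
  [value].pack(little_endian ? 'V' : 'N').unpack('C*').map { |b| format('%02x', b) }.join(' ')
end

# Total size of a TOKEN_PRIVILEGES holding `count` entries: this is the number
# of bytes to VirtualAlloc before writing the struct.
def token_privileges_size(count)
  4 + count * LUID_AND_ATTRIBUTES_SIZE
end

# privs is an array of [luid_low, luid_high, attributes] triples. The LUID
# values would normally come from LookupPrivilegeValue; here they are whatever
# the caller passes in.
def pack_token_privileges(privs)
  header = [privs.length].pack('V')                                   # PrivilegeCount
  body   = privs.map { |low, high, attrs| [low, high, attrs].pack('Vl<V') }.join
  header + body
end

# Inverse of pack_token_privileges: parse the struct back out of a buffer (for
# example one read back with readmem), checking that the buffer is long enough
# for the PrivilegeCount it claims so a short read does not yield garbage entries.
def unpack_token_privileges(buf)
  raise ArgumentError, 'buffer shorter than PrivilegeCount' if buf.bytesize < 4
  count  = buf.unpack('V')[0]
  needed = token_privileges_size(count)
  raise ArgumentError, "need #{needed} bytes, got #{buf.bytesize}" if buf.bytesize < needed
  Array.new(count) do |i|
    buf.byteslice(4 + i * LUID_AND_ATTRIBUTES_SIZE, LUID_AND_ATTRIBUTES_SIZE).unpack('Vl<V')
  end
end

# Hex dump grouped in DWORDs, in the style of a debugger memory view.
def hexdump(buf)
  buf.bytes.each_slice(4).map { |w| w.map { |b| format('%02x', b) }.join(' ') }.join(' | ')
end

if __FILE__ == $0
  # Constructed sample: one privilege with LUID {20, 0}, attributes = enabled.
  sample = [[20, 0, SE_PRIVILEGE_ENABLED]]
  buf = pack_token_privileges(sample)
  puts "DWORD 1 little-endian: #{dword_hex(1)}"
  puts "DWORD 1 big-endian:    #{dword_hex(1, little_endian: false)}"
  puts "struct size: #{buf.bytesize} bytes (expected #{token_privileges_size(1)})"
  puts "struct bytes: #{hexdump(buf)}"
  puts "round trip: #{unpack_token_privileges(buf).inspect}"
end
```

The size check in unpack_token_privileges is the part worth keeping around: if the allocation you wrote into is smaller than token_privileges_size(n), the call reads past the end of what you wrote, and comparing a buffer read back from the target against what you packed is the quickest way to see whether the layout and byte order came out right.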


_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
