Home page logo

metasploit logo Metasploit mailing list archives

Using AdjustTokenPrivileges via Meterpreter Railgun
From: "Spencer, Shelby C" <Shelby_C_Spencer () rl gov>
Date: Mon, 7 Jan 2013 12:45:06 -0800


I'm trying to add a couple token privilege to the current process Meterpreter is running under like so:

hcurrent = client.railgun.kernel32.GetCurrentProcess
hcurrentToken = client.railgun.advapi32.OpenProcessToken(hcurrent["return"], 40, 4)
SeIncreaseQuotaPrivilege = client.railgun.advapi32.LookupPrivilegeValueW(nil, "SeIncreaseQuotaPrivilege", 4)
SeAssignPrimaryTokenPrivilege = client.railgun.advapi32.LookupPrivilegeValueW(nil, "SeAssignPrimaryTokenPrivilege", 4)
client.railgun.advapi32.AdjustTokenPrivileges(hcurrentToken["TokenHandle"], false, <PTOKEN_PRIVILEGES Struct Here>, 0, 
nil, nil)

According to the MSDN documentation on AdjustTokenPrivileges 
(http://msdn.microsoft.com/en-us/library/windows/desktop/aa375202%28v=vs.85%29.aspx), the PTOKEN_PRIVILEGES struct 
should look something like this:
privileges = {"PrivilegeCount" => 2, "Privileges" => [{"Luid" => SeIncreaseQuotaPrivilege["lpLuid"], "Attributes" => 
2}, {"Luid" => SeIncreaseQuotaPrivilege["lpLuid"], "Attributes" => 2}]} #Ruby syntax

Obviously this complicated struct needs to be packed somehow using Ruby's "pack" command, but the problem is that I 
have no idea how to begin.  I can't find any documentation or any other modules which do anything similarly complex.
The closest code I found was in Metasm source: 
I couldn't seem to figure out how to translate this to my method using Railgun, or call the Metasm module and methods 
in that file directly.

I'm sure this is probably pretty simple, I just need a little guidance.

Thanks in advance,


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]